Recently, researchers at the Netherlands Forensic Institute succeeded in cracking hundreds of crypto phones (1). Reading these phones is becoming increasingly important in criminal investigations. Nevertheless, there are also objections, partly because it constitutes a serious intrusion into the private lives of citizens. But what role do crypto phones currently play in criminal investigations? And when may a crypto phone be read? This article takes a closer look at that.
As mentioned, crypto phones are frequently used by criminals, especially in organized crime. Normally, investigators can easily intercept telephone communications, such as text messages and phone calls. A crypto phone differs from a regular phone in that these phones contain special software that encrypts communications (2). As a result, text messages can only be viewed by the recipient unless a crypto phone is "cracked.
It may be lucrative for investigators to use these crypto phones to uncover the truth. Recent research by the Scientific Research and Documentation Center (WODC) has shown that encryption has become commonplace in criminal investigations (3). At the same time, there are concerns about reading these phones, given the objective to be pursued with them. After all, it is a far-reaching detection method that clashes with various fundamental rights, such as the right to privacy. It is not for nothing that the European Council calls encryption a necessary means to protect the fundamental rights of citizens (4). It is therefore important that sufficient safeguards are in place to strike the right balance between the interests of investigation on the one hand, and the interests of the individual on the other.
The legal safeguards can be found in the Code of Criminal Procedure (Sv). In the context of crypto phones, two investigative powers in particular are relevant, namely the decryption order (Article 126nh paragraph 1 Sv) and the hacking power (Articles 126nba, 126uba and 126zpa Sv). These laws provide that these investigative powers may only be used under strict conditions. This, according to the WODC research report, is also the reason why little use is made of them. In all likelihood, only the most serious criminal cases will see the decryption and reading of crypto phones applied.
Although there are clear legal safeguards for Dutch investigative services, in practice messages cracked abroad are also used. Since foreign investigative authorities are not bound by Dutch laws and regulations, discussion arose as to whether these cracked messages may be used as evidence in Dutch criminal cases.
Meanwhile, the Supreme Court has addressed the use of crypto-data obtained abroad in two issues.
The first case related to a liquidation in IJsselstein (5). Several Blackberrys were found during the arrest. These Blackberries had been converted through service provider Ennetcom, which meant that all messages had been sent encrypted. These messages, also called Ennetcom data, were stored on servers in Canada. For that reason, a legal assistance request was made to the Canadian authority to transfer this data to the Dutch authorities. The defense was of the opinion that the Ennetcomdata should not be used in evidence. After all, the evidence would not have been obtained lawfully and could not be checked for reliability. This was all the more true since the defendant indicated that he did not send the communications. This would have violated the right to a fair trial.
However, the Supreme Court followed the reasoning of the trial court, namely that obtaining and using the data as evidence was lawful. After the data was transferred from Canada, the prosecution sought authorization from the examining magistrate to use the data. The Canadian judge had made this a condition for the transfer of the data. This authorization from the examining magistrate was an adequate safeguard for the use of the Ennetcom data, despite the fact that the data was obtained elsewhere.
Since October 2022, the possibility exists for courts and tribunals to submit preliminary questions to the criminal division of the Supreme Court. The first preliminary question answered by the Supreme Court in this context concerned the use of decrypted cryptocommunications originating in France (6).
Criminal cases are pending before courts in Overijssel and Noord-Nederland in which the prosecution is using decrypted messages in its evidence. Indeed, the defendants in these cases used phones from service providers EncroChat and SkyECC, whose servers are located in France. French authorities managed to crack the cryptocommunications and intercept the messages. This data was then shared with the Netherlands. It is also argued in these criminal cases that the data from France was not lawfully obtained, and that there is no way to verify that its representation is reliable.
The Supreme Court states that the "principle of interstate reliance" applies here, as argued by the prosecution. This means that Dutch courts must generally respect the decisions of foreign authorities in a criminal investigation, may assume that the investigation was in accordance with the applicable requirements in that country, and was conducted in such a way that the results are reliable. Only if there are concrete indications to doubt the reliability of the results is further review appropriate.
Authorizations have also been sought by the prosecution in these criminal cases from the magistrate judge. The Supreme Court indicates that obtaining a warrant, even if not required by law, can create certain safeguards that are important for the way data is selected from large databases, the ability to review that selection process, and for privacy protection of data subjects.
Reading crypto phones can provide valuable evidence in a criminal investigation. At the same time, care must be taken as it also seriously infringes on several fundamental rights of suspects. These safeguards are partly provided in the Code of Criminal Procedure, where strict conditions apply to the use of the decryption warrant and the hacking power for investigative purposes. If data have been obtained from abroad, the interstate principle of trust is assumed, with authorization from the examining magistrate as a possible additional safeguard.
NFI manages to crack hundreds of crypto phones, 'a bank vault within a bank vault' (nos.nl)
Why crypto phones are big business | RTL News
J. Jansen et al, 'The role of encryption in detection. Obstacles and opportunities,' NHL Stenden University of Applied Sciences 2023, p. 270.
Encryption: Council adopts resolution on security thanks to and despite encryption - Consilium (europa.eu)
HR June 28, 2022, ECLI:NL:HR:2022:900.
HR June 13, 2023, ECLI:NL:HR:2023:913.
