
Justus Reisinger's presentation on the (European) legal challenges of EncroChat and SkyECC at LEAP 2025

  • Writer: Joint Defense Team
  • Feb 27

At Fair Trials' annual LEAP (Legal Experts Advisory Panel) meeting in Milan, our co-founder Justus Reisinger gave a rousing presentation on the legal challenges associated with EncroChat and SkyECC evidence, the text of which is reproduced below.


Joint Defense Team co-founder Justus Reisinger at the LEAP 2025 conference in Milan

Dear colleagues,


Thank you for the opportunity to talk to you about EncroChat and Sky ECC-cases. It is kind of refreshing talking about this topic to a friendly and receptive audience for a change; talking to people who at least act interested in securing a fair trial, even for people involved in these cases, who are – quite often – not seen as the most sympathetic suspects. They, who are not seen as vulnerable, needing our help the most. Sometimes organized crime is even being framed as a kind of terrorism nowadays, also among colleagues of ours. And as we just heard in the speech of Prof. Gearty, the qualification of “terrorism” can function as the engine driving the drift away from the rule of law. So, I don’t ask you to be “fan of our clients” or to, in any way, even identify ourselves with our clients. But I do ask you to at least rethink being a “fan of EncroChat or Sky ECC as evidence”, as one said earlier today, because it is not the one or the other. Let’s just stick to our mutual drift, the ultimate reason for choosing the métier we have: being “fan of a fair trial”. The real proof that the right to a fair trial is still a practical and effective right and not just existing theoretically, as an illusory right – which is, as we heard from Mr. Canestrini yesterday, the main objective of the European Convention on Human Rights, as explained by the Court in the case of Artico versus Italy, dated already from 1980 – is in granting this right in its full extent, even to the most unlikable clients, in the most uncomfortable cases. In my view, that is our minimum challenge in these cases: to achieve a fair trial and I will explain to you not just why I think this should be done, but also how.


“The High Contracting Parties shall secure to everyone within their jurisdiction the rights and freedoms defined in Section I of this Convention”; this is the text of Article 1 of the European Convention on Human Rights. When I break it down: this is what has been driving me in defending suspects in these cases, over 6 years already (it was in the beginning of 2019 that clients were arrested on the suspicion of selling EncroChat-phones to criminals and, in that way, laundering their criminal money – an allegation of which they were relatively recently acquitted by the Regional Court of Rotterdam, by the way). It was also the driving force behind the letter of concern by Fair Trials, already three years ago, because of the concerns about evidence that was introduced which was gathered crossing borders/ transnationally: irrespective of how evidence is assessed in any other procedure (abroad), when it’s to be used in a criminal court, that court must decide on the legality and reliability. The European Court of Human Rights is very clear in this, for example in the case of Belugin versus Russia.


But before I come to talk about the discussion of fair trial standards in EncroChat and Sky ECC-cases in more detail and before my colleague, Catherine Forget will address some challenges from the perspective of the right to respect for privacy, I will introduce you a little bit to the different cryptocommunication services – abbreviated to ‘PGP’; ‘Pretty Good Privacy’. I will have to keep it really basic, when it comes to the technical details.


The data from the communication by the first PGP-providers started being used as evidence in (Dutch) courtrooms already 10 years ago. First it concerned the data from the service providers Ennetcom and PGPsafe, which were acquired by copying the servers used by these companies, respectively in Canada and Costa Rica. These providers used emailing and the data were stored on their servers, as well as the encryption keys, which made it possible to decrypt all the seized messages.

EncroChat and Sky ECC took a different approach. They made a communication system more user-friendly, by using chat instead of email, and more secure by not storing the content itself on the servers. There were differences among those systems as well: Sky ECC used a private encryption key per phone, EncroChat per message. Therefore, the data of Sky ECC could be acquired by using a wiretap on the servers from June 2019 (getting the end-to-end encrypted communication and metadata, as well as group chats which could already be decrypted by using the public encryption keys on the servers) and by using a hack to get the private encryption keys out of the individual phones. This wouldn’t have worked for EncroChat because of the more sophisticated way of encryption, but the investigatory authorities managed to get the data by using Trojan software which harvested the data within the individual devices, before the data were even encrypted, from April 2020 onwards.


In short, this is the process of acquiring the data, but before the authorities from the countries of the two separate Joint Investigation Teams – France and the Netherlands in case of EncroChat and France, the Netherlands and Belgium in case of Sky ECC – were (technically and strategically) ready to deploy these operations, it took a long run-up, starting already back in 2016, with a major role for the Dutch police department “Team High Tech Crime”. As said, I have to limit myself and will jump to the legal aspects.


The data of these operations were subsequently shared by France (and with the help of Europol) with other countries in various ways: “spontaneously” and “voluntarily”, via the previously mentioned Joint Investigation Team or by the usage of European Investigation Orders.


The big legal question is now, in all different jurisdictions where this evidence is brought into criminal proceedings: in what way should criminal (trial) judges test this evidence? A lot of judges, in different countries, already answered this question in the simplest way: “we don’t have to test it, we trust in France” – blindly, apparently…


For example, in the Netherlands we had some judges who asked preliminary questions of the Supreme Court back in 2022 on how far testing the legality of evidence from another (EU) country should go. Some other judges contributed to this question by asking how far testing the reliability should go. To be honest, as lawyers we were pretty confident about that last question being answered in line with our arguments: of course, trial judges should decide on the reliability of any evidence themselves. Things turned out differently... To our surprise – or even better: to our shock – the Dutch Supreme Court decided not only the legality has to be presumed until a final decision from the country of origin tells us otherwise, even the reliability must be presumed until there are indications for the contrary… It’s quite telling that such an explanation of the principle of mutual trust is also called “the principle of non-inquiry” in the academic world.


I will come back to this, to explain that this is the opposite of exercising a fair trial that enables the defendant to comment effectively on the incriminating evidence brought forward against him or her. And it is this that makes our letter of concern still as relevant as three years ago and probably even more, because of the case law and common practices after this letter, heading EncroChat and Sky ECC-cases in the completely wrong direction of ‘non-inquiry’ and (thus) depriving defendants from making effective use of their (procedural) rights.


Against this background of the right to a fair trial, I will discuss three aspects with you that are particularly important in EncroChat and Sky ECC-cases: there is a need to test effectively


- the legality of the EncroChat and Sky ECC-data,

- the reliability of that data and

- the evidential value of that data; especially to identify the user/ users of an individual account and to interpret the data in the light of the accusations by a prosecutor.


The (lack of) legality

First of all, the legality of the data. As said, the case law of the European Court of Human Rights makes clear that the bare minimum of any criminal trial, is that the trial judge tests whether the (incriminating) evidence is in accordance with fundamental human rights (as set out in section I of the European Convention on Human Rights, as well as in other Treaties/ sources of international law). I refer – again – to a decision like in the case of Belugin versus Russia. When applying this bare minimum, the case law of the Court is also indicating that the mere fact that the (incriminating) evidence was introduced by using legal instruments of the European Union shouldn’t prevent a (trial) judge from testing the evidence to human right standards, especially when a potential violation is brought forward by an individual defendant in a substantiated way: a grief sérieux et étayé, as the Court mentions in the case of Pirozzi versus Belgium.


So even in a legal order working closely together and trusting each other as in the European Union, the mutual trust is not absolute or the highest standard in the hierarchy of criminal proceedings; the right to a fair trial is!


It is at this point that I would refer also to the concerns expressed by scholars and academics, by quoting prof. dr. Bachmaier from the Madrid University:


It could be argued that the principle of non-inquiry is the expression of the mutual recognition principle, given that it is based on the premise that all national authorities comply with the law, also when gathering evidence. I do not aim here to put into question the professionalism and trustworthiness of the public authorities carrying out a criminal investigation and conducting investigative measures. However, the core issue remains that, despite the mutual trust between public authorities, the defence has still the right to check how the evidence has been gathered abroad, and it is the duty of any defence lawyer to ensure that this has been done in compliance with the procedural rules. This is how the adversarial procedure works, and this principle is to be respected regardless of whether the defence is confronted with evidence obtained in the forum State or in another EU Member State.


I think I could stop here, with this quote. This is it, spot on!


Still, I need to discuss something more with you, as the mutual trust is also for another reason not so relevant anymore. Because the Grand Chamber of the Court of Justice of the European Union has given a ruling on 30th of April 2024 in the case of “M.N.”, better known as the ‘EncroChat I’-decision in the case C-670/22, started by the Regional Court of Berlin by asking for preliminary questions.


The Court of Justice answered a lot of questions, among which questions about the meaning of article 31 of Directive 2014/41. First, the Court explains in this regard that the term ‘telecommunication’ has an autonomous meaning within the EU law and has to be understood in a broad sense. Therefore it not only covers interception (‘in the air’) – e.g. by wire-tapping the servers of Sky ECC – but also capturing data (from individual telecommunication devices) – e.g. by installing Trojan software as was done on all the individual EncroChat-handsets anywhere in the world.


Secondly, if investigatory powers are exercised which affect users in other countries (and the Court limits itself to EU Member States), these other countries have to be notified upfront/ as soon as possible by enabling the competent authority to judge whether this investigatory power would be allowed by (inter)national law in a similar domestic case. If that would be allowed, the authorities of another EU Member State can’t be refused to undertake these investigatory powers just because they are not the authorities of that specific Member State itself. However, when a judge concludes that in a similar domestic case the investigation of telecommunication would not be allowed, it would circumvent and even undermine effective legal protection of residents if other, foreign authorities would be allowed to do so anyway. If that’s the situation and we apply this to EncroChat or Sky ECC, the competent authority should order the French investigatory authorities to stop immediately with the wiretapping/ hacking, and evidence already gathered couldn’t be used in criminal trials.


In the case of EncroChat and Sky ECC we can establish as a fact: the French authorities didn’t notify the competent authority of a single EU Member State and France certainly didn’t enable the competent authorities to test the investigations as a similar domestic case. So that is a clear and irreparable infringement of EU law, in particular of article 31 Directive 2014/41. Nota bene, it must be noted that this provision is not just written in the interest of the sovereignty of the Member States (like the Dutch and German Supreme Courts argue), but also in the interests of all individual residents in the respective Member States, who should be able to count on the real enforcement of the applicable law in these Member States (see ECJ EncroChat I C-670/22, paragraph 124, 125).


Furthermore, ex post we must conclude that the reasons on which the French authorities relied and on which the wiretapping and hacking was justified, wouldn’t have been enough for justifying this in other countries.


For example, I give you the Dutch perspective again, but I know this is no different for a lot of other EU Member States:


- the EncroChat-hack was carried out based on information from a handful of criminal cases about soft drugs (cannabis), with just one having a suspicion about hard drugs (crack cocaine). Already because of the origin of this information (criminal case files) this would in no way be enough for assuming upfront that there is a reasonable suspicion against all tens of thousands of users of EncroChat (not involved in any criminal case file), for a criminal offense with a maximum penalty of at least eight years!

- the Sky ECC-operation was basically carried out by relying on the information that 9.000 Sky ECC-messages were found in another criminal case file as well (against another ‘PGP-service’). That information should be the proof that the people sending those messages were involved in committing crimes. Like in the situation of EncroChat, this would reasonably never have been enough to convince a Dutch judge upfront that all users of Sky ECC, sending billions of messages (half a million each 24 hours). By the way, also afterwards judges can’t find the proof of all users being criminals, even after extensive research (think about the acquittal of the EncroChat-resellers, by the Regional Court of Rotterdam, ECLI:NL:RBROT:2024:11351 and ECLI:NL:RBROT:2024:11353).


Nota bene, in both situations of EncroChat and Sky ECC not only these problems of proportionality arise. It is also the principle of subsidiarity that confronts us with a problem: it has been shown that there were other possibilities to set up an investigation against users of EncroChat or Sky ECC when there was in fact a reasonable suspicion, for example by getting anonymous or criminal intelligence reports, by using the metadata to identify these users and/or observe them to enrich such incriminating information. Hacking everybody wasn’t strictly necessary; it was just desired by the investigatory authorities for giving a golden opportunity by proactive surveillance instead of reactive investigating.


But maybe the most pure and simple example is Austria. The Austrian Supreme Court ruled that because of the fact that Austrian law doesn’t provide a legal basis for hacking at all, neither can a foreign authority be granted permission to deploy such investigatory powers. In that situation there is not even the need to do a ‘post facto’ (theoretical) review... Either way, in both situations (the Dutch and Austrian), the result will be the same: there is a violation of EU law with the effect that (digital) evidence from telecommunication services exists, while it shouldn’t!


In that situation it is up to the criminal law to restore justice; criminal law serves more goals than just restoring justice by punishing individual perpetrators, but also by binding the public authorities to the law.


It is then very interesting to see that the Court of Justice of the European Union also explains how that should be done, when there is a violation of EU law. In this regard, the Court refers to the principle of effectiveness. In essence the Court argues that when EU law is violated in the process of acquiring evidence and that evidence is “likely to have a preponderant influence on the findings of fact”, the national criminal court is obliged to exclude the evidence if the accused is not in the position to comment effectively on that information (especially when it concerns a field of which the judges have no knowledge).


That is exactly the situation in almost all EncroChat and Sky ECC-cases. The chat-data are the sole or at least decisive incriminating evidence, but it’s not possible to challenge the legality in France, where foreign defendants are declared inadmissible, nor to exercise defence rights about this operation – for example by questioning French police officers – in court rooms in the ‘forum’ countries of prosecution.


One Italian judge – I know of – did order the questioning of some French police officers involved, but the French bluntly refused to comply. Therefore, we can’t even ask whether the French deliberately omitted to notify the competent authorities of the other Member States, maybe even in consultation with other investigatory authorities. Regardless of what they would answer to such a question, the mere fact it is impossible to ask, poses a big procedural problem for us, a problem of an unfair trial.


The (lack of) reliability

But maybe even more important, when it comes down to ‘fact finding’: we can’t even ask questions on the circumstances in which the evidence is obtained and, thus, on the reliability!


This is a problem, because the case law of the Court of Justice of the European Union is very clear: it is in principle up to the trial judge to rule on the reliability (see ECJ EncroChat I C-670/22, paragraph 90) and the rule of mandatory exclusion of evidence acquired breaching EU law is in particular relevant when the evidence introduced concerns “a field of which the judges have no knowledge” (par. 226 and 227 of the decision in the case ‘La Quadrature du Net’, ECLI:EU:C:2020:791).


When it comes down to evaluating the reliability of digital evidence, it is without a doubt that I dare to say that this is such a field. And it is in conjunction with the case law of the European Court of Human Rights that we, as Dutch lawyers, were so confident we would win the reliability argument. After all, it is consistent case law of the European Court that incriminating evidence can be challenged by the defendant by testing “whether the circumstances in which the evidence is obtained cast doubt on the reliability” – not just if the circumstances in which the evidence is obtained cast doubt on the reliability, like the Dutch Supreme Court states, because in that case we already know enough and in dubio pro reo we shouldn’t use the evidence at all, to prevent wrongful convictions from happening. At this point I will just refer to the decision of the Grand Chamber of the European Court from 2009 in the case of Bykov versus Russia.


Therefore, it will be needed to be able to examine the digital chain of custody up to the point of the presentation of the EncroChat or Sky ECC-data in each case. The mere disclosing of the evidence to the defendant by presenting chats just in plain Excel-sheets, is in no way sufficient to enable the defendant to adequately assess the reliability of the data or to discover potential flaws.


In the Netherlands (and by now also other countries, like Italy and Germany) prosecutors tend to refer to two reports of the Dutch National Forensic Institute to show that the data are reliable and by referring to the ‘Avalanche effect’ – a principle that is based on the cryptography and basically comes down to the conclusion: if you can read the text, that is the proof of a correct decryption. But this is insufficient! There are way more potential flaws in the whole process of harvesting the data.


In specific cases it was shown that the EncroChat-data was incomplete and wrongfully attributed to a certain account. In a Dutch case, for example, an Excel-sheet contained two identical messages on the transfer of some amount of cash money and it was not before having a better (forensic) look at these messages that it was discovered that one of those was incorrect. One of the two messages was never sent but could have easily led to a – wrongful! – conviction for money-laundering for both identified users.


And also for Sky ECC-cases the point is not that a defendant could simply argue that the intercepted, but (end-to-end) encrypted data was decrypted incorrectly. The point is that the data is far from complete and, above all, in some cases attributed to the wrong account. The latter has even been shown in a report of the Dutch police, while they couldn’t find a good explanation for this error! The dangers of wrong usage/ misinterpretation, however, are obvious…


Thus, it will be necessary for every defendant, as part of his or her right to a fair trial, to be able to test at least – and I’m not aiming for a limitative listing – the completeness or the extent of the incompleteness of the data, the correctness of the attribution of the data to a certain account or in time/ place or even the correctness of the presentation in case files (in the past it was proved that even the receiver and sender have been reversed on an occasion).


Evidential value

I am emphasizing the importance of the foregoing because this can directly affect the most crucial question in a criminal procedure: what can, in fact, be concluded on basis of the case file? The two key questions are: who is the user or who are the users of a certain account and what can be derived from his or her communication?


The evaluation of evidence is, of course, up to national law practitioners. But what should be said from a technical and European perspective, is that for an effective defence on the identification of a client (as the user of an account), you should be granted access to the metadata, for example to know the (geo)location of a phone, to be able to provide an alibi for a client. But there are way more things that are important to know, like: data on servers, where the providers stored information on users/ accounts, used for commercial purposes for example (like subscription data, information on the reseller, data of the handset used, etc…). This data can be extremely exculpatory, just by showing that there was more than one user.


Unfortunately, because of the time, I can only introduce you to some basic (technical) aspects and I will round up with the conclusion that an effective defence is impossible without at least being able to get to know everything there is to know. In my view that is the essence of the principle of equality of arms, as one of the most important aspects of the right to a fair trial. In the context of evidence from encrypted messaging systems, this is explained clearly by the Grand Chamber of the European Court of Human Rights in the case of Yalçinkaya against Turkey.


The same will apply for the second key question: how do we have to interpret the communication? Even when the communication is attributed to the right person and right time/ place: without knowing how incomplete the communication is, it’s impossible to answer this last question properly. For example, what if chats are missing between third parties who talked about keeping out another suspect/ client to have higher profits themselves? Or what about chats that are missing which indicate towards voluntary withdrawing from the intention and preparation of certain crimes (for whatever reason) by a client? How can a defendant be required to tell this him- or herself without breaking the principle of nemo tenetur and, if a defendant will tell this, how can that claim be proven and, thus, believed by a judge when the chats are missing?


And what to do if this proof can come from other persons involved in the (group) chats, for example by questioning them as witnesses, but any information needed to summon them as witness(es) is just not disclosed by the investigatory or prosecuting authorities? There is not even a proper list available with all the accounts identified by the police, not even within a small country as the Netherlands…


On this point I will conclude by giving you a simple example. It was in a case pending before the Court of Appeal in Amsterdam that I managed to obtain the complete dataset (in Excel-sheets) of the account attributed to my client and of all of his counterparts. The night before the final hearing I was going through all these Excel-sheets, among other things to get more information about the alleged transfer of one kilogram of cocaine between my client and a third person. It was – of course – in the last chat of over 50 accounts that I discovered a chat between two Albanian guys in the Albanian language which showed, after translating, that the planned meeting for handing over one kilogram of cocaine in Amsterdam, never actually happened for a trivial reason. However, if this information wouldn’t have been available, there could have just as easily followed a conviction for the possession of and trading in one kilogram of cocaine… Mind you, not getting the communication of all persons involved in an alleged crime, is still the premise in every EncroChat and Sky ECC-case in the Netherlands. And even after asking/ begging for it, most of the times it will be refused by the judge! When this is already hard, you all can imagine the average response of judges when questioning the legality and reliability…


Conclusion

As I said, all the foregoing is just the tip of the iceberg, so if you want to know more about specific details, don’t hesitate to get in touch with me. But it is at least with these reasons that I wanted to clarify to you why I think that the right to a fair trial is still under big pressure in cases all over Europe, which rely (in a decisive manner) on data deriving from EncroChat and/or Sky ECC.


I will keep arguing that although our letter of concern is dated already three years ago, it is even more relevant than back then, because a lot of judges by now made up their mind in an irreversible way. It's no surprise this results in most of my (Dutch) colleagues stopping fighting this type of evidence.


Nevertheless, I think that you are the audience by excellence to call on to keep on fighting for a fair trial in all cases, as the core task of every criminal defence lawyer: in cases against persons who obviously deserve help because of their vulnerable position, as well as in cases against persons seen as threatening the rule of law as being part of organized crime or even being called ‘terrorists’. After all, the real threat for the rule of law isn’t an individual not abiding the law, because with criminal proceedings the society is equipped to deal with individuals breaking the law. The real threat for the rule of law is the government not respecting the (rules of) law.

