Police cracks cryptophones in Operation Sky: could this happen to my smartphone as well?

Operation Sky: the background

The newspapers have recently been actively reporting on Operation Sky, the large-scale action, during which, the Dutch and Belgian police cracked the encrypted chat service Sky ECC, which was thought to be impenetrable. The chat service was only available via smartphones specifically designed for that purpose. Sky ECC advertised itself as the ultimate service for people who require maximum privacy.

Cryptochat populair among criminals

That maximum privacy came with a very hefty price tag and it was already clear in 2016-2017 that the service was very popular with criminals in the drug world to hide their mutual communications from the police. The investigation into Sky ECC started in mid-2018 after the Antwerp police seized yet another batch of cryptophones.

Although the investigation made progress here and there, the police would have to wait until the end of 2020 before they could actually decrypt intercepted messages and thus read along with the criminals. Because the flow of messages was so large, artificial intelligence had to be used to filter and manage the messages. That presented another problem, because criminals use alternative words to indicate certain persons, objects and actions, which may or may not closely resemble the official word in Dutch or English. To exacerbate things, sometimes multiple words were used for the same thing. For the artificial intelligence to find the relevant entries in the messages, the jargon first had be discovered and mapped. Only once that had been done could the police state to coordinate the physical action. Because of all the hurdles along the way, it takes until 9 March 2021 before the police comes into action, raiding more than two hundred addresses in Belgium on the basis of the evidence obtained from the Sky ECC chat service.

What to do with data that was not yet relied on during the police action?

Following the action, the police is now faced a difficult choice: what to do with all the messages that have not yet been decrypted or not yet used as evidence because the artificial intelligence had not identified them as relevant based on the search terms used by the detectives? The volume of messages is gigantic and processing all of them would take an enormous amount of time.

Another concern is the fact that Sky ECC must also have had legitimate users whose privacy was possibly violated and could be further violated by continued investigation, although it is possible for legitimate users to report to the Belgian police so that their data can, as far as possible, be excluded from further investigation.

Privacy and smartphones

While this police action was clearly a great success, it also raises questions among many people about the protection of their privacy when using their smartphones, which are almost by definition less protected than Sky ECC's cryptophones. In addition to that lesser protection, the average smartphone also contains a particularly large amount of sensitive information about the user of the device and others with whom this person communicates (family, friends, acquaintances, colleagues). Sky ECC was a textbook example of a service that was suspicious in itself and had a very limited number of users who presumably used the service almost exclusively for criminal purposes. With an ordinary smartphone, however, the situation is different.

Nevertheless, ordinary smartphones are also used on a daily basis to facilitate crime and are thus targeted by police as evidence. Moreover, not every criminal is organized and so many use the same smartphone and the same accounts for both their criminal and their legitimate behaviour. That is problematic because it means that the average smartphone contains not only information regarding those criminal communications but also a lot of innocent data, including data from/about persons other than the suspect, such as e.g. messages and photos of family and friends, which could end up being targeted by the criminal investigation as well.

Privacy concerns not only the user

Thus, it is not only the privacy of the suspect that is at risk, but also the privacy of everyone with whom the suspect has been in contact. The police must therefore always weigh up its legitimate interest in prosecuting criminal conduct against the privacy and other fundamental rights of those involved. Some interference with the privacy of the suspect is of course unavoidable but there is no reason to process purely personal and irrelevant information available on the smartphone during the investigation. The balance in this is not always easy, as the police also have the task of conducting sufficiently broad investigations so that they do not miss certain elements, either indicating the suspect’s innocence or guilt, leading to a wrongful conviction or acquittal.

Smartphone as legal evidence

Moreover, it is not only the smartphone of a suspect that is often relevant to the investigation. The smartphones of witnesses and victims are increasingly used as evidence in criminal investigations as well. This is logical because those smartphones often contain a lot of important information to link the suspect to the crime. Measures can also be taken in relation to a smartphone for which the police have indications that the smartphone is in the possession of a person of relevance to the crime, but errors can occur (e.g. the smartphone was used by the suspect before but is now in the possession of an innocent person in his/her household) and hence the police must be mindful when gathering and processing information on a smartphone. If you imagine how much information the average smartphone contains and what can be deduced from that, not only about the owner or user of the device, but potentially also about family, friends, acquaintances, professional contacts, etc. then it is quite clear that the unnecessary processing of that data constitutes a serious invasion of the privacy of those involved.

In all the above cases, the police must therefore ensure that there is no excessive interference with the privacy of all those involved. The assessment of what constitutes excessive interference does vary, depending on the 'status' of the person involved and the crime at issue. The suspect in particular will logically have to tolerate more interference. Moreover, in the event of excessive interference, it is not only the privacy of those involved that may be at risk. The excessive processing of data on the smartphone could also lead to so-called 'fishing expeditions', where the police indiscriminately look for information on the smartphone that could be an indication of criminal behaviour without any trace or clue justifying that line of enquiry, acting completely outside the context of the ongoing investigation.

What does the law say?

Fortunately, the law provides certain safeguards to protect the confidentiality of any smartphone, and these are just the same for a particularly well-protected service like Sky ECC as they are for an ordinary smartphone. Interception of messages and communications and other secret measures is subject to strict conditions in any case and, in Belgium, must be authorized by the investigating judge. The reading or cracking of a smartphone by the police is also subject to conditions, which differ depending on whether the smartphone has already been seized (e.g. after a search) or not (e.g. during an interrogation or at the scene of the crime). Moreover, when reading a smartphone is possible, a separate mandate must exist to access information that is not on the memory of the device itself, but is accessible through the device, a so-called network search. This must be authorized by the investigating judge. In addition, general principles of privacy and proportionality still apply even when there is a legal basis that justifies the interference in principle, so that it does not become excessive.

The police can use tools that make it technically possible to crack a smartphone, read it and decode and analyse the data found on it. When the smartphone is physically in the possession of the investigators we speak of mobile forensic tools. What is possible depends on the type of smartphone and the available technology. So can the police crack your smartphone? Yes, possibly, but not without a good reason.

The FORMOBILE project

As part of the FORMOBILE project, Timelex investigated the legislation in all EU countries on cracking and reading smartphones and other mobile devices. This of course includes decrypting and analysing data found on these devices (including through artificial intelligence) to serve as evidence in criminal investigations. The research mainly focused on mobile forensic tools, where it is assumed that the smartphone is in the possession of the police (whether or not seized). Nevertheless, other relevant topics discussed in this blog post also were covered in the research, such as the conditions for taking covert measures, e.g. for intercepting messages.

The aim of the study was to identify the legal conditions for the use of such tools by the police and the restrictions and safeguards provided by law, in particular to protect the user/owner of the device and other persons involved. This included consideration of the 'status' of the data subject, in particular the difference in treatment between the suspect(s) and witnesses or victims. Also relevant was the covert or open nature of the police actions, and for open actions, whether a smartphone had already been seized or not was also taken into account.

Want to know more?

If you want to know more about the legal situation in Belgium, in the EU or in any other specific EU country, go to theFORMOBILE project. If you scroll down on that page you will find all the national reports, as well as the general EU-wide report.

Do you have a specific question or would you like support in this matter? We are happy to help. In that case, please contact a Timelex attorney.