The future of data-driven investigations in light of the Sky ECC operation

Start of the investigation

Already in 2015, Dutch and French law enforcement authorities found in multiple criminal investigations that individuals engaged in plotting and committing serious crime were using Sky ECC phones. After some years, they decided to start a criminal investigation to gain more insight in criminal organisations in which individuals used these cryptophones.

In 2018, Belgian law enforcement authorities started an investigation into the Sky ECC phones they increasingly encountered during drug investigations. An investigation was initially launched against Sky ECC for their membership of a criminal organisation because their services were actively aimed at thwarting law enforcement authorities. ⁸ Later, it became clear that probably the actual goal, and most certainly the result, of the operation was not to prosecute the individuals behind Sky ECC itself, but to obtain insight in the criminal activities carried out in Belgium and beyond and to prosecute individuals operating from Belgium and neighbouring countries. ⁹

Around the same time, Dutch and French law enforcement officials also found that servers facilitating these encrypted communications were located at the hosting service provider ‘OVH’ in Roubaix, France. Subsequently, Dutch law enforcement authorities issued European Investigation Orders (EIOs) to France on 6 December 2018. They requested French law enforcement authorities to create an image of the Sky ECC servers. The goal of the EIOs was to reveal the technical setup of the servers and prepare for further investigation by use of wiretapping and the decryption of data. Belgium independently sent a similar EIO to France on 21 November 2018.

The French authorities executed the EIO’s and gained access to the IT infrastructure of the Sky ECC servers, allowing them to conduct a preliminary investigation. As a result of this investigation, on 13 February 2019, the French prosecutor at the Lille court initiated a formal investigation into Sky ECC. As part of this investigation, on 14 June 2019, the prosecutor sought and obtained permission from the French court to intercept, record, and transcribe communications passing through the Sky ECC servers.

On 24-26 June 2019, the IP traffic at two servers at OVH was wiretapped by French law enforcement authorities (the main server and a back-up server). Dutch law enforcement authorities obtained access to the intercepted data on 11 July 2019. This was later formalised in a second EIO and a “notice of transfer” was issued on 20 August 2019, showing that the data collected by the IP taps had been transferred to two public prosecutors of the Rotterdam Public Prosecution Service and to the Belgian authorities under Article 26 of the Cybercrime Convention and Article 7 of the European Convention on Mutual Assistance in Criminal Matters. The magistrate judge of the Lille District Court initiated the transfer of data, requesting the findings to be fed back to France.

Most of the ‘IP wiretap data’ from this brief interception period in June 2019 was encrypted. Some data, however, was not encrypted. Notably, in July 2019, law enforcement officials were able to identify subject lines of some group calls and the Sky ECC IDs of the participants in these group calls.

Interception of Sky ECC messages

On 1 November 2019, Dutch, Belgian, and French law enforcement authorities formally agreed to create a ‘Joint Investigation Team’ (hereinafter: JIT). The agreement was signed on 13 December 2019. The goal of the JIT was twofold: gathering evidence about the criminal activities of Sky Global and its users, and sharing technical knowhow and resources among participating authorities.

The signing law enforcement authorities agreed to share the intercepted data at OVH in France with all JIT partners in order to identify those responsible, get an idea of the IT infrastructure behind Sky ECC, take it down, and prove whether or not Sky ECC is a criminal product, consisting of the facilitating of criminal offences. Moreover, the partners agreed on the use of the intercepted data. It was explicitly mentioned that they could analyse the raw data that could contain information in order to support ongoing or launch new criminal investigations into other criminals or criminal groups. The JIT agreement was initially concluded for a term of one year, but was later extended until 13 December 2021. ¹⁰

Dutch technicians then developed a technique to copy the random access memory (RAM) of one of the Sky ECC servers without causing them to go offline. Subsequently, the Netherlands developed a so-called ‘Man In The Middle technique’ (MITM technique), which enabled the decryption of message traffic. According to Dutch case law, this technique was jointly developed and refined by the JIT partners. ¹¹ The aim was to obtain encryption keys and/or passwords to decrypt the connection between devices and Sky ECC servers and to forensically analyse the Sky ECC servers later. This decryption technique was then shared with French law enforcement authorities, who needed a special permit to use it. The permit was granted by a committee established to consider the right to privacy and confidentiality of postal correspondence in accordance with article R.226-2 of the French Code Pénal.

A French judge then authorised the interception from 18 December 2020 until presumably approximately 9 March 2021, the date law enforcement authorities made the Sky ECC operation public. On this ‘action day’, a large number of arrests were made, and numerous house searches and seizures were conducted, in Belgium and the Netherlands. ¹² According to Belgian law enforcement officials, 1 billion (!) messages were intercepted and shared with the JIT partners. ¹³ At least 500 million messages of this ‘bulk interception’ were decrypted within the first month. ¹⁴ We believe that these messages represent a treasure trove or “jackpot” for law enforcement authorities, due to the potential evidence of crimes and intelligence that can be derived from them. Law enforcement officials have made similar statements in interviews. ¹⁵

Belgian authorities stated on 9 March 2023, that the Sky ECC operation led to a total of 526 cases against 2,961 suspects. Sentences have already been imposed in 344 individual cases and almost €110 million in criminal money has been seized. ¹⁶ The Sky ECC operation also led to over 250 judgements in the Netherlands, and a sentence was imposed in 170 individual cases. ¹⁷

Analysing Sky ECC messages

After the interception, the collected data must be analysed and then actually used as evidence in criminal investigations. To this end, law enforcement authorities have a system in place to store and analyse the intercepted data. The system, called ‘Hansken’, is a forensic platform developed by the Dutch National Forensic Institute (NFI).

Hansken can store, extract, and process data using ‘dozens’ of forensic tools. The system is designed to process large volumes of structured and unstructured data from various sources, searching for data and correlations that can provide insights to make informed decisions. ¹⁸ The Hansken system has been used in over 1,000 criminal cases in the Netherlands. ¹⁹

In Dutch case law, court judgments frequently cite the content of messages linked to suspects’ Sky-IDs. ²⁰ These messages often refer to particular drugs. Analysts utilising the Hansken system employ “topic lists” to effectively search for pertinent messages using specialised keywords, including slang terms related to drug trafficking and homicide. ²¹

A judgment from the Lower Court of The Hague’ provides a compelling illustration of how messages were identified and connected to the suspect. ²² The court highlights the automated analysis and classification of chats among Sky ECC users. Specifically, within the “cocaine” category, keywords such as ‘cocaine’,’ ‘port’, the name of a specific place (such as Rotterdam), ‘airco’ (referring to an air conditioner), ‘get out’ (to get drugs out), and ‘eye’ produced relevant matches. These matches revealed messages originating from distinct users of Sky ECC phones. After public prosecutors approved the investigation, the dataset of messages and metadata was made available to the investigation of the suspect in the present investigation. These messages were then used as evidence that contributed to the conviction of these suspects. In the present case, the judges were convinced that these messages could be attributed to the suspect, based on location data, testimonials of the suspect and family, and linking specific dates and times to activities of the suspect. They were punished for drug trafficking and other crimes and sentenced to five years of imprisonment.

Furthermore, the Dutch NFI confirms they make use of algorithms and artificial intelligence (AI) to analyse large volumes of data. For example, object recognition techniques are used to identify items such as ship containers, banking cards, weapons, and drugs. Additionally, the NFI is able to automatically extract text from images for subsequent examination. ²³ It is worth noting that the NFI explicitly acknowledges that outcomes following the application of algorithms or AI are not 100% reliable. ²⁴ For example, a false positive may occur when object or text recognition techniques are used.

In Belgium, there is no case law available with considerations about the way data from the Sky ECC operation is analysed. However, the Belgian minister of Justice is quoted in a press release, explaining that

“[i]n order to mine the hundreds of millions of messages, we used artificial intelligence and machine learning to filter word combinations with criminal content. With this technique, we are currently moving to a second phase, which is to parse English and Albanian communications. Both languages are frequently used in the intercepted messages. Next, we will develop an algorithm that traces dubious money flows, for example with crypto coins. This new form of data-driven investigation is a powerful tool for our investigators. We want to exploit this to the maximum.” ²⁵

The concept of data-driven investigations

The concept of data-driven investigations was developed by Dutch law enforcement officials involved in combatting cybercrime. ²⁶ The work process for law enforcement authorities originated from a need to build a better information position by pooling digital traces and structuring data. In this way, information gathered in criminal investigations can also be used in other investigations. The data – typically called ‘intelligence’ – can also be used to gain insight into cybercrime phenomena and contribute to the development of new methods and means in tackling and stopping cybercrime. ²⁷

Data-driven investigations consist of four steps:

1. ‘Collect’, in which not only evidence from previous operations is used, but also newly acquired ‘strategic data sets’ are acquired in a criminal investigation;

The first step of data collection typically involves the exercise of investigative powers, such as wiretapping, akin to the Sky ECC operation. A notable instance where substantial datasets were acquired is the Silk Road operation, where law enforcement obtained an image of a server. The copy was then shared by the Federal Bureau of Investigation (FBI) and Europol with other law enforcement authorities. ²⁹ Another example is the EncroChat operation, which resulted in the collection of approximately 300 million messages. ³⁰ And recently, in May 2023, Europol revealed ‘Operation SpecTor’, following the seizure of servers of the marketplace Monopoly Market in December 2021, essentially describing a data-driven operation:

“Europol has been compiling intelligence packages based on troves of evidence provided by German authorities, who successfully seized the marketplace’s criminal infrastructure in December 2021. These target packages, created by cross-matching and analysing the collected data and evidence, served as the basis for hundreds of national investigations. (…) As law enforcement authorities gained access to the vendors’ extensive buyer lists, thousands of customers across the globe are now at risk of prosecution as well.” ³¹

The second step of storage and third step of Analysis were already described earlier, using the Hansken platform as an example.

The fourth step of engagement is the step in which law enforcement authorities take specific interventions based on intelligence. The intervention may be a criminal investigation. For example, Europol states in another press release: “An intelligence packaged produced by Europol based on information from the SKY ECC operation allowed the identification of the structure, activities and international connections of the criminal network. This intelligence report triggered the current investigation.” ³²

Note that these interventions do not necessarily involve launching a criminal investigation or prosecuting a specific suspect. For example, law enforcement authorities could decide to warn (mostly young) offenders by knocking on their doors (‘knock-and-talks’) or publishing nicknames of suspects to send them a message and attempt to halt their illegal activities. ³³

Grey infrastructures

The fact that law enforcement authorities increasingly carry out data-driven investigations is closely linked to the emergence of ‘grey infrastructures’, such as Sky ECC, that render the use of traditional investigative methods more difficult.

A grey infrastructure is a service that is often located in a country with strong privacy laws or a history of not cooperating with law enforcement authorities, and thus often used by (cyber)criminals. Examples are bulletproof hosting providers, cryptocurrency exchanges, and Virtual Private Network Services. ³⁴ These companies offer services that are used both for legal purposes and for committing and shielding crime. ³⁵

In its “Internet Organised Crime Threat Report 2021”, Europol mentions for the first time that EncroChat cryptophones are an example of a service that offers a grey infrastructure. It also states that “[a]lthough not all users of such services are necessarily criminals, the level of criminality associated with such services is often so high that national law enforcement agencies, after finding enough evidence of criminal abuse, could consider them to be criminal enterprise”. ³⁶

While some countries intend to criminalise the use of cryptophones, ³⁷ developing secure and privacy-friendly software is currently not prohibited. On the contrary, Article 25(1) of the General Data Protection Regulation (GDPR) requires controllers ³⁸ to incorporate appropriate technical and organisational measures from the software design stage onwards, to ensure and demonstrate compliance with data protection principles. By integrating privacy-friendly features into their messaging applications, cryptophone providers effectively fulfil this obligation. ³⁹ Nevertheless, cryptophone networks and services could be considered as grey infrastructures due to their prevalent use by criminals and criminal organisations.

Moreover, the way grey infrastructures operate renders the use of traditional investigative methods, such as wiretapping and data production orders, ineffective. This forces law enforcement to resort to more intrusive investigative methods. With regard to Sky ECC, the company made use of a private Access Point Name (which is the gateway between a smartphone and another network) that connected the Sky ECC phones directly to the Sky ECC network. As a result, private data sessions were established through regular transmission towers without, however, being susceptible to regular interception by law enforcement authorities. ⁴⁰ Law enforcement authorities consequently proceeded to another way of intercepting the communications, notably in bulk and using sophisticated decryption techniques. The details of the decryption technique and interception used are not entirely known at the time of writing (September 2023).

A slippery slope for law enforcement activities?

Data-driven criminal investigations targeting grey infrastructures such as Sky ECC can be a slippery slope for two reasons: the ‘mixed bag’ of law enforcement purposes and an unclear threshold to be considered a grey infrastructure.

First, operations such as Sky ECC often involve a ‘mixed bag’ of law enforcement purposes, because they pursue different objectives. Collecting evidence of crimes is often only of them. The Sky ECC operation, for instance, yielded valuable intelligence on the modus operandi of organised crime, particularly drug-related activities, and to some extent disrupted criminals’ communication about their illicit activities, until they moved to a different communication service. It may also have created uncertainty among individuals as to whether they are under suspicion by law enforcement authorities.

Consequently, some authors have called for a broader discussion about the role of law enforcement authorities in today’s fight against crime. Should the scope of their responsibilities be limited to investigation and prosecution, or could investigative resources be deployed for countermeasures, when it is clear from the start of an investigation that an actual prosecution is less feasible? ⁴¹ For example, is it allowed to take down an entire darknet market without initiating any investigation into the crimes committed by administrators or vendors? While some authors argue that such takedowns can be secondary objectives, the permissibility depends on the specific national laws. ⁴² Additionally, we wonder whether the primary objective of the Sky ECC operation should be considered the acquisition of intelligence, which drives subsequent criminal investigations, instead of gathering evidence in a criminal investigation. ⁴³ It goes without saying that the main objective cannot be a fishing expedition. This may be the case when the data secured during an investigation is not sufficiently related to the investigation at hand.

Second, the threshold for law enforcement authorities to consider a service provider a ‘grey infrastructure’ is unclear. It was argued by Belgian authorities that Sky ECC was almost exclusively used for criminal purposes, justifying the broad scope of the interception. ⁴⁴ In the operation regarding Ennetcom phones, the Dutch Public Prosecution Service submitted that – out of 458 conversations analysed – 78.4% (359) were found to contain topics related to criminal activities. These were identified by keywords, such as slang use for drug trafficking. ⁴⁵ From a human rights perspective, this is problematic because communication of non-criminals will be intercepted as well. As the threshold for considering an infrastructure ‘grey’ is lowered, there is a risk that data-driven operations slip into a fishing expedition, which is prohibited by the ECHR.

We could ask ourselves whether it is it possible that law enforcement authorities will one day hack or bulk intercept data from (parts of) the IT infrastructure of services like Signal or Telegram. Clearly, these applications host, for example, designated group chats or ‘channels’ focusing on drug trafficking. ⁴⁶ Although cryptophones are very different in nature from regular smartphones with encrypted communication applications, we do not consider this an unthinkable scenario.

This leads us to the question how legitimate users of grey infrastructures are protected, when those infrastructures are targeted in data-driven criminal investigations. This topic has not yet received much attention. ⁴⁷ It appears that legitimate users are offered no or only very limited legal protection so far. For instance, from a human rights perspective, it was rather worrying that all legitimate Sky ECC users were asked to come forward at some point during the investigation. ⁴⁸ For them, it may have been unclear what law enforcement authorities would do with this knowledge. Would their data be first checked and then filtered out? Should lawyers be obliged to hand over their Sky-ID to filter out privileged communications? We do not answer these questions in this article, but they are in our view worth examining.

Interferences

The right to respect for correspondence within the meaning of Article 8 § 1 ECHR aims to protect the confidentiality of communications. This covers the contents of the actual messages sent, but also information relating to such messages (traffic data, such as the date, time, duration, and telecommunications numbers). ⁴⁹ It is clear people could communicate with Sky ECC using different apps, such as apps for e-mail, chats, and voicemail. Intercepting this data therefore amounts to an interference with the right to privacy and more particularly the right to respect for correspondence. The ECtHR has consistently regarded the interception of communications as a serious interference with the right to respect for private life and the right to respect for correspondence. ⁵⁰

Certain public prosecutors assert that devices like Sky ECC phones are distinct from regular smartphones, because they are primarily used to facilitate criminal activities rather than for legitimate business and personal purposes. As a result, they argue that the interception of communications through a cryptophone should be considered a minor infringement. ⁵¹ We firmly disagree with this reasoning, as the extent to which communications are related to criminal matters should not dictate the severity of the interference. What truly matters is that law enforcement authorities covertly intercept private communications between individuals and that this amounts to a serious interference with the right to respect for private life and the right to respect for correspondence. This interference is serious in nature, even when it relates to a single cryptophone. Moreover, given the very large amount of collected communication data (‘bulk’) (in this case, approximately 500 million messages), the interference with Article 8 ECHR is evidently serious in nature. ⁵²

Previous case law of the ECtHR has also dealt with bulk interception of communications. Early case law concerned bulk interception (“secret surveillance”) of landline phones. ⁵³ Following technological developments, it then concerned bulk interception of mobile phones, including internet traffic. ⁵⁴ Most recently, in the landmark cases of Big Brother Watch v. The United Kingdom ⁵⁵ and Centrum för Rättvisa v. Sweden, ⁵⁶ the ECtHR addressed modern-day bulk interception of communications carried out by intelligence services.

In Big Brother Watch and Centrum för Rättvisa, the ECtHR considers that an interference with Article 8 ECHR takes place not only during the interception, but during each and every phase in which intercepted communications are processed, i.e., from the collection phase, through the analysis phase, to the actual use of the data in a criminal investigation and sharing the data with other law enforcement authorities. The Strasbourg Court finds the analysis of intercepted communications particularly infringing. ⁵⁷

Minimum safeguards

An interference with the right to privacy can only be justified if the conditions set out in the second paragraph of Article 8 ECHR are satisfied. Thus, the interference must be “in accordance with the law”, pursue one or more “legitimate aims” and be “necessary in a democratic society” to achieve those aims. As part of the legality requirement, the ECtHR often sets out criteria or “minimum safeguards” to which Member States must adhere to avoid abuses of power.

Before applying the safeguards from existing ECtHR case law to the situation of data-driven criminal investigations, we point out that bulk interception in the context of intelligence services is different from bulk interception in a law enforcement context as carried out in the Sky ECC operation. ⁵⁸ There are two reasons for this. First, the aim to collect data is different. Intelligence and security services usually perform bulk interception for the purpose of foreign intelligence gathering, or the early detection and investigation of cyberattacks, counter-espionage, and counter-terrorism. ⁵⁹ In the context of bulk interception in the Sky ECC operation, the purpose is to combat and investigate crime. Second, bulk interception in an intelligence context is generally directed at international communications focusing on monitoring communications of persons or organisations outside the State’s territorial jurisdiction. ⁶⁰ In the Sky ECC operation, network traffic was intercepted from specific servers used by Sky ECC Global at a single internet service provider in France. This interception is more targeted compared to bulk interception in an intelligence context.

However, given the overall similarity to bulk interception, the ECtHR will probably require the same safeguards for Member States. ⁶¹ States and their institutions, such as the Public Prosecution Service and the judiciary, should also realise that in criminal cases, defence attorneys may refer to this case law and demand that States respect these minimum safeguards.

In Big Brother Watch and Centrum för Rättvisa, the ECtHR stated it will examine whether the domestic legal framework of the State in question clearly defined the following eight minimum safeguards:

1. the grounds on which bulk interception may be authorised;

We find it particularly noteworthy that the minimum safeguards do not only focus on the collection phase, but require safeguards during all phases, including the (further) processing of data. ⁶³ Obviously, only a warrant provided by a judge or independent authority to justify bulk interception of communications is not enough. With these minimum safeguards, the ECtHR makes clear that throughout the phases of bulk data investigations, principles of data protection regulations apply, such as those mentioned in no. 6: the limits on the duration of interception, the storage of intercept material, and the circumstances in which such material must be erased and destroyed. Here, the ECtHR clearly establishes a connection between criminal procedural law and data protection law.

In order to minimise the risk of the bulk interception power being abused, the ECtHR emphasises the need for ‘end-to-end safeguards’. This entails the following key elements: (a) a necessity and proportionality assessment should be made at each stage of the process; (b) bulk interception should be subject to independent authorisation at the outset, when the object and scope of the operation are being defined; and (c) the operation should be subject to supervision and independent ex post facto review. ⁶⁴ The ECtHR references the report of the Venice Commission, which similarly highlighted the importance of authorisation and oversight in bulk interception regimes. ⁶⁵

Application to the interception of Sky ECC communications

In the Sky ECC operation, it is clear that an ex ante (judicial) authorisation from a French judge to intercept the communications in bulk was available. As explained earlier, Dutch, Belgian, and French law enforcement agencies cooperated and prepared the operation well, intercepting data from Sky ECC in steps. In the first stage, French law enforcement authorities obtained a warrant to intercept data for a limited amount of time and transfer data to other States in order to find a technical solution to decrypt the network traffic. A decryption technique developed by Dutch law enforcement authorities was then shared with French law enforcement authorities, who required a special permit to use it, which was granted by the appropriate committee. ⁶⁶ A French judge then subsequently authorised the bulk interception for a much longer period of time. In sum, a test on necessity and proportionality took place in the collection phase of the Sky ECC operation and was approved by Belgian courts. ⁶⁷

In the Netherlands, the Dutch Supreme Court ruled that the principle of mutual trust between States applies in the Sky ECC operation. First, this means that decisions by French authorities that form the basis for investigations conducted in France, must be respected by the Dutch courts in Dutch criminal proceedings. It should, therefore, be assumed that the relevant investigations by French law enforcement authorities have been conducted lawfully. ⁶⁸ Second, the Dutch criminal courts must assume that the investigation abroad was conducted in such a way that its results can be relied on. The Dutch courts are obliged to give further consideration to the reliability of the results only when there are specific indications to the contrary. ⁶⁹ The same applies if the investigation was conducted by a JIT. ⁷⁰

Application to the analysis of Sky ECC communications

Tension may arise in respecting the safeguards by law enforcement authorities that relate to processing data after the collection phase. ⁷¹ As explained earlier, the ECtHR finds the analysis of intercepted communications particularly infringing. ⁷² We question whether law enforcement authorities have proper procedures in place for selecting, examining, and using intercept material; whether they have clear limits on the duration of interception, the storage of intercepted material, and the circumstances in which such material must be erased and destroyed; and whether they have proper procedures for independent and effective ex post facto review.

First, when it comes to creating subsets in the initially obtained data set, one could argue that a judicial warrant or a warrant by an independent authority should be obtained to further investigate these subsets for law enforcement purposes. In a typical bulk interception regime, ‘selectors’, such as an e-mail address of a target, are utilised to identify and store relevant communications. The data can then be examined by an analyst. ⁷³ To determine the necessity and proportionality to select the data, a warrant should indicate the categories of selectors to be employed that relate to a target, such as an individual or a group of individuals. ⁷⁴ In our view, a judicial warrant each time a subset is created, would be an important safeguard, because it requires a test on the necessity and proportionality to further analyse the data. ⁷⁵ A judge could also provide additional safeguards in a warrant, such as special obligations to filter out privileged communications. We point out this is certainly not the case in Belgium, where the investigative judge – in line with criminal procedural rules – has transferred all the obtained data to the public prosecutor’s office that decides on launching new criminal files.

Second, the Law Enforcement Directive determines that data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. ⁷⁶ However, it remains unclear for how long the initial data set is kept, especially with regard to data that is not used as evidence in a specific criminal case. Therefore, we wonder whether these data protection regulations are respected by the authorities analysing the Sky ECC data.

Third, with respect to safeguards relating to data protection regulations by law enforcement authorities, we find it worrying that it is not clear to what extent these safeguards are effectively enforced by data protection authorities. In the Netherlands, the Dutch data protection authority did not investigate any of the cryptophone operations in the Netherlands (or at least so far not publicly). Many Dutch legal scholars are also critical about the effectiveness of oversight by the Dutch data protection authority on compliance with data protection law. ⁷⁷

In Belgium, an independent supervisory authority, the Supervisory Body for Police Information, is entrusted with monitoring the compliance of data protection rules by all Belgian law enforcement authorities. ⁷⁸ As far as we know, no investigation into the Sky ECC data collection and further processing has been launched so far. This is not surprising, as despite its broad legal mandate, the Supervisory Body cannot possibly investigate all data processing by law enforcement authorities because of its limited staff of ten persons.

Taking into account the safeguards stemming from data protection regulations, we wonder whether, for example, maximum retention periods are available for the data acquired in the Sky ECC operation. When data protection authorities or independent supervisory bodies will look into whether States have clear limits on the duration, storage, and erasure of interception material, we are not confident that the further processing and use of data collected during data-driven investigations will pass this ECtHR test. We emphasise again that a warrant to collect the data is not enough to respect the standards set in ECHR case law: certain principles of data protection law must also be respected, such as procedures for selecting and examining the stored material, and independent and effective oversight. In this respect, criminal procedural law and data protection law are connected with each other.

Transparency

As part of the equality of arms and an adversarial trial, both prosecution and defence must be given the opportunity to have knowledge of and comment on the observations filed and the evidence adduced by the other party. ⁸¹ Therefore, when the public prosecutor submits evidence in a criminal trial, the defence should have to opportunity to have knowledge and ask questions about the evidence obtained. This relates to the disclosure of prosecutorial evidence.

The question how evidence is obtained can be important for the defence to test the reliability of evidence and to test whether the right to privacy has been respected. The right to the full disclosure of prosecutorial evidence starts at the early stages of a criminal process, when the accused is to have adequate access to the investigation file. ⁸²

The ECtHR emphasises that the disclosure of all relevant evidence is not an absolute right. ⁸³ In any criminal proceedings there may be competing interests against disclosure. ⁸⁴ In some cases, it may be necessary to withhold certain evidence from the defence in order to preserve the fundamental rights of other individuals or to safeguard an important public interest, such as national security or the need to protect witnesses at risk of reprisals, or to keep police methods of criminal investigation a secret. ⁸⁵ When the trial judge assesses the appropriateness of the non-disclosure of certain materials to the defence, the ECtHR has stressed the importance of (1) weighing the public interest against the interest of the accused and (2) affording the defence an opportunity to participate in the decision-making process to the maximum extent possible. ⁸⁶

In the Sky ECC operation, it seems to be a recurring issue that public prosecutors are not willing to share all information that the defence requests. For example, the Italian Supreme Court declared in July 2022 that Italian prosecutors and police should disclose information on how they obtained intercepted messages from the Sky ECC cryptophone network. ⁸⁷ In the Netherlands, some courts were critical that it took some time for the Public Prosecution Service to provide a sufficient amount of information about the investigation and evidence-gathering activities in the Sky ECC operation. More specifically, at first, the Dutch Public Prosecution Service did not mention the development of the decryption tool, and only provided the necessary details about the operation (in France) later. ⁸⁸

In Belgium, information on how the investigation has been carried out, has not been made public. Defendants, however, have access to their criminal files, which besides police reports on the specific case contain a report of the federal prosecutor on the operation. Yet, details on how the decryption of the messages in the initial investigation took place, are not shared with the defendants. ⁸⁹ When it comes to the analysis of the intercepted data, only a press release of the minister of Justice is available, stating that artificial intelligence and machine learning were used to filter word combinations with criminal content and to parse English and Albanian communications, as both languages are frequently used in the intercepted messages. ⁹⁰

Notably, there is not much information available in case law about how the evidence is derived from the targeted bulk interception in the Sky ECC operation, in other words, about the analysis phase of bulk interception. The use of algorithms, key word indexes, or network analysis techniques is rarely mentioned in case law. It is possible that in relevant cases, the defence did not argue or explain why this information is relevant to the suspect and, therefore, courts did not deal with this aspect in their decisions. Yet, this information may be relevant when discussing the reliability of the evidence. In sum, while there is transparency about the collection phase of the Sky ECC operation in the Netherlands and Belgium, albeit not in all states, there is very little transparency about the analysis phase of the Sky ECC operation, even in the Netherlands and Belgium.

Reliability of evidence

As explained above, there appears to be little transparency about the processing of data after the collection phase in the Sky ECC operation. This is relevant because the ECtHR pays attention to whether the defendant had the opportunity to challenge both the authenticity and the use of the contested evidence. However, national courts have a considerable margin of appreciation when assessing the reliability of evidence. Moreover, the ECtHR only considers obtained evidence as unreliable if there are ‘manifest flaws’ to be detected in its processing. ⁹¹ In the case Khodorkovskiy and Lebedev v. Russia, for instance, the defendants claimed that the authorities had presented more evidence to the court than had originally been seized, as the servers had not been properly locked up. ⁹² In this case, the ECtHR decided that the use of the evidence did not breach Article 6 ECHR, as the defendants had had the opportunity to interrogate witnesses that were present at the time of the search and seizure operation. In addition, the ECtHR could not detect any manifest flaw in the process of seizing and examining the hard drives that would make the information obtained unreliable. In other words, when the defence has sufficient opportunities to ask questions about the way the data is processed and request expert witnesses, a lack of transparency may be counterbalanced.

Reportedly, the Hansken system used to store and analyse Sky ECC data has an intricate system for logging, which results in a full trail of who did what with which data. This makes the processing of data – in theory – transparent to the investigation team, to the public prosecutor, to the court, and to the suspect’s lawyers. ⁹³ In practice, however, Dutch case law shows that requests of the defence for logging data or source code are always denied by Dutch judges. Instead, the defence are – to a certain extent – allowed to ask technical questions, access the data used against suspect themselves, and request a counter-expertise by an expert. ⁹⁴ For the defence, it should be clear from evaluations how a system like Hansken works and to what extent the output is reliable. ⁹⁵ The legal evaluation of the authenticity and reliability of digital evidence, and therefore the opportunity for the defence to challenge digital forensics expertise, depends on the selected digital forensic process, methods, and tools for each forensic task and its sufficient documentation in the chain of custody that can demonstrate data integrity preservation and reliability validation. ⁹⁶

In addition, Sagittae points out Dutch authorities took several steps to ascertain the reliability of collected data when selecting, examining, and using the data in Dutch criminal proceedings. First, the hash values of the data that were acquired in France were compared to the hash values of the data that were transmitted to the Netherlands. A hash value is a numeric value of a fixed length that uniquely identifies data. Corresponding hash values in both countries imply that both countries possess the exact same data. ⁹⁷ With only very few exceptions, the Dutch hash values of Sky ECC data all matched the French hash values. Furthermore, the NFI examined the accuracy and reliability of the data obtained in the Sky ECC operation. ⁹⁸ The report shows that the “Toolbox data” is a correct representation of the chat messages and their metadata, but that the data is sometimes incomplete. This incompleteness was deemed explainable by the NFI and not considered as a problem in case law. ⁹⁹

In a Belgian case, defendants have tried to challenge the reliability of the evidence, as law enforcement authorities did not disclose the decryption techniques that were used. Their arguments, however, were dismissed. The Antwerp Court of Appeal found that the disclosure of the decryption techniques is not relevant to assess the lawfulness of the evidence, as it does not concern the content of the messages. Moreover, the details of the used techniques were kept secret in order to be able to reuse the techniques in the future. According to the court, this did not constitute a violation of the right to a fair trial. ¹⁰⁰ Nevertheless, since the law does not specify how to ensure the reliability of digital decrypted evidence and there is no supervision, ¹⁰¹ we believe it is necessary for the defence to know how the data was decrypted. ¹⁰²

Furthermore, case law shows that judges simply discuss the evidence at hand, for example, the content of messages about drugs trafficking linked to Sky ECC users by their Sky-ID, and then determine whether they find the evidence convincing. ¹⁰³ The evidence is often supported by other materials. From case law, it visible how a variety of investigative methods are used to associate Sky ECC users with the messages. The additional investigative methods used include data production orders directed at telecommunication service providers to gather subscriber and location data, data production orders to gather passenger name records, seizing a suspect’s cryptophone, correlating the nicknames of suspects from other sources of evidence to Sky ECC messages, and, of course, obtaining testimonials or even confessions from suspects. ¹⁰⁴ In short, Sky ECC messages are rarely the only source of evidence used to convict individuals of crimes.

Access to datasets

When a public prosecutor submits evidence in a criminal trial that is obtained during the Sky ECC operation, the defence should have the opportunity to acquire knowledge and ask questions about this evidence. In the Sky ECC operation, and also in many other modern-day criminal investigations, ‘bulk data’ is involved. The ECtHR developed a specific procedure for large datasets, which we will discuss below.

In order to analyse the data, law enforcement authorities filter the raw dataset (also known as a ‘primary dataset’) into a ‘secondary dataset’. Where the raw dataset is unstructured and contains all seized data, the secondary dataset “only” contains all data relevant for criminal investigations. Still, this dataset is a large volume of information on all kinds of (potential) suspects and crimes. The next step is to compile the ‘tertiary dataset’ with all the relevant information for a specific investigation. The question of whether a dataset should be disclosed, must be reviewed with regard to the three different datasets. ¹⁰⁵

As for the raw dataset, there is no obligation to disclose all information, especially not when law enforcement authorities did not review the relevance of the data themselves. ¹⁰⁶ When the raw dataset is searched and thereafter filtered, using specific search terms to create a secondary dataset, it could be necessary to include the defence in this process. ¹⁰⁷

The ECtHR does not consider it necessary that the defence can use the search engine or any analytical software programs themselves: they can also provide law enforcement authorities with search terms. In that sense, a specific request to filter the raw dataset using specific search terms is also a safeguard against fishing expeditions. ¹⁰⁸ In Sigurdður Einarsson and others, the Court found that a procedure whereby the prosecution itself attempts to assess the importance of undisclosed information to the defence and weigh this against the public interest in keeping the information secret – and does not involve the defence in this assessment – does not provide for a fair trial. ¹⁰⁹ The defence needs to have the opportunity (a) to be involved in the definition of the criteria for determining what may be relevant and (b) to conduct further searches for exculpatory evidence. ¹¹⁰

The tertiary dataset contains information that is relevant to a single case. For this type of dataset, the general rule is clear: this data can be used against the suspect, and should be disclosed. ¹¹¹

Lastly, the defence should have an ‘effective opportunity’ to access and analyse the data. ¹¹² To make any discovery possible, it seems necessary to provide the defence with readable (i.e., not encrypted) data for review. Alternatively, the defence can be provided with access to the e-discovery program in which the data is made accessible on the premises of law enforcement authorities. ¹¹³

In sum, all information that is deemed relevant in a particular case and that can be used against the suspect in a criminal case (the tertiary dataset), should be disclosed to the suspect. In addition, the defence should have sufficient facilities (an ‘effective opportunity’) to access and analyse the data. The defence can request and should motivate why they require further access to the secondary dataset. Then, when the Public Prosecution Service denies access to the data, they must motivate this, for example because of ongoing (other) criminal investigations or risk of reprisals for individuals who are also part of the dataset.

In practice, the raw dataset is not disclosed to the defence. In the Sky ECC operation, the dataset is too large to review the relevance of all messages for law enforcement authorities, and requests to obtain access to the full dataset are always denied. ¹¹⁴ In Belgium, the minister of Justice himself has been summoned to disclose the full criminal file of the Sky ECC investigation, but that claim has been declined. ¹¹⁵ Finally, the Antwerp Court of Appeal found that revealing the entire dataset containing all intercepted Sky ECC communications in a specific criminal case would lead to a serious and non-acceptable violation of the right to privacy of Sky ECC users who are not connected to the criminal case at hand. It would also violate the secret nature of a criminal investigation. Therefore, the request was declined. ¹¹⁶ In the Netherlands, the defence has access to the tertiary dataset used in the criminal case against a suspect. The defence can request and should motivate why they require further access to (part of) the secondary dataset, to which the Public Prosecution Service has to respond. The defence can even use the same Hansken platform as law enforcement authorities use. ¹¹⁷ At first, this was only possible on the premises of the NFI in the Hague, but this is now also possible remotely.

Privacy violations

The ECtHR has repeatedly found that evidence obtained through a violation of the right to privacy does not necessarily amount to a violation of the right to a fair trial. ¹¹⁹ Hence, privacy violations should not lead to the exclusion of evidence and could have little to no impact on ongoing and future possible criminal cases. However, this view should perhaps be nuanced due to CJEU case law. The CJEU decided that national courts should exclude evidence if a defendant is not in a position to comment effectively on the evidence and if the evidence pertains to a field of which the judges have no knowledge and is likely to have a preponderant influence on the findings of fact. ¹²⁰ The impact of this case law, however, is not entirely clear. ¹²¹

In a Belgian Sky ECC case, the Antwerp Court of Appeal acknowledged that the right to privacy had been violated, as some of the collected data were retained under a data retention law that had been annulled in the meantime. In light of the above-mentioned case law of CJEU, the court found that the reliability of the data was not at stake and that the defendants had had the opportunity to challenge the data. It concerned data on several IMEI numbers that are not subject to interpretation and do not demand further scientific investigation. Moreover, the seriousness of the criminal offences at stake outweighed the privacy violation. Finally, the data was in no means decisive to the conviction. As a result, the evidence was not excluded. ¹²²

Right to a fair trial violations

Violations of the right to a fair trial may have serious consequences for the outcome of an investigation. Not only can evidence be excluded from the procedure, e.g., when evidence is not reliable, but a violation of the right to a fair trial can also render the procedure as a whole inadmissible or lead to the acquittal of suspects, e.g., when the defendant has not had proper access to the evidence. ¹²³

Pending cases

It remains to be seen whether these general principles on bulk interception will be upheld in future case law of the European courts. Whereas it may take years before those courts will decide on this matter, we highlight two pending cases that are particularly relevant in this context.

First, there is a case pending at the ECtHR about ByLock. This smartphone application allowed users to communicate via a private, encrypted connection. The application had hundreds of thousands of users, until it was permanently shut down by Turkish authorities in 2016. ¹²⁴ The applicant complains that the evidence, including information from his ByLock application, was collected, retained, and processed in violation of his right to respect for private life. Additionally, he complains that he was convicted on the basis of unlawfully obtained evidence, to which he did not have access, and which was not directly examined by the domestic courts, in violation of the principle of equality of arms and adversarial proceedings. The Grand Chamber has been invited to look into these issues in the near future. ¹²⁵

Second, the Landgericht Berlin requested a preliminary ruling to the CJEU on the EncroChat operation, which also involved the bulk interception and bulk collection of communications at a French internet service provider. Among other questions, the Landgericht asks the EU court whether the same German legal standards must apply when the evidence-gathering activities under an EIO took place in a different country (i.e., France) and what the consequences are when the integrity of the intercepted data cannot be verified by the authorities in the executing State by reason of blanket secrecy. ¹²⁶