Side event: Innovations in drug investigation: Decrypting crypto phones

Organized by the Government of the Netherlands and the United Nations Office on Drugs and Crime, Cybercrime and Anti-Money Laundering Section.

Hans Abma/ Dutch Ministry of Justice & Security: [opening remarks and gratitudes] We will be discussing drug organised crime under the general organised crime within the Dutch example. We will try to show you innovative ways of combating organised crime.

Martijn Egberts/ Dutch National Prosecutor Office: We are trying to give you an insight into the reasons we want to know more about cryptophones and what the criminals communicate about. A major driver that led me and my department in investigating cryptophones (Blackberry encrypted phones) was the increase of use by organised crime groups that was reported. We found that cryptophones are using P2P [Peer to peer] encryption which is an old protocol developed in the 1970s and still remains unbreakable. We also found that these were mainly sold from “spystores” and reseller shops. In these [shops] one could get a phone in which the microphone, camera and GPS location services were disabled, allowing only the exchange of encrypted emails thus having the law enforcement services unable to intercept any communication. In the cases we managed to decrypt confiscated cryptophones we came across communications of drug crime, assassinations, arms trafficking/sales or beacon planting: all information in plain sight when the message was decrypted. A clarification: our forensic people managed to crack the user codes, not the Blackberry decrypting system. We focused on two companies that were selling these doctored devices to the organised groups: ENNETCOM and PGP-SAFE. ENNETCOM had selling points located in Western Europe and Southern America as well as in Spain and Morocco and those places for us are related to drug crime. So, the goal of our investigation was to take down these companies being a facilitator to drug related crime with the additional suspicion of money laundering. For that we had to seize the central servers on which they were communicating. A clarification: in the NL a suspicion of money laundering needs no crime related source justification. Therefore we only had to prove that ENNETCOM is selling to criminals.

We were interested in the device itself, in the number of ENNETCOM and PGP-SAFE customers, their identity, who is communicating with whom and hopefully reach the content of these emails. The reason we first focus on Blackberries is that these are very secure products and they market these products as such, having in place additional security measures in relation to competitors by redirecting all the traffic through their own infrastructure to a rented Blackberry enterprise office. Related to our case, Blackberry moved the relevant servers to Canada: a country with high privacy laws. In 2016 we requested from the Canadian authorities a forensic copy of the entire infrastructure and in the end a judge authorised us to search and secure over 7 terabytes of data and an inventory of 40.000 ENNETCOM users. After a period of 7 months a Canadian judge gave a ruling that allowed us a further investigation on these data. A public debate was initiated on the privacy breach, however the fact that the data were still encrypted left no option for a crime-related selective data sharing.

We started by making a copy of all the 120 servers to rebuild the entire infrastructure to be able to access all the meta-data and the messages. Within the first week we had found 3,5 million messages, probably of organised crime groups, that were still encrypted. After a month we were able to fight all the private keys and access the messages. We immediately looked at conversations on drugs, drug related assassinations, weapon dealing, etc. and were able to identify people/criminals unknown to the Dutch authorities. Thereafter we uploaded all relevant information to the Big Data [Dutch motherboard of intel] in which investigators eventually had access with a related judge’s order. ENNETCOM search produced 4,5 million messages and PGP-SAFE another 2 million messages that fed more than 100 different investigations only in the NL. We were able to find the assassins and the ones who were on the look-outs. We were allowed to use the data and were then able to prosecute and convict individuals. We were also able to find information on people who were innocently killed in the NL.

Neil Walsh/ UNODC: I want to focus on the challenges the governments have to go through when faced with really difficult encryption capabilities and that is increasing and ever-changing. The real question is on the responsibility of those companies involved: if you set up a company marketing a phone that is utterly untraceable, where does that legal authority lie? When we started looking at those companies, my view was that they were essentially a criminal business and they are setting themselves up to commit crime and to enable organised crime and terrorism. So, what is their liability? Should they be liable of creating “a thing” and at which point one draws the line in that regarding the genuine human rights discussion that is included. To me it seems that there is no one-size-fits-all: some countries have strong judicial oversights like the NL but we know there will be other countries where they would lack this freedom of speech and human rights. Drawing from the ENNETCOM case we don’t always have to focus on the most challenging and technical solutions. It might be just getting the device or the server after all and then, with the support of a company, conducting a social network analysis to start identifying the key players.

In my bit of the business we focus a lot on capacity building: helping officers, judges, prosecutors doing the exact and the challenges they are up against. NL has a great skillset in doing this but if you are in a country that lacks that you can see how criminals and terrorists will seek to exploit that. They will look for countries with strong privacy legislation or in complete absence of such legislation, or in countries with no capability of investigating or will of investigating and place their servers. It is not easy and there is no one-size solution for all.

Q [Mauritius/ Drug enforcement]: How critical was the evidence derived from the Blackberries and could you please elaborate on how the judge accepted the accessibility of the evidence that you secured?
A [Martijn Egberts]: In one of the cases the defendant of the individual was the same [lawyer] as the company’s and was trying persistently to exclude the relevant evidence. In the end the judge thought it important to link the device to the accused and in light of the evidence the proof of individual’s guilt was strong.

Q [DRCNET]: My question relates to definitions and terminology. Could you please elaborate on the term innocent victim you used? My definition of crime differs from UNODC’s. Intrinsically the cultivation, production and distribution of drugs has no victims other than the pharmaceuticals. Also you seem to link drug trafficking to assassinations which to my view are very different things.
A [Martijn Egberts]: I am only referring to an innocent victim only because this one person was shot down accidentally only because he drove the same car and used in the same building as a drug criminal that was targeted.
A [Neil Walsh]: A victim is a victim whether one is involved in criminality or not but when you refer to organised criminality even they often accept the occupational hazards of being a victim of violence. That does not make their life any less meaningful than someone who is not involved in that, but the distinction is clear.

Q [European Law Student Association]: Just to clarify that from a law perspective you could not outlaw such devices since you cannot prove that selling such a device will produce crime.
A [Neil Walsh]: The device is not the issue but the marketing of device that is capable of being untraceable.
A [Martijn Egberts]: We are not against encryption. I think it is really important. What we try to find is a central point of criminal communication.

Q [ ]: Do you think that substantial damage has been made to the crime network with this instrument?
A [Martijn Egberts]: No. But did we successfully stop some criminal organisations in the NL that were specialised in assassinating other people and they were hired by drug criminals? – Yes. Are we gonna lock up many more? – Yes. However, are there less drugs being imported? – I don’t think so.

A [Neil Walsh]: My sense on this is that the drugs angle is not the important angle but the ability to keep people safe especially when you have people in your community who are essentially assassins for hire. There has to be a balance between privacy, human rights and countering crime and terror. I certainly would not want to see a point where all governments have access to all information -just in case-, but we need to be in a space that when you have the ability to collect that evidence and manage them in a judiciary ruling/ human rights complying way then you can give society the reassurance that your data is not being wilfully abused or misused and there is a proportional legally accountable necessity, and that has to be the basis of everything we do.
