back to article Euro police forces infiltrated encrypted phone biz – and now 'criminal' EncroChat users are being rounded up

French and Dutch police have boasted of infiltrating and killing off encrypted chat service EncroChat, alleging it was used by organised crime gangs to plot murders, sell drugs, launder criminal profits and more. The encrypted chat platform is alleged by British, French and Dutch law enforcement agencies to have been used by …

  1. IGotOut Silver badge

    So...

    So I presume no legally mandated "backdoors" we're mandated for this to happen?

    No thought not.

    Just good Police work.

    1. jake Silver badge

      Re: So...

      No legaly mandated backdoors, no. Just the ones EncrChat made available to their own employees. All the cops had to do was get someone employed by EncroChat, and Bob's their Auntie.

      I wouldn't call it good police work, I'd call it bad security practices at EncroChat.

      How's that Zoom and/or Skype (etc. etc.) workin' for all y'all? Are your corporate lawyers happy with Microsoft storing all the stuff your employees use Office363 for?

      1. Cederic Silver badge

        Re: So...

        While it may well be poor security at EncroChat that doesn't preclude it also being good police work.

        Also, I now hate you for making me admit that the French police might actually have done something good.

        1. Schultz Silver badge

          "the French police might actually have done something good"

          What, Lois DeFunes doesn't get any credits for years of hilarious work in the French police? What about Jacques Clouseau, he was very successful solving international crime!?

          1. Anonymous Coward
            Anonymous Coward

            Re: "the French police might actually have done something good"

            What about Jacques Clouseau, he was very successful solving international crime!?

            "Is this your deug?" ...

        2. Potemkine! Silver badge

          Re: So...

          Also, I now hate. you for making me admit that the French police might actually have done something good.

          Having talked with some law forces agents working on cybersecurity during Lille' FIC2020, I can assure you they do some very interesting things, even if they lack of means and people. They are really very good compared to the poor resources allocated to them

      2. NoneSuch Silver badge
        Mushroom

        Re: So...

        "though the UK state is notably hostile to the idea of encrypted comms that its agents can't read whenever they feel like it."

        When the people oversee the government, that's democracy.

        When governments oversee their people, that's oligarchy.

        1. DJO Silver badge

          Re: So...

          Not oligarchy, the word you wanted is "tyranny".

    2. HildyJ Silver badge
      Thumb Up

      Re: So...

      You are right (and many of the comments are wrong). According to a more detailed description in Vice - https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked - the French hacked Encrochat's servers and had them install malware on the users' phones. The malware accessed the users' text inputs before they could be encrypted by the alternate OS and sent them to a police (or intelligence) server.

      Encrochat didn't put encryption chips in the photos although they did physically disable the GPS, camera, and microphone. Encrochat didn't have their own backdoor to the phones. The police didn't have to crack any encryption. It was just a sophisticated malware attack.

      No need for backdoors when you have brains.

      1. Doctor Syntax Silver badge

        Re: So...

        "they did physically disable the GPS, camera, and microphone"

        The reports also mention pictures in the seized data. I don't doubt there will have been a certain amount of disinformation in the account that's been released.

        1. Beeblebrox

          The reports also mention pictures

          "encryption chips in the photos"

          Pics, or it didn't happen.

          Sounds like a crap / pricey messaging app anyway. Are all these lawyers and journalists just there to communicate with the criminals, or just because of the integrity of the platform?

          I'm considering crossing this off my ways to pass information to WikiLeaks under the circumstances - sorry Jules. Back to writing messages on the back of a fag packet.

      2. Smooth Newt Silver badge
        Happy

        Re: So...

        The Vice article contains the following request

        Do you know anything else about Encrochat? We'd love to hear from you. Using a non-work phone or computer, you can contact reporter's name securely on Signal on blah, Wickr on blah, ...

        There's some sort of irony there I think.

      3. Eclectic Man

        Re: So...

        I took an informal course by Prof Fred Piper of Royal Holloway, as part of my employment years ago at a security company. He was pretty sure that the most common ways of breaking cryptography were sex, drugs and money, with a little blackmail thrown in for good measure.

        As for it being set up by state actors rather than career criminals, some countries have few scruples when it comes to villainy in other countries. If some country had set it up they would definitely not want the servers to be on their territory.

        1. Smooth Newt Silver badge
          Meh

          Re: So...

          He was pretty sure that the most common ways of breaking cryptography were sex, drugs and money, with a little blackmail thrown in for good measure.

          Coercion is often called rubber-hose cryptanalysis, and is much cheaper and easier than the mathematical kind. It is even enshrined into UK law in the Regulation of Investigatory Powers Act.

          1. Mage Silver badge
            Coat

            Re: Coercion is often called rubber-hose cryptanalysis

            Obligatory XKCD

            This is the link, but might not be a rubber hose

        2. Anonymous Coward
          Anonymous Coward

          Re: So...

          "...state actors rather than career criminals..."

          There's a difference?

      4. JCitizen Bronze badge
        Coffee/keyboard

        Good gumshoe work...

        @HildyJ

        Just like any good IT security tech would say, you have to secure your endpoints for VPN to work like you want it to. If someone hacks both ends, all bets are off!

    3. Anonymous Coward
      Anonymous Coward

      Honey pot

      Looks like a honey pot to me, so yeh 100% backdoor:

      https://web.archive.org/web/20150901000000*/encrochat.network

      I try to verify it, but it doesn't quite make sense. Why for example did villains trust it, yet normal people not? So many users claimed, yet such a tiny surface area of data to verify on the web and those are reports from the MET. Where did its marketing budget come from? It's development budget? How was tech support done?

      Do a google search on Encrochat and look at the photos and the sources, you'd think a tech site would buy one and test it, and photo it. Since it would be useful for tech companies protecting their trade secrets, yet the photos are all tabloid or police reports.

      How as the ongoing flow of payment handled?

      It has the web surface of a psych-op, not of a technical product. The nuts and bolts are all missing for the transaction, the websites are shallow shells that get minor updates only.

      I'm not the only person to think so, this from 2016:

      https://medium.com/@fordnic/evidence-suggests-encrochat-is-working-with-the-nsa-and-other-authorities-281bfd05ed9e

      "Evidence suggests Encrochat is working with the NSA and other authorities..."

      Yeh, it looks like they pulled the plug on a failed honeypot, with a press release of stuff that doesn't verify. e.g. mob killings from 2015 when the device would only just have been released.

      Round numbers, 60000, 10000... you're telling me that a company with 180 million a year revenue somehow goes under the radar???? Despite having 60000*2 per year money flows into it?

      Ridiculous no?

      1. Chris G Silver badge

        Re: Honey pot

        It certainly has the look of having been set up by a state actor/s.

        Otherwise it would need to be the result of a private enterprise originating in a private hollowed out volcano somewhere.

        1. TimMaher Bronze badge
          Trollface

          Re: Honey pot

          While stroking a fluffy white cat.

          “Look, you can see it all on TV”.

      2. Julz Silver badge

        Re: Honey pot

        I does look a lot like a honeypot that has been busted and a mad dash to arrest and cease stuff to put a front out the world.

        If your interested, the internet archive has copies of what their web site used to look like:

        https://web.archive.org/web/20181112142511/http://encrochat.network/

        Which went all quiet around Dec 2018

        There seems to be a big Canadian connection, and here is the archived web site for one of their 'resellers':

        https://web.archive.org/web/20191025220110/http://www.eccanada.ca/

        1. Chris G Silver badge

          Re: Honey pot

          What I find interesting is that a service like this or, say tor, are like putting your name on a list when you sign up for them.

          Of course many users are simply concerned about their own privacy,or sensitive business information but anyone who is known to he trying to hide stuff will attract attention from the phuzz and other agencies.

          Plain sight platforms plus your own encryption and you are more likely to be lost in the noise.

          1. Julz Silver badge
            Black Helicopters

            Re: Honey pot

            Or perhaps a web based numbers station.

            https://www.numbers-stations.com/

          2. Ben Tasker Silver badge

            Re: Honey pot

            > What I find interesting is that a service like this or, say tor, are like putting your name on a list when you sign up for them.

            You don't sign up to use Tor, you just use it (and if you're worried about ISPs noticing you're using Tor, can use things like meek and snowflake to obfuscate).

            It doesn't overly detract from your point, just if you have stumbled across some "sign up to Tor" site, it's all but certainly a scam site.

            > Plain sight platforms plus your own encryption and you are more likely to be lost in the noise.

            The problem with that, for many users, is the feasibility of doing so and (more importantly) the difficulty involved in securely exchanging keys. Even something (relatively) simple like installing OTR is too much for some, and a significant proportion of those that do probably don't verify keys properly.

            Encrypted platforms abstract and automate that away from the user.

            Even now, I'm sure the attention still mainly comes the other way round - you become "of interest" and they try and look at your comms, rather than you use an encrypted service and become of interest. There'll be exceptions of course

            1. Graham Cobb

              Re: Honey pot

              The problem with that, for many users, is the feasibility of doing so and (more importantly) the difficulty involved in securely exchanging keys.

              Indeed, although replaced in this case with the difficulty of knowing whether the service you are using is actually under the control of law enforcement (and, of course, the difficulty the LE people have in using any information they can gather without blowing that they are reading the secret comms).

              One assumes that if you are a serious criminal you mostly use services where many of the people at the provider can be physically accessed (i.e. killed or seriously injured) if it turns out they are giving away your secrets! The problem is presumably that in today's international crime scene you need tools that will be trusted by two criminal enterprises in different parts of the world.

              If I were a criminal mastermind, I think I would prefer to use something that is open source and widely used and work on the key distribution and update problem instead -- that is much more likely to be amenable to traditional human-based solutions that these people have much experience of.

              But maybe that is why I am not!

          3. Cynic_999 Silver badge

            Re: Honey pot

            Using your own bespoke encryption is all very well for communicating with people you already know, but no use for advertising or finding illicit services and communicating with someone you have never met (such as a hitman). For that you need an encryption technique that anyone can obtain and use.

            1. Stoneshop Silver badge

              Re: Honey pot

              Same with codes. You have to have a predefined set of actions corresponding with the set of message codes exchanged with each party you are dealing with (e.g.. "Jean has a big moustache" means "Bring me the head of Diego Garcia"), but if something not covered by that set comes up you are stuck and you have to fall back on other, encrypted, methods

          4. Claptrap314 Silver badge

            Roll your own crypto?

            DO. NOT. TRY. TO. ROLL. YOUR. OWN. CRYPTO.

            Why is it that someone has to post this to EVERY article the the subject?

            Do a little (just a bit) of research on modern crypto algorithms. Every last one of them was developed by a team. And then peer reviewed by other teams.

            Teams of people with PhDs in mathematics (usually algebra). Teams of people each with over a decade of experience in the field.

            You really, really aren't at that level. Neither am I. Neither are 99.9999% of people in the world. Honestly, there is probably another 9 to add.

            1. Anonymous Coward
              Anonymous Coward

              Re: Roll your own crypto?

              I took his comment to mean setting up the crypto yourself rather than *designing* the crypto.

              If I decided to be an evil criminal, I'd not trust *ANY* "secure" app without running some other end to end crypto over the top of it. I wouldn't attempt to design my own crypto in the process.

            2. Anonymous Coward
              Anonymous Coward

              Re: Roll your own crypto?

              Whilst I see your point of how insecure fail encryption is the fact remains that known crypto is already half way clear text given that published methods are definitely going to be attempted during decryption.

              For years crypto merchants have been claiming their published system are uncrackable based upon known tech, only for these claims to be proven false again and again.

              Thus published crypto might be uncrackable by "normal individuals" using "known" methods in reasonable time limits however there are other individuals who can, especially if they already know the crypto in use or can bypass it completely.

              An unknown crypto of equal validity to published crypto is going to be a better bet since those that are attempting to decrypt it do not already know it exists and have to actually do some extra work before they can apply their greater than normal tech methods.

              So if known crypto is fundamentally easier to crack than equal unknown and there is evidence that greater than normal tech agents exist then forcing these agencies to do more work rather than just believing the hype is going to make decryption more expensive and time consuming that at present.

              Lucky for the non-normal actors the majority of people working in this field do not actually understand crypto better than those that design the greater than normal tech however that does not stop the former padding/using multiple methods on their transmissions to make decryption more expensive in time and money.

              What you should really take away from all this is that publish cryptography is only really useful against "normal people" thus everyone should ignore any claims about how hard decryption actually is given that these assumption are based upon only normal people with normal resources attempting it.

              You would imagine that this should be obvious to anyone who has even a basic understanding of cryptography and yet the vast majority of people reading this are more sheep than superstar or they too would be working for the greater than normal tech agencies.

              1. Claptrap314 Silver badge

                Re: Roll your own crypto?

                Do a little reading. Seriously.

      3. bobblestiltskin

        Re: Honey pot

        https://encrochat.us/ looks interesting.

        I do not know if it is connected to the Dutch company.

      4. Roland6 Silver badge

        Re: Honey pot

        >"Evidence suggests Encrochat is working with the NSA and other authorities..."

        Given the timeline, there might be something in the Snowden 2013 disclosures - I wonder who has access to the full repository and hence whether this action now was partially to be ahead of possible publication by some journalist of their researches...

      5. John Savard Silver badge

        Re: Honey pot

        I can think of one reason why normal people would not use it, the high price tag.

    4. Version 1.0 Silver badge

      Re: So...

      It simply documents that "encrypted" communications can not be assumed to be private... it's no big surprise.

  2. Anonymous Coward
    Anonymous Coward

    But private ciphers also exist...even if end-to-end encryption is broken.......

    Quote: "..UK state is notably hostile to the idea of encrypted comms that its agents can't read whenever they feel like it.*

    *

    Well...........the quote actually means "can't read the plain text".....because of course "the agents" can read the cipher text. But I wonder how often people use private ciphers BEFORE THE MESSAGE ENTERS A (SUSPECT) ENCRYPTED CHANNEL.

    *

    170G0f1M04$w05G40H660www0rjf0vux0Zxp0DsF

    0Kgl1Lxu10tY0z9q07lL0PlT09RR1VmT0YfC0EW9

    1Cod009h0bhS15Sz0tby1bLr1lUx0Xjv0BfA0xuL

    0R2H1HD21Gw717DU18f20L3C0KEQ1ckO0L3a1bS0

    1JLq0$Uv15jh0eQf0y0u0=pv0NxG0F=g04gg0SMo

    0jC$0wsX1cfR00GG1jBd1OqP0A5n0sH30=FP0$3H

    0hoL1CVn0J1l1c5M0$hh0JqB0qTL16ij0Sdp0DcZ

    1jdt0XYO1cKu0jXy0K7=0G1k18GW0MQL0XVL07do

    1gG30Yxp0=av02wB0Z6i16tl10wc1Imv0$xS0n64

    1PDV1iX01kBB19TK1K3104st0AVe0DO61ZI51IVx

    1Rnj1jdz0VNM0fAY05Ph08St141O1IvP1DM30Pne

    0STY125Q0=Js1deS0JsY0oG10Ho00dbp0hig1IDy

    1RA=0Kdr0=Vs0XoU12960fl00h3Q0tqI1jko1X7B

    0n0r0kv=0V=i0kl=1brL0VD10d6V1DwO1PmC1h=c

    11b70rN419Zp0y5y0X5z0jmT0MIR1SH01Sjx1gUL

    16iD0ONn0DWc1HS50fJN0FfD0Hyz1LSC0i030cN1

    02Wb0FdV10jl0hBx0eSy1NuV09oP06BV1bXt1OIf

    1H7a0zoF1ZkG02td1fMt0axf0kxh0noc09450Cxf

    1XkW0A7Y122N1Jzh0s4D1Ckf0kGI0gaK

    *

    1. Inventor of the Marmite Laser Silver badge

      Re: But private ciphers also exist...even if end-to-end encryption is broken.......

      Can I have double fries and a banana fritter with that?

      1. jake Silver badge

        Re: But private ciphers also exist...even if end-to-end encryption is broken.......

        The cock crows at midnight. Don't tell Madeline.

        1. The Basis of everything is...

          Re: But private ciphers also exist...even if end-to-end encryption is broken.......

          Thats a code, not a cypher.

          Madeline knows already. The cock is cooked.

          1. keithpeter
            Coat

            Re: But private ciphers also exist...even if end-to-end encryption is broken.......

            @Basis and all...

            http://www.cs.columbia.edu/~CS4HS/talks/codebooks.pdf

            I am old enough to have actually used a code book to send domain specific information over a Telex link (shipping, 1980s).

            Coat: Journal of Commerce in the pocket.

    2. Lee D Silver badge

      Re: But private ciphers also exist...even if end-to-end encryption is broken.......

      This is what annoys me.

      With any half-decent modern encryption, you can publish the cipher text full-page in the Daily Mail for all you care. Nobody should be able to read it. And nobody should be able to "encrypt" anything and claim to be the other side without access to the private key (and, if you have a brain, passphrase too).

      Using tech like this would just make me flag you up instantly as someone to watch, if I was doing their job. But you could just send a bog-standard email with a PGP encrypted section on the bottom and exchange public keys with people and it would be basically impossible to crack. Any "compromised" user... just doesn't give up their passphrase.

      And with things like perfect-forward secrecy, you can even get schemes where complete compromise of the key does not reveal historically encrypted messages.

      The metadata is always present anyway. But without the message it's nothing more than coincidence, and proving that in court is hard to do.

      Somewhere there are bunches of mafiosa just encrypting their stuff offline with a basic AES tool, merging the data into an image, and then attaching them to an email or hiding them in DNS lookups or whatever (hey, DNS lookup of an unpublished sub-domain, using DNSSEC/DNS-o-HTTP... that seems pretty secure to me to hold a message inside - and if you didn't know the sub-domain to query, I don't think nameservers will give them up... and if it's encrypted you couldn't snoop them), and are completely off the radar.

      1. Pascal Monett Silver badge

        "The metadata is always present anyway. But without the message it's nothing more than coincidence"

        Maybe, but if the metadata demonstrates that you've been calling a criminal scumbag twenty times in the past month, then the police don't need the content to tell the judge that you know the guy. From that point, it should be easy to gather proof that you're dealing with him financially, or working for him materially, and then you go down for the count.

        1. Anonymous Coward
          Anonymous Coward

          you missed a bit here...

          easy for the police to prove you know the guy - but you only go down for the count if you can't afford a good lawyer - otherwise our prisons would be over-flowing with lawyers, politicians and estate agents!

          1. Potemkine! Silver badge

            Re: you missed a bit here...

            prisons would be over-flowing with lawyers, politicians and estate agents!

            Some of them know the Laws, but some of them know the Judge. It helps.

        2. Lee D Silver badge

          And they can get that metadata by just watching you and him for an afternoon and see if you're both on the phone at the same time.

          You can't stop the metadata, but you can't convict on its basis alone.

          I have a friend who's close to all the local villains in his area. Does phoning him mean I'm planning something? No, I'm phoning the guy who used to live next to my parents when I was a kid and we were good friends with.

          If the metadata is convictable, they don't care about the encryption at all. If it's not, then they need the encrypted data. Either way, you've lost/won just the same.

          And, sorry, but no court in the land will convict you *solely* on the basis of being in communication with even the head of the local mafia. The guy could have murdered someone, and then phoned me for a chat, it doesn't mean anything and isn't convictable without a body of evidence that I was actually involved and not just used as an unwitting alibi.

        3. Anonymous Coward
          Anonymous Coward

          "The metadata is always present anyway. But without the message it's nothing more than coincidence"

          *

          What metadata? The example at the top of this thread is published IN EL REG. Who wrote the message? Who deciphered the message?

          *

          And that's before we consider internet cafes, hijacked WiFi, VPNs, burner phones, peer-to-peer messaging......and so on.

          *

          Only someone wanting to be caught will be using a traceable account!

        4. keithpeter

          31 payg sim cards on a daily rotation? Choice of 7 burner phones bought off the market stall? (gcd 7, 31 = low repetition)

        5. Dr Dan Holdsworth
          Boffin

          If the police are relying on metadata, then the obvious thing to do is to deny them the metadata.

          This is what numbers stations do. If only the recipient can decrypt a message, then it doesn't matter who else can eavesdrop on that message, hence you might as well transmit the message as widely as possible to obfuscate who you are sending the messages to. Numbers stations use radio; an Internet version might be to use Usenet to propagate the messages.

          The final point is that encrypted messaging is only worthwhile if the users are smart enough to use it properly, and if the police really want to catch them. Low-level drugs dealers are generally pretty stupid and are easier to catch by simpler means.

          1. jake Silver badge

            "an Internet version might be to use Usenet to propagate the messages."

            That has been done by at least three different groups[0] as proof of concept. The first was in the alt.binaries hierarchy in the late '80s, shortly after The Great Renaming. The second was in the massively abused Jobs groups in the late '90s, followed shortly by the third in the so-called "Dutch dump groups". All used what seemed to be "broken binaries", with a special line in the header, making them easy to filter out of the noise.

            All were successful, in that nobody commented on them in situ ... Anybody who knows anything about Usenet knows that if they had been detected, the conspiracy nuts would have been going out of their tiny little minds. Obviously, nobody knows if any government agency detected it.

            Some say the Hipcrime entity was attempting something like this, but the consensus among most newsadmins is that that particular bit of sillyness was just simple flooding/cancellation/reposting in a misguided (and ultimately failed) attempt at disruption.

            [0] There were probably many more, given the reality of Usenet and its users, but I am only aware of these three.

      2. Alan Brown Silver badge

        Re: But private ciphers also exist...even if end-to-end encryption is broken.......

        "Any "compromised" user... just doesn't give up their passphrase."

        Until introduced to rubber hose cryptography

      3. Cynic_999 Silver badge

        Re: But private ciphers also exist...even if end-to-end encryption is broken.......

        As I stated in a previous message, that's all very well for messages sent between people who already know each other, but is no good for people who wish to advertise their criminal services, or their desire to hire a criminal service.

        No need for expensive hardware to simply securely communicate with a known person. Just send PGP encrypted emails to each other. Use a hidden email (or similar) service if the metadata would be a problem rather than only the message contents.

      4. Claptrap314 Silver badge

        Is alt.binaries still a thing?

        If so, I would assume any criminal organization would be posting there constantly. Which ones are actual messages and not just noise is an exercise for the interested.

        1. John Brown (no body) Silver badge

          Re: Is alt.binaries still a thing?

          Yes, it's still "a thing".

          On my last perusal, most of the TV and movie groups are full of posts using randomised senders, subject lines made up of randomised letters/numbers, may or may not be complete, sometimes are clearly posted in "sets" but often across multiple groups. If you aren't "in the know", then they are just noise. Most likely it's pirate groups passing their wares to their mates/members, but for all I know, even if you manage to get a full set of posts, they may well be encrypted as well, if not just passworded RAR or ZIPs, but getting a full set looks like you need to scan many different groups in the hope of finding related posts. I assume they have some other channel or method of informing the recipients how and where to find the relevant posts.

          On the other hand, there are still live and lively discussion groups going. There's even binary groups that are used as intended.

    3. Grinning Bandicoot

      Re: But private ciphers also exist...even if end-to-end encryption is broken.......

      5005 06010 98080 35803 81481 16513 89340 47876 10153 11063 Here are some letters for the moderator

  3. Anonymous Coward
    Anonymous Coward

    So having 'broken' an encrypted message service and shown it be a hive of scum and villainy, presumably they can point to all end-to-end encrypted messaging systems and say "Well, that one was full of wrong 'uns, so those probably are too - if only we had a way of intercepting the messages there, see what great work we can do in cleaning it up'.

    1. Long John Silver
      Pirate

      The NCA, Mrs May's folly, may well think along those lines. Other agencies, e.g. the real expertise at GCHQ and its like, know better.

    2. Dr Dan Holdsworth
      Pirate

      This is the classic trick for landing someone you don't like in the smelly. Take a list of, say, people banking with a tax haven that you have managed to lift from somewhere and add a few extra names and details to it. Hey presto, guilt by association, and the reason that American courts use a principle that evidence obtained illegally is inadmissible in court.

  4. Long John Silver
    Pirate

    Matters arising

    I may be wrong but my understanding is of encryption when using this device depending upon a dedicated chip. If so, the question arises whether relying upon a pre-configured chip is inherently less secure than when using software running on a generic processor. Among possibilities for insecurity are inclusion of a planned back-door or exploitation of an accidental vulnerability. Either way, an entire batch of devices becomes suspect. Vulnerabilities in solely open source, solely software, implementation of a reliable encryption algorithm can be identified and fixed without need of changing a physical component.

    It would appear that both honest and criminal users of this device placed too much faith in the high cost of the service guaranteeing fitness for purpose.

    The criminal element might have done better by using throwaway phones for each transaction. By not using potentially dodgy encryption they wouldn't draw attention to themselves. Moreover, open communication using, when feasible, agreed code words/phrases (perhaps decided in advance under encrypted email communication) can be made very secure for many purposes.

    Perhaps, law enforcement agencies should offer expensive master-classes for criminals? There again, perhaps not.

    1. jake Silver badge

      Re: Matters arising

      It's actually simpler than that.

      The cops infiltrated EncroChat (the company itself) and snooped on supposedly encrypted data directly off the EncroChat servers. This is a very good example of why using code that has to go through a central server not under the control of the users should never be considered secure.

      If you want security, peer to peer is the way to go. And sometimes not even then, at least in the hands of typical members of the GreatUnwashed.

      We now return you to the usual unfounded bickering and speculation.

      "When three sit down to talk revolution, two are fools and the third is a police spy."

      1. Hubert Cumberdale

        Re: Matters arising

        Agreed. As a criminal*, I would be highly suspicious of any such system. And paying four figures for a special phone? Have none of them heard of Signal et al.? Even WhatsApp is end-to-end encrypted these days. I don't geddit.

        (*that is to say, if I were a criminal...)

        1. disgustedoftunbridgewells Silver badge

          Re: Matters arising

          Wickr is popular amongst dealers

        2. I Am Spartacus

          Re: Matters arising

          Hubert,

          The noise you're hearing is black helicopters circling whilst the boy's kick in your doors.

        3. amanfromMars 1 Silver badge

          Re: Matters arising

          Agreed. As a criminal*, I would be highly suspicious of any such system. And paying four figures for a special phone? Have none of them heard of Signal et al.? Even WhatsApp is end-to-end encrypted these days. I don't geddit. ..... Hubert Cumberdale

          Regarding criminals and why they don't geddit, HC, one might like to realise Albert Einstein sussed it out a long time again with this observation ....... "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."

          There is very little chat on any media stream about the NCA's recent operation snaring any criminal masterminds, becausealthough one would surely logically expect any mastermind to realise crime is reserved and preserved for the intellectually challenged and fooled and hence their non-appearance.

          Is criminal mastermind oxymoronic like military intelligence?

          1. Chris G Silver badge

            Re: Matters arising

            "Is criminal mastermind oxymoronic like military intelligence?"

            No, the criminal masterminds own the internet and most of everything else.

          2. Anonymous Coward
            Anonymous Coward

            Re: Matters arising

            Some are naive enough to think crime doesn't pay.

          3. Hubert Cumberdale

            Re: Matters arising

            Is criminal mastermind oxymoronic like military intelligence?

            Or like Microsoft Works?

    2. Unbelievable!

      Surveillance via small print. Human rights to privacy are gone.

      for as long as 'authorities' have the power to read encrypted or otherwise data transmissions, launch secret satellites for interception reason, issue nsa letters compelling service providers to obey and reveal etc... thats if they obey the law. truth is, if they want badly enough, one worker can be expendable.. just re-employed elsewhere//

      ask yourself, why does any company require so much information when registering for a service? Surely that would put customers off?

      The answer is to consider that you're actually registering onto a spy program.

      If youtube can store and serve so, so very much video hi res content, easily. how much storage space and speed capaility do you think text based data would require?

      1. jake Silver badge

        Re: Surveillance via small print. Human rights to privacy are gone.

        "how much storage space and speed capaility do you think text based data would require?"

        Speaking as a guy who has speced, built and run several Usenet news farms, the answer to that is "probably more than you think".

        1. Anonymous Coward
          Anonymous Coward

          Re: Surveillance via small print. Human rights to privacy are gone.

          Speaking as a usenet user, how much of that text based data is used as text at the end of the day = p

          1. Anonymous Coward
            Anonymous Coward

            Re: Surveillance via small print. Human rights to privacy are gone.

            Indeed. Especially when you consider all the header and/or data to go with each text blob.

            Plain text is way less efficient than other types of data.

          2. jake Silver badge

            Re: Surveillance via small print. Human rights to privacy are gone.

            Even without the bunnies and other copyright infringement Usenet is far harder to do well that it looks on first blush.

    3. Doctor Syntax Silver badge

      Re: Matters arising

      "I may be wrong but my understanding is of encryption when using this device depending upon a dedicated chip."

      The Motherboard article says they didn't, they just added a little something in software to intercept the plain text from the keyboard. Which raises the question of how did that get smuggled out to their own servers without anyone noticing?

      1. disgustedoftunbridgewells Silver badge

        Re: Matters arising

        I'm speculating but the servers surely do a lot of communication with the clients - the phones. The data could have been smuggled out that way.

      2. Graham Cobb

        Re: Matters arising

        I don't suppose many of the purchasers bothered to do network traffic inspection testing of the device in use: the captured data could be sent in an unencrypted http message to a police server without anyone likely to notice!

        The crims who would notice (who are likely to be government-backed if they are really that sophisticated) will not be using commercially-available WhatsappForCrims services.

      3. Roland6 Silver badge

        Re: Matters arising

        > Which raises the question of how did that get smuggled out to their own servers without anyone noticing?

        Through the normal out-of-band MMS service available to operators, normal background auto Android app updates...

        Reading about the phones, I suggest that fundamentally the phone was running a jailbreak Android image, however, I expect that whilst much effort was put into the secure messaging app, the phones network interface was totally normal ie. untouched.

        The laugh would be if the phone used Google Play Store/services for the app updates..

    4. Roland6 Silver badge

      Re: Matters arising

      >I may be wrong but my understanding is of encryption when using this device depending upon a dedicated chip.

      I wonder whether any of these devices get into the hands of white hat researchers...

      I suspect from what little has been published, both about what the police are letting on about EncroChat and what was published on the EncroChat website (see link elsewhere in comments to the WayBack Machine), the encryption actually used was a bulk standard off-the-shelf package and possibly one natively supported by Android. What does make sense, is the attention paid to key management so that the service could guarantee anonymity. I suspect many will now be looking at how you might implement a secure end-to-end secure messaging service that avoids the flaws in PGP, AES et al, namely:

      For example, with PGP a user has only one key. If the private key of a user is exposed, a perpetrator is able to decrypt all previous messages sent. Another serious drawback is non-reputability. Every message is signed with your private key which verifies and exposes the sender's digital identity, proving authorship of the message.

      >The criminal element might have done better by using throwaway phones for each transaction. By not using potentially dodgy encryption they wouldn't draw attention to themselves.

      The use of throwaway phones would of mitigated the worst effects of the "malware" install. I think the 'dodgy' encryption had zero to do with it - with the amount of encrypted traffic flowing these days I doubt the traffic itself drew any attention.

    5. John Savard Silver badge

      Re: Matters arising

      There was no encryption chip, nor, for that matter, was there any plaintext on the Encrochat servers. The phones were an ordinary phone from a normal Spanish cell phone company.

      There was encryption software which communicated through the Encrochat servers.

      The Encrochat servers got compromised, sent malware out to the users' phones, and then the malware read plaintext on the phones and sent it to the cops.

  5. Anonymous Coward
    Anonymous Coward

    Nothing to Hide, Nothing to Fear

    Let the Heiling Begin.

    First they came for the Journalists and Defence Lawyers ...

    1. Peter2 Silver badge

      Re: Nothing to Hide, Nothing to Fear

      Yes. I'm sure lots of Journalists and Defense Lawyers were spending 3 grand a year on a contract for a phone.

      Twit.

      Spying on defense lawyers is illegal, and even it is done then no details gained via it could be revealed to the prosecution (they'd be obliged to tell the court or end up never, ever being able to practice law again anywhere in the western hemisphere) so that's pointless and won't happen. Working in legal IT I can say that it's not something we are concerned about given that discussions with clients happen in person, not over the phone because that sort of paranoia is cheaper, and evidently more effective.

      Shall we ask if El Reg buys all of their journalists 3k per year phones? I doubt it, somehow since they'd only be good communicating with another person using the same comms channel and a £3k a year bill per user is going to put off pretty much everybody. Even if they did do that, it'd be pointless given that if I wanted to phone them instead of just emailing the tips address then it'd be no more secure than phoning another mobile.

      1. amanfromMars 1 Silver badge

        Re: Nothing to Hide, Nothing to Fear

        Spying on defense lawyers is illegal, and even it is done then no details gained via it could be revealed to the prosecution (they'd be obliged to tell the court or end up never, ever being able to practice law again anywhere in the western hemisphere) so that's pointless and won't happen. ...... Peter2

        As obvious persons of interest, given the vast hundreds of billion of pounds slush funds of fiat money they are responsible for laundering and disbursing to recipients, .... and aint that the sweetest of honey pot temptations to abuse and misuse ...... does GCHQ provide Parliament with all of their security needs and mentor and monitor all of their feeds. ...... you know, not so much spy on them as ensure there is Sterling Blanket Oversight? Surely Cheltenham, and its satellite operations, doesn't keep itself in the dark about any of the actions and thoughts of Parliamentarians?

        That would surely be a gross dereliction of public duty and all too easily give rise to all of manner and matter of abuses and misuse? You know the system has corrupt form as evidenced by many past trials and tribulations.

  6. A. Lewis

    What a disappointing take on this good news. And it is good news. Hundreds of people responsible for great harm to the most vulnerable in our society, potentially under lock and key now. Criminal operations disrupted. Yet this article feels like it wants to suggest it was bad because of some highfalutin ideals of privacy overriding that fact that these people were directly responsible for the deaths of countless victims of the drug trade and organised crime.

    1. sabroni Silver badge

      You don't know who the users of this service were but because some were criminal you think it's ok to tar them all with the same brush.

      Drug smugglers all arrive in the country by boat or plane. Should we apply your tar brush to all travelers too?

      1. Anonymous Coward
        Anonymous Coward

        And some criminals use;

        - guns

        - computers

        - televisions

        - steak knives

        - cheddar cheese slices

        Please don't take my cheese away from me...

        1. Bowlers

          "cheddar cheese slices

          Please don't take my cheese away from me..."

          Except the rubbery ones.

          1. John H Woods Silver badge

            re: Except the rubbery ones.

            Except Halloumi, which is both rubbery and excellent

            1. Hubert Cumberdale

              Re: re: Except the rubbery ones.

              I went to a Chinese restaurant the other day, and I says to the waiter, I says, "this chicken is rubbery". And I got cancelled for attempting to extract humour from outdated stereotypes based on exaggerated accents.

          2. idiottaxpayerhere previously ishtiaq/theghostdeejay

            Which nulls any American cheese

            1. jake Silver badge

              It may interest you to know that so-called "American" so-called "cheese" is no more American than it is cheese ... The inventor of the narsty artificial plastic cheese substitute was a dude named James Lewis Kraft, who was Canadian.

    2. Doctor Syntax Silver badge

      I suppose you think you have nothing to hide. If so go back and look at the T&Cs of the online services you use. Start with banking. Then come back and tell us all the login credentials you're contractually allowed to share with us.

      Legitimate online commerce depends on being able to maintain security. Anything that compromises that for the sake of attacking criminal operations also attacks legitimate commerce is problematic.

      While one part of me thinks this was a great operation the other side worries. To do this legitimately, with due protection to the innocent, it should have been conducted under appropriate* warrants. Was it?

      *I also have concerns that the framework under which interception is carried out in the UK really is appropriate. There is a history of the Acts which provide this framework being struck down in court and replaced by a new one to provide the same shaky cover. I suspect that somewhere in a Home Office filing cabinet there's a draft of the next Act ready to put before Parliament as soon as the existing one gets successfully challenged.

    3. Cynic_999 Silver badge

      Yes, I'm sure a lot of really bad criminals died in the Nazi concentration camps. Which does not mean they were a good thing.

    4. Inkey
      Big Brother

      You're looking at it wrong

      I'm sure that if you aggregated the blood on hands and damage done to the "most vulnerable" it's not those that want to get high or those that enable them too that have the most to answer for... altough depending on how much kool aid you drank, sniffed or smoked your perception may vary...

      There were probably stoics at the time that felt that the stazi and the nazis had merit...and how about those who dared to proclaim that the earth was a sphere and orbited the sun... highfalutin indeed

      It's a human folly to believe that you can charge other humans to protect humans and that if you did that they actually would

    5. Anonymous Coward
      Anonymous Coward

      @A. Lewis

      You seem to be promoting a belief in "the ends justifies the means".

      Where exactly does that stop? Why would it?

      Absolute power corrupts absolutely.

      :/

  7. Neil Barnes Silver badge
    Big Brother

    It's an interesting dichotomy

    1) very very few people have the skills and knowledge to build an encryption system

    2) you can't trust an encryption system you didn't build yourself

    Oh dear...

    1. LucreLout Silver badge
      Pint

      Re: It's an interesting dichotomy

      you can't trust an encryption system you didn't build yourself

      I can't trust an encryption system I DID build myself. I mean, why would I? It's not like every bit of code I've ever written has been bug free.....

      Beer, because its Friday and whispering in pubs is relatively low risk for most comms.

      1. John Brown (no body) Silver badge

        Re: It's an interesting dichotomy

        "Beer, because its Friday and whispering in pubs is relatively low risk for most comms."

        Whispering in the pub is a little more risky these days, what with the music turned down and the 2 metre gap :-)

    2. Graham Cobb

      Re: It's an interesting dichotomy

      Which is why the answer is Open Source. While not perfect, it is likely a much better system than one you code yourself and you don't have to trust a small number of people.

      The biggest downside is if there is a bug or a weakness, it is easier for your adversary to find. But there is also a large chance someone else will find it and it will be fixed.

  8. Anonymous Coward
    Anonymous Coward

    (journalists, lawyers, academics, domestic and foreign political campaigners – to name just a few)

    Tom, Dick, and Harry, to name a few more.

    1. David Shaw

      Re: journalists, lawyers, academics, domestic and foreign political campaigners – to name...

      Alice, Bob, and ‘evil’ Mallory to name some more relevant characters

      1. Anonymous Coward
        Anonymous Coward

        Re: journalists, lawyers, academics, domestic and foreign political campaigners – to name...

        well, as a law-abiding citizen, I would like to have a phone that would be fully immune from State overwatch. Does that make me an evil Mallory?

        1. Cynic_999 Silver badge

          Re: journalists, lawyers, academics, domestic and foreign political campaigners – to name...

          Even law-abiding citizens are just one new law away from becoming criminals.

  9. Duncan Macdonald Silver badge

    Use offline encryption/decryption

    Use OpenPGP or other good encryption program on a standalone computer (no network access) for the encryption and decryption. Transfer the encrypted messages by USB stick (or even floppy disk!!!) to and from a computer with network access.

    For immediate communications use codes (not ciphers) on throwaway phones. (Codes are agreed words/phrases that mean something different to their normal meaning - examples "Alas Babylon" (from the book of the same name - means a nuclear attack is in progress) "Jean has a long mustache" (WW2 message to the French resistance - D-Day tomorrow)).

    1. disgustedoftunbridgewells Silver badge

      Re: Use offline encryption/decryption

      > Transfer the encrypted messages by USB stick

      That sort of defeats the point of an encrypted text chat app. If you're going to exchange information in person ( ie: talk face to face ) then there's no point in this service.

      And any system which requires users to remember codes is inherently weak.

      eg:

      "Hello Mr Legitimate Businessman, please send me some more 'rugs' as my customers have snorted them all"

      1. Stoneshop Silver badge
        FAIL

        That sort of defeats the point of an encrypted text chat app

        Transfer the encrypted message by USB stick to the communications device.

        Clearer now?

        1. disgustedoftunbridgewells Silver badge

          Re: That sort of defeats the point of an encrypted text chat app

          Oh, rather than typing them in, I see, that does make sense.

          To elaborate on that for this particular use case, I wonder if this would work:

          Two devices - a non-networked IO device for entering and reading messages and a communications device for transmission only.

          Enter your "more drugs plz" message into your input device and select the PGP key and address of the recipient to encrypt it with. Input device creates a QR code with the full message, recipient address, etc. Comms device scans the QR code and sends the message.

          Incoming messages handled in reverse - QR shown on the comms device and scanned, decrypted and displayed by the other [IO] device.

          It has the convenience that non-technical users could follow, limited attack surface of only a QR code scanner, the network attached device doesn't have any private data at all and both devices are prescribed ( ie: you can't use an insecure PC to create the message )

          Both devices would have to have cameras although they could have physical covers. Properly insulated software should make it pretty much impossible for a network attack.

          What do you think? Can you make any improvements?

          1. Stoneshop Silver badge

            Re: That sort of defeats the point of an encrypted text chat app

            Two devices - a non-networked IO device for entering and reading messages and a communications device for transmission only.

            Basically, this is the way encryption devices such as the Enigma, Fialka and Typex work, where you encrypt or decrypt the message airgapped from the comms method.

            Although that means that you still have to fully trust the crypto device, as you don't want to leak a plaintext segment of the outgoing message, and its QR reader needs to be fully isolated from the OS otherwise a malicious incoming message could still compromise the device. But that's not just with QR codes; any data transfer method between the crypto and comms devices opens an attack surface. With an Enigma you can't really compromise the machine itself so any attack should target the reader of the received message, but software-based systems will quite likely have _some_ weakness allowing them to be compromised.

    2. Lee D Silver badge

      Re: Use offline encryption/decryption

      We have encryption with perfect forward secrecy (so even the encrypted text and the stolen-afterwards private key does not reveal what the message contained).

      Any criminal who's just paying a French company for a "secure phone", the same as his mate's "secure phone" is the low-hanging fruit of those who are communicating secretly and don't wish the police to know about it.

    3. Alan Brown Silver badge

      Re: Use offline encryption/decryption

      and even if you don't have preagreed codes:

      "Regular checkin Mr Scott, code green, all normal."

    4. Cynic_999 Silver badge

      Re: Use offline encryption/decryption

      Using a non-networked computer does not protect you from having your messages recorded by a hardware keylogger. If you become a "person of interest," a small keylogger can be installed inside most computer keyboards in 5 minutes. Maybe by someone posing as a gas safety inspector to gain access to your home while you are out. Such keyloggers act as a hidden wifi hotspot while powered, which can then transfer your last few thousand keystrokes to anyone within wi-fi range over the following few days/weeks/months.

      1. Stoneshop Silver badge

        Re: Use offline encryption/decryption

        Which can be thwarted by keeping that offline machine inside a Faraday cage, running off a car battery that you disconnect from its charger when in use. And of course you religiously sweep the room.

        Still not perfect, but a few more hurdles between you and your adversaries.

    5. Claptrap314 Silver badge
      Mushroom

      Re: Use offline encryption/decryption

      The Iranians might suggest that the use of a USB stick isn't the best idea if you want to secure your system.

      And a floppy?

  10. Pete 2

    Lies, damned lies and official statements?

    > British, French and Dutch law enforcement agencies to have been used by around 60,000 people

    > British police claims that all 10,000 of EncroChat's UK users were criminals

    but only ...

    > 746 arrests. I.e. about 1 in 15 UK users.

    We know that all reports of "cyber crime" are bigged-up. Both in extent and sophistication. Is that the case here, too?

    60,000 users each paying £1500 per 6 months, comes out at £180 million a year to the owners of this network.

    If that is the true value of a covert mobile phone network, I cannot imagine that it will be down for long (esp. given what the operators will have learned from this). Nor that such networks do not operate elsewhere. In other parts of the world.

    Should we expect further reports of other "busts" in other countries - the USA being an obvious one. Or are those networks just better run and can avoid detection.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lies, damned lies and official statements?

      British Police recieve 9.254 Writs for Libel.

    2. Anonymous Coward
      Anonymous Coward

      Re: Lies, damned lies and official statements?

      "> British police claims that all 10,000 of EncroChat's UK users were criminals

      but only ...

      > 746 arrests. I.e. about 1 in 15 UK users.

      We know that all reports of "cyber crime" are bigged-up. Both in extent and sophistication. Is that the case here, too?"

      Hmm, a few things;

      1) It looks like the crims were awash with cash, so maybe it was not that uncommon for a 'user' to have more than one phone even at £3k a pop?

      2) The Met police chief said operations are ongoing, so they probably expect to arrest more people.

      3) In some cases, even having decrypted the messages, there may still not be sufficient evidence to make an arrest.

      4) We know that criminal gangs are often Global these days. So the wealth of intel recovered from the millions of encrypted messages should give the cops info about other possible networks in use. Expect more busts in the future and not just in Europe.

      And finally, let's be happy that a bunch of nasty individuals are hopefully going to be taken out of circulation for quite a while and that should mean there are fewer victims as a result :)

      Well done to our police forces!

      1. Stoneshop Silver badge
        Flame

        Re: Lies, damned lies and official statements?

        1) It looks like the crims were awash with cash, so maybe it was not that uncommon for a 'user' to have more than one phone even at £3k a pop?

        The drug cartels at least aren't really short of money indeed, given that they treat second-hand Learjets and such as consumables[0], and have "submarines"[1] built. So a couple thousand quid per phone appears to be just loose change.

        [0] to be consumed by fire that is, after the cargo has been unloaded.

        [1] not actually capable of diving, but they resemble one; a fully submerged cylindrical hull with a small canopy protruding above the water surface.

    3. Ben Tasker Silver badge

      Re: Lies, damned lies and official statements?

      > We know that all reports of "cyber crime" are bigged-up. Both in extent and sophistication.

      I'm reminded of the reports of the way the Police report the "street value" of seized drugs. They assume that the entire weight will be sold in the smallest possible denominations (smaller measures usually costing more per gram than larger ones).

      > Should we expect further reports of other "busts" in other countries - the USA being an obvious one. Or are those networks just better run and can avoid detection.

      Already happened to some limited extent - https://www.extremetech.com/mobile/265465-phantom-secure-ceo-busted-selling-super-secure-smartphones-drug-cartels

    4. John Jennings Bronze badge

      Re: Lies, damned lies and official statements?

      At 1000,eu for the device, followed by 3,000 eu per year subscription, you have to have a fairly big budget for privacy.

      The product was hardly being marketed as a 'mainstream' solution.

      Chances are that all (or almost) all the phones were for criminal purposes. Whether or not every single one had messages linking connecting an owner to a chargeable crime is another matter. Perhaps its easier to go for the low hanging fruit?

  11. Christoph

    Isn't it lucky that the cooperation with European police forces happened this year.

    After 31st December we're out of luck.

    1. disgustedoftunbridgewells Silver badge
      1. Anonymous Coward
        Anonymous Coward

        He's immature for pointing out the truth?

        I'd say you're immature for not being able to handle it.

    2. Anonymous Coward
      Anonymous Coward

      "After 31st December we're out of luck."

      Unlikely.

      Despite misinformation from the tabloid comics, it's only BRINO that's happening anytime this century.

      Until the "children" do grow up and decide they were better off actually being part of a 350M person economy.

  12. Anonymous Coward
    Anonymous Coward

    "....to support British police claims that all 10,000 of EncroChat's UK users were criminals. Such devices are of interest to legitimate users (journalists, lawyers, academics, domestic and foreign political campaigners.. "

    I would imagine the police also consider them criminals too...

    1. Chris G Silver badge

      The British police generally consider everyone not a policeman to be a criminal.

      Though they are not above massaging the law on occasion.

      An acquaintance, some years ago,was on jury service, one case was a yoof who had been caught for a series of car thefts, the charges included ( can't remember the exact number) something like 280 similar offences (commited over a relatively short period) to be taken into consideration.

      The beak looked up at the defendant and the arresting cop and remarked that the defendant had been a very busy boy and that the police were lucky to have cleared their unsolved car thefts with by catching such a prodigious car thief.

  13. Zippy´s Sausage Factory
    Joke

    Why am I thinking about 1960s Batman?

    Joker: "Do you have your criminal chat app?"

    Riddle: "It's on my criminal mobile phone."

    Joker: "Excellent"

    Batman: "Not so fast!"

    Both: "BATMAN!" (cue shocked Pikachu gif faces)

    Batman "Yes, and the Bat-Computer has been decoding everything you've been saying"

    Joker: "But how did you break our top-level criminal encryption?"

    Batman: "Well, to be honest... it was a bit rubbish."

    1. Anon
      Big Brother

      Re: Why am I thinking about 1960s Batman?

      Because you've been watching The Defpom's Mailbag Monday?

      1. Zippy´s Sausage Factory

        Re: Why am I thinking about 1960s Batman?

        I have no idea what that is but intend to find out forthwith. Or fifthwith, depending how long my thirdthwith task takes me.

  14. batfink Silver badge

    So what are GCHQ doing with all their funding then?

    So according to the (possibly misleading) available info, this was a bust led by the French, but the UK NCA claim to have "developed the tools" for this.

    Why are the NCA doing this? We already have spy agencies, funded in the billions pa. WTF are they doing then? I thought that the reason we throw money at them was so they could catch crims/peados/touriststerrorists?

    If I were the NCA I'd be holding my hand out for the other TLA's funding.

    It would be a very interesting committee meeting if the TLAs were asked to present a return on investment case.

    1. Alan Brown Silver badge

      Re: So what are GCHQ doing with all their funding then?

      "Why are the NCA doing this?"

      Perhaps the NCA are full of fecal matter?

    2. Roland6 Silver badge

      Re: So what are GCHQ doing with all their funding then?

      >Why are the NCA doing this?

      Well given we know that the NCA and GCHQ along with other agencies work together on things, I suspect having the NCA say "they did it" helps to coverup and divert awkward questions being asked of the European agencies and their investigations of European nationals given European laws.

      So I expect the French got an anonymous tip off - from the NSA - that enabled them to look in the right place to find the EncroChat services located in France.

      Aside: If you are interested in such matters, I recommend watching Deep Web - The Hunt for Dread Pirate Roberts.

  15. schermer
    Happy

    Dutch viewpoint

    From a dutch news channel ( https://www.nu.nl/binnenland/6061836/justitie-kon-live-meekijken-met-communicatie-criminelen-na-kraken-encrochat.html ): <translated>"The Dutch justice system has also been able to read more than twenty million messages live before they were encrypted by the users and EncroChat. The company is one of the largest providers of encrypted digital communication internationally.

    According to the judiciary, there are ten thousand users in the Netherlands whose reports concerned "unprecedentedly large numbers of serious crimes". As a result, the police say they have prevented liquidations, kidnapping plans have been thwarted, as have intended torture of individuals.

    It is painful to note that officials seem to have been bribed at important - logistics - locations."

    At least "our" Mocro-mafia can be diminished for a while. And moreover some of the corrupt officials can be dealt with.

    1. Anonymous Coward
      Anonymous Coward

      Re: Dutch viewpoint

      "The company is one of the largest providers of encrypted digital communication internationally."

      Except it isn't.

      But don't let the facts get in the way of a good story.

  16. idiottaxpayerhere previously ishtiaq/theghostdeejay
    WTF?

    A secure Android telephone?

    I mean seriously? Were these crims so stupid that they believed such a thing existed?

    Maybe they should have used iPhones.

    Cheers… Ishy

  17. Eclectic Man

    The Brexit angle (sorry)

    Will the UK still get access to this sort of information after Brexit? Or after 31st December as, in theory, 'Brexit' has already happened?

    1. Anonymous Coward
      Anonymous Coward

      Re: The Brexit angle (sorry)

      No, they don't need Europe now, and are looking to the US for intel, safe in the knowledge that it doesn't worry about minor details like laws.

      Oh, and the UK is "taking back control". /S

  18. theExecutive

    Daniel Kinahan

    Drugs and Murder exposed

  19. theExecutive

    VPN

    Yes your safe!!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: VPN

      My safe what?

  20. Anonymous Coward
    Anonymous Coward

    You can run but you can't hide

    If you worked for Encrochat then I suspect that there are a lot of unhappy people who will soon be seeking you out. I do not think such encounters will end well.

  21. seven

    Not many criminal users...

    If as alleged by British, French and Dutch law enforcement agencies EncroChat has been used by around 60,000 people, then 746 arrests makes 0.012 of users to be criminals. If as the British police claim, there are 10,000 EncroChat's UK users, then 746 arrests makes 0.074 of the users to be criminals.

    I wonder what percentage of Gmail are criminals? I wonder if freedom itself will be criminalized. Then 100% of users will be criminals.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not many criminal users...

      As the often misquoted saying goes, "innocent until proven guilty".

      In other words, from the State's perspective, and as previously confirmed by Cardinal Richelieu, it's just a matter of time.

  22. Anonymous Coward
    Anonymous Coward

    Michelle of the resistance

    Listen carefully, I shall say this only once...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020