The Guardian

Cracking the apps Crimefighters accused of going too far to bring down super-cartels

Daniel Boffey Chief reporter

Law enforcement sources described it as an embarrassment of riches, a treasure trove that led to raids across Europe and in Dubai this week said to have brought down a super-cartel controlling a third of Europe’s cocaine trade.

“It was as if we were sitting at the table with the criminals,” the executive director of Europol, Catherine De Bolle, said in a recent interview.

The cracking of an encrypted communication app known as Sky ECC, said to be the “best-in-class security”, and the deliverance into the hands of FBI agents and police officers in Europe of 1bn messages sent and received by 120,000 users, has been a gift that keeps on giving.

The US attorney’s office had gone public with the triumph of code cracking last March in an indictment against Jean-François Eap, the chief executive of the Canada-based firm Sky Global, which owns communications technology, accusing him of participating in a criminal enterprise “that facilitated the transnational importation and distribution of narcotics through the sale and service of encrypted communications devices”.

A blizzard of arrests followed, starting with last year’s raids in Belgium and the Netherlands at the level of the street lieutenants and culminating in this week’s Operation Desert Light and the arrest of 49 suspects hiding out in luxury properties in Spain and Dubai, including six alleged global kingpins.

The incinerators in Belgium are said to be unable to cope with the sheer scale of cocaine being seized in Antwerp, while Dubai’s prisons are playing host to a who’s who iof the organised crime world, many with links to Daniel Kinahan, the alleged Irish crime boss and friend of the boxer Tyson Fury.

The audacious piece of law enforcement follows other recent policing initiatives, including the FBI’s discovery of a private key to unlock a bitcoin wallet in which Colonial Pipeline Co had paid $5m (£4m) in ransom to cyberhackers.

Questions are being raised, however, in the case of Sky ECC and the cracking of other encryption services, about whether this audacity may have gone too far.

A legal motion brimming with internal emails and documents, filed by lawyers acting for Sky Global – as part of an attempt to reclaim 116 internet domains that it claims were unlawfully seized by the FBI and other law enforcement agencies – argues that lines are definitively being crossed that should worry us all.

Eap, publicly condemned as a friend to organised crime but described by friends as a tech startup nerd who has never even smoked a cigarette in his life, is said to be shattered, regarding himself as collateral damage in a tech arms race between organised criminals and their law enforcement foes.

The Sky ECC encryption platform emerged in 2013 “in response to global increases in cellphone hacking and high-profile data breaches”, according to the motion filed at a US district court in southern California.

Sky Global sold secure devices with the app preloaded on to distributors around the world. While WhatsApp targeted average customers, Sky ECC was more niche: “individuals and industries with heightened privacy concerns … consisting of government entities, military contractors, celebrities and members of the legal, healthcare and financial industries”.

An email contained within the file suggests that at one stage in 2018 Sky Global offered free samples of the phones to Ontario police. The firm also knew that such a piece of technology could be useful to criminals. It insists, however, that it took every measure available to reduce the risk. One exhibit in the file from May 2020 chronicles how Sky

Global’s support team received a request from a reseller named “Kaan” in Germany asking the firm to urgently wipe the contents of two phones. “PLEASE HELP! Two customers have problems with the police. Their devices were confiscated. Please delete two devices and the Sky app.”

The support team responded that they would not wipe a device that “we know is subject to a valid legal investigation”. The email added: “It should be noted that our software automatically erases all data at least every seven days [fewer, if the user changes their settings] and we are unable to prevent such data from being erased.”

The company argues that simply because its technology could be used for nefarious purposes does not mean it was designed for organised crime. “What has happened here is the equivalent of the government seizing Apple. com because drug dealers use iPhone encryption features to communicate with each other,” Sky Global’s lawyers wrote.

The lawyers also argue that when Sky ECC was closed down, an opening in the secret communications market was created – one the FBI was keen to exploit. From 2018, an encrypted service known as Anom had been gathering momentum in the criminal underworld despite its cost of $1,700 (£1,400) for the handset and a $1,250 annual subscription. What its users didn’t know was that Anom was an FBI invention and every message on it was being read by law enforcement.

With Sky ECC down, Anom enjoyed what the FBI admit was exponential growth in its customer base, with 6,000 customers switching over.

The closure of Sky ECC, its lawyers claim, was in part an effort “to bolster a separate law enforcement operation at the expense of a thriving and legal private business”. The dramatic scenes of recent days of once cocky men being led away from their pads in Marbella and Dubai may be seen to justify law enforcement’s means.

But a further concern has arisen in cases being heard in UK courts. No one outside a small circle of people, and specifically the French authorities – which seem to have been instrumental in accessing a Sky ECC server in their country – can say how the messages were hacked or even whether the data can be relied upon.

The Italian supreme court ordered prosecutors last month to disclose how the Sky ECC data had been retrieved, arguing that it was impossible to have a fair trial if the accused was unable to access the evidence or assess its reliability and legality. Whether prosecutors choose to do so could determine whether the arrests made this week lead to convictions or not.

With legal questions over the provenance of the communications intercepted in Sky ECC, there will be concern about whether the treasure unearthed proves to be fool’s gold – and what rights have been trodden on in the gathering of it.

World

en-gb

2022-12-03T08:00:00.0000000Z

2022-12-03T08:00:00.0000000Z

https://guardian.pressreader.com/article/282291029258777

Guardian/Observer