Here you can find out how German law enforcement succeeded in obtaining highly sophisticated encrypted digital communications, namely by way of France, and why special attention must be paid to what is communicated digitally and how. He who writes, stays!
The wind is turning - the world is becoming visibly more digital, and with this increase in digitality people are, without always being aware of it, documenting themselves. This documentation cannot be found in any master file or folder, but on hard drives, servers or in a "cloud". This becomes legally explosive when often whimsical correspondence is sent electronically, whether via e-mail or - much more frequently - via messenger services (SMS, WhatsApp, Facebook, Instagram, etc.). One example is an e-mail from a client's employee about parts that were being examined for fire risks after a major fire: "It smells so burnt in here".
The relevance of such communication is significantly increased by the fact that alleged violations of the law repeatedly lead to criminal investigations, and such correspondence is found in the course of these investigations, whether by reading out servers as part of a search or by seizing/confiscating mobile devices that - once decrypted - allow access to the correspondence conducted with this hardware. The result is that whimsical correspondence found in the process quickly dampens the mood of the author, the recipient and the company behind it when it becomes clear how this correspondence is read, interpreted and exploited by law enforcement agencies that are not very fond of humor.
A recent BGH decision on so-called EncroChat is a cause for concern. What was at stake: EncroChat was a company that offered tap-proof so-called crypto cell phones including a messenger service, secured by so-called end-to-end encryption (E2EE). There were around 60,000 users worldwide who apparently attached particular importance to their privacy. In Germany, for good reasons, the requirements under which a so-called source TKÜ (surveillance of telecommunications via the installation of so-called Trojans) or a so-called online search may be carried out are very strict (§§ 100a, 100b StPO). Both measures use "technical means" to intervene in information technology systems used by the persons concerned. Both cases therefore involve legally legitimized "hacking" of digital devices, nothing else. These measures, which are subject to judicial review, are only permissible if there is a so-called qualified suspicion of specifically listed catalog crimes, such as crimes against life, forms of organized crime, significant tax crimes or money laundering. But: according to parts of the German judiciary, the mere use of a crypto cell phone from the company EncroChat already indicates conspiratorial behavior aimed at committing and concealing criminal offenses. German case law (such as the Higher Regional Court of Bremen and the Higher Regional Court of Rostock) makes the claim, which is not even remotely proven, that the technology of this provider was used on a large scale and predominantly throughout Europe in the criminal milieu for the commission of serious crimes.
What is only possible in Germany under more difficult conditions, i.e. hacking into and investigating communications via crypto phones, is not even half as difficult in France: French investigating authorities had noticed in individual cases that crypto phones from EncroChat (models OnePlus One, OnePlus X and BQ Aquaris X) were being used by suspects of (rather minor) narcotics offenses. This triggered a large-scale investigation in France, which - as far as is known - was not based on any suspicion against specific individuals. The French authorities succeeded in infiltrating the company's servers in France as well as the associated information technology systems, i.e. the crypto cell phones, by 2020. To this day, not all the details of how the collection actually took place are known. This information - which is anything but trivial - is supposed to be subject to secrecy from the point of view of the French authorities. What is known, however, is that access was gained by installing software that served as an interception device: in order to bypass the message encryption, a Trojan was installed on all EncroChat end devices with the help of an update. This enabled the French authorities both to access stored content and to intercept ongoing communications. The data obtained in this way was then also presumably made available to the German investigating authorities from April 2020 onwards, because there were also indications of criminal acts in Germany. As far as is known, there was no formal request for mutual legal assistance at that time. The General Public Prosecutor's Office in Frankfurt a. M. did not issue a so-called European Investigation Order (EIO, German abbreviation: EEA) until June 2, 2020. The investigative court in Lille approved the transmission and use of the data in Germany on 13.06.2020. Previously, it had ordered their collection under French law. Data was transmitted to Germany by 28.06.2020. More than 2,000 preliminary proceedings were initiated on the basis of this data.
The German Federal Court of Justice had to deal with the question of the admissibility of EncroChats because convictions in criminal proceedings were based on precisely these EncroChats transmitted from France. The Federal Court of Justice expressly rejected a ban on the use of evidence, even though the German constitution provides special protection for the secrecy of telecommunications (Article 10 of the Basic Law) and even derives from this a duty on the part of the state to protect against interference by foreign states with information technology systems in Germany. This is precisely why online searches and source tapping are subject to high legal hurdles. As far as is known, such measures were not taken in Germany, but France gratefully resorted to the EncroChats, which were not subject to German rules. There was also no coordination with the German authorities on the part of the French investigative authorities; in particular, France did not issue a so-called European investigation order; the issuance of the investigation order would have given Germany the opportunity to object to the measure under Directive 2014/41/EU. The German authorities, in turn, would have had to object because the measure would not have been permissible under German criminal law due to a lack of qualified suspicion (Section 91g (6) IRG).
And this is where it gets interesting: instead of examining the French measure and objecting to it, as provided for by law, the German investigating authorities issued their own European investigation order - obviously with the aim of concealing what had been the plan from the outset: namely, to obtain the evidence collected in France by circumventing clear German rules. Our Federal Court of Justice did not see any problem in this. For the court, neither the European investigation order of the German investigating authorities, which was only intended for camouflage purposes, posed a problem, nor did principles of German constitutional law, international law and the European Convention on Human Rights.
This teaches the following: digital communication is the future. No one can get around that anymore. But digital communication cannot be protected even by hardware and software specially designed for this purpose. This applies to unwanted access by public prosecutors just as it does to access by competitors. And the principle "What do I care, I have nothing to hide" has always been wrong, because how digital communication, especially via messenger services, is one day read, understood and exploited is ultimately decided by a court, not by the author of that communication. In this light, it is important that companies communicate with the necessary sensitivity for every written word. After all, you don't know who will be reading along later. And German legal protection, which exists at least in certain fundamentals, is worth nothing if it is completely devalued by way of modern forum shopping simply because the interference in digital communication takes place via states that do not know a comparable level of protection.