A Law-Enforcement Breach of End-to-End Encrypted Messaging: The Case of Encrochat

Encrochat was a communications network and service provider that offered modified Android smartphones offering end-to-end encrypted communication based on the Signal protocol. In 2020, French law enforcement — in collaboration with agencies in the UK and the Netherlands as well as the European Agency for Law Enforcement Cooperation (Europol) — compromised the Encrochat network and exfiltrated historical data as well as real-time messaging data and metadata for weeks. The compromise remained undetected for approximately two months, after which Encrochat administrators shut down the network. Encrochat was used by organised crime groups in Europe (and elsewhere), and the exfiltrated information was used as supporting evidence in over 6000 arrests and related prosecutions across Europe; the information also led to the seizure or freezing of over 900 million euros as criminal funds, and the seizure of hundreds of tonnes of illegal drugs. The London Metropolitan Police, which made use of the intelligence gathered, described this as “the most significant operation the Metropolitan Police Service has ever launched against serious and organised crime”. In this talk, I examine what is known about how Encrochat was compromised, and how we know what we know at this time. In particular, I will discuss: the security and cryptography features used in Encrochat; what is currently known about how law enforcement breached the Encrochat network in 2020 and a potential earlier compromise; how we pieced together what is currently known from public sources such as historical Internet data, court records, and news reports; and legal, practical, and social limitations on the attack.

Biography

Sunoo Park is an assistant professor at the NYU Courant Institute and affiliated interdisciplinary faculty at the NYU School of Law, and is spending summer 2024 as visiting faculty at EPFL. Her research focuses on security, privacy, transparency, and regulation of digital technologies — both in computer science (with a cryptography/security perspective) and in law (with a technology law/policy perspective). She received her J.D. at Harvard Law School, her Ph.D. in computer science at MIT, and her B.A. in computer science from the University of Cambridge.