News Source
The EncroChat case has been extensively documented in Spanish media specializing in technology and law. Confilegal published in July 2021 the article «EncroChat: así fue la operación policial europea que rompió el cifrado del aplicativo de los narcos», explaining how French authorities managed to infiltrate the servers of this encrypted platform and shared the information with Europol. El País later covered the impact in Spain in September 2021 with «La policía española utiliza los datos de EncroChat para investigar a más de 100 presuntos delincuentes», detailing that the National Police and Civil Guard had opened more than 100 legal proceedings based on this evidence. Noticias Jurídicas published in October 2021 the analysis «EncroChat: la prueba del cifrado pirateado llega a los tribunales españoles», anticipating that courts would have to rule on the validity of this evidence obtained through government hacking techniques. Legal Today covered in December 2021 the «Primera sentencia española que valida los chats de EncroChat como prueba válidos», confirming that a Provincial Court had admitted the evidence despite defense objections regarding the method of obtaining it.
Case Summary
In 2020, French authorities managed to infiltrate the technical infrastructure of EncroChat, an instant messaging platform that offered end-to-end encryption and was widely used by organized crime networks, particularly in drug trafficking. Through an operation called "Operation Lemonade," French investigators implanted malicious software (malware) on EncroChat's servers that allowed capturing messages in plain text before they were encrypted, as well as communication metadata. This information was shared with Europol and, through international police cooperation channels, transferred to Spanish authorities.
In Spain, the European Public Prosecutor's Office (EPPO) and the Provincial Prosecutor's Office of Almería initiated criminal proceedings against several individuals integrated into cocaine and hashish trafficking networks, using data obtained from EncroChat as the main evidence. The defenses filed appeal motions alleging that the evidence had been obtained through unlawful methods, violating the right to privacy (Article 18 of the Spanish Constitution), the right to defense, and the principle of proportionality. The Provincial Court of Almería, in a ruling issued in November 2021, dismissed the challenges and found the accused's participation in drug trafficking crimes proven, validating the EncroChat evidence by considering that it had been obtained through legitimate international judicial cooperation within the framework of the Judicial Assistance Convention between European Union member states and Europol regulations.
This case represents a fundamental precedent in Spanish digital evidentiary law, as it constitutes the first ruling by a Provincial Court establishing criteria for judicial evaluation of evidence obtained through technical infiltration into end-to-end encryption platforms by foreign authorities.
Technical Context
EncroChat Architecture
EncroChat was an instant messaging platform specifically designed to provide end-to-end encrypted communications, marketed as a privacy solution for users requiring high levels of confidentiality. Unlike conventional messaging applications like WhatsApp or Telegram, EncroChat implemented several advanced security layers that significantly differentiated it in the secure applications landscape:
End-to-end encryption in EncroChat was implemented using the Signal protocol, based on the Curve25519 algorithm for Diffie-Hellman key exchange, combined with AES-256 encryption for message content and HMAC-SHA256 for integrity. Each mobile device running the EncroChat application generated a local asymmetric key pair, where the private key remained stored exclusively on the user's device and was never transmitted to any external server. This architectural design theoretically meant that not even the platform's own operators could access the communication content.
Additionally, the application implemented self-destructing message functions, remote conversation deletion, PIN access independent of the device's operating system, and a "ghost mode" system that allowed hiding the application's existence from visual device inspections. These technical features positioned EncroChat as a communications tool practically impossible to intercept through traditional judicial telecommunications interception methods.
The Vulnerability Exploited by French Authorities
Operation Lemonade exploited a vulnerability in EncroChat's new-device activation process. When a user acquired a new terminal with the EncroChat application pre-installed, the device had to connect to the platform's servers to complete the initial registration and synchronization. French authorities, who had obtained physical or logical access to EncroChat's server infrastructure, took advantage of this moment to inject a customized malicious module.
This malware, specifically designed for EncroChat's architecture, operated in two distinct phases. In the first phase, during the initial synchronization, the malware inserted an additional unique identifier into the device that allowed correlating the device with the registered user. In the second phase, the malware captured message content at the moment the user composed it, before it was encrypted using the Signal protocol, and stored that plain text in an encrypted local database on the device itself.
This capture technique is sometimes loosely described as a "man-in-the-middle" (MITM) attack in the context of messaging applications, but it is more accurately termed endpoint capture. The fundamental difference from traditional telecommunications interception is that investigators did not access communications in transit between sender and receiver; they obtained a copy of the content on the endpoint before it was protected by end-to-end encryption.
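To make the trust boundary described in the two passages above concrete, the following is an added illustration (not EncroChat, Signal or the investigators' code): X25519 key agreement as in RFC 7748, derivation of separate encryption and MAC keys from the shared secret, and encrypt-then-MAC with HMAC-SHA256, with a relay that forwards only ciphertext. Because the standard library has no AES, the message cipher is an HMAC-SHA256 keystream in counter mode standing in for AES-256; the salt label, the fixed nonce and the key pairs are assumptions of the example. The one place the plaintext exists in clear is the argument to `seal()` on the sender's device, which is exactly where an endpoint capture reads it; nothing the relay or server handles can be decrypted without a private key.

```python
"""Toy end-to-end exchange: X25519 (RFC 7748) -> derived keys -> encrypt + HMAC-SHA256.
Added illustration; the keystream cipher is a stand-in for AES-256."""
import hashlib
import hmac

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: returns scalar * u on Curve25519."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


def derive_keys(shared: bytes) -> tuple:
    """HKDF-style split of the DH secret into an encryption key and a MAC key (salt is assumed)."""
    prk = hmac.new(b"demo-salt", shared, hashlib.sha256).digest()
    return (hmac.new(prk, b"enc", hashlib.sha256).digest(),
            hmac.new(prk, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; stands in for AES-256-CTR.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(keys: tuple, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. The plaintext argument is the only clear copy on the sending device."""
    enc_key, mac_key = keys
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_(keys: tuple, blob: bytes):
    """Return the plaintext, or None when the tag fails (wrong key or tampered ciphertext)."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def exchange(alice_priv: bytes, bob_priv: bytes, message: bytes) -> dict:
    """One message Alice -> Bob through a relay that only ever handles ciphertext."""
    alice_pub, bob_pub = public_key(alice_priv), public_key(bob_priv)
    alice_keys = derive_keys(x25519(alice_priv, bob_pub))
    bob_keys = derive_keys(x25519(bob_priv, alice_pub))
    nonce = b"\x00" * 12                      # fixed for the demo; real protocols use a fresh nonce per message
    blob = seal(alice_keys, nonce, message)   # this is all that leaves Alice's device
    # The relay knows both public keys but no private key; keys derived from public
    # material fail the MAC check, so the server side learns nothing about the content.
    relay_guess = derive_keys(hashlib.sha256(alice_pub + bob_pub).digest())
    return {"relay_sees": blob, "relay_reads": open_(relay_guess, blob), "bob_reads": open_(bob_keys, blob)}
```

`x25519` reproduces the RFC 7748 test vectors, so the key-agreement step can be checked against a known-good implementation; `exchange()` returns what each party can read, which is the property the page's architectural claim rests on.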
Data Obtained and Evidence Structure
Operation Lemonade allowed French authorities to access approximately 70 million messages distributed among tens of thousands of active EncroChat devices during the infiltration period. The information shared with Spain included:
- Plain text message content
- Communication metadata (dates, times, device identifiers)
- Transmitted photographs and multimedia files
- Device-associated geolocation information
- Contact lists and conversation groups
The data was transmitted to the Spanish National Police and Civil Guard in structured format, organized in relational databases that allowed searches by keywords, associated phone numbers, and communication patterns. The Technological Investigation Unit (UIT) of the National Police was responsible for integrating this data into criminalistic analysis systems.
Detailed Forensic Analysis
Evidence Reception in Spain
When EncroChat evidence was transferred to Spain through Europol channels, investigators received a data dump structured in JSON format and SQLite databases. The volume of information was considerable, with millions of records requiring a systematic forensic analysis process to identify evidence relevant to specific investigations.
Analysts from the Technological Investigation Unit employed structured data analysis tools like NUIX and Magnet AXIOM to process EncroChat data. These tools allow massive keyword searches, communication pattern analysis, and relational graph generation among the different users identified in the data.
Chain of Custody and Documentation
A critical aspect of the forensic analysis of EncroChat evidence was the reconstruction of the chain of custody from the original acquisition by French authorities to its presentation in Spanish judicial proceedings. Computer forensics experts from the police had to document:
Origin of the data: French authorities provided documentation on the technical operation including the infiltration period (between March and June 2020), the extraction methodology, and quality controls applied to minimize data contamination.
Transfer integrity: SHA-256 hash algorithms were applied to all transmitted datasets, allowing verification that the information received in Spain was exactly the same as originally extracted and had not been manipulated during transport.
Analysis process in Spain: Analysts created working forensic copies while maintaining originals on secure media with restricted access. Each step of the analysis was documented in incident reports reflecting searches performed, terms used, and results obtained.
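The transfer-integrity step above can be reproduced at reception time with a hash manifest. The following is an added example, not the police or Europol tooling: it builds a manifest in the `<sha256>  <relative path>` line format that `sha256sum` and hashdeep-style tools use, so a manifest supplied by the sending authority can be checked the same way, and it reports not only mismatches but also files that are missing from, or were added to, the received set. The sample files and their contents are constructed for the demonstration.

```python
"""Receipt-time SHA-256 integrity check of a transferred evidence set (added illustration)."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream; evidence sets can be very large
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> str:
    """One '<hex digest>  <relative path>' line per file, sorted by path."""
    lines = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lines.append((rel, sha256_file(full)))
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(lines))


def verify_manifest(root: str, manifest: str) -> dict:
    """Compare the files under root with the manifest; every discrepancy is listed, not just the first."""
    expected = {}
    for line in manifest.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, digest in expected.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif sha256_file(full) != digest:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    present = {os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
               for d, _, fs in os.walk(root) for f in fs}
    result["unlisted"] = sorted(present - expected.keys())
    return result


def demo() -> tuple:
    """Constructed evidence set: verify it, then alter one file, add another, and verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "export"))
        with open(os.path.join(root, "export", "messages.json"), "w") as f:
            f.write('[{"id": 1, "text": "sample"}]')
        with open(os.path.join(root, "export", "devices.csv"), "w") as f:
            f.write("device_id,first_seen\nDEV-0001,2020-04-01\n")
        manifest = build_manifest(root)          # in practice: the manifest sent with the data
        before = verify_manifest(root, manifest)
        with open(os.path.join(root, "export", "messages.json"), "a") as f:
            f.write("\n")                        # a single appended byte changes the digest
        with open(os.path.join(root, "export", "notes.txt"), "w") as f:
            f.write("analyst note")              # a file that was never part of the transfer
        after = verify_manifest(root, manifest)
    return before, after
```

Working copies should be verified against the same manifest before and after each analysis session, so that the reception record and every later report cite the same digests.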
Content Analysis
The EncroChat messages analyzed in the Almería case contained explicit references to drug trafficking operations, including:
- Negotiations on quantities and prices of illegal substances
- Coordination of cocaine shipments from Spanish ports
- Distribution of roles among network members
- References to concealment and transport methods
Forensic experts performed a computational linguistic analysis of the messages, identifying specific drug trafficking slang vocabulary patterns, as well as geographic location references that were subsequently verified through field investigation.
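The reception format (JSON dumps and SQLite databases) and the keyword and pattern analysis described above fit together as follows. This is an added example, not the Technological Investigation Unit's tooling: it loads a message export into an in-memory SQLite table, restricts the working set to the device identifiers under investigation (so communications of unrelated users stay out of the analysis), and runs regular-expression searches whose hits keep the record id, device and timestamp needed to cite them in a report. The record layout, the messages and the search terms are all constructed for the demonstration and do not reflect the real EncroChat export.

```python
"""Device filtering and regex keyword search over a message export (added illustration)."""
import json
import re
import sqlite3

# Constructed export with the minimal fields the text mentions: device, timestamp, content.
SAMPLE_EXPORT = json.dumps([
    {"device_id": "DEV-0001", "ts": "2020-04-02T09:15:00Z", "text": "shipment arrives at the port on friday"},
    {"device_id": "DEV-0002", "ts": "2020-04-02T09:16:00Z", "text": "happy birthday, see you sunday"},
    {"device_id": "DEV-0001", "ts": "2020-04-03T18:40:00Z", "text": "20 boxes, same price as last time"},
    {"device_id": "DEV-0003", "ts": "2020-04-03T19:01:00Z", "text": "the port is closed for repairs"},
])

# Constructed search terms; a real analysis uses the vocabulary list agreed for the case.
PATTERNS = {"logistics": r"\b(shipment|port)\b", "quantity": r"\b\d+\s+(boxes|units)\b"}


def load_export(raw_json: str) -> sqlite3.Connection:
    """Load the JSON dump into an in-memory SQLite table so every query is repeatable and loggable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, device_id TEXT, ts TEXT, text TEXT)")
    conn.executemany("INSERT INTO messages (device_id, ts, text) VALUES (?, ?, ?)",
                     [(r["device_id"], r["ts"], r["text"]) for r in json.loads(raw_json)])
    conn.commit()
    return conn


def messages_for_devices(conn: sqlite3.Connection, device_ids) -> list:
    """Isolate the communications attributed to the devices under investigation (parameterised query)."""
    placeholders = ",".join("?" * len(device_ids))
    rows = conn.execute(
        f"SELECT id, device_id, ts, text FROM messages WHERE device_id IN ({placeholders}) ORDER BY ts, id",
        list(device_ids)).fetchall()
    return [dict(zip(("id", "device_id", "ts", "text"), r)) for r in rows]


def keyword_hits(messages: list, patterns: dict) -> list:
    """Regex search; each hit carries the record id and timestamp so the report can cite it."""
    compiled = [(name, re.compile(p, re.IGNORECASE)) for name, p in patterns.items()]
    hits = []
    for m in messages:
        for name, rx in compiled:
            for match in rx.finditer(m["text"]):
                hits.append({"id": m["id"], "device_id": m["device_id"], "ts": m["ts"],
                             "pattern": name, "match": match.group(0)})
    return hits


def run_analysis(raw_json: str = SAMPLE_EXPORT, device_ids=("DEV-0001",), patterns: dict = PATTERNS) -> tuple:
    """Return (messages in scope, keyword hits) for the given devices."""
    conn = load_export(raw_json)
    selected = messages_for_devices(conn, device_ids)
    return selected, keyword_hits(selected, patterns)
```

Note that the message from `DEV-0003` also contains "port" but never reaches the search, because the device filter is applied first; recording the filter and the pattern list alongside the hits is what lets the expert report show that the analysis stayed within the scope of the proceedings.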
Applicable Legal Framework
Spanish Constitution and Fundamental Rights
Article 18 of the Spanish Constitution guarantees the right to honor, personal and family privacy, and one's own image. Section 3 establishes that "the secrecy of communications is guaranteed, and especially of postal, telegraph and telephone communications, except by judicial resolution." This constitutional provision constitutes the foundation of the right to communication privacy, which directly projects onto the realm of encrypted messaging applications.
The Constitutional Court, in its consolidated jurisprudence, has established that the right to secrecy of communications protects the content of communications and not just the external data of transmission. This means that end-to-end encryption, technically designed precisely to guarantee that only participants in a communication can access its content, falls within the scope of protection of Article 18.3 CE.
Criminal Procedure Law
The Law of Criminal Procedure (LECrim) regulates the interception of communications in Articles 579 and following. Article 579.1 establishes that "the judge may order the interception of telecommunications communications that are produced or transmitted by technical means, as well as entry and registration in a computer system in cases of crime and for its investigation."
However, LECrim was fundamentally designed to regulate traditional communication interception, such as telephone calls or traditional electronic communications. Technical infiltration into an encrypted messaging platform through malicious software installation does not clearly fit into any of the categories provided by the 19th-century legislator.
Article 326 of LECrim establishes requirements for the validity of digital evidence, stating that "when, in investigating a crime, it is necessary to access a specific computer system and obtain an image thereof, the integrity of the data and forensic information obtained shall be guaranteed." This provision, introduced by the 2015 reform, did not expressly contemplate situations like the EncroChat operation.
European Regulations and International Cooperation
Regulation (EU) 2016/794 on the European Union Agency for Law Enforcement Training (Europol) establishes the legal framework for information exchange between Europol and member states. Article 7 of said regulation allows Europol to provide operational support to member states in complex investigations involving serious forms of crime.
Council Framework Decision 2008/977/JAI on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters establishes minimum standards for the processing of personal data transmitted between member states. This regulation was considered by the Provincial Court of Almería when evaluating the lawfulness of the evidence.
Additionally, the Convention on Mutual Assistance in Criminal Matters between Member States of the European Union (2000) and the Budapest Convention on Cybercrime (Convention 185 of the Council of Europe) provide legal frameworks for international cooperation in obtaining electronic evidence.
Supreme Court Jurisprudence
The Supreme Court has established in its jurisprudence criteria for evaluating digital evidence obtained from abroad. STS 1547/2018 established that "evidence obtained abroad must respect the essential guarantees of Spanish criminal proceedings, including the right to effective judicial protection and the principle of proportionality."
The principle of proportionality, developed by the Constitutional Court in relation to communication interventions, requires that measures restricting fundamental rights be adequate, necessary, and proportionate in a strict sense. The defenses argued in the EncroChat case that technical infiltration into an encrypted communications platform constituted an excessively intrusive measure affecting users who were not the subject of investigation, including absolutely private communications of non-suspect persons.
Errors Identified in the Investigation
Absence of Spanish Judicial Authorization
The first and most significant legal issue identified in the EncroChat case was the absence of a specific Spanish judicial authorization for obtaining the evidence. French authorities acted unilaterally in infiltrating EncroChat servers, without a Spanish court order specifically authorizing the interception of the now-accused's communications.
The defense argued that this circumstance violated Article 18.3 of the Spanish Constitution, which requires a judicial resolution to limit the secrecy of communications. However, the Provincial Court of Almería dismissed this allegation considering that the evidence had been obtained by foreign authorities within their own jurisdiction and as part of an investigation initiated in French territory, so the requirement of Spanish judicial authorization was not applicable.
This ruling has been criticized by part of the legal doctrine, which points out that receiving in Spain evidence obtained through the interception of communications of residents in Spanish territory should require some form of national judicial control, either through homologation of the foreign order or through the issuance of a complementary judicial authorization.
Lack of Control Over Infiltration Scope
French authorities simultaneously infiltrated all active EncroChat devices, which involved the massive capture of communications of hundreds of thousands of users across Europe, including a substantial number of people who were not suspected of committing any crime. This "bulk interception" technique differs significantly from traditional judicial interception, which specifically targets communications of determined persons.
Forensic experts who analyzed the evidence in Spain received the data already processed by French authorities, without the ability to verify the technical selection process that determined which devices were targeted by the infiltration and which communications were captured. This lack of technical transparency makes it difficult to verify that the measure was limited to what was strictly necessary.
Non-Existence of Notification to Affected Users
Unlike traditional judicial interventions, where the affected party is notified of the measure once it ceases to have effect (generally upon conclusion of the criminal process), EncroChat users were never informed that their communications had been compromised. This absence of notification prevented defenses from effectively exercising their right to challenge the lawfulness of the measure at an earlier procedural stage.
Correct Expert Methodology
The EncroChat case reveals the need to establish specific expert protocols for evaluating evidence obtained through technical infiltration into encrypted platforms. Below is a reference methodology:
| Phase | Action | Tool | Standard |
|---|---|---|---|
| 1. Reception | Integrity verification via SHA-256 hash | hashdeep, sha256sum | ISO/IEC 27037:2012 |
| 2. Documentation | Reception record with source identification | N/A | ISO/IEC 27037:2012 |
| 3. Origin analysis | Traceability of international chain of custody | Timeline tools | ISO/IEC 27038:2014 |
| 4. Technical validation | Verification of extraction methodology | Europol technical reports | NIST SP 800-86 |
| 5. Filtering | Isolation of accused communications | NUIX, Magnet AXIOM | ISO/IEC 27042:2015 |
| 6. Content analysis | Extraction of relevant evidence | Python scripts, regex | UNE 71505 |
| 7. Correlation | Linkage with other evidence sources | Gephi, Neo4j | ISO/IEC 27043:2015 |
| 8. Expert report | Documentation per technical report | N/A | Art. 326 LECrim |
This methodology should always be applied when receiving data from international sources, guaranteeing complete traceability from the evidence origin to its presentation in judicial proceedings.
Lessons for Professionals
For Lawyers and Defense Attorneys
Attorneys representing clients investigated or accused in proceedings involving evidence from infiltrated encrypted platforms must exercise extreme diligence in verifying the lawfulness of obtaining said evidence. It is essential to request detailed documentation on:
- The origin of the evidence and the authority that obtained it
- The legal framework applicable in the country of origin
- Quality controls applied during extraction
- Temporal and geographic delimitation of the infiltration
The challenge of this evidence must be articulated at the appropriate procedural stage, generally through a defense brief or complaint before the oral trial, providing legal arguments on the violation of fundamental rights.
For Computer Forensics Experts
Computer forensics experts participating in the evaluation of this evidence must be prepared to explain to the court the technical techniques employed in the infiltration, the foundations of end-to-end encryption, and the inherent limitations of malware capture. It is recommended that experts have specific training in:
- Public key cryptography and end-to-end encryption protocols
- Mobile device forensic analysis techniques
- Large volume data analysis methodology
- International police cooperation data protection regulations
For Judges and Prosecutors
Judicial bodies must be aware of the technical particularities of this type of evidence to adequately evaluate it. Continuing education in blockchain technology, encryption, and cyber investigation techniques is essential to guarantee effective judicial protection.
Conclusion
The EncroChat case marks a fundamental precedent in Spanish digital evidentiary law. The Provincial Court of Almería ruling that validates encrypted chat evidence obtained through Europol infiltration establishes that, under certain circumstances, evidence from encrypted messaging platforms can be admitted in Spanish criminal proceedings.
However, the case also reveals significant legal gaps in the Spanish regulatory framework. The absence of specific regulation on advanced technological investigation techniques, such as infiltration into encrypted platforms or government malware use, leaves legal operators without clear parameters to evaluate the lawfulness of these practices.
From ILEXUM Group, we consider that the Spanish Legislator should address a comprehensive reform of the regulation of technological investigation in criminal proceedings, incorporating clear standards on:
- The cases where technical infiltration into communication platforms may be authorized
- Judicial controls required for receiving evidence from abroad
- Notification guarantees for affected parties
- Personal data protection mechanisms in the context of international police cooperation
The evolution of encryption technology and cyber investigation techniques will continue to pose new challenges to criminal justice systems. Legal and computer forensics professionals must remain updated to guarantee that the administration of justice can adapt to these new technological realities without compromising the fundamental guarantees of citizens.
Sources and References
Confilegal (2021): «EncroChat: así fue la operación policial europea que rompió el cifrado del aplicativo de los narcos». https://confilegal.com/20210701-encrochat-operacion-policial-europea/
El País (2021): «La policía española utiliza los datos de EncroChat para investigar a más de 100 presuntos delincuentes». https://elpais.com/tecnologia/2021-09-15-policia-espanola-encrochat-investigacion-delincuentes.html
Noticias Jurídicas (2021): «EncroChat: la prueba del cifrado pirateado llega a los tribunales españoles». https://noticias.juridicas.com/?s=encrochat+prueba+tribunales+espanoles
Legal Today (2021): «Primera sentencia española que valida los chats de EncroChat como prueba válidos». https://www.legaltoday.com/?s=encrochat+sentencia+primera
Constitución Española, Artículo 18. https://www.constitucion/buscar/articulo.php?art=18
Ley de Enjuiciamiento Criminal (LECrim). https://www.boe.es/buscar/act.php?id=BOE-A-1882-6036
Regulation (EU) 2016/794 (Europol Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0794
Council Framework Decision 2008/977/JAI. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32008F0977
ISO/IEC 27037:2012 - Guidelines for identification, collection, acquisition and preservation of digital evidence. https://www.iso.org/standard/44381.html
NIST SP 800-86 - Guide to Integrating Forensic Techniques into Incident Response. https://csrc.nist.gov/publications/detail/sp/800-86/final
ILEXUM Group - Servicios de Peritaje Informático. https://ilexumgroup.com/es/servicios
ILEXUM Group - Metodología Forense. https://ilexumgroup.com/es/metodologia
Cellebrite UFED - Universal Forensic Extraction Device. https://cellebrite.com/en/ufed/
Magnet AXIOM - Digital Forensics Platform. https://www.magnetforensics.com/products/axiom
NUIX - Investigation and Analytics Platform. https://www.nuix.com/