EncroChat, targeted equipment interference, and the Court of Appeal

enter image description here This is a quick comment on the Court of Appeal's judgment in the case of A and Ors, R v, relating to EncroChat.

It is a comment on the judgment, and the way in which the Court applied the rules under the Investigatory Powers Act 2016. I am aware of online discussions around the evidence put to the court of first instance, and the resulting findings of fact. I make no comment on those.

If you are reading this because you're a telecoms operator and you're wondering what to do with a targeted equipment interference warrant or a targeted interception warrant received from an agency, feel free to get in touch for advice.

Background to the case

The overall (not very detailed) facts

There's a summary of the broader story, by Gareth Corfield, writing for The Register, and I'd suggest reading that if you are not sure where to start. If you want more detail, take a look at R (C) v. Director of Public Prosecutions.

The Court described what happened quite briefly:

the EncroChat servers were in France and the French Gendarmerie had discovered a way to send an implant to all EncroChat devices in the world under cover of an apparent update. That implant caused the device to transmit to the French police all the data held on it. This was called the Stage 1 process. It would capture all data which had not been erased, typically therefore 7 days' worth of communications. Thereafter, in the Stage 2 process, the implant collected messages which were created after Stage 1. The Stage 2 collections occurred after what was called "the infection", which was the point at which the implant first arrived on the device and executed Stage 1.

The issue before the Court of Appeal here

The gist of the issue before the Court of Appeal here was whether, in acquiring communications from the compromised Encrochat devices by way of the implant inserted by the French agency, the UK's National Crime Agency accessed communications which were "being transmitted", or which were "stored in or by the telecommunication system".

The more detailed description of the challenges appeal is this:

(1) The ruling that the EncroChat communications were not intercepted while they were being transmitted (within s4(4)(a) of the [Investigatory Powers Act 2016), but were intercepted while they were stored before or after transmission, (within the definition of s4(4)(b).

(2) The ruling that, in the alternative to (1), s56(2)(a), (relating to the offence under s3 of the 2016 Act), could not apply, because the interceptions were not carried out by conduct in the UK, as defined by s4(8) of the Act.

(3) The ruling that s56(2)(c), relating to the restriction on requesting mutual assistance in s10 of the Act, does not apply, because the European Investigation Order made no request that fell within s10(1)(a) or, in the alternative, the request in the EIO was the exercise of a statutory power for the purposes of s10(2A).

(4) The ruling that s56(2)(b), relating to the prohibition on an overseas authority to carry out the interception of communications imposed by s9 of the 2016 Act, did not apply because the [Joint Investigation Team]'s activity, while 'in accordance with the Targeted Equipment Interference warrant' was nevertheless not pursuant to a request by UK authorities to carry out the interception."

It's the first ground for appeal which interests me.

A quick primer on the law

Unlawful interception

s3(1) Investigatory Powers Act 2016 establishes a criminal offence of unlawful interception.

(1) A person commits an offence if—

     (a) the person intentionally intercepts a communication in the course of its transmission by means of—

          (i) a public telecommunication system,

          (ii) a private telecommunication system, or

          (iii) a public postal service,

     (b) the interception is carried out in the United Kingdom, and

     (c) the person does not have lawful authority to carry out the interception.

Given the primacy of the French authorities in this activity, there is a question as to whether s3(1)(b) — that any interception was "carried out in the United Kingdom" — was met. However, the Court felt it did not need to address it in detail, given the conclusion it reached on what it termed its "key question". If the Court had ruled differently, and found that the conduct in question could not be done lawfully under a targeted equipment interference warrant, this point would likely have more prominence.

Interception with lawful authority

Not all acts of interception amount to the offence of "unlawful interception". Leaving aside the issue that the interception must be "intentional" (not an issue discussed in the case), interception falls outside the scope of the offence if the person carrying it out has "lawful authority".

s6 defines what is "lawful authority". and the two key elements of the s6(1) definition are these:

a person has lawful authority to carry out an interception if, and only if—

     (a) the interception is carried out in accordance with—

          (i) a targeted interception warrant ... under Chapter 1 of Part 2, or


     (c) in the case of a communication stored in or by a telecommunication system, the interception—

          (i) is carried out in accordance with a targeted equipment interference warrant under Part 5 ...

(I have removed the bits about "other forms of lawful interception", and the bits about bulk powers or court orders or other statutory powers, since they are not relevant here.)

The outcome is that, if conduct is "interception", a person does it with lawful authority, and does not commit an offence of unlawful interception, if they have a TI warrant or, if the communication is a "stored communication", they have a TEI warrant.

A targeted equipment interference warrant

Under s99 Investigatory Powers Act 2016, a TEI warrant authorises the interference with equipment for the purpose of obtaining communications, equipment data, and other information. "interference" is not a defined term.

A TEI warrant does not authorise in relation to a communication other than a stored communication conduct which would (unless done with lawful authority) constitute the offence of unlawful interception (s99(6)).

"intercept a communication in the course of its transmission"

So what does it mean to "intercept a communication in the course of its transmission"?

s4 Investigatory Powers Act 2016 sets out the definition, but there are lots of references out to additional definitions:

... a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if—

     (a) the person does a relevant act in relation to the system, and

     (b) the effect of the relevant act is to make any content of the communication available, at a relevant time, to a person who is not the sender or intended recipient of the communication.

The definition of "relevant act" did not arise (see s4(2); it includes "monitoring transmissions"), but "relevant time" received significant discussion.

s4(4) defines "relevant time" in the following terms:

In this section “relevant time”, in relation to a communication transmitted by means of a telecommunication system, means—

     (a) any time while the communication is being transmitted, and

     (b) any time when the communication is stored in or by the system (whether before or after its transmission).

The Court of Appeal's key question here

Paragraph 26 of the judgment sets out what the court considered to be the key question:

The key question was whether at the relevant time the communications were "being transmitted" or were "stored in or by the telecommunication system." The judge found the latter to be the case. The EncroChat messages were properly regarded as falling within section 4(4)(b) of the 2016 Act and they had been obtained in accordance with a Targeted Equipment Interference warrant.

This question is important for two reasons.

No unlawful interception

First, if the communications in question were "stored in or by the telecommunication system", interception of them would take place with lawful authority if the acquiring agency had a TEI warrant (and the facts suggest that the NCA had such a warrant). There would be no offence of unlawful interception.

Admissibility of the intercepted material

Second, if the interception was carried out under a TEI warrant, rather than a TI warrant, the provisions of s56 — exclusion of matters from legal proceedings — do not prohibit the disclosure of any content or secondary data of a communication, because of Paragraph 2 to Schedule 2 Investigatory Powers Act 2016:

if the interception of that communication was lawful by virtue of ... section 6(1)(c)"

In other words, the communications could be admitted as evidence.

"being transmitted" or "stored in or by the telecommunication system"

Having decided the question which it needed to answer, the court proceeded to lay out its reasoning.

The legal analysis

The main focus of the early stages of its reasoning — paragraphs 55 to 64 — is to deal with the contention that the concept of "storage" is limited, and especially whether it is limited to storage "in a manner which enables the intended recipient to collect it or otherwise have access to it" (being the wording under RIPA 2000).

First, the court held that the issue does not require "a minute examination of the inner workings of every system in every case". The court must, however, "understand the system", and then apply the "ordinary English words" of the tests in s4(4), including the word "stored".

Second, the court was dismissive of previous case law. The Court acknoweldged the parties' references to the Coulson case but decided — at paragraph 56 — that:

We do not consider that any of the previous decisions of the court assist in [deciding whether, as a matter of ordinary language, the communication was being transmitted or stored at the time of extraction]. They were all decided under different statutory regimes.

Third, the Court looked at the difference in language between RIPA 2000 and the IPA:

Section 2(7) of the 2000 Act makes it clear, among other things, that the storage which it describes can be occurring at the same time as the communication is "being transmitted". It also limits the concept of "storage" to storage "in a manner which enables the intended recipient to collect it or otherwise have access to it". Section 4(4) does not repeat this limitation, although Mr. Ryder suggested that transmission only ends when the recipient actually accesses the communication. In section 4(4), unlike section 2(7), all forms of storage are caught, whether or not they enable the intended recipient to access the communication.

In other words, the Court was unwilling to read into the Investigatory Powers Act 2016 words which Parliament had "deliberately omitted".

The Court then turned specifically to the formulation of s4(4) Investigatory Powers Act 2016.

The purpose of this provision, the Court said, was to "extend the types of storage which amount to being in "the course of transmission" so as to catch communications which are "stored" for the purposes of [the s3 offence]".

It said that:

The conjunction which connects section 4(4)(a) and 4(4)(b) is "and" not "or". The appellants' submission that the court must start with section 4(4)(a) and determine whether a message was intercepted while being transmitted and, if the answer to that is yes, cannot then go on to consider whether it was also, at the same time, being stored is simply wrong.

It goes on to say that:

It is unnecessary to add any words [to s4(4)(b)] to catch storage while the communication is being transmitted because that is necessarily caught by the plain words of the provision.


[s4(4)(b)] extends to all communications which are stored on the system, whenever that might occur

And finally:

The communication is that which is transmitted. What remains on the device is not what has been transmitted, but a copy of it or what, in older forms of messaging, might be described as a "draft". That is so however quickly after transmission the obtaining of the copy takes place, or even if the copy is extracted while the original encrypted communication is being transmitted.

I understand this to mean that the Court's view is that a communication can be both "stored in or by the [telecommunication' system" and "being transmitted" at the same time, such that, even if a communication is being transmitted, it may also be "stored". (If the two could not co-exist, it strikes me that an answer of "yes" to the first limb must entail a "no" to the second limb, which the Court here refuted.)

I think this means that, if a communication is available by virtue of access to a device, then it is inherently a "stored" communication, irrespective of whether a copy of it is also in the course of transmission.

I'd need to give that some further thought, and I note that the Court itself recognises that this is not a universally-held position (see paragraph 68). I'm not sure its letter/post analogy is at all helpful and, if anything, probably muddies the water further.

The application to the facts

The Court relied on the court of first instance's finding of fact. It stated, at paragraph 63, that:

the communications were extracted directly from the handset of the user and not while they were travelling to, through or from any other part of the system. This is a process which is like any other means of downloading the content of a mobile phone handset. It is done remotely, but it is done by interrogating the RAM of the phone, not by intercepting the communication after it has left the phone. In the case of the sender the material was recovered in the form of unencrypted messages stored in the RAM of the device in a form in which they existed before they were transmitted from the device to the servers in Roubaix, via the telecommunications system

Because of this, the Court said, "[t]he material was stored when it was intercepted".

Given the facts as applied by the Court, and the Court's ruling on the point of law, this is an expected outcome.


I've thought a lot about the interaction of TI and TEI, starting in the days of the draft Investigatory Powers bill. I continue to do so. I'm pleased to see the development of the law on this point, and I'm sure it will continue as agencies see the value in TEI capabilities, both from an intelligence and an evidential perspective.

It is clear to me that the Investigatory Powers Act 2016 intended the TEI framework to provide lawful authority for the interception of stored communications. I don't think that that — given the language on the face of the Act — is controversial.

The Court's decision in terms of "storage" is interesting, and deserving of more thought. My initial reaction is that if an agency can acquire a communication by retrieving it from a user's terminal equipment, there is an argument that the communication is indeed "stored" on the terminal equipment, in the plain English sense of the term, even if only transiently. If it were not stored there, they would not be able to acquire it.

But does it follow from that that accessing a communication as it is transmitted across a packet-switched network could also be covered by a TEI warrant, on the basis that the communication is stored, very transiently, in that network element (i.e. the packets are in the element's memory)? If so, that would appear to limit the requirement for an interception warrant to interception where there is no stored copy available – for example, interception on a bearer itself (such as the interception of a radio transmission).

So transiency of "storage" as a theme for the future, perhaps.

And if the scope of a TEI warrant is as broad as this suggests, then it opens the door to interception by a broader range of organisations: TI warrantry is limited to intercepting authorities, but TEI warrants are available more broadly (see ss102-106 Investigatory Powers Act 2016).

Definitely more thinking needed.

(I am not in a position to comment on whether the Court was correct in terms of how the Court applied the law to the facts. I can see why it reached it, and also the potential for an appeal, and for a superior court to reach a different decision.)

Practical implications for telecommunications operators

Potential for authorities to seek assistance for a broader scope of interference

The decision takes a broad interpretation of the circumstances in which access to communications can be carried out on the basis of TEI warrantry. It's possible that this will lead to authorities seeking to rely on TEI warrantry more frequently than in the past.

If you receive a TEI warrant, it would be worth checking it even more closely than usual, to see if the conduct being sought aligns with a more traditional interpretation of the scope of Part 5, or if the authority has obtained a warrant on a more expansive basis. This is particularly true for assistance sought from you on the basis of s126 IPA, as opposed to s128 IPA. It may also be time to push for a clearer funding model for mandatory assistance with TEI operations.

Access to communications more traditionally regarded as "stored" may be expanded

The court was at pains to point out that the limitations on storage under RIPA 2000, and which formed the basis of the Coulson decision, do not apply to the concept of "storage" under the IPA.

As such, authorities may feel empowered to rely on TEI warrantry in the context of access to hosted communications more broadly than in the past (if only because some may not have appreciated the impact of the change in regime).

Will we see more multi-national operations?

More speculatively, and accepting that I may be misreading the decision, but it strikes me that the Court placed a lot of weight on the evidence of the French authorities, in terms of how the implant worked, and its effect. I wonder if a UK authority would have been afforded the same treatment, or whether a court would subject them to greater scrutiny.

If it appears that an operation led by an overseas authority receives a lesser standard of judicial scrutiny — and I do stress the if here — perhaps there will be more multi-national operations, where the "hard part" is done by the overseas authority.

Other outstanding questions

Are handsets part of the "public telecommunications system"

There's an interesting, if obiter, comment as to whether a mobile handset forms part of the "public telecommunications system". (The court uses the term "public telecommunications system", but the statutory definition is of "public telecommunication system". I've used the Court's language here.)

At paragraph 18, the Court says that the parties to this particular case agreed that:

the handsets are part of the "public telecommunications system", and therefore that material stored on them is stored "in or by the system".

However, the Court expresses its "reservations" about this, and I can understand why.

I'm not going to going into any further detail on this — this is too long already — but I expect this point to be litigated in the future.

"Realm v RAM"?

This is very much a side issue, but it is a bit of a head-scratcher.

The judgment makes repeated references to different parts of the Encrochat handsets, referring back to the original first instance decision. For example:

Within each device there are two forms of memory: Realm, which holds an archive of apps and data for use on the device, and RAM which is a faster and temporary type of memory which holds apps and data whilst the app is running on the device and is used for the operation of the app and supporting the activity of the CPU.

My "plain English" reading of this is that there's "Realm" and there's "RAM".

Originally, I thought this might have been ROM, but that didn't make sense in the context of modern mobile devices.

Are they referring to the "Realm" database, used for local storage on Android? (As opposed to, say, SQLite.)

If so, then I'm surprised that one can categorise memory in the Encrochat devices by saying "if you're not using the Realm database, you're storing stuff in RAM".

It's a side point, and doesn't really affect the analysis, but the specific reference to "Realm" as opposed to simply non-volatile storage puzzled me.