Crime Boss or Tech CEO? An Encrypted Phone Company Sues the Government to Save Itself

In an illustration on his company’s website, Canadian entrepreneur and CEO Jean-François Eap is smiling with his head slightly tilted to the side alongside the staff of his technology company. Next to Eap are images of the Chief Operating Officer, the Chief Technology Officer, the company’s Controller, as well as the Vice President of Revenue Operations. They all work for Eap at Sky Global, a firm that develops privacy-focused mobile phones with custom software for sending encrypted messages.

But Eap is not an ordinary tech CEO. In March, the U.S. Department of Justice indicted him for allegedly helping distribute at least 5 kilograms of cocaine by providing his customized phones to criminals. The indictment also charged Eap and an alleged co-conspirator under the Racketeer Influenced and Corrupt Organizations Act (RICO), a law originally designed to prosecute mob bosses. As part of the operation against Sky, U.S. authorities also seized over 100 Sky web domains. In parallel, European law enforcement officials said they managed to intercept and decrypt some half a billion messages sent by Sky devices. Ordinarily this would require somehow bypassing Sky’s end-to-end encryption, suggesting a sophisticated law enforcement operation. Sky told Motherboard at the time that this was done via a rogue version of Sky’s app.

In the encrypted phone world, these charges and operations are not that unusual. Law enforcement agencies have targeted Phantom Secure, Encrochat, and other companies. In the wake of some of these law enforcement actions, the owners and employees of the companies were arrested or have become fugitives. Eap, however, has not disappeared. In fact, his lawyers say he didn't do the crimes alleged in the indictment, that Sky was and is a legitimate, above-board company, and they are pushing back and trying to regain control of the seized web domains. On Thursday, Eap’s counsel submitted a detailed filing in the Southern District of California laying out why they think the government took over the domains illegally, and saying they have offered to cooperate with the Department of Justice. The filing, reviewed by Motherboard, also included detailed internal Sky documents showing how parts of the company operated.

“The government should be ordered to return the seized internet domains because the government’s seizure and retention of the domains is improper and contrary to law,” the filing, signed by Ashwin J. Ram and Steven R. Welk, attorneys for Sky from law firm Steptoe & Johnson LLP, reads. It adds that the indictment is “falsely alleging that Sky ECC was created by Mr. Eap and used by Mr. Herdman [his alleged co-conspirator] to facilitate drug trafficking and other illegal activity.”

Without its domains, Sky has essentially been rendered a dead company. The filing notes that the firm had to let go of 27 staff and 14 contractors after the law enforcement action. But if a court agrees with Sky, perhaps the company could try to resurrect itself.

Beyond reviewing the documents included with the court filing, Motherboard has spoken to multiple people who sold phones on behalf of Sky, a source familiar with the investigation into the company, and obtained another cache of documents that Sky provides to its resellers. The documents and interviews show that Sky did try to enforce policies to keep crooks off its platform. But those efforts cannot erase the past—at least at one point, Sky was a preferred phone of choice for some serious organized criminals.

“Of course they know. Of course they know,” one person who sold Sky phones to criminals told Motherboard when asked if they thought Sky itself knew it was providing devices to criminals. Motherboard granted the source anonymity to speak more candidly about potentially criminal behaviour. 

Eap started Sky in 2010 in Vancouver, Canada. The main product was Sky ECC, a phone that came preloaded with an app for sending encrypted messages to other Sky users. The phones also included an unlimited data roaming package, according to the filing. Sky offered the ability to remotely wipe a device; a customer could contact their reseller who would either wipe the device themselves or send a request to Sky itself to do so.

The company worked on a distributor model, where Sky entered agreements with distributors who would then hire their own agents who would sell the devices to end-users. The filing collectively describes these sellers as “partners” and says Sky did this because, being a startup, it did not have its own sales or marketing channels at first. By March of this year, the company had around 120,000 active users, according to the filing.

Many of Sky’s customers, however, were criminals, the Department of Justice alleges, and former Sky sellers told Motherboard. In Australia, Sky sellers competed with other encrypted phone companies such as Ciphr and Phantom Secure. Criminal users of these sorts of companies have used their respective remote wipe features to, sometimes successfully, remove incriminating evidence from phones after the police seized the devices.

“Ciphr and Sky started moving into the Australian market with superior products,” an encrypted phone industry source told Motherboard. Motherboard provided them anonymity to protect them from retaliation.

A Department of Justice press release announcing the indictment against Eap alleged that Sky’s purpose was to create, maintain, and control a secure communication method to facilitate the trade of heroin, cocaine, and methamphetamine across Australia, Asia, Europe, and North America, including in the United States and Canada. The announcement alleged that Sky has facilitated the criminal activity of transnational criminal organizations for more than a decade.

“The indictment alleges that Sky Global generated hundreds of millions of dollars providing a service that allowed criminal networks around the world to hide their international drug trafficking activity from law enforcement,” Acting U.S. Attorney Randy Grossman said in the announcement.

In the wake of the mass interception of Sky messages by European authorities, police arrested over 80 people and confiscated phones and weapons.

In March 2018, the U.S. charged Vincent Ramos, the CEO of Phantom Secure, with similar charges to what Eap now faces. Ramos later pled guilty and received a nine-year sentence. That prosecution appears to have been something of a wake-up call to the encrypted phone industry—U.S. prosecutors and the FBI now potentially saw them as targets, not neutral technology companies like Apple or Google. Soon after, other companies started to change their positioning and ramp up their enforcement efforts.

“Sky now enforces contracts for distributors and sub-distributors,” the industry source told Motherboard in the wake of the Phantom shutdown. “No one ever speaks of criminals using the products.”

The idea was to create a buffer between the company and the criminal users, the source suggested. “Sky is 2 layers removed from the sale at minimum,” they added.

The exhibits included with Sky’s filing show in new detail the effort Sky took to remove criminals from its platform.

“You may not knowingly sell or otherwise provide the Products and Services to any Customer for illicit, illegal or criminal use,” a Sky terms of use document reads.

“This ECC ID has been flagged for breaching our terms of service. It will be deactivated immediately,” one email sent by a Sky support worker to a user reads. The message from Sky points to a section of the company’s terms of use that does mention non-permitted uses such as promoting criminal activity.

Another email sent by Sky’s chief operating officer to what appears to be a Sky distributor says that one of the distributor’s agents has violated the company’s terms of service because of their willingness to sell the Sky ECC product to someone wanting to use it for illicit activity, as well as other violations.

One document shows a submitted application by someone called Agramovic Srdjan to become a Sky reseller. When asked in the application form who they intended to sell Sky phones to, Srdjan wrote “political party, and criminals,” according to the document. Sky’s Head of Channel Sales then responded that selling to criminals is a breach of the Sky terms and conditions and denied the application.

Srdjan confirmed to Motherboard in an email that he did apply to become a Sky reseller, but said his “application was a joke.” It was “just to test what is happening. Everybody [was] talking about it, so I was just curious.” Another email shows a Sky seller reporting another applicant for their intention to sell Sky phones to criminals.

One of the more detailed documents is a spreadsheet listing various websites, classified ads, and Facebook, Twitter, and Instagram accounts which were advertising or discussing Sky phones and that Sky itself has tried to police. Where applicable the spreadsheet includes notes such as the social media post having an “illegal undertone,” and that Sky has contacted the account owner. “Referencing authorities. Have sent a request to have the ad corrected/removed,” another reads. This and another document mention “secret shopping,” suggesting that Sky engaged with the alleged sellers to try and ascertain if they were official resellers or not.

The most crucial documents may be those that discuss Sky’s remote wipe feature. An email chain between an apparent Sky seller and Sky itself discusses how to phrase marketing material around the feature. Originally, a website was going to read “We can remotely delete all data if the Unit is lost or detained by Third Parties.” A Sky employee suggested the website remove the phrase about the phone being “detained.”

Other documents show Sky employees declining to wipe devices when asked to do so by resellers.

“Hello. Please delete this ECC ID, the police have it,” one message sent to Sky reads. “PLEASE HELP!!! Two customers have problems with the police. Their devices were confiscated,” another adds. In both cases, Sky declined to wipe the phones, according to the emails.

In practice, some resellers found a workaround to Sky’s policies.

“What is a solution? Don’t tell me. Just ask me to wipe the phone; I’m not going to ask the reason. I’m going to do what you ask, and that’s it.” one former seller of Sky phones to criminal users told Motherboard. And even if they did know if the wipe was to remove content from a phone in police custody: “To be honest, I would probably wipe it.”

The Department of Justice announcement alleges that Sky instituted an “ask nothing/do nothing” approach after the takedown of Phantom so it could claim plausible deniability. Ram, one of the attorneys who signed the filing, told Motherboard in an emailed statement that Sky had no control over its third-party sellers, “beyond contractual obligations prohibiting the unlawful use and marketing of its technology.”

“Sky and Phantom Secure were fundamentally different companies. While Phantom operated in the dark and wiped devices held by law enforcement, Sky had a public website and platform, and created policies to prevent that from happening and had an actual track record of refusing to wipe devices that were known to be under investigation. More fundamentally, Sky took steps to root out bad actors, and when Sky became aware of illegal activity, it terminated the source of that activity. Phantom did the opposite,” Ram added.

But all of the documents which Sky provided and Motherboard reviewed which show enforcement of Sky’s policies were created in 2019 or later, after the U.S. prosecution of Phantom Secure’s Ramos.

In a statement, Ram said “There were compliance measures that explicitly prohibited criminal activity long before the Phantom indictment in 2018.  As with any legitimate company, these compliance measures were continually improved over time, including as a part of the well-documented ‘Sky 2.0’ launch, which pre-dated the Phantom indictment announced in March 2018.”

A source familiar with the investigation into Sky said they believe that the company is similar to Phantom Secure. That is, they believe the company is aware it was providing phones to criminal end-users, and Eap specifically knew that the customer base he had was mostly, if not almost exclusively, criminal, they said. Motherboard granted the source anonymity as they weren’t authorized to speak publicly about the case. The Department of Justice announcement says that Sky “knowingly and intentionally participated in a criminal enterprise.” Eap declined to comment through his attorney on whether he knew Sky’s users included criminals.

In its filing, Sky maintains that it advertised its phones to individuals with heightened data privacy concerns, “such as doctors, lawyers, government contractors, celebrities, and even law enforcement agencies.” One email chain suggests the company did have interest from at least one agency: the Ontario Provincial Police (OPP) in Canada.

In an email thread starting in 2018, Timothy Brown, an official at the OPP, asked to purchase at least one Sky device. “We are impressed with the service provided by the SkyECC phones. As previously noted the level of security is a bit too restrictive for our usual business purposes. However, we may still have a need for your product,” Brown wrote.

It is not clear what exactly the OPP wanted the devices for. The OPP did not respond to a request for comment.

Despite the high profile nature of the indictment, in the filing Eap’s counsel claims that the U.S. government’s efforts to pursue the prosecution “appear to be minimal.”

“The government has not, to my knowledge, initiated extradition proceedings against Mr. Eap, a Canadian citizen and resident,” the filing adds.

The FBI did not respond to a request for comment. Ian McLeod, public affairs and issues management at the Canadian Department of Justice declined to comment on whether extradition proceedings have started, saying that “extradition requests are confidential state-to-state communications.”

Sgt. Kris Clark, community services and media coordinator at the Royal Canadian Mounted Police (RCMP) told Motherboard in an email that “The RCMP continues to work closely with international policing partners in order to collect and preserve evidence and investigate transnational crime. To date no charges have been laid in Canada. Given the investigation is ongoing, no additional information is available for release.”

Eap’s lawyers also say they contacted the U.S. government in July to offer to cooperate with the investigation, and express their concerns over the seizures of Sky’s web domains. The filing says that the government declined to engage in substantive discussions.

Kelly Thornton, director of media relations at the U.S. Attorney’s Office in the Southern District of California, declined to comment.

Eap has responded in an unusually public manner to the charges against him. Shortly after the indictment against him, Eap told Motherboard that he would clear his name. Then several months ago, an employee at high profile public relations firm Berlin Rosen contacted Motherboard to arrange an interview with Eap. 

For months, the public relations firm planned an on-the-record interview with Eap. At the last moment, Eap’s counsel asked instead for the interview to be conducted on background. That is, attributing the information anonymously to someone familiar with the case. Motherboard declined: it is not typical to allow company CEOs to speak on background, because they are the ones ultimately accountable for a company’s actions.

With the sections of the filing that specifically say the government should return Sky’s seized domains, “Since its inception, Sky Global has taken all reasonable and necessary steps to ensure that its domains were used for their intended, legitimate purposes. Nevertheless, the government seized Sky Global’s property, directly resulting in the sudden, involuntary suspension of an ongoing legitimate business with global operations and customers.”

Ram added in the emailed statement that “The motion lays out exactly how law enforcement significantly overstepped its authority and violated the free speech and due process rights of Sky Global. Anyone concerned about privacy should be deeply troubled by how the government almost shut down a legitimate, law-abiding company that was attempting to address critical issues around data protection and privacy.”

Update: This piece has been updated to clarify that Eap's counsel asked for the interview to be conducted on background, and not Eap himself. The piece has also been updated to include more information from Ram.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.