A section of the UK government has proposed making the sale or possession of bespoke encrypted phones for crime a criminal offense in its own right. The measure is intended to help the country’s law enforcement agencies tackle organized crime and those who facilitate it, but civil liberties experts tell Motherboard the proposal is overbroad and poorly defined, meaning it could sweep up other forms of secure communication used by the wider population if not adjusted.
The news highlights law enforcement’s continued targeting of the encrypted phone industry. Alongside technical operations, undercover investigations, and even creating their own phone company to secretly harvest messages, authorities are increasingly exploring legislative options too.
“At the moment the government proposal appears to be vague and overly broad. While it states that the provisions ‘will not apply to commercially available mobile phones nor the encrypted messaging apps available on them’ it is difficult to see how it will not result in targeting devices used on a daily [basis] by human rights defenders, protesters and pretty much all of us who want to keep our data secure,” Ioannis Kouvakas, senior legal officer and assistant general counsel at UK-based activism organization Privacy International, told Motherboard in an email.
Are you a user or seller in the encrypted phone industry? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
The proposal is included in a document published by the Home Office. In that document, the Home Office proposes two legislative measures that it says could be used to improve law enforcement’s response to serious and organized crime, and is seeking input from law enforcement, businesses, lawyers, civil liberties NGOs, and the wider public.
“I welcome your input on these two proposals for possible future legislation to improve the response to the threat of serious and organised crime, to ensure that our law enforcement agencies remain ahead of the curve and to leave organised crime groups with no place to hide,” a foreword written by the Home Secretary Suella Braverman reads.
The first measure looks to create new criminal offenses on the “making, modifying, supply, offering to supply and possession of articles for use in serious crime.” The document points to several specific items: vehicle concealments used to hide illicit goods; digital templates for 3D-printing firearms; pill presses used in the drug trade; and “sophisticated encrypted communication devices used to facilitate organised crime.”
In other words, this change would make owning an encrypted phone, selling one, or making one for use in crime a crime in itself. This is not yet the case in the UK, or in many other countries. Typically, law enforcement agencies have found novel workarounds in order to charge people who sell encrypted phones to criminals. In the U.S., prosecutors have turned to RICO, a law traditionally used to target mob bosses, to treat encrypted phone companies as criminal entities in their own right. In the Netherlands, authorities have charged encrypted phone sellers with money laundering offenses, rather than prosecuting the sale or possession of the phones themselves. Some countries are much more extreme, such as the United Arab Emirates, where those selling encrypted technologies not approved by the state face penalties.
Specifically, the Home Office points to companies such as Encrochat which create “bespoke” devices. Encrochat was hugely popular among serious organized criminals in the UK, Europe, South America, and the Middle East. In 2020, French military police hacked into the company’s infrastructure, and pushed a malicious update to Encrochat’s tens of thousands of handsets. From that, French police could read Encrochat user messages, and then shared that intelligence goldmine with other agencies, including the UK’s National Crime Agency. Data from the Encrochat hack has led to 2,864 arrests in the UK, the country’s largest investigation against organised crime ever. It is these sorts of companies that the Home Office says it wants to target.
With encrypted phones, the Home Office writes that both the encryption itself and modifications made to the phones are creating “considerable barriers” to law enforcement. Typically, phones from this industry use end-to-end encryption, meaning that messages are encrypted before leaving the device, rendering any interception by law enforcement ineffective. (Multiple agencies have instead found misconfigurations in how companies’ encryption works, or hacked into firms, to circumvent this protection.) Encrypted phone companies sometimes physically remove the microphone, camera, and GPS functionality from handsets too. Distributors often sell these phones for thousands of dollars for yearly subscriptions.
Given that price, the Home Office says it is “harder to foresee a need for anyone to use them for legitimate, legal reasons.” But there are legitimate use cases. Those include defense lawyers who use these phones to contact their clients. Haroon Raza, a Dutch attorney, told Motherboard he used encrypted phones from multiple brands to speak to his clients because they simply did not use ordinary cellphones. Dutch authorities controversially read Raza’s messages as part of investigations into encrypted phone companies.
The Home Office adds that under one option for legislation, laws could still criminalize people who did not suspect the technology would be used for serious crime, simply because the technology is so “closely associated with serious crime.” Potential signs could include someone paying for a phone “through means which disguise the identity of the payer,” the document reads. Often distributors sell phones for Bitcoin or cash, according to multiple encrypted phone sellers that spoke to Motherboard.
The document says “the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them.” But the Home Office does not yet have a settled definition of what encompasses “sophisticated encrypted communication devices,” leaving open the question of what exactly the UK would be prepared to charge a person for possessing or selling.
Riana Pfefferkorn, research scholar at the Stanford Internet Observatory, wrote to Motherboard in an email, “what's too ‘bespoke’ to be legal?”
“Many ‘secure phones’ are just heavily modified Android handsets. How much modification is too ‘sophisticated’ to be OK? Is just removing the camera and/or microphone enough? What about relabeling messaging apps with a Calculator icon?” Pfefferkorn added. (Sky, the largest encrypted phone company until it shut down in 2021, had a feature where it hid a user’s messages behind a calculator app, according to documents obtained by Motherboard.)
Jon Callas, director of public interest technology at activism organization the Electronic Frontier Foundation, and a co-founder of now defunct secure communication company Silent Circle, told Motherboard in an email that “the Home Office should let us know what ‘bespoke’ means; if it means the opposite of ‘mass market’ they should let us know.” Callas added, “In short, we need clarification about what they're actually doing.”
The consultation period for members of the public to provide feedback to the Home Office ends on March 21st.