In April of last year, the Dutch police service announced it had arrested a man who allegedly ran a company selling custom PGP BlackBerrys—security-focused BlackBerry devices that are supposedly heavily used by organized crime groups. Toronto Police also seized a server belonging to the company.
Now, Dutch police say they have managed to decrypt a number of messages stored on that server, despite the messages supposedly being protected with end-to-end encryption.
By decrypting the messages, authorities have gained access to evidence for dozens of investigations into "assassinations, armed robbery, drug trafficking, money laundering, attempted murder and other organized crime," a translated version of a press release from Openbaar Ministerie (the Public Prosecution Service) reads. The body claims to have "access to 3.6 million encrypted messages within organized crime."
The company at the center of this investigation is Ennetcom, a small firm which launched in 2009, according to an archived version of the company's website.
Ennetcom sold BlackBerry devices that came preloaded with a selection of security features, including PGP email. This theoretically meant that message content would be protected if an email was intercepted, or if authorities searched the server emails were stored on. Ennetcom routed user communications through its own infrastructure.
After the publication of the Openbaar Ministerie press release, Ennetcom replied with its own message, published to its website. The company claimed to have customers in government agencies, and described the prosecution as something like a fishing expedition, according to a translated version of the announcement.
Motherboard has previously reported that both Dutch and Canadian police have the ability to decrypt messages sent with PGP BlackBerry devices, but that only applied to individual phones in the possession of investigators. This latest news, however, concerns reading messages that were on the seized server.
"It involves a total of 7TB of data, which is secured on the central server of Ennetcom in Canada," the Openbaar Ministerie press release continues. According to the release, investigators found it was possible to read messages on the server late last year.
According to a Canadian court filing, the messages could be decrypted because Ennetcom's server generated the PGP keys to access messages.
"The Dutch authorities also discovered that the 'keys' for the PGP encryption system were generated by the server, rather than by the device. As a result, the Dutch authorities came to believe that the keys to decrypt the PGP encrypted information, on the Ennetcom PGP BlackBerry devices, are stored on Ennetcom's BlackBerry Enterprise Servers," the filing reads. The filing adds that Ennetcom had 20,000 users.
"The human right to privacy is a fundamental right for both individuals and companies to have," a message on another archived section of Ennetcom's site reads.