After the roundtable discussion organized by the Lawyer's Academy of the Serbian Bar Association on the topic of SKY ECC communication as evidence in criminal proceedings on June 29, 2023, we summarize the key conclusions on an extremely relevant issue - SKY ECC hacking.
For those who are not familiar, data from the messaging encryption platform SKY ECC has recently been "intercepted" by the police in a somewhat unclear procedure. This has resulted not only in the arrest of many suspects but also in the media disclosure of the content of their exchanged messages, without any verification of their authenticity.
This highly controversial situation has sparked numerous debates, as it revolves around a "story" that lacks supporting evidence. With the introduction of prosecutorial investigations and the burden of proof lying on the prosecution's side, it is no longer sufficient to simply "know what happened." What is "known" must be proven through subjective and material evidence
SKY ECC serves as a sort of police testimony, mostly unsupported by any subjective or material evidence, which is currently used to detain the accused. As per our experience and the words of attorney Miodrag Stojanović (Republika Srpska) and attorney Bojana Franović Kovačević (Montenegro), Balkan prosecutors openly admit that they have no other evidence beyond SKY ECC communication (hence the media sensationalism).
One of the fundamental rights that each of us should have is the right to a fair trial. This right is guaranteed as a standard by international legal instruments and constitutions of many countries worldwide. Even if the accused is charged with a serious criminal offense, it is essential to ensure their right to defense and a fair process, including the right to legal representation, access to evidence, and the presumption of innocence.
However, the collective conclusion of the roundtable is that despite the evident violation of communication privacy, the use of SKY ECC communication is perceived as a technological victory of the police in the war against organized crime.
Regardless of the fact that these messages have provided crucial context against the accused, they still have the right to defense and the right to challenge the evidence. But what happens when there is no such evidence?
The defense has the right to investigate how the messages were obtained and to raise questions about their authenticity and integrity. However, if it is not allowed for a police officer to testify, for example, "...the accused confessed everything to us, but when the lawyer arrived he changed his mind...", then why even discuss it? The courts have previously refused to admit such evidence during the proceedings at all.
However, in the cases based on SKY ECC communication, it will be treated throughout the trial as justification for detention and in hope that during the long-term detention, some corroborating evidence may appear. So, what's the difference and the reason for this? Technological advancement.
Excessive surveillance and privacy breaches occur daily for all of us. The "hacking" of the SKY ECC platform is presented as a bitter pill we should swallow, as it is directed "only" against organized crime. However, this situation opens the doors to abuse and violations of the rights of many innocent individuals who are not subjects of any investigation but may become targets of subsequent "interceptions" of their private communications, as mass surveillance is becoming popular.
In first overturning decision in this type of cases the Serbian Court of Appeal's on July 07, 2023 provides following explanation: “…among other things, when assessing the admissibility and legality of evidence obtained in another country and submitted through international legal assistance, it is not sufficient to merely state, as the first instance court does in the reasoning of the initial judgment, that the evidence was obtained through international legal assistance. According to the Court of Appeal, the trial court failed to first provide clear and reasoned grounds regarding the legality of the submitted SKY ECC communications, based on the criteria of the state in which they were obtained. This should have been done through an analysis of how they were obtained in the Republic of France and an evaluation of whether such communication was acquired in a manner inconsistent with the principles of our legal system and generally accepted rules of international law.
In this regard, the trial court was obligated to analyze the fact that the evidence and information in the case files indicate that, given the joint judicial investigation by the Dutch, Belgian, and French authorities, the encrypted solution for SKY ECC phones was used by criminal organizations operating in these three countries, and some even at the international level. The search and seizure of data contained in the SKY ECC platform's server database were carried out based on the decision of the competent judicial authority of the Republic of France, authorizing the installation of technical devices for capturing computer data on the external connection of the server, issued on December 21, 2020 in accordance with the criminal procedure code of the
Republic of France. This was done to capture the cryptographic elements of each phone using the SKY ECC encryption system, which, when combined with cryptographic elements obtained from interceptions, would enable the decryption of individual messages received by these phones. Therefore, according to the Court of Appeal, the trial court, when assessing whether the data collected by foreign authorities can be used as evidence in a domestic criminal case, should have considered, first and foremost, that they were obtained in accordance with the applicable laws of the Republic of France and based on a decision of the competent judicial authority of that country.
Furthermore, considering that the purpose of the request was to submit evidence and supporting materials rather than carry out a specific evidentiary action, the trial court's statements regarding the evidence obtained by the competent authority of the Republic of France being substantively equivalent to the evidentiary action and evidence obtained in accordance with the provisions of the criminal procedure code - computer data search are unclear. This is especially important considering that computer data search involves searching processed and personal data and comparing them with data already present in databases relating to the suspect and the criminal offense. Accordingly, by the nature of things, it is performed on servers located within our territory, while in the present case, it concerns an encrypted communication platform with servers abroad.
Moreover, the trial court's statements that the evidence acquired by the competent authorities of the Republic of France and obtained through international legal assistance in the cases of the Special Department for organized crime of the Higher Court in Belgrade as an “incidental findings”, can be used as such in the proceeding are unclear...”.
Given the information presented above, when charges are brought against the defendants solely based on SKY ECC communication, without any supporting evidence, the probability of acquittals will significantly rise.
By Danilo Nikolic and Luka Nikolic, Partners, JPM & Partners