The stupidity of Dutch organized crime - 3.6 million encrypted messages now accessible by Dutch authorities

Got to love the gullibility of organized crime. The story in short:

  • Apparently there was a company called Ennetcom which sold "encrypted" Blackberries for about 1500 Euros to people, no questions asked.

  • "The Dutch authorities also discovered that these Ennetcom PGP BlackBerry devices, because of their modifications, could not be used on conventional cellular telephone networks. Rather, they operate through a system run by Ennetcom that generates anonymous email addresses by which the users of these devices can communicate in complete anonymity. The Ennetcom PGP BlackBerry devices can only operate through a BlackBerry Enterprise Server."

  • "In this case, the Dutch authorities discovered that the Ennetcom PGP BlackBerry devices were only able to communicate via PGP encrypted e-mail with other Ennetcom PGP BlackBerry devices connected to the same Ennetcom network. The Dutch authorities also discovered that the “keys” for the PGP encryption system were generated by the server, rather than by the device. As a result, the Dutch authorities came to believe that the keys to decrypt the PGP encrypted information, on the Ennetcom PGP BlackBerry devices, are stored on Ennetcom’s BlackBerry Enterprise Servers."

  • And now the Dutch police have access to 7TB of data with 3.6 million encrypted messages.

Source

Although the legality of the way the authorities acquired this data is questionable, I really cannot stop laughing at these serious criminals who just believed their communication would be safe. "Let's just all use the same service which only uses a couple of servers and stores every message we ever send, it will be perfectly safe"

4 Likes

So, are the keys to the encrypted messages stored on the servers or do the authorities just have the encrypted messages?

The authorities definitely have the keys, and the source states the keys were generated and stored on the same servers as the messages themselves. Oops...

1 Like
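The key-custody point in the quoted passage and the answer above (keys generated and stored on the same servers as the messages), as an added example that is not part of the original thread. It uses a toy cipher in place of PGP so it runs on the Python standard library; `Server`, `enroll`, `send` and `readable_from_server` are hypothetical names, and the messages are constructed.

```python
import hashlib
import secrets

# Toy public-key encryption (Diffie-Hellman over a prime field plus a hash
# keystream). It stands in for PGP so this runs on the standard library only;
# the parameters are illustrative and NOT secure.
P = 2**521 - 1  # Mersenne prime used as a toy modulus
G = 3

def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _keystream(shared, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(shared.to_bytes(66, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(pub, msg):
    eph_priv, eph_pub = keygen()
    ks = _keystream(pow(pub, eph_priv, P), len(msg))
    return eph_pub, bytes(a ^ b for a, b in zip(msg, ks))

def decrypt(priv, ct):
    eph_pub, body = ct
    ks = _keystream(pow(eph_pub, priv, P), len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

class Server:
    """Everything held on the provider's machine (hypothetical model)."""
    def __init__(self):
        self.pub, self.priv, self.mail = {}, {}, []

def enroll(server, user, server_generated):
    priv, pub = keygen()
    server.pub[user] = pub
    if server_generated:
        server.priv[user] = priv  # server made the key, so it keeps a copy
    return priv                   # the device's copy

def send(server, to, msg):
    server.mail.append((to, encrypt(server.pub[to], msg)))

def readable_from_server(server):
    """Plaintexts recoverable using nothing but what the server stores."""
    return [decrypt(server.priv[to], ct)
            for to, ct in server.mail if to in server.priv]
```

With server-generated keys, the stored mail decrypts from the server's contents alone; with device-generated keys, the same store yields nothing without the handset's private key.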

Looking at another article, the Toronto police helped out as well.

The Dutch police must have really wanted the info on those servers bad

Well, the phones kept popping up during arrests etc. together with some other interesting items.

"As a result of their ongoing investigations, the Dutch authorities have seized a large number of Ennetcom PGP BlackBerry devices. They have also recovered numerous firearms (including assault rifles, machine guns and handguns), explosives (including grenades), drugs, large sums of money, stolen motor vehicles and vehicle tracking devices."

2 Likes

Sounds just like old-fashioned policework.
I don't know the exact numbers but I think it's safe to say that in most European countries the authorities have a legal right to breach suspects' systems if they have reason to suspect wrongdoing.

I am not an expert or even a lawyer, but I think they need a court order for most things.

Court order, yes.
But sometimes it's a gray area and common sense steps in, like if lives are in danger then they do whatevs and actions are afterwards analyzed if they're punishable or not.

I can say for Germany that evidence that has been collected in illegal ways can't be used in court. However, there are certain tricks around that, even if it's just letting the guy go and watch him do something bad again.

Anything telecom or postal service or invasion of privacy requires the consent of a judge. Unlike in Anglo-American systems, most European systems go by a system derived from Napoleonic law, where it was frowned upon that a judge that sentences also decides on the permissibility and legality of inquisitory measures. Therefore, there are dedicated judges for that, judges of instruction, they give the instructions with regards to all inquisitory measures the police will then take, so the legality is examined before the inquisitory measures are executed. This is completely different from Anglo-American legal systems, where the inquisitory measures are taken by the prosecution, and post factum checked for legality by the same judge that does the sentencing, and that judge also has inquisitorial powers, he can order new inquisitory measures.
In Continental European legal systems, the legality of the inquisitorial measures will again be checked post factum by the judge that sentences, and if the accused party so wishes, also by courts of appeal, constitutional courts and several European courts, depending on the course of legal action.
It's safe to say that Continental European prosecution, judicial police and police forces, have to be very careful in every step they make, how they libel the petition for extraordinary inquisitorial measures, how they perform them, and how they secure the evidence. In complex cases like this one, chances are considerable that someone will have made a mistake, and that the prosecution will not be successful.

4 Likes

Illegal ways might also be relative, for example in Finland it's actually punishable to be a bystander and watch some serious poop hitting the fan and do nothing, but no one ever gets punished for trying or intervening. Same laws apply for authorities since the regulations don't specify 'single people' but rather (language barrier) 'some one/party'.
I'd believe most countries have something similar.
People do their jobs.
I could actually quote a local infosec company regarding the CIA leaks that fits this semi well:
"We're not surprised that the CIA could get around our security systems; after all, their job is to do reconnaissance, and if a recon group can get through defenses with their own tools then it's a fair play... etc and continues"

Cat and mouse, everything is not black and white.
Point was from the beginning that even without mass surveillance parties can still operate perfectly fine.

Indeed. Although those orders are decided very quickly, usually under an hour.
But still, even with all the laws and regulation common sense still plays a role in a society.

It's just that over here (Holland) it takes a lot of effort to convince a judge that a group/organization as a whole has criminal intentions and should be forbidden. A good example is the motorbike club Satudarah. Nearly all the members have criminal records as long as my kitchen table and this club has already been banned from Germany, but still they are legal here because it has not been proven the club itself has criminal intentions, just all the members happen to be criminals coincidentally.

Now if you take this point of view back to Ennetcom, it has not been proven Ennetcom itself is a criminal organization. They merely provide a somewhat ISP-like service which happens to be encrypted and (according to the police) very popular with criminals. Ennetcom itself argues they also have a lot of customers who need privacy for other reasons, freedom of speech for instance.

The police didn't target specific suspects, they just pulled all the servers out of the racks and all acquired data will be subject to investigation. And even better: not one mention in the news about the investigation or prosecution of Ennetcom itself, but only about the criminals using the service. Getting the people behind Ennetcom itself convicted in a criminal court will be a tough job.

I am not saying the actions by the authorities are right or wrong, it's just how the law works here and what possibly could endanger any prosecution based on this evidence.

That would be like calling a knife factory a criminal organization, because some people bought their knives for a murder. ;-)

1 Like

If you count animals it would be pure genocide caused by them! But exactly, that's why people have questions regarding the legality. I would bet there are a lot of foreign agencies and general bad people who would love to have a copy of that database.

"It's just that over here (Holland) it takes a lot of effort to convince a judge that a group/organization as a whole has criminal intentions and should be forbidden."

Exactly this.
Taking the club approach like Hells Angels or Cannonballs for example, they do their questionable stuff and are under constant supervision, but what a couple friends from those clubs say it basically sums up to they do their thing, and authorities do their thing, and basically nothing is illegal as long as you don't get caught. And even when you do get caught there's still that 'fair play' card in the game.
Like Cannonball has been our customer several times but what does that matter? Google has been our customer, why would they be any better than the other? They pay, we do our job and pay taxes and everything is fine.
They do their stuff.
Then an hour later we drink beer and do sauna with other friends who happen to be cops who know exactly what's going on in the big picture, but won't intervene because nothing is wrong.
They still keep a close eye on those clubs because they are under the magnifying glass 24/7, but keeping that magnifying glass up all the time isn't illegal because it's targeted surveillance.
Privacy is indeed non-negotiable, and no one cares about encryption or masquerading:
"Tools and objects aren't illegal, actions might be."
They're just doing their job.
Then there's computer sec companies who are liable to hand over authorities data they possess after a court order, but that data can be gibberish and anonymous, so the authorities are basically forced to break into the sec company's systems if they can to get something useful out.
Here also both parties are only doing their jobs.
However if that sec company notices (and a sec company has to keep a magnifying glass on systems constantly) poop that's about to hit the fan, they not only have to, but will, inform the authorities.
They're doing their job.

It all is pretty complicated in a sense, but everything still boils down to those 2 words: common sense.

What probably happened in this case, is a very regrettable evolution, and Dutch police sadly is at the spearhead of this evolution in Europe. The Netherlands is a country with a huge law enforcement problem, of course the direct consequence of political decisions coming out of the 1960's. The police has really been getting overly aggressive in the Netherlands since the mid 1990's. This action to go ahead and illegally hack with the cooperation of foreign organisations that have no jurisdiction, then to go and confiscate servers of a company with no proven criminal activity, is what is called a "fishing expedition". The prosecution knows very well that they will not be successful in their course of action, but they didn't get in through hacking with the usual means the secret service uses, so they had to get creative to get to all of that data. They know they won't be able to use that data for prosecution, they know they have made a decision on a course of action that permanently ruins their chances of getting all of these criminals convicted, but they want the data nonetheless in order to pursue illegal action against these criminals. Illegal action against criminals is often the only way to get things done in a country where politics are unwilling to make a workable compromise. It's like Adam Curry says, the Netherlands have become "Gitmo Nation Lowlands" next to Gitmo Nation East (UK) and Gitmo Nation West (US). It's the consequence of allowing marijuana, allowing all kinds of organisations that should not exist (there was a paedophilic club in the Netherlands for the longest time, even judges were members, it was public, official, and even subsidized with culture budgets, it was only shut down a couple of years ago). Just like in Scandinavia, the whole maximum tolerance sjw bullshit simply doesn't work, because it's just as much political extremism as anything else.
It leads to a movement in the other direction, whereby law enforcement de facto becomes an illegal paramilitary group with its own agenda.
Back in the early 1990's, the Netherlands was still a very nice and friendly place everywhere you went. Now there is a big difference between the big cities and the countryside and smaller cities. Even in some smaller cities, you really start to get that Sarajevo feeling, it's long past the Beirut phase. Satudarah is just one emanation thereof. The fact that a big chunk of jihadists in Europe come from the Netherlands, is another emanation thereof. Once you legalize drugs or don't fight it enough, that's just what you're going to get.

2 Likes

Is this being/has it been covered in the tech press yet?

Main sentences:

The Public Prosecution Service (OM) states that the required encryption keys "fell into the hands of the OM and police", but a spokesperson will not say how that happened. He does stress that PGP, the security standard used, has not been cracked.

So they don't want to say how they got to the data. They just say they didn't jeopardise PGP while doing it.

Danny M., owner of Ennetcom, was arrested last year on suspicion of money laundering. He is free pending his criminal trial. According to the OM, M. must have known that his network was mainly used by criminals, and he is therefore also criminally liable himself.

and

Lawyer Inez Weski, representing Ennetcom and M. (37), put the OM's claims into perspective on Thursday. According to her, the 40,000 customers also included many trustworthy users such as politicians, police officers and military personnel. Only a few users have been established to play a role in crime.

(money laundering was used as a blanket accusation to justify a search and the confiscation of the servers)

Moreover, messages were irretrievably destroyed after 48 hours. According to the lawyer, the servers were seized unlawfully.

(so they had them before, they're just looking for a retroactive way to justify them having it. It's clear the whole thing is based on illegal hacking without proper instruction.)

calling them negligent because their knives are in the habit of shattering under the slightest stress, however...