Breaking the silence

Dutch police officers carry out a raid as a result of information obtained from the EncroChat network

Dutch police officers carry out a raid as a result of information obtained from the EncroChat network

On April Fool’s Day 2020, French law enforcement agencies finally caught a break in a two-year long investigation into organised crime networks across Europe. They’d found a way into a shadowy encrypted phone service known as EncroChat that boasted “military-grade” encryption. It wasn’t until ten weeks later, however, on 12th June 2020, that the company realised that its bespoke messaging service had been compromised and sent out a hasty alert.

“DANGER. Important Security Notice. Today we had our domains seized illegally by government entities,” read the message that lit up the phones of the estimated 60,000 EncroChat users across Europe. “Due to the level of sophistication of the attack, and the malware code, we can no longer guarantee the security of your device… You are advised to power off and physically dispose of your device immediately.”

EncroChat devices were no ordinary phones and many of the people who used the bespoke encrypted mobiles were no ordinary customers. EncroChat’s privacy-conscious clientele paid big bucks for a highly secure service. Advertised by the company as “100 percent anonymous” with no way “to associate a device or SIM card to a customer account”, an EncroChat encrypted phone retailed at around £1,000 and a six-month subscription cost another £1,500.

For this money, clients got a smartphone stripped of features that could be used to infiltrate the device and identify the user, such as its camera, USB port and GPS chip. SIM cards were encrypted, and users could “panic-wipe” the phone’s data remotely. A partition in the system allowed it to run either as a ‘normal’ Android device or in a “secure boot” mode – a feature that could be employed as a useful decoy to trick snoopers. In the latter setting, EncroChat customers could send messages via an in-house end-to-end encrypted chat service that was billed as being so secure it was equivalent to two people having “a conversation in an empty room”. Its servers were “located offshore in a data centre that never creates, stores or decrypts keys, message conversations or user data”.

In other words, it was the ideal service for those seeking to avoid the prying eyes of the authorities.

Information obtained from EncroChat led to the discovery of shipping containers converted into cells and torture chambers in the Netherlands

Or so some of EncroChat’s users thought. Unbeknown to them, by mid-June C3N, an elite French cybercrime unit, had been watching their every move for more than two months. In total, French agents had intercepted more than 100 million messages between EncroChat users in real-time. That information was then shared with the authorities in the Netherlands and the UK.

Among the company’s users were some of Europe’s most wanted criminals. EncroChat’s promises of total anonymity had made it the go-to service for drug barons, hitmen, traffickers and money launderers across the continent. Believing their messages were totally secure, they had brazenly discussed their black-market business dealings. Assassins plotted how to take down targets and money-washing schemes were laid out in gritty detail. Arms dealers shared weapon specs and prices with gangster buyers. Drug dealers sent photos posing with wads of money and their stashes – kilos of cocaine, bars of hash and bags stuffed with ecstasy.

By the time EncroChat and its clients realised how extensively the service had been infiltrated, it was too late. In the days that followed EncroChat’s ‘security alert’, law enforcement agencies across Europe moved to take down the criminals they had been silently watching for months. In the UK the operation was codenamed ‘Venetic’ and videos of raids show armed police leaping onto balconies and smashing down front doors with battering rams. Sniffer dogs searched houses and bemused suspects were led away, some caught so unawares that they were taken out to police vans in their underwear.

“They believed they were operating above the capabilities of policing, which was simply not the case”

Detective chief superintendent Simon Parkes, deputy head of the Eastern Region Specialist Operations Unit (ERSOU) oversaw a number of raids in the east of England. Between April and July ERSOU seized over 370kg of cocaine and £2.6 million in cash and arrested 63 people as part of Venetic. “It’s difficult to overstate the significance of this operation as it has removed a number of highly organised and dangerous criminal groups from society,” says Parkes. “It is a huge dent in criminal operations across the country and we’re likely to continue to see results on the back of the operation.”

In total, the British National Crime Agency (NCA) announced that it had made 746 arrests and seized £54 million in “criminal cash” as well as 73 luxury watches, 55 high-value cars and two tonnes of drugs.

Similar raids in the Netherlands resulted in the arrests of more than 100 people as well as the seizure of €20 million in cash and three tonnes of amphetamines. Dutch authorities also shut down 19 crystal meth labs, reportedly run by an alliance of Dutch ecstasy producers and a Mexican cartel. Jannine van den Berg, chief constable of the Dutch police force’s central unit, likened the operation to “sitting at the table where the criminals were chatting among themselves”. Parkes agrees. “There’s no doubt that the criminals using the EncroChat platform were clueless to the prospect of law enforcement being able to gain access to their messages. As will become apparent through the ongoing investigations taking place all over the country, they believed they were operating above the capabilities of policing, which was simply not the case.”

Along with drugs and money comes violence. In both the UK and the Netherlands, authorities said that they had used information gleaned from the messages intercepted in real time to prevent “dozens of serious crimes” – this included tipping off targets of planned “liquidations, kidnappings and shootings” about plots against them. The discovery of seven shipping containers converted into sound-proofed torture chambers near Wouwse Plantage, south of Rotterdam, gave Dutch police a chilling insight into the underworld’s brutality. Inside the makeshift cells, they found handcuffs attached to the ceiling and floors and dental chairs with straps on the arm and leg rests. Torture implements, including scalpels and black sacks to put over victims’ heads, were found at another location, along with police uniforms that investigators say were for use in “fake arrests” to trap targets.

“As police, it’s our role to keep our communities safe and secure; apprehending some of the most dangerous and prolific high-level criminals makes a huge contribution towards this,” says Parkes. “EncroChat was a key communication tool used by criminals which has been successfully penetrated and dismantled and this is a considerable blow to them.”

Yet how this extraordinary information heist against Europe’s criminal underworld was carried out is still shrouded in mystery. Policing the digital world is a high-wire balancing act between security and the right to privacy, and so far law enforcement agencies have remained relatively tight-lipped about their tactics. Meanwhile, after sending out the security alert to its users, EncroChat fell silent. Nothing has been heard from the company or its owners since.

In 2019 a fraud report by RSA Cybersecurity and Digital Risk Management Solutions found that the number of “attacks via rogue mobile apps” had risen by 191 percent in the first six months of the year. Given the frequency with which we use smartphone apps and the sheer amount of data they now hold about us – from our banking details to our heart rates – it’s no surprise that companies are constantly beefing up the security both for physical phones and the electronic data they transmit. Fingerprint scans, iris recognition and two-step authentication are just some of the digital security measures used every day by regular people interacting with their handsets. Yet, while added layers of security have helped law-abiding citizens to protect their personal data, they are also being exploited by those seeking to hide their activities from the authorities for nefarious reasons.

The huge advances in encryption technologies have proved a particularly vexing issue for security services. In 2014, both Apple and Google – which between them own 96 percent of the smartphone operating systems market – introduced ‘full-disk encryption’, which tied decryption keys to users’ passwords. This meant that the keys to decode data were now stored by users on their devices, not by the companies.

Similarly, in 2016 WhatsApp – which has more than one billion users worldwide – introduced default end-to-end encryption for all phone calls, messages, videos and photos sent via its app. An end-to-end encrypted system, known as E2EE in the tech world, scrambles the data from the moment it leaves one device until it reaches the other. This shift meant that the keys to decrypt messages were no longer held by service providers, but by the sender and receiver only. As WhatsApp put it in a 2016 blog post, using E2EE means that: “No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us.”

“Everything is hackable… There’s always a vulnerability somewhere”

It’s the last part of this statement that is causing a “furore” among the world’s national security services, says Zak Doffman, founder of Digital Barriers, a company working in the digital surveillance and security industry. If the service providers simply don’t have the keys to decrypt users’ data, “lawmakers can’t use their standard interception rights and methods,” he explains. “Even if they show up with a warrant and demand to see the content, these platforms have no ability to see it.”

Most major telecommunications apps – including iMessage, Signal, Wickr and WhatsApp – are now end-to-end encrypted and security agencies have warned of a ‘going dark’ crisis, a phrase borrowed from military slang that refers to communications being shifted to a private line where eavesdropping isn’t possible. In 2019, the US-led ‘Five Eyes’ – an intelligence alliance between English-speaking nations set up in the aftermath of World War II – issued a joint statement warning of encrypted communications services that “deliberately design their systems in a way that precludes any access to content” and are used by “criminals, including sex offenders, terrorists and organised criminal groups to frustrate investigations and avoid detection and prosecution.”

Finding a way to balance concerns over privacy rights with security, however, has proved challenging. Two options that have been tabled are ‘back doors’ – essentially giving security services a ‘skeleton key’ to access encrypted communications or, as promoted by the UK’s GCHQ, a ‘ghost protocol’ that would enable investigators to be added to a conversation between targeted users as an invisible third party. Both, however, have been roundly rejected by service providers and rights groups as open to exploitation and undermining trust in encrypted messaging. In an open-letter response to GCHQ’s proposal, a coalition of privacy campaigners – including Human Rights Watch and Privacy International – warned that a ghost protocol would “undermine the trust relationship” between service users and providers and “threaten fundamental human rights, including privacy and free expression”.

It’s not just concerns about rights that have so far thwarted the creation of secret keys, though. As Doffman points out, you have a big problem if the wrong person gets access to them. “If [private communications service] Signal introduced a vulnerability in case the FBI came calling, how long would it be until the FSB gets hold of that and is able to monitor all of the Signal chats in Russia? That’s the argument. How can they make it safe for lawyers and dissidents and journalists operating in that market over those platforms, if potentially a security agency can just exploit vulnerabilities that the platform itself was forced to build in?”

There has been no resolution to the ‘going dark’ debate and as far as we know there are no FBI-mandated ‘back doors’ or GCHQ ‘ghost users’ lurking in WhatsApp or similar services at present. How, then, did law enforcement gain access to EncroChat’s supposedly secure messages? Well, there are other ways to get in. The bottom line is that “everything is hackable”, says cybersecurity expert Ian Brown. Indeed, this is not the first time European law enforcement have infiltrated services that users believed were impenetrable. In 2016, Canadian police turned over seven terabytes of data from a server in Toronto to Dutch police. On it was a cache of 3.7 million encrypted messages sent by users of Nijmegen-based Ennetcom – a secure messaging service that provided encrypted BlackBerrys with anonymous email accounts. Like EncroChat, the devices were used by some criminal organisations across Europe. Among those convicted using evidence from the decrypted messages was Naoufal F, an Amsterdam gangster who plotted the assassination of a rival from Ireland.

While the Dutch authorities initially claimed to have “cracked” the Ennetcom messages’ encryption, experts have said it is far more likely that police found a cryptographic “key management system” stored on the company’s servers alongside the data. This would, rather like having a set of jailer’s keys, have enabled investigators to ‘unlock’ all the encrypted messages on the file handed to them by the Canadian authorities. Alternatively, law enforcement might have managed to plant or even recruit an informant on the inside of the company. According to a report in the Dutch newspaper De Telegraaf, police were able to obtain a passcode by way of an IT company associated with Ennetcom (this claim was later denied by a lawyer acting on the IT contractor’s behalf).

Ultimately, no matter how secure a company claims to be, “there’s always a way in,” says Brown. “There’s always a vulnerability somewhere along the line, whether that results from human error or an informant, or in the architecture of the system itself.”

An EncroChat phone, a gun and £5.1 million in cash, all seized in the UK as part of the National Crime Agency’s Operation Venetic

One major clue about how law enforcement might have hacked into EncroChat is that the messages were reportedly intercepted in real time, allowing police to prevent serious crimes before they happened. That would rule out the possibility that an archive of stored messages was simply discovered on a server somewhere, as happened with Ennetcom.

“Clearly they had compromised the network, so there’s only two ways that can go,” says Doffman. The first, he explains, is a “man-in-the-middle attack”, essentially hacking into the system and lying in wait to catch data as it travels between a user and a sender. This type of attack, however, only works if end-to-end encryption isn’t being used. Free cloud-based messenger service Telegram is an example of this. The service doesn’t use E2EE as default (although users can opt to turn it on); instead it provides users’ security by scattering keys across its servers – meaning law enforcement would need to get warrants in multiple jurisdictions to see conversations.

For EncroChat, which did use E2EE, it’s more likely that police circumnavigated the need for keys altogether by intercepting messages before they were ever encrypted. One way this could have been done, Doffman speculates, is by inserting malware in a silent ‘over-the-air’ update to compromise the end device. This type of remote patching of apps is commonplace, often used to configure new settings, distribute new software and renew encryption keys. And, importantly, it was part of the standard service that EncroChat offered to its clients, so it wouldn’t have seemed out of place to users. “The weakness in end-to-end encryption is end points. It’s always end points,” Doffman tells me. Once law enforcement have compromised a physical device they can access everything on the phone.

All this, however, assumes that EncroChat services were provided as advertised. There is evidence that at least some parts weren’t. Although EncroChat said that its servers were located “offshore”, some of its servers were reportedly found in Lille, France.

The strength of its “military-grade” encryption may also have been an issue. One way that companies improve their security is by spotting and fixing vulnerabilities in their code. Big companies, such as Google and Apple, spend millions every year buying up flaws located by “white-hat” hackers, known as bug bounty hunters.

“The whole idea of building secure software is to get more and more people to look at your software to find vulnerabilities that you normally would not see,” explains Stefan Soesanto, senior researcher at the Center for Security Studies at the Swiss Federal Institute of Technology. Cross-platform encrypted messaging service Signal, with its large user base and open-source, peer-reviewed code, is an industry leader in that respect. Companies that are secretive and provide a niche service to a small market, like EncroChat, may be less likely to spot vulnerabilities.

But perhaps the biggest security threat to bespoke encrypted phone services is that they simply attract unwanted attention. EncroChat’s marketing strategy contained “big flags” that its customers would be of interest to law enforcement, says Soesanto. For a start, he points out, the company had no real-world storefronts, so to get a phone required meeting a seller, “almost like a street-corner drug trade”, while its high subscription prices also meant it was “not the kind of device an average person is going to buy”.

Indeed, while encrypted phone services may market their devices as being super secure, tech experts point out that this is not always the case.

“The key takeaway from this story is don’t believe the hype,” says Doffmann. “Labelling a technology ‘military grade encryption’ is meaningless if the deployment of that encryption is flawed… If you want an encrypted messaging service, then go for something mainstream, something like Signal that’s open-source and used widely enough to have ironed out its issues. Anything smaller and more bespoke will be a risk. Or to put it another way – if you want to hide, then sometimes it’s better to do so in plain sight.”

Even if some users of Signal or WhatsApp are involved in illegal activities, “it just wouldn’t be justifiable for law enforcement to carry out a blanket hack and infringe other users’ privacy rights,” says Doffman. In contrast, “if you have a specialist platform, [easily adapted by] people who are up to no good, right down to the actual end devices which have been designed to be secure, then you know that if you can compromise it – then it’s rich pickings. We’ve seen parallels on the dark web, where just by [a site] being there it’s a target and invites interest.”

A man is led away by officers from Thames Valley Police after a raid on a property in High Wycombe, Buckinghamshire, as part of Operation Venetic

No details have yet been released about the grounds on which warrants to hack EncroChat were granted. However, law enforcement authorities have said that the initial probe into the service began as early as 2018 after several suspects in serious-crimes cases were found to be using the company’s encrypted phones. French police have said that at least 90 percent of EncroChat users were involved in illegal activity, while the British National Crime Agency called EncroChat a “bespoke encrypted communications service used exclusively by criminals”.

However, Abbas Nawrozzadeh, senior solicitor at the London-based Eldwick Law firm, which is representing several clients caught up in the EncroChat busts, rejects these claims. “I think what we see here is the NCA’s PR machine in full swing in a bid to effectively criminalise anyone who uses an encrypted mobile device,” he says. There have, Nawrozzadeh points out, been fewer than a thousand arrests so far despite surveillance of around 60,000 EncroChat users. “It’s a breach of rights to privacy and opens up the floodgates for intrusion into any other encrypted applications,” he tells me. “This does not appear to be targeted intelligence but resulted because a number of defendants [in earlier cases] were previously found with EncroChat devices. We need to decide how we want to be as a state – are we going to rely on intelligence-led policing or set out on other fishing expeditions with ‘raids’ being carried out on other applications? I have myself dealt with numerous serious cases where evidence of WhatsApp chats are relied upon. Does this justify a hack of the WhatsApp server?”

With EncroChat cases set to make their way into courts, lawyers across Europe are busy working on defences. Among them is Julian Richards, head of complex crime cases at Oxford-based Reeds Solicitors. He also points to the indiscriminate nature of the EncroChat hack as problematic. “There are a lot of people who would benefit from increased security that are not criminals…  celebrities, high-net-worth individuals, the man who’s having an affair and doesn’t want his wife on his phone – now that might be morally wrong, but it’s not illegal.”

The way in which the EncroChat hack was carried out, says Richards, will play a “big role” in determining the line of defence that is ultimately pursued. Section 56 of the Investigatory Powers Act prohibits the use of communications intercepted by British law enforcement sent and received by suspects in the UK from being used as evidence in courts. However, the location of the interception of the EncroChat messages is still up for debate. “There is some suggestion that the server was hacked overseas,” says Richards. “But equally there is some suggestion that the method involved spreading malware onto handsets via an app update, and some of those devices were physically in the UK. If that were the case, then there’s an argument that the interference took place in this country and that under section 56 the evidence was obtained unlawfully.”

This type of technical and legal wrangling could make or break some of the cases against those facing charges resulting from the EncroChat hack. Unlike in American crime dramas, where evidence is struck out if it was obtained without a proper warrant, the UK has no “fruit of the poisonous tree” doctrine. That means that evidence found in police raids – such as drugs, money or arms – can be used in court even if the EncroChat messages, which provided the basis for those warrants, are struck out. However, those higher up the criminal hierarchy, who are “unlikely to get their hands dirty”, could get a reprieve if the messages are ruled inadmissible. This is because they’re much less likely to have been caught in possession of incriminating items than “lower-ranking criminals, who are typically those bearing the risk of carrying the drugs or money,” explains Richards.

Another group that could benefit is those who are charged with more serious crimes based on the EncroChat data. Richards gives the example of someone caught with one kilogram of cocaine but charged with supplying 40 kilograms based on message evidence. That, he says, could see a massive jump in sentence from seven years to the top bracket, which is 16 years or more.

“It opens up the floodgates for intrusion into any other encrypted applications”

Since the hack was discovered, EncroChat has vanished into thin air. Little is known about the company or the “few dozen people” that law enforcement believe could be behind the operation. Although Bloomberg has reported that the company is under investigation in France for not having authorisation to sell encrypted devices, police have been unable to trace those who ran it beyond a dead-end address for a legal firm in Panama. French police have said they are still hunting those behind EncroChat whom they view as the “main suspects”.

While running an encrypted telecommunications service is perfectly legal, owners of operations with technology similar to EncroChat have nonetheless run into problems. In 2018 Vincent Ramos, the CEO of Canada-based Phantom Secure, a company that operated under the slogan “Leave no trace” and sold modified security-focused BlackBerry phones, was sentenced to nine years in prison for racketeering conspiracy. Evidence against Ramos included messages he’d sent to employees acknowledging that his phones were being used by the Sinaloa cartel – one of the largest Mexican drug gangs – to distribute narcotics.

At Ramos’s sentencing, which resulted from a plea deal, the San Diego court also ordered him to surrender $80 million as proceeds of crime, including international bank accounts, real estate, cryptocurrency accounts and gold coins. “Vincent Ramos is going to prison because he provided violent, drug trafficking organisations with a high-tech tool that enabled them to coordinate their crimes while staying in the shadows,” said US Attorney Robert Brewer following the verdict.

The strong arm of the law isn’t the only threat these business owners face, though. “If I were running this type of service and my customers were criminals, I’d be very worried, not just about the police, but about clients being extremely angry their secrets have been exposed,” says Brown. A case in point is Danny Manupassa. In 2016, the owner of Ennetcom was arrested and held for two weeks on suspicion of money laundering and possessing an illegal firearm following the hack on his company’s servers, but that turned out to be the least of his problems. Manupassa denied knowledge of his company’s involvement in criminal activity, but following firebomb attacks on his street and police picking up a car full of heavily armed criminals near his house, he and his family were forced into hiding. There is reportedly a €250,000 bounty on his head.

Yet, despite the high risks, it’s still worth the gamble for some. Earlier this year Craig Buchan launched Omerta, a company selling “fully encrypted, anti-surveillance security-hardened smartphones”. His background is in “information technology and security” but he’s not your stereotypical tech geek. Buchan’s got a strong sales patter, a charming Aberdeen accent and ends his sentences with “yeah?” and “right?” – a tendency that leads you to nod in agreement with whatever he’s saying.

After graduating, Buchan landed a job designing 3D animations for a double-glazing marketing video company which was, he says with a laugh, “a bit of a disappointment”. Soon, though, he struck gold with a position in software development for casino games, work that saw him travel all over South-East Asia. That lasted until the financial crash in 2008, when he returned to the UK to work for the University of Liverpool in IT security for departments conducting sensitive research. After ten years in that job, Buchan moved back up to Scotland to be closer to his family after his “granny got sick”. It was a depressing period. He was either “overqualified or underqualified” for every job he saw. During that time, he kept busy modifying the operating systems on mobile phones for friends to use in virtual-reality games. Then he had an idea. Why not strike out on his own by combining the skills he’d learned in his hobby with his background in securing IT systems?

Buchan is not shy about courting controversy, so long as it brings in customers. Commenting on the EncroChat hack he calls it “criminal” – though he’s not referring to the company’s business model or clients, but rather the service’s failure to guard the privacy of its customers. “They completely failed to protect the people they said they were going to protect, and I find that quite incredible, quite shocking,” says Buchan. He’s also been quick to try to turn EncroChat’s loss into Omerta’s gain. When news of law enforcement’s infiltration of his competitor broke he dashed out a blog on it: “EncroChat hacked, users exposed & arrests galore – the King is dead.” The post has attracted a “massive influx in business” according to Buchan, with more than 20,000 people visiting Omerta’s website after he put it up. “That’s incredible for a piece of literature written in my boxer shorts,” he says proudly.

Quick money is undoubtedly part of the lure for those working in the encrypted telecommunications industry. Every 100 customers who buy a mid-range phone combined with the cheapest six-month encrypted SIM package earn Omerta around £250,000 – extrapolate that calculation to EncroChat’s 60,000 clients and you get £150 million. Omerta’s not there yet, but it’s not doing badly either. Buchan runs an obsessively tight ship, personally responding to all customer enquiries himself. It’s partly about wanting to “educate” customers about how to protect their privacy, he says, but also reflects his view that “staff growth is a weakness” that introduces security risks. As the business expands, Buchan says he plans to use artificial intelligence to handle some of his workload – robots can be trusted not to blab secrets. Low staffing costs coupled with no expensive overheads like storefronts also helps increase profit margins. “I’m not chartering flights just yet,” Buchan tells me. “But I am very, very happy and pleased with what we’ve achieved.”

“They completely failed to protect the people they said they were going to protect”

While the demise of EncroChat has been good news for Omerta, the obscure nature of the hack and the apparent disappearance of the company and its employees have left some tech experts wondering whether EncroChat might have been set up as a police sting operation from the start. “You never know,” says Soesanto. “Law enforcement has done crazier things in the past and sting operations of that size are not unusual, so it might be possible.”

Indeed, in the murky world of cyber cops and criminals the endless chasing and subterfuge can sometimes make it hard to distinguish between the good guys and the bad guys. Dutch law enforcement’s takedown of Hansa, an online drugs bazaar, is a case in point.

The marketplace was hosted on the dark web – a part of the internet that isn’t visible to search engines and requires the use of an anonymising browser called Tor – meaning dealers could openly peddle heroin, cocaine and MDMA via the site to buyers across Europe with little fear of being caught. But in 2016, the authorities in the Netherlands got a tip-off about the site’s server location. In the course of their investigations into the server’s contents, the police struck gold. A cache of old messages between the website’s hosts, accidentally stored on one of its servers, provided investigators with the names and home address of the two German men running it. The story could have ended there, with the arrest of Hansa’s creators and the closure of the marketplace. But investigators decided to go a step further.

This time police didn’t just want to take the marketplace down – they wanted to take it over. Their plan was bold but simple. Investigators had discovered that the two men behind Hansa were already wanted by German police for running another website selling pirated ebooks and audiobooks. If they were arrested on those charges and persuaded to hand over their site-administrator passwords, police could hijack Hansa without its users realising it had been compromised. Amazingly, they pulled it off. And to add to the coup, just at that moment the closure of Alphabay, a similar site based in the US, drove even more illegal traders onto Hansa.

For more than two months, undercover police officers ran the online drugs marketplace as the number of users increased eight-fold and some 27,000 deals went down. The only drug they stopped the sale of was fentanyl, a highly addictive and deadly synthetic opioid. The audacious plan meant that cops were effectively overseeing the sale of narcotics of every kind. The trade-off, however, was access to those buying and selling them. Posing as the site’s administrators enabled police to covertly rewrite its code so that it captured metadata from photos, stored pre-encryption messages and logged passwords.

Cops who end up enabling drugs sales in order to catch criminals may well ask themselves some searching moral questions. Buchan, however, has no qualms about the ethics of Omerta. “It’s like with all technology: there are always benefits and there are always bad uses of it. The example that springs to mind is nuclear power – you know, there’s the nuclear bomb, which can be so bad, but there  are lots of other benefits to having nuclear technology… Just because some technology will be used in a bad way, it doesn’t mean [you should] stop developing it.”

Services like Omerta, Buchan points out, can be useful in industries that involve the exchange of highly sensitive information – such as journalism, political activism and legal work – or for high-net-worth individuals and celebrities who have greater privacy needs. Recently, Buchan says, he waived charges for a vulnerable client whose ex-partner had begun monitoring and recording their communications and effectively stalking them. In exchange, Buchan requested a case study for his website to demonstrate the diversity of Omerta’s offerings.

Still, Omerta’s website hints at some darker motivations for wanting a secure smartphone. A recent post by Buchan is accompanied by a cartoon depicting the Omerta phone, ‘The Titan’, versus ‘The British Bobby’. Then there’s the name – according to the website, Omerta means: “the south Italian code of honour that places importance on silence in the face of questioning by authorities or outsiders”. And Buchan, by and large, follows that code. “The reason I don’t have concerns is because I don’t talk to my clients about their business and they don’t need to tell me about their business,” he says. “In much the same way that if a bad player needed an escape vehicle and they went to BMW for the escape vehicle, they’re probably not going to talk to the salesman about what they intend to do with the aforementioned vehicle,” he tells me.

As for the choice of brand name, Buchan dismisses it with a cheeky chuckle. “It’s mafioso, it’s fashionable, it’s stylish… and if it makes it a bit notorious, well, from a marketing point of view, is that a bad thing?”

Posted on Thursday, September 14th, 2023 - Categories: #39 - Apr-Jun 2020, App Issues.