The EU police agency processes billions of personalised “big data”, much of it from governmental hacks or intelligence sources. The new Europol vice-director, who was trained in the French military, plays a special role. Now it’s up to the EU Parliament to decide.
The day before yesterday, the EU interior ministers agreed on a mandate for negotiations on the amendment of the Europol Regulation. The final draft has already been published by the British civil rights organisation Statewatch. This means that negotiations on the planned law with the EU Parliament can begin. The proposal is controversial, as Europol would be allowed to process data from private entities on a large scale, even if they include innocent people or contact persons of suspects.
Six months ago, the Commission had presented the draft for the new Europol Regulation. According to the proposal, Europol should have an additional 178 million euros and 160 new posts by 2027. Because the police agency would then also be allowed to use the Schengen Information System (SIS II), a proposed amendment of the SIS Regulation is also being discussed. With the new legal and financial powers, Europol would be on its way to becoming a “European FBI”, as some German interior politicians have demanded in recent months.
Europol is to become a contact point for “big data”. According to the regulation, the police agency could obtain personal data directly from private companies and compare it with its own databases or systems such as the SIS II. Europol then determines which member states might be interested in these data sets and forwards them to the law enforcement authorities there.
Hack of “EnchroChat” as a prelude
How this works in practice was shown first by the investigations into the encrypted “EnchroChat” telephone network a year ago. This involved millions of recordings of chats and conversations that originated from a hack of the French secret service. As part of “Operation EMMA”, Europol assisted member states in dismantling “high-value targets” based on the “EnchroChat” information. From March to July 2020, around 40 Europol employees were involved in the forensic analysis and evaluation of the material. They were supplemented by around a dozen representatives from the member states.
Together with France and the Netherlands, Europol set up a joint investigation group in which member states could participate to use the data. In total, more than 1,800 suspects are said by the Commission to have been arrested as a result, the “threat-to-life situations” of over 200 persons prevented and cash worth more than 130 million euros seized. Raids and investigations are still taking place in EU member states based on the material.
The dismantling of the “EncroChat” platform took place under the direction of the French Gendarmerie. Supervision was in the hands of the Frenchman Jean-Philippe Lecouffe, who was previously stationed at the French embassy in Kabul as part of the EU police mission EUPOL Afghanistan, as head of the National Criminal Investigation Directorate of the Gendarmerie. A graduate of the French Military Academy, Lecouffe has now been appointed by the Council of the EU to Europol as Deputy Executive Director for the Operations Division, and took up his post there two months ago.
Questionable investigations into “Sky ECC”, “ANOM”, “Double VPN”
This year Europol has coordinated numerous other similar investigations. With judicial and law enforcement authorities from France, Belgium and the Netherlands, Europol processed data originating from the supposedly encrypted communication service of the Canadian provider “Sky ECC”. This is said to have been done through a fake phishing application. Europol claims to have gained “invaluable insights into hundreds of millions of messages exchanged between criminals” as a result. Around 70,000 users are affected, and the first raids were carried out with around 50 arrests in Belgium and the Netherlands.
A month ago, the US FBI and the Australian Federal Police announced that they had covertly operated a bogus encrypted phone company under the name “ANOM”. The authorities claim to have supplied more than 12,000 encrypted devices to “over 300 criminal syndicates operating in more than 100 countries”. The 27 million messages obtained through them were then analysed by Europol and 16 other countries and used for 700 raids, with more than 800 arrests allegedly made.
In the latest action so far, Europol is coordinating European investigations after authorities in Europe, Canada and the US seized the servers and internet domains of the virtual private network “DoubleVPN”. The Dutch police is in the lead, and the German Federal Criminal Police Office is also said to take part. As in the previous investigations into “EnchroChat”, “Sky ECC” and “ANOM”, the EU justice agency Eurojust is also involved. Europol is said to have organised 30 preparatory meetings regarding “DoubleVPN”, Eurojust an additional six.
Chloé Berthélémy of the organisation “European Digital Rights” (EDRI) describes Europol’s new methods as “NSA-style” surveillance in a commentary on the EU news website Euractiv. Critical safeguards in criminal procedure law and the presumption of innocence would be circumvented. This is by no means an exaggeration, as Europol is also increasingly receiving data directly from secret services.
The information comes, for example, from the military, which has collected it on “battlefields” in Iraq or Syria. Europol receives further lists with thousands of persons from secret services from the Western Balkan states or from North Africa, so that they can be put out for “discreet checks” in the SIS II. Although the fundamental rights protection of the persons concerned cannot be checked by authories in Europe, Europol then looks for a willing member state to make this SIS-entry. With the new regulation, the police agency could also carry out corresponding searches itself and then inform the intelligence services of the third countries of the results.
After the agreement in the Council, it is now up to the Parliament to decide on the new Europol Regulation. MEPs will then also have to deal with a submission from the European Data Protection Supervisor (EDPS), who has questioned the legality of Europol’s processing of “Big Data”. The agency has already responded to the criticism and promised a model for “data minimisation”. However, Europol wants to use the operational data not only for investigations but also for “research and innovation” purposes, this too would be laid down in the new regulation.