Over the past four years, I have handled numerous international cases involving SkyECC, Ennetcom, EncroChat, and other PGP- or crypto-phone networks. These networks were designed to guarantee privacy through end-to-end encryption and were allegedly used by criminals for secure communication, but they quickly attracted the attention of law enforcement.
What initially appeared to be an airtight weapon for prosecutors – massive hacks of encrypted messages that seemed to dismantle entire criminal networks – is becoming a legal minefield. To understand why, we first need a brief explanation of the technology. PGP (Pretty Good Privacy) and crypto-phones like EncroChat and SkyECC rely on asymmetric cryptography: messages are encrypted with public keys and can only be decrypted with private keys on the recipient’s device. This makes remote interception or cracking virtually impossible – unless the keys are intercepted or the network itself is hacked.
That is exactly what happened in the major police operations of 2019–2021. French and Dutch authorities developed advanced techniques in which they positioned themselves as a trusted party between the user and the server. Through invisible push notifications they injected malware to steal keys. This resulted in the seizure of millions of messages, which were then shared via European Investigation Orders (EIOs) with countries such as Italy, Spain, and Germany.
Now the tide appears to be turning: in various countries, defendants and their lawyers are demanding transparency about how the data was obtained. Judges across Europe can no longer ignore these requests; when access to the evidence is refused, the ultimate consequence is that the evidence can be excluded.
Let us start in France, the epicentre of these hacks. The Cour de Cassation, France’s highest court, delivered two judgments this year that pull the rug out from under the entire system. On 17 June 2025, the court ruled that intercepting or hacking phones located on the territory of an EU Member State without notification or consent is unlawful – even if the interception runs through French servers and the phone is temporarily outside France.
Questions of jurisdiction
Imagine a SkyECC user in Spain for example receiving a push notification that secretly forwards keys to the police. According to this ruling, Spain must be explicitly informed; otherwise, the hack is invalid. This aligns with an earlier judgment of the Court of Justice of the European Union (CJEU) of 30 April 2024 in the case Staatsanwaltschaft Berlin v. M.N., which emphasised that Article 31 of Directive 2014/41 protects not only states but also the rights of individual users. The focus is on the defence rights of suspects, not diplomatic courtesies. Technically, this concerns sovereignty: a hack does not only affect servers in France (such as those in Roubaix) but also the physical location of the phone, where local laws on privacy and data seizure apply.
Even more explosive was the judgment of 16 September 2025. In that case, the Cour de Cassation stayed proceedings and referred preliminary questions to the CJEU. The core issue: does the use of SkyECC or EncroChat data in other EU countries provide sufficient safeguards for the defence? Can the legality of the source collection (the hack itself) be left entirely to France via the European Investigation Order (EIO), without the defence in the receiving country gaining access to the French raw data or the procedure?
Preliminary questions are like an alarm bell: they ask the CJEU for a binding interpretation of EU law. These questions strike at the heart of tens of thousands of ongoing cases: if the CJEU rules that the French procedure is inadequate, the evidence will collapse like a house of cards – across the whole of Europe.
Technically, this revolves around “raw data”: the unprocessed capture files (such as PCAP or JSON) that include hashes and digital signatures to prove integrity. Without access to these, the defence cannot, for example, check whether data was manipulated during filtering – a process in which algorithms sort and translate messages.
Switzerland rejected Sky ECC evidence
Outside the EU, a similar message is being heard. On 15 August 2025, the Obergericht des Kantons Zürich in Switzerland fully excluded SkyECC data as evidence. Reason: a blatant violation of the territoriality principle. French authorities used a technique developed in the Netherlands, in which cryptographic keys (private keys) were intercepted directly from phones on Swiss territory via invisible push notifications. No mutual legal assistance request, no consent – pure infringement of Swiss sovereignty. The Swiss high court’s ruling: all related data, transcripts, and derivative evidence are invalid. This illustrates how non-EU countries reject this evidence and undermines the French narrative that the interception took place “purely on French servers.” In reality, the hack always affects the territory where the phone is located.
And then the latest news from Strasbourg: on 17 November 2025, the European Court of Human Rights (ECtHR) for the first time communicated questions in an EncroChat case (Silgir v. Germany). The ECtHR asks whether this constitutes an unlawful interference with private life (Article 8 ECHR) but, more importantly: did the defendant receive a fair trial (Article 6 ECHR)? The Court explicitly refers to its Grand Chamber judgment in Yalçınkaya v. Turkey (2023), which imposes strict requirements on the assessment of digital evidence in criminal proceedings. “Communication” by the ECtHR means that the complaint has passed admissibility and will be considered on the merits – potentially groundbreaking case law.
Striking judgments from Italy and Spain
Recently, three striking national judgments have accelerated this trend and demonstrated how widespread the criticism has become:
In Italy, the Tribunale di Imperia (judgment of 19 January 2026) excluded the entire EncroChat dataset as evidence. Reason: French state secrecy surrounding the parsing process makes verification of completeness, integrity, and absence of contamination impossible. Parsing is the technical process by which raw data are converted into readable messages; without insight into this, the defence cannot demonstrate whether selective filtering occurred.
The Tribunale di Catanzaro (preliminary judgment January 2026) issued a groundbreaking interim decision ordering a new European Investigation Order (EIO) to France to freeze original files, ensure notification, and enable the exercise of defence rights in France itself. This is a European first: a judge actively supporting the defence with an EIO to scrutinise the French procedure. Technically, this compels France to share raw data – precisely what we have been demanding for four years.
And then an Iberian surprise: in Spain, the Audiencia Provincial de Valencia acquitted all 14 defendants in a major cocaine case. The SkyECC evidence – the only substantial proof – was excluded. In short, the defence was unable to conduct its own investigation or counter-expertise.
France and the Netherlands – as the technical and operational core of the SkyECC and EncroChat operations – stand at the centre of criticism from southern and eastern Europe. The French hacking technique (largely, and possibly entirely, developed with Dutch input) and France’s refusal to share information and data are no longer accepted as given.
Now that both the CJEU and the ECtHR are addressing the substance, this matter may finally be assessed properly: with genuine scrutiny of the data and safeguarding of defence rights, rather than blind trust in foreign assertions.
Yehudi Moszkowicz is an international criminal defence lawyer and specialist in crypto/PGP evidence cases.
