This article was written on the basis of information related to the so-called “8 December” case (see the footnotes for a global overview of the case, we focus on the “numerical part” of it in this article)in which 7 people were indicted for “association of terrorist criminals” (“association de malfaiteurs terroristes”) in December 2020. Their trial is scheduled for October 2023. This will be the first counterterrorist trial targeting the “ultra-left” since the fiasco of the Tarnac case[^2].

The charge of terrorism has been roundly rejected by the defendants. The defendants denounce a political trial, an incriminating investigation and a lack of evidence. In particular, they point to decontextualised statements and the use of trivial facts (sports and digital activities, reading and listening to music, etc.)as evidence against them.

The defendants have received the support of numerous personalities, media and groups

The state was recently condemned for keeping him in solitary confinement one of the defendant for 16 months. Another defendant took the State to court for the repeated strip-searches she was subjected to in pre-trial detention.

“All members contacted adopted a clandestine behaviour, with increased security of means of communication (encrypted applications, Tails operating system, TOR protocol enabling anonymous browsing on the Internet and public wifi)”.

General Directorate for Internal Security (Direction générale de la Sécurité intérieure, DGSI)

“All members of this group were particularly suspicious, only communicating with each other using encrypted applications, in particular Signal, and encrypting their computers and devices […].

The Investigating Judge

La Quadrature du Net has been alerted to the fact that, in the context of the “8 december” case, not only the use of communications encryption tooals (WhatsApp, Signal, Protonmail, Silence, etc.) but also the possession of technical documentation and the organisation of digital hygiene training courses are being used to “demonstrate” a so-called “clandestine behaviour” that can only be explained by the “terrorist nature” of the group.

We have had access to certain elements of the file confirming this information. We have chosen to make them visible in order to denounce the criminalisation of digital practices at the heart of our day-to-day work and the manipulation to which they are subjected in this affair.

Mixing fantasies, bad faith and technical incompetence, a police story has been constructed around the (good) digital practices of the accused, with the aim of staging a “clandestine” or “conspirative” group.

The elements of the investigation that have been communicated to us are staggering. Here are just some of the practices that are being misused as evidence of terrorist behavior:

– the use of applications such as Signal, WhatsApp, Wire, Silence or ProtonMail to encrypt communications ;

– using Internet privacy tools such as VPN, Tor or Tails ;

– protecting ourselves against the exploitation of our personal data by GAFAM via services such as /e/OS, LineageOS, F-Droid ;

– encrypting digital media;

– organizing and participating in digital hygiene training sessions;

– simple possession of technical documentation.

Communications encryption used to prove clandestinity…

The link made between encryption and terrorism is far from being a secondary aspect of the affair as it appears in the document that started this whole affair.

A short intelligence note, of which many elements will turn out to be false and in which the DGSI requests the opening of a preliminary investigation reads as follows: “All members contacted adopted a clandestine behavior, with an increased security of the means of communication (encrypted applications, Tails operating system, TOR protocol enabling anonymous browsing on the Internet and public wifi).”

This sentence will appear more than a hundred times in the file. Written by the DGSI, it will be repeated uncritically by all the magistrates involved: first and foremost the Investigating Judge, but also the magistrates of the Investigating Chamber and the judges of freedoms and detention.

During the investigation phase, the amalgam between encryption and clandestinity will be used by the DGSI to justify the implementation of the most intrusive means of surveillance, in particular bugging private places. The DGSI will consider them necessary to monitor “individuals who are leery of phones” and “use encrypted applications to communicate”.

After their arrests, the defendants will be systematically questioned, both by the DGSI and the investigating judge, about their use of encryption tools and will be asked to justify them: “Do you use encrypted messaging (WhatsApp, Signal, Telegram, ProtonMail)? “, “For your personal data, do you use an encryption system? “, “Why do you use this kind of encryption and anonymization applications on the Internet? “. In total, there are more than 150 questions related to the issue of encryption and digital practices in the investigation file.

While most of the defendants seem somewhat destabilized by having to justify, in 2022, the encryption of their communications via consumer applications, the questions are more direct: **”Have you done anything illegal in the past that required the use of these encryptions and protections? “, “Are you looking to hide your activities or have better security? “, “Do you have anything to hide? “.

And evidence of « conspiracy actions »

The use of encryption will be at the center of two documents closing the investigation: the National Antiterrorist Prosecution Office’s (Parquet National Antiterroriste, PNAT) conclusions and the investigating judge’s referral order.

The PNAT writes an entire chapter about it named “Secure means of communication and browsing” as part of a section titled “conspiracy actions”. Over four pages, the PNAT takes stock of the “evidence” of the use by the accused of encrypted messaging systems in order to draw the picture of a dangerous group cloistered in clandestinity. The Signal application is particularly pointed out.

It reads: “The protagonists of the case were all characterised by their cult of secrecy and obsession with discretion both in their exchanges, and in their browsing on the Internet. The encrypted application Signal was used by all of the accused, some of whom communicated exclusively [highlighted in the text] through it. “.

The investigating judge equally takes up much of the DGSI’s narrative and makes an exhaustive list of the encryption tools that each of the defendants has “admitted” using. He uses almost systematically the lexical field of confession: “He admitted to the investigators that he used the Signal application”, “X did not deny using the encrypted application Signal”, “He also admitted using the Tails and Tor applications “

Criminalisation of computer literacy…

Beyond the criminalisation of encrypted means of communication, computer literacy is also pointed at in this case. Considered as a sign of dangerousness, IT skills are put forward to build an alarming narrative.

The note from the DGSI opening the case and mentioned above specifies that among the “profiles “ of the group members with the “necessary skills to carry out violent actions “ is a person who would have “solid skills in IT and encrypted communications “. This person and their relatives have been questioned at length on this topic after his arrest.

While their knowledge will finally prove to be far from what the DGSI claimed (they know how to use Tails and Tor, but their profile is not that of a computer scientist versed in the art of cryptography or hacking), the investigating judge nevertheless specifies in his referral order that this person has “indicated that they have installed the Linux operating system on their computers with an encryption system “.

The simple fact of owning computer documentation is also retained as evidence. Among the technical documents seized following the arrests are handwritten notes relating to the set up of a general public operating system for phones (/e/OS), alternative to Google Android, and various privacy applications (such as Signal, Silence, Jitsi, Tor and RiseUp Vpn).

The DGSI also wrote that “these elements confirm their will to live in clandestinity”. The PNAT pursues the same reasoning: “These writings constituted a real guide to using their phone anonymously, confirming X’s desire to go underground, to hide their activities […]. “.

The DGSI further noted in its report ” […] the presence of documents related to the encryption of computer or mobile data […]. Which can materialise a will to communicate by clandestine means.”.

And of their transmission

The criminalisation of IT skills is coupled with an attack on their transmission to others. An entire section of the PNAT’s conclusions titled “Training in secure communications and browsing” is dedicated to criminalising digital hygiene trainings, also known as “Cryptoparties” or “Privacy cafés”. These collective and common practices, which La Quadrature Du Net itself often organises or promotes, help to disseminate knowledge and awareness on the issues of privacy, protection of personal data and free software.

What is exactly the subject of accusation here? A workshop presenting the Tails tool organised during the COVID-19 lockdown. According to the PNAT, it was during this training that “X provided them with secure software and introduced them to the use of encrypted means of communication and Internet browsing, in order to guarantee their anonymity and impunity“. The link made between the right to anonymity and impunity has at least the merit of being very clear.

The PNAT adds: “X was not only using these privacy applications, they were teaching those close to them to do so.”. A sentence that will be repeated, word for word, by the investigating judge.

The investigating judge considers this training as one of the “material facts” characterising “the participation in a group formed […] with a view to preparing acts of terrorism”, both for the person who organised it (“By training them in using secure means of communication and Internet browsing “) and for those who attended (“By attending training sessions on secure means of communication and Internet browsing “).

For its part, the DGSI systematically asked the relatives of the defendants if they had recommended the use of encryption tools: “Did they suggest that you communicate together by encrypted messaging?“, “Did they ask you to install Signal beforehand?”. *The response of a mother of defendant led the PNAT to report: “He had convinced his mother to use non-interceptable modes of communication like the Signal application.”.*

Are you anti-GAFA?

Likewise, the critical attitude towards technologies, and in particular to Big Tech (Google, Amazon, Facebook Apple and Microsoft, GAFAM), is considered as a sign of radicalisation. Among the questions asked to the defendants, one can read: Are you anti-GAFA?”, “What do you think of GAFA?” or “Do you feel a certain reserve towards communication technologies?”.

These questions are to be read in light of one report from the DGSI titled “The ultra-left movement”, which states that “members” of this movement are alledgedly showing “a great culture of secrecy […] and a certain reserve towards technology”.

From this perspective the alternative phone operating system for the general public /e/OS is of particular interest for the DGSI. The interception of an SMS mentioning this system is commented at length. The PNAT indicates that a defendant asked about a “new operating system called /e/ […] guaranteeing to its users total privacy and confidentiality “. This is a dishonest argument as avoiding Google services does not grant “total privacy” -, the importance given to this kind of information in an anti-terrorist investigation leaves one wondering.

Is this instrumentalisation a sign of police technical incompetence?

It is legitimate to wonder how such a situation can occur. None of prosecutors involved, the investigating judge and the judges of freedoms and detention, recalled at one point during the investigation that these practices are perfectly legal and necessary for the exercise of our fundamental rights. The various approximations and errors in the technical analyses made by the police suggest that a lack of computer literacy has certainly facilitated the general acceptance of the incriminating framing.

For example, the reports based on two technical analysis centers contradict each other on… the phone model of the main accused.

Tor and Tails seem to be vague notions both for the DGSI and the prosecutors although these tools are at the core of the charges of “clandestinity”.

As a reminder, Tor is a protocol for secure Internet browsing. It allows to limit the tracking of our connections and to protect us against censorship. It can be easily used on any computer. Tails, on the other hand, is a general public operating system, just like Ubuntu/Windows, which is installed on a USB key. It allows you to browse securely via the automatic use of Tor on any computer. This tool is recommended to benefit from the protections provided by Tor and to limit the risks of cyberattacks.

For example, the DGSI likens Tor to Tails: “Thor [sic] allows you to connect to the Internet and use trusted communication and data encryption tools. All data is stored in the computer’s RAM and is therefore deleted when the machine is turned off.”.

The Investigating Judge cites documents related to Tails keys, which do not work on cell phones, as evidence of knowledge relating to “complex techniques for reconfiguring one’s phone in order to make it anonymous”. He also added, as did the PNAT, that Tor allows “anonymous Internet browsing thanks to public wifi “*, as if he thought that public wifi was necessary for its use.

The DGSI asked the suspects in police custody for the “logins and passwords for Tor “ -*which do not exist- and wrote that the application “Orbot “, or “Orboot “ for PNAT, is “a TOR ‘proxy’ server that anonymizes the connection to this network “, which makes no sense. If Orbot is indeed a proxy server, which is necessary to connect to Tor, its use does nothing to mask the use of Tor.

What to say finally of the recurring remarks of the Investigative Judge and the PNAT on the fact that the accused encrypt their hard drives and use Signal?

They simply suggest that they do not even know that their own computers, which we imagine run on Windows, and their phones are also encrypted by default (unless they are over 10 years old). As for Signal, would they also accuse the European Commission of being clandestine because it recommended in 2020 to its staff to use the app?

And would they lump the United Nations Rapporteur for Freedom of Expression and Information, who recalled in 2015 the importance of encryption for fundamental rights, with terrorists together? Or even the ANSSI and the CNIL (the French Data Protection Authority) who, in addition to recommending encryption of digital media for both personal and professional use, even dare to put technical documentation online to do so?

In short, we can only invite them to go to the much talked about “cryptoparties” where they could learn some digital hygiene basics. Instead of trying to ban them.

Or the need to build a police narrative?

While such a level of technical incompetence may highlight how digital practices can weight in a counterterrorism case, it cannot explain why the DGSI has not provided any further evidence of the supposedly “clandestine” life of the accused.

However, from the very beginning of the investigation, the DGSI held already considerable amount of information on the future defendants. In the digital age, it collects data held by public administrations (health insurance, employment services, family allowances, taxes), consults administrative files (driving licences, vehicle registration, etc.) and police files and analyses phone records. Data access orders are sent to many companies (Blablacar, Air France, Paypal, Western Union, Netco. . . ) and bank accounts are meticulously analysed.

In addition, information is further gathered through the many surveillance measures that have been authorised (sounding of private places, tapping, real-time geolocation via GPS beacons or phone tracking, IMSI catcher. . . ) and, of course, numerous surveillance operations deployed against the “targets”.

Every phone interception mentioning the use of encrypted messaging (Signal, WhatsApp or Silence) or email providers such as Protonmail or Riseup is registered in an official report indicating the “desire to conceal “ or the “precautions “ taken, demonstrating “suspicious “ or “conspiracy-minded “ behaviour. However, how can we explain that the DGSI can find nothing else to validate its theory among the wealth of information it holds?

Perhaps it is because the agents are coming up against the limits of their own conflation of encryption and clandestinity: the accused have a social life, are registered with the social authorities, have bank accounts, a family, friends, travel by plane under their own real name, some work, have romantic relationships… In short, the accused use Signal, while at the same time leading a normal life. Just like the members of the European Commission…

This suggests that the lack of evidence of supposed clandestinity can explain the big confusion between encryption and terrorism. In the absence of concrete evidence, the DGSI is taking advantage of the fantasy surrounding encryption tools.

Encryption used to explain the lack of evidence

The emphasis put on encryption offers another advantage to the police narrative-building objective. It is used as an alibi to explain the lack of evidence of a supposed terrorist plot. The police thus justifies: the evidence exists, but it cannot be deciphered.

The Investigating Judge wrote that the reason why phone taps only provided “some useful information” is because of the “minimal use of these lines” in favour of “encrypted applications, in particular Signal”. This conclusion grossly ignores the fact that the analyses of tapped phone lines in fact show that almost all suspects make intensive use of SMS and traditional calls.

The same applies to the analysis of the digital seals, which did not lead to the evidence the police had hoped for. However, following the searches, the DGSI had access to all or part of six out of seven phones of the defendants, to five Signal accounts, to most of the digital devices seized and to the email and social network accounts of four of the defendants. Altogether, this represents thousands of gigabytes of personal data, conversations and documents. Entire lives at the disposal of intelligence services officers.

But nothing has been done. The judges took pains to explain how the refusal of three defendants to provide their decryption codes – two of whom nevertheless had their phones accessed thanks to advanced techniques – hindered “the progress of the investigations” and prevented “certain facts from being identified”. The PNAT goes so far as to regret that the refusal to communicate decryption codes prevents the use of… a broken phone and an unencrypted phone. One can only ask who is truly being “paranoid” in this case…

Moreover, this case only confirms our opposition to the obligation to provide decryption codes that led us to bring the matter before the Constitutional Council in 2018. We recently pointed out that coerced access to phones is massively used on individuals in police custody. In addition to being a particularly serious infringement of privacy and the right not to self-incriminate, this obligation was systematically used by the Investigating Judge as a means of exerting pressure to maintain pre-trial detention, and was even used to justify denying one of the accused access to the investigation file.

Counterterrorism, encryption and preventive justice

It is vital to bear in mind the shift in the fight against terrorism “from a repressive logic to a preventive one” in France when attempting to understand the association of digital practices with so-called clandestinity. The offence “association of terrorist criminals with a view to” is emblematic of this paradigm change. Professors Julie Alix and Oliver Cahn describe the “metamorphosis of the repressive system” whose objective has become “to deal not with a crime but with a threat”.

This shift towards a justice system that focuses on predicting behaviour “reinforces the importance of the evidence gathered by the intelligence services”, who have gradually more discretion as to define who is or is not a threat, “according to their own criteria of dangerousness”.

Replacing evidence with suspicion means substituting facts with police framing. It paves the way for the criminalisation of an ever-increasing number of “inept behaviours, innocent in themselves” in the words of François Sureau. This was already criticised in 1999 by the International Federation of Human Rights, which wrote that “any type of ‘evidence’, however insignificant, is given a certain importance”.

It is exactly what is happening in this present case. Widespread and innocuous digital habits are being used for the sole purpose of creating a ‘conspiracy’ atmosphere that supposedly betrays criminal intentions, however mysterious they may be. An atmosphere which, it would seem, is all the more necessary to the police narrative given the vagueness of these intentions.

It is striking to note that although clandestinity is characterised in the present affair by the fact that the accused make “advanced” use of technological tools, in the Tarnac case it was characterised by the fact that… the suspects had no mobile phone. Heads I win, tails you lose. Fifteen years after Tarnac, the criticisms denouncing scriptwriting in counterterrorist justice are still as relevant today as ever.

All terrorists?

As we conclude this article, the mood is dark. It is totally outrageous how people’s digital practices are being used in the present affair.

We are facing the fantasy of a State demanding total transparency from everyone at the risk of being called a “suspect”, a State whose desire for widespread surveillance seems limitless. In this context, we reaffirm our rights to privacy, intimacy and the protection of our personal data. Encryption is, and will remain, an essential element of our civil liberties in the digital age.

This case is a trial for the Ministry of Interior, which aims to normalise this framing for repressive purposes. During a Senate hearing that followed the violent repression of protests in Sainte-Soline [environmental protests severely repressed that happened in France in 2023], Gérald Darmanin, the French Minister of Interior, implored the legislature to change the law so that it would be possible to hack into demonstrators’ mobile phones, especially those using “Signal, WhatsApp, Telegram”: “Give us the same means for extreme violence as for terrorism”. His justification was that “there is a very strong, advanced paranoia in ultra-left circles […] who use encrypted messaging”, which can be explained by a “clandestine culture”. In an attempt to demonstrate the supposed violence of Sainte-Soline activists, he also cited the 8 December affair as an example of a “foiled attack” by the “ultra-left”, in defiance of any presumption of innocence.

This is how the criminalisation of digital practices fits in with the French government’s strategy of repressing all social protests. Reaffirming the right to encryption therefore means opposing the authoritarian abuses of the government that seeks to endlessly extend the scope of “counter-terrorism” policies by designating an ever-growing number of domestic enemies. After the repression of Muslims, now it’s the turn of “eco-terrorists”, “intellectual terrorists” and finally, geeks armed with encrypted messaging systems. Faced with such a situation, the only question left seems to be: “And you, what kind of terrorist are you?

Read More