Earlier this year, the technological underpinnings of organised crime were thrust into the spotlight by the ‘Encrochat’ arrests. It was a clear success for digital forensics and indeed for the safety of the nation. But we should be under no illusions – Encrochat was just one victory in a long-running game of cat and mouse. There will soon be a new criminal communications system to which we don’t have access, and for the digital forensics industry that will mean several more years of painstaking forensic work. Indeed, such a network probably already exists. So where is it, and what does it look like?
Of course, I don’t know – if I did, I’d have a somewhat more explosive article to write. But it is possible to consider the possible directions that County Lines communications could take next. To do so, we should first understand where the now-defunct Encrochat system lay within the structure of County Lines operations. Throughout this, it’s important to remember that a significant portion of gang life takes place offline, with the communications systems only acting to coordinate and document real-world activity.
While sophisticated encrypted systems have their place, there is at least a portion of County Lines activity posted on public social media. If one is so inclined, it’s not particularly difficult to find Twitter accounts belonging to gang members, replete with admissions of various low-level criminal behaviour. Despite appearances, inane online bragging serves some purpose for County Lines. Focus groups from 2017 reported that senior gang members monitor this low-level social media for engagement from potential recruits. This seems a fairly sensible strategy from the recruiters’ perspective – if a local young person starts liking and sharing gang-related content, it’s a good indication that they might be willing to take part in gang activity. This makes them a prime target for grooming.
Also present on these public forums are music videos for the ‘trap’ genre that has made headlines in recent years. For those unfamiliar, this is a style of rap music characterised by lyrics that glorify violence and gang culture. Often posted on YouTube, these videos also serve the purpose of attracting and identifying possible exploitees, but on top of that, they are a marketing tool for the illegal substances that financially underwrite the County Lines setup. The veneer of artistic creativity is pretty thin here, but it’s certainly plausible that at least some of the ‘artists’ making these videos believe they are doing so on expressive grounds, so it would be wrong to discount these posts as purely cynical, regardless of their de facto function in the wider County Lines operation.
Having identified people of interest (either new recruits for muling, or potential customers) from their interactions with these posts and videos, conversations will be taken out of the public eye onto private messaging services such as Facebook, WhatsApp, Snapchat, or simple texting. Along with the eponymous ‘County Line’, these calling, and messaging services provide the basis for the end-user distribution network, as well as the online portion of grooming for young drug runners. These media provide the illusion of privacy but in many cases, it is fairly trivial for law enforcement to make the necessary inferences about criminal activity from the metadata alone. At this level, the real security is provided by ‘safety in numbers’. Everyone using these services for gang crime simply assumes that they are sufficiently unimportant to avoid investigation.
Importantly, the use of conventional messaging services at the lower levels means that the exposure of Encrochat will not have substantially disrupted the operation of County Lines at the consumer, distributor, and retailer levels. Only at the top level of wholesalers and importers is there sufficient need and tech savvy for the use of complex encrypted services. For these people, comfortably removed from the end users, there is a much greater risk of investigation by law enforcement. As the volume of drugs being managed increases, so too does the value to police of a successful arrest. Safety in numbers won’t cut it. This is where services like Encrochat come in, but now that it’s gone these high-level criminals will be looking elsewhere. From their perspective, there are three options.
The first is to take communications offline. For those criminals who are paying attention, it should be clear that nothing is truly unhackable – the Encrochat arrests drive that point home. So, the sensible move might be to completely abandon the possibility of bits-and-bytes storage of self-incriminating evidence. A ‘conversation between two people in an empty room’ is the gold standard for criminal security. We know that because it’s exactly how Encrochat’s marketing materials described the messaging service. Taking communications offline would significantly enhance security. But of course, it’s more convenient to emulate an empty room than to find one, hence the move towards digital communications in the first place. The shady mystique that surrounds organised crime in the public eye does not protect its practitioners from the same basic forces of convenience that guide us all – they are just as addicted to digital technology as the rest of us. It may well be that it is simply not viable to coordinate a modern criminal operation without online communication – after all, it is the advent of such technology that brought about the County Lines model in the first place.
The second option would be to ‘hide in plain sight’, using a service so obscure it would appear unworthy of investigation by law enforcement. Increasingly, mobile games have chat functions that could be used for criminal coordination, and there is some limited evidence that this has already happened. For a marginally more secure option, there could be a rotation of such applications such that no chatroom alone contains a full conversation record. For serious criminals, however, this is a pretty bad idea. Such services mostly fall into the same security illusion as the private chat functions of popular social media sites. The difference is that while street-level distributors and consumers might be correct in thinking they won’t be extensively tracked online; high-level wholesalers would be wrong. Indeed, law enforcement operations on these chatrooms will likely prove trivial for forensics experts because these apps are less likely to be rigorously encrypted than the messaging services offered by popular social media.
Third, and perhaps most obviously, there could be an attempt to recreate Encrochat. Part of what made the system so attractive to criminals was its separation from normal consumer IT – it had its own encryption protocol, operating system, and a dedicated server in France. Crucially, it also used specialised hardware. The Encrochat devices were adapted Android handsets with modifications intended to preserve user privacy, including the removal of GPS functionality, and a ‘panic wipe’ function that allowed the user to delete all device data from the lock screen. To establish another system with this level of sophistication and then distribute new hardware to the rather unforthcoming customer base would be an enormous task, equal parts laborious and profitable. If it had to be built from scratch as a replacement for Encrochat, it probably wouldn’t be ready yet. But in weighing the probability of this option, we should remember that criminal high-privacy telecoms are a free market. Encrochat already had competitors like ‘Phantom Secure’, who ran a very similar business model, including custom hardware, before being taken down in 2018. It would be naïve, therefore, to imagine that a similar network could not already be in operation.
So which option will County Lines take? Perhaps the most important force in guessing where the criminals go next is not the actual security offering, but rather the aesthetics of the service. While there might be a certain allure to offline communications, it is likely to prove an unsustainable (or at least very high effort) method for coordinating high-level crime at the national level. Meanwhile, organising drug trafficking over Candy Crush is, practicalities aside, a bit embarrassing. While the architects of systems like Encrochat are no doubt skilled computer scientists, the sophistication of the user base should not be overestimated. At the end of the day, having a dedicated handset available only to the best-connected in the criminal world is just quite cool. So, while digital forensics experts should gear up for another challenge like Encrochat, there is a distinct possibility that the next platform won’t be the most secure, but rather the most stylish.
James Ackland is a Postgraduate Researcher at the Cambridge University Political Psychology Lab. https://www.psychol.cam.ac.uk/polpsych/
