WEBVTT

00:00:00.000 --> 00:00:05.920
JACK: I’m mad. I’m honestly really upset about the current state of our mobile

00:00:05.920 --> 00:00:12.440
phone options. I want privacy and security when it comes to my communication devices,

00:00:12.440 --> 00:00:17.160
and I often lie to myself and say that’s the single most important feature of a phone.

00:00:17.160 --> 00:00:22.760
I don’t want anyone eavesdropping on what I do when I’m on my phone, but the reality is,

00:00:22.760 --> 00:00:26.260
every single thing I do on my phone is being recorded and sent somewhere.

00:00:26.260 --> 00:00:30.640
[MUSIC] See, the two biggest smart phones out there are Google’s Android and Apple’s iPhone.

00:00:30.640 --> 00:00:35.920
Something like 95% of all phones out there are either Android or Apple phones, and I’m telling

00:00:35.920 --> 00:00:42.960
you both are huge data collectors. Google’s privacy policy says it logs your phone numbers,

00:00:42.960 --> 00:00:46.800
calling party numbers, forwarding numbers, time and date of calls, duration of calls,

00:00:46.800 --> 00:00:50.800
SMS routing information, types of calls, and your IP address.

00:00:50.800 --> 00:00:56.080
Apple collects your account information, device information, contact details, browsing history,

00:00:56.080 --> 00:01:01.520
search history, and your location. This is not privacy. On top of that,

00:01:01.520 --> 00:01:21.725
there are so many apps and websites out there that are fiendishly trying to get all my data,

00:01:21.725 --> 00:01:21.820
and the phone’s operating system could do quite a bit to stop my data from just leaking out,

00:01:21.820 --> 00:01:21.920
but they don’t do enough. Like, I can’t stand using normal text messaging anymore or a standard

00:01:21.920 --> 00:01:22.760
browser on these phones, because neither are private. But that’s all fine and good. Actually,

00:01:22.760 --> 00:01:27.400
I don’t even care if Google and Apple does that. But here’s the part where I’m mad;

00:01:27.400 --> 00:01:33.000
I’m mad that there’s no good options for privacy-focused phones out there. You can’t walk

00:01:33.000 --> 00:01:38.320
into any of the mobile phone stores and say hey, I want a phone that actually respects my privacy.

00:01:38.320 --> 00:01:43.360
None of the mobile phone stores carry privacy-focused phones. We are currently

00:01:43.360 --> 00:01:49.960
facing [MUSIC] an all-out war, and we’re losing. The war is all about our privacy.

00:01:49.960 --> 00:01:54.600
Marketing companies want to get to know us intimately so they can run targeted ads just

00:01:54.600 --> 00:02:00.760
for you. If you have a death in the family, the OfficeMax marketing team will take note,

00:02:00.760 --> 00:02:06.080
and if you get pregnant, Target will send you coupons for baby items. But how does Target know

00:02:06.080 --> 00:02:11.320
that you’re pregnant? Well, it’s because they saw you buying unscented soaps and lotions, and yeah,

00:02:11.320 --> 00:02:16.520
they have statisticians watching your buying habits, and some stores track your phone’s Wi-Fi

00:02:16.520 --> 00:02:21.360
signals and watch where you stop and look at certain items or sections of the store.

00:02:21.360 --> 00:02:25.920
Yes, when you purchase things at stores, they will store all the items you buy and create a

00:02:25.920 --> 00:02:33.160
whole dossier on you and your buying habits and likes and wants and desires. That’s just retail

00:02:33.160 --> 00:02:37.400
stores. There are actual adversaries that we have that are all trying to find our private

00:02:37.400 --> 00:02:43.920
information, too. It’s an all-out war. When a war like this is waged, the very last thing I

00:02:43.920 --> 00:02:51.120
want is for my own device that’s in my pocket to be on the enemy’s side. One of the first

00:02:51.120 --> 00:02:55.920
things you learn about when you’re getting into information security is the CIA triad,

00:02:55.920 --> 00:03:00.760
and this stands for confidentiality, integrity, and availability. These

00:03:00.760 --> 00:03:08.160
are the three main pillars of security, and I believe that both Android and Apple violate our

00:03:08.160 --> 00:03:15.160
confidentiality the entire time the phone is on, and sometimes even when the phone is off.

00:03:15.160 --> 00:03:20.280
But I lie to myself when I say that privacy is the most important feature when it comes

00:03:20.280 --> 00:03:25.560
to buying a phone, because I always end up buying one of these phones that logs,

00:03:25.560 --> 00:03:32.320
collects, and sells my data instead of one that’s actually private. So, if I’m being real,

00:03:32.320 --> 00:03:38.760
features and functionalities really are the most important aspect of buying a phone for me,

00:03:38.760 --> 00:03:44.760
even though I’m so privacy-focused. But I’m still mad that there’s a lack of options out

00:03:44.760 --> 00:03:51.320
there for an actual secure phone that’s for me, one that’s stable, updated, works good,

00:03:51.320 --> 00:03:57.360
and just has some basic features that respect my privacy. There are some privacy-focused

00:03:57.360 --> 00:04:10.617
phones out there, but unfortunately these privacy-focused phones have some dark secrets.

00:04:10.617 --> 00:04:12.920
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:04:12.920 --> 00:04:33.000
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:04:33.000 --> 00:04:39.960
JACK: Now, I’m not the only one out there who wants a secure phone. There’s quite a market

00:04:39.960 --> 00:04:44.680
for this type of thing, and because of that, there are companies that make private phones.

00:04:44.680 --> 00:04:49.180
One of the first popular ones to show up on the scene was a phone called Phantom Secure.

00:04:49.180 --> 00:04:55.240
JOSEPH: Yeah. Phantom is certainly the first major one. There were others potentially

00:04:55.240 --> 00:05:01.420
slightly earlier or at least around about the same time which were particularly popular in Europe.

00:05:01.420 --> 00:05:03.080
JACK: Oh, and for this episode,

00:05:03.080 --> 00:05:08.160
I have the legendary Joseph Cox to give us a tour of the world of encrypted phones.

00:05:08.160 --> 00:05:11.600
JOSEPH: I’m Joseph Cox, Senior Staff Writer at Motherboard,

00:05:11.600 --> 00:05:13.480
which is the technology section of Vice.

00:05:13.480 --> 00:05:17.600
JACK: Joseph has done amazing investigative journalism work in this area, getting deep

00:05:17.600 --> 00:05:22.200
into the world of encrypted phones. He’s spoken directly with insiders, users,

00:05:22.200 --> 00:05:26.000
he’s acquired these phones himself when he can, and he’s combed through so many

00:05:26.000 --> 00:05:30.740
court cases. He’s the perfect tour guide for this. So, what is Phantom Secure?

00:05:30.740 --> 00:05:38.800
JOSEPH: Phantom Secure was a so-called encrypted phone firm started in the mid-aughts. All they

00:05:38.800 --> 00:05:46.400
would do, essentially, was take a BlackBerry, load it with sort of custom PGP-encrypted e-mail

00:05:46.400 --> 00:05:51.640
software, and then sell that to clients. They also introduced a feature where you

00:05:51.640 --> 00:05:59.320
can remotely wipe what was stored on the phone. Of course, we all know about Apple and iCloud,

00:05:59.320 --> 00:06:04.680
and apps like maybe the Find My phone feature or maybe wipe your phone remotely. This was more,

00:06:04.680 --> 00:06:09.540
if it lands in the wrong hands, our company will take care of it for you.

00:06:09.540 --> 00:06:12.560
JACK: Those were the only two features. Let me say them again;

00:06:12.560 --> 00:06:17.080
a way to e-mail people securely using PGP and a way to remotely wipe the

00:06:17.080 --> 00:06:22.640
phone. That’s it. These phones couldn’t even text someone or make a phone call. In fact,

00:06:22.640 --> 00:06:26.440
Phantom Secure phones were physically modified so that wasn’t even possible.

00:06:26.440 --> 00:06:32.960
JOSEPH: Yes, they removed the microphone, the GPS, and the camera. That’s what a lot

00:06:32.960 --> 00:06:35.840
of these companies do, and of course they vary case by case,

00:06:35.840 --> 00:06:41.100
but they do try to lock them down in some way, in both software and in hardware.

00:06:41.100 --> 00:06:45.440
JACK: Actually, now that I think about it, I kinda like the idea of no microphone in my

00:06:45.440 --> 00:06:49.920
phone. I don’t like making phone calls, and it gives me the peace of mind that

00:06:49.920 --> 00:06:56.280
my mic can’t spy on me. Okay, but when you have a phone that has no mic or camera and

00:06:56.280 --> 00:07:01.680
the only thing you can do is e-mail someone, that should mean it’s really cheap, right?

00:07:01.680 --> 00:07:06.280
JOSEPH: Exactly the opposite. These phones could go for anywhere between

00:07:06.280 --> 00:07:12.440
$1,000 to $2,000 to $3,000 depending on the company, and that’s for a yearly subscription

00:07:12.440 --> 00:07:17.720
to the service. These people aren’t just selling a piece of hardware or a phone;

00:07:17.720 --> 00:07:25.400
they’re also selling basically your spot in the network. If your colleagues,

00:07:25.400 --> 00:07:28.960
for lack of a better way of putting it, are using a Phantom Secure phone, well,

00:07:28.960 --> 00:07:33.120
you need to be on a Phantom Secure device as well, and you need to buy your way into that network.

00:07:33.120 --> 00:07:38.120
JACK: Oh, yeah. Explain that a little bit more. So, could people without Phantom

00:07:38.120 --> 00:07:41.480
Secure phones communicate at all to people with Phantom Secure phones?

00:07:41.480 --> 00:07:48.040
JOSEPH: So, originally, a lot of these companies did allow phones to communicate with each other,

00:07:48.040 --> 00:07:50.680
so maybe you’d have a Phantom device and you could

00:07:50.680 --> 00:07:54.920
communicate with – just hypothetically – another one from a company called Sky,

00:07:54.920 --> 00:08:01.226
let’s say. Eventually though, some of these companies did decide to lock each other out.

00:08:01.226 --> 00:08:04.600
JACK: [MUSIC] Okay, so this is worse than I thought. You can’t just e-mail whomever you like.

00:08:04.600 --> 00:08:09.200
You can only e-mail other users of Phantom Secure. I wouldn’t even call this e-mail at this point;

00:08:09.200 --> 00:08:13.820
it’s just a device that has a secure way of messaging other people who have the same device.

00:08:13.820 --> 00:08:20.880
JOSEPH: The person who created Phantom Secure was Vince Ramos. He was a businessman from Canada.

00:08:20.880 --> 00:08:27.080
He worked for a phone company. Family members I spoke to earlier said that he won employee

00:08:27.080 --> 00:08:32.920
of the month awards. By all standards, he was just an upstanding guy trying to make a buck,

00:08:32.920 --> 00:08:37.440
basically. But of course, he wanted to be something of an entrepreneur and he came

00:08:37.440 --> 00:08:43.320
up with this idea for Phantom Secure, making these secure devices themselves

00:08:43.320 --> 00:08:49.080
to then sell. He starts doing this. He sells them just by word-of-mouth, really,

00:08:49.080 --> 00:08:55.840
in the Canadian nightlife scene. So, maybe VIPs would get them, some athletes, some rappers.

00:08:55.840 --> 00:09:00.440
Apparently, according to people who sold the phones at the time, that’s what they told me.

00:09:00.440 --> 00:09:07.440
It grew from that into a larger business. So, it started as this word-of-mouth thing,

00:09:07.440 --> 00:09:12.920
but eventually it found a new market, specifically in Australia. This is just

00:09:12.920 --> 00:09:19.440
where Phantom really took off. It exploded across the country. It got introduced to organized crime

00:09:19.440 --> 00:09:24.640
elements there and they just went crazy for it. They were buying these phones,

00:09:24.640 --> 00:09:30.320
but of course, eventually Ramos realized that criminals were buying these devices,

00:09:30.320 --> 00:09:37.300
but he didn’t do anything to stop it, and that may have been his failing decision.

00:09:37.300 --> 00:09:42.240
JACK: If privacy was my top concern, I think I would consider a phone like this. But it’s

00:09:42.240 --> 00:09:47.520
just lacking too many features for me. But let’s be clear; there’s nothing illegal about making

00:09:47.520 --> 00:09:53.240
or selling or owning a secure phone. It doesn’t even matter if criminals use it or not. I mean,

00:09:53.240 --> 00:09:58.760
criminals use iPhones, right? So, can you charge Apple with a crime? Apple has to know that there

00:09:58.760 --> 00:10:03.680
must be many criminals using their phones, right? So even if they’re aware that criminals

00:10:03.680 --> 00:10:08.920
use their product, it still isn’t illegal to sell it to them. The same with Phantom Secure;

00:10:08.920 --> 00:10:13.240
even though they were selling these encrypted phones, no police or criminal investigation was

00:10:13.240 --> 00:10:18.440
taking place to find the owner, Vince Ramos, because everything was legal,

00:10:18.440 --> 00:10:25.384
until there was a crime committed where Phantom Secure hindered the investigation.

00:10:25.384 --> 00:10:30.160
JOSEPH: [MUSIC] One of the earliest published cases of this actually happening was where a

00:10:30.160 --> 00:10:36.400
Phantom Secure device was implicated in the assassination of somebody in a biker

00:10:36.400 --> 00:10:41.000
gang there. Law enforcement weren’t able to get information because this sort of device

00:10:41.000 --> 00:10:47.520
had been used. But as you say, selling a phone is not illegal. Making a secure communications

00:10:47.520 --> 00:10:53.800
device is not illegal. What happened though is that when investigators dug in, they found that

00:10:53.800 --> 00:10:59.120
at least some of the distributors knew that they were providing encrypted communication

00:10:59.120 --> 00:11:06.900
devices to criminal entities, individual criminals or larger organized crime groups.

00:11:06.900 --> 00:11:10.200
JACK: So, the police discovered this Phantom Secure phone that

00:11:10.200 --> 00:11:13.760
was part of this assassination and started to investigate the company

00:11:13.760 --> 00:11:17.980
a little closer. What are these phones? Who’s selling them? Who’s buying them?

00:11:17.980 --> 00:11:22.600
JOSEPH: Yeah, it’s Australia and then also the Canadians started to notice they were

00:11:22.600 --> 00:11:29.080
bumping into the phones as well, presumably in the local crime market, obviously where

00:11:29.080 --> 00:11:33.440
Phantom Secure and Vince Ramos were from in the country. They also encountered it, and then it

00:11:33.440 --> 00:11:38.520
seems the Americans started finding the phones themselves in their own investigations as well.

00:11:38.520 --> 00:11:42.880
JACK: How were they encountering this?

00:11:42.880 --> 00:11:48.680
JOSEPH: It’s usually when they will bust somebody. They will go and they will try to grab the phone.

00:11:48.680 --> 00:11:52.680
They want to gather evidence and see who else they’ve been communicating with or of course,

00:11:52.680 --> 00:11:57.320
their own incriminating texts, perhaps. They go to the phone and it’s already been wiped.

00:11:57.320 --> 00:12:03.520
Somebody has wiped it. In these cases, it’s going to have been Phantom Secure. Someone has

00:12:03.520 --> 00:12:08.760
contacted the company saying hey, my phone has been seized by the feds. Please, could you wipe

00:12:08.760 --> 00:12:14.720
it? Phantom Secure, as part of their business, offers that. At one point, the Royal Canadian

00:12:14.720 --> 00:12:20.600
Mounted Police actually went undercover and they pretended to be a drug trafficker whose phone had

00:12:20.600 --> 00:12:27.720
been seized. They said very explicitly, hi, there are discussions of drug deals on my phone; please

00:12:27.720 --> 00:12:32.980
remove them, of course showing that Phantom Secure was willing to destroy evidence, essentially.

00:12:32.980 --> 00:12:39.200
JACK: Ah, there it is; the Canadian authorities posed as criminals, telling Phantom Secure hey

00:12:39.200 --> 00:12:43.400
look, I’ve got some criminal activity on my phone and I need you to wipe it. Can you do

00:12:43.400 --> 00:12:50.600
it? Phantom Secure was happy to do it. That means Phantom Secure knew they were destroying criminal

00:12:50.600 --> 00:12:56.240
evidence. That’s a sticky situation for them to be in. I mean, imagine you’re working at a

00:12:56.240 --> 00:13:00.280
grocery store and someone wants to buy a lighter, and they specifically tell you as you’re ringing

00:13:00.280 --> 00:13:05.000
them up that they’re gonna use this lighter to go burn the building down across the street.

00:13:05.000 --> 00:13:08.080
Do you sell them the lighter? Because that’s what a store does;

00:13:08.080 --> 00:13:13.160
they sell lighters. Or do you refuse because they said they’re going to commit a crime with

00:13:13.160 --> 00:13:18.320
it? Perhaps a grocery store is protected in this way, but what if someone you know

00:13:18.320 --> 00:13:23.400
asks to borrow a lighter from you to burn a building down? You could be in trouble for

00:13:23.400 --> 00:13:28.160
giving them a lighter if you knew that’s what they were going to do with it. In this case,

00:13:28.160 --> 00:13:33.000
where the Canadian authorities asked Phantom Secure to delete criminals’ evidence,

00:13:33.000 --> 00:13:40.480
it’s hard to know if this was enough to prove that Phantom Secure knowingly was helping criminals.

00:13:40.480 --> 00:13:45.240
It wasn’t enough for the Royal Canadian Mounted Police to arrest him, because years and years go

00:13:45.240 --> 00:13:50.480
by, and the company continued to operate and grow without a problem. The team was growing,

00:13:50.480 --> 00:13:54.560
too; as the phones were entering more countries, they needed more distributors

00:13:54.560 --> 00:13:59.280
to pass the phones out in those areas. Over time, more criminals were being arrested in

00:13:59.280 --> 00:14:04.200
Canada with Phantom Secure phones on them. But here’s the thing; in Canada,

00:14:04.200 --> 00:14:08.240
even if you’re selling phones to criminals and marketing it to them and you know they’re

00:14:08.240 --> 00:14:13.860
committing crimes with your devices, there isn’t a law in Canada which they would be violating.

00:14:13.860 --> 00:14:19.080
JOSEPH: No, as far as I know, and I don’t think he was really breaking a law in Australia,

00:14:19.080 --> 00:14:24.720
either. I’ve spoken to Australian lawyers and Australian lawyers who defend people involved in

00:14:24.720 --> 00:14:29.040
the encrypted phone industry in that country, and they’ve told me this business is legal.

00:14:29.040 --> 00:14:36.900
Same in Canada. As we’ve said, the Canadians didn’t just arrest Vince Ramos there and then.

00:14:36.900 --> 00:14:43.400
JACK: But it’s not legal to knowingly aid and help criminals in the USA. Once some phones

00:14:43.400 --> 00:14:47.320
started showing up in crime scenes in California and the US authorities

00:14:47.320 --> 00:14:52.560
started investigating the company, that’s when things started to unravel for Phantom Secure.

00:14:52.560 --> 00:14:58.840
JOSEPH: When they saw the phones, my understanding is that one of the people

00:14:58.840 --> 00:15:02.840
implicated told them hey look, this is how we get the phones. This is how the business

00:15:02.840 --> 00:15:08.200
operates. That triggered something of a light bulb in the San Diego FBI, and then

00:15:08.200 --> 00:15:13.880
that’s when they started much more earnestly looking into Phantom Secure and in their eyes,

00:15:13.880 --> 00:15:19.506
realizing it was an actual criminal organization that they should target in and of itself.

00:15:19.506 --> 00:15:23.240
JACK: [MUSIC] The FBI was not happy about these encrypted devices and

00:15:23.240 --> 00:15:27.360
wanted to learn more. That’s when they started investigating this company and

00:15:27.360 --> 00:15:34.040
found heaps of evidence suggesting that Vince Ramos and Phantom Secure knowingly

00:15:34.040 --> 00:15:38.440
met with buyers who would say they’re going to use the phones to commit crimes.

00:15:38.440 --> 00:15:45.080
JOSEPH: Particularly, Phantom was not vetting its distributors or its resellers enough. So,

00:15:45.080 --> 00:15:49.840
it would give these people power to sell the phones to whoever they want, and then it would

00:15:49.840 --> 00:15:54.360
turn out there would be criminal elements buying them, right? Then when this is brought

00:15:54.360 --> 00:16:00.080
to Vince Ramos’ attention, he kind of – either he doesn’t do anything with it or unfortunately puts

00:16:00.080 --> 00:16:05.300
his fingers in his ears and sorts of – sort of turns a blind eye to the issue as well.

00:16:05.300 --> 00:16:09.280
JACK: As more crimes were committed by people using Phantom Secure,

00:16:09.280 --> 00:16:11.220
it frustrated the authorities even more.

00:16:11.220 --> 00:16:16.920
JOSEPH: Australia and Canada, they basically set up a plan which is that well, it’s all well

00:16:16.920 --> 00:16:21.400
and good if people say that criminals are using these phones, but we need to show that the CEO,

00:16:21.400 --> 00:16:28.000
Vince Ramos, also knows that and potentially will lean into that market as well. So,

00:16:28.000 --> 00:16:36.600
a confidential human source, a CHS, in the FBI and the DOJ’s turn of phrase, someone close to

00:16:36.600 --> 00:16:41.880
Ramos who was a distributor, convinces the CEO to come to Las Vegas for a meeting,

00:16:41.880 --> 00:16:49.560
saying I have these guys who are really, really big. They want to buy a large order of phones. So,

00:16:49.560 --> 00:16:55.200
they set up a meeting in a Las Vegas hotel suite. Vince Ramos goes in,

00:16:55.200 --> 00:17:00.480
and these drug traffickers are sat there and they’re saying, we know you removed the GPS

00:17:00.480 --> 00:17:05.880
functionality from the phone, but we have a problem with snitches, basically, right?

00:17:05.880 --> 00:17:11.240
What if, they hypothesized, could you maybe also turn the phone into a tracking device

00:17:11.240 --> 00:17:17.160
if we needed to kill one of our snitches? They didn’t say it exactly like that; I’m paraphrasing,

00:17:17.160 --> 00:17:20.920
but when you read the transcript, that’s the quite clear context of what’s going

00:17:20.920 --> 00:17:29.600
on. Ramos doesn’t seem to really push against that idea. But the key thing that really seals

00:17:29.600 --> 00:17:37.120
Vince Ramos’ fate is when the drug traffickers say we don’t know you. We don’t know if we

00:17:37.120 --> 00:17:44.240
can trust you. Why should we trust you? In so few words. Vince Ramos says well, look, look;

00:17:44.240 --> 00:17:48.360
I know you don’t know me, but this is what I made it for. I made it exactly for this,

00:17:48.360 --> 00:17:52.560
apparently meaning drug trafficking, is how the FBI said. That was it, basically. After

00:17:52.560 --> 00:17:57.840
that quote, prosecutors and the FBI would be able to say look, he has no problem selling

00:17:57.840 --> 00:18:03.460
to drug traffickers deliberately and knowingly. They had what they needed, basically, on tape.

00:18:03.460 --> 00:18:07.600
JACK: Around this time, it appears that Vince Ramos met with members of

00:18:07.600 --> 00:18:11.680
the Sinaloa Cartel, which is a major drug trafficking cartel in Mexico.

00:18:11.680 --> 00:18:18.360
JOSEPH: On February 8th, 2018, it appears that Vince Ramos is just traveling for business and

00:18:18.360 --> 00:18:23.760
he’s just had a meeting. He’s sending a text message to one of his associates and he says,

00:18:23.760 --> 00:18:28.720
we are fucking rich, man. I swear, you better go fucking appreciate it. Get the fucking Range

00:18:28.720 --> 00:18:34.600
Rover, brand-new, ‘cause I just closed a lot of business. This week, man, Sinaloa Cartel;

00:18:34.600 --> 00:18:41.400
that’s what up, and my boy is Punjabi cartel. Lol. So, this text message does seemingly suggest

00:18:41.400 --> 00:18:46.480
that he met with people from the Sinaloa Cartel and either offered them phones or

00:18:46.480 --> 00:18:50.720
did sell them phones or something like that, but this is one of the key pieces of evidence

00:18:50.720 --> 00:18:56.760
that later appears in the criminal complaint against him, a screenshot of the text message.

00:18:56.760 --> 00:19:01.680
JACK: So, by this time, the FBI has enough information to arrest Ramos. But they sort

00:19:01.680 --> 00:19:07.280
of wait a year before they do anything, perhaps to collect even more information.

00:19:07.280 --> 00:19:12.320
My theory is that the FBI wanted time to think about what to do with these encrypted phones.

00:19:12.320 --> 00:19:17.480
One option is to try to arrest Vince and take down the whole company. Another option though

00:19:17.480 --> 00:19:22.600
might be to try to find a way to infiltrate the network so they can read the messages

00:19:22.600 --> 00:19:27.640
and have a jump on criminals using it. These phones were sort of a watering hole

00:19:27.640 --> 00:19:32.040
for criminals and would be a major source of information if they could somehow get

00:19:32.040 --> 00:19:37.480
access to the messages or customer data. But eventually one of the FBI agents posed as a

00:19:37.480 --> 00:19:44.200
drug trafficker and invited Vince Ramos out to Las Vegas, Nevada to discuss business.

00:19:44.200 --> 00:19:51.560
JOSEPH: But this time, when Ramos walked into a hotel suite, it’s – there aren’t drug traffickers

00:19:51.560 --> 00:19:58.760
waiting for him; it’s the FBI and the attorney’s office. They tell him what’s happening, obviously.

00:19:58.760 --> 00:20:06.680
We have charges ready for you, but we want to make you an offer. We want you to put a backdoor into

00:20:06.680 --> 00:20:13.120
Phantom Secure. We want to see who the customers are and what they’re saying. That is the ultimate

00:20:13.120 --> 00:20:16.960
goal here, right? They could try and take down the company, but law enforcement really wants to

00:20:16.960 --> 00:20:24.360
see what’s actually going on there so they can prosecute the end users. Vince Ramos declines.

00:20:24.360 --> 00:20:29.880
Some people I spoke to said it’s because he puts the privacy of his clients first. Others said

00:20:29.880 --> 00:20:33.920
that well, actually, he didn’t have the technical know-how to do that because that’s the CTO’s job.

00:20:33.920 --> 00:20:40.800
[MUSIC] He is more the business guy. Regardless, he refuses and doesn’t put the backdoor in.

00:20:40.800 --> 00:20:46.440
JACK: Now, this is a part of the story which gets weird for me. Vince actually traveled to

00:20:46.440 --> 00:20:51.960
Vegas with his wife and child who were staying in another room in the same hotel. This meeting with

00:20:51.960 --> 00:20:57.640
Vince went on for a long time. They didn’t quite arrest him, and he was cooperating with them by

00:20:57.640 --> 00:21:04.480
talking openly about Phantom Secure and how the company operated. But there was something the FBI

00:21:04.480 --> 00:21:10.720
wanted and didn’t want to let him go until they got it. There were four or five agents there.

00:21:10.720 --> 00:21:15.480
Some were FBI, some were international agents. They ordered food to the room and he could use

00:21:15.480 --> 00:21:22.840
the toilet there. Vince and the FBI agents spent the entire day together, all in this hotel room.

00:21:22.840 --> 00:21:26.720
At night, they even let him go see his wife and child and say goodnight,

00:21:26.720 --> 00:21:30.560
and then bringing him back to the room for more questioning. Eventually,

00:21:30.560 --> 00:21:35.960
Vince and a few agents fell asleep while one or two agents stood guard all night,

00:21:35.960 --> 00:21:40.320
making sure Vince didn’t leave. Then the next day, after breakfast was brought to the room,

00:21:40.320 --> 00:21:47.040
Vince was questioned more by the FBI agents. This is just so weird for me, for the FBI to

00:21:47.040 --> 00:21:52.800
question someone for days in a hotel room. Like, why not take him down to the police station and

00:21:52.800 --> 00:21:57.360
question him there? Why keep him trapped in this room without officially arresting him?

00:21:57.360 --> 00:22:01.520
JOSEPH: I think it was because they really wanted or were hoping that this would be

00:22:01.520 --> 00:22:07.560
a more live operation. This wasn’t the end of it. This wasn’t let’s arrest him,

00:22:07.560 --> 00:22:12.400
let’s get a confession or whatever we can and let’s prosecute the guy. They were hoping,

00:22:12.400 --> 00:22:18.320
it seems, that this could live on for a little bit longer, and they needed him out. They say

00:22:18.320 --> 00:22:25.360
they did eventually get a backdoor into Phantom Secure. They needed to not raise suspicion. He

00:22:25.360 --> 00:22:31.880
needed to be out. He needed to be free to talk to people, eventually, if they did get a backdoor in.

00:22:31.880 --> 00:22:37.440
JACK: So, the FBI continued to pressure him to give them a backdoor into Phantom Secure.

00:22:37.440 --> 00:22:42.320
I presume that they showed him the evidence that they had on him and gave him hardball-type options

00:22:42.320 --> 00:22:47.160
of like hey, look; you’re either gonna go to prison or you’re gonna let us in. Even though

00:22:47.160 --> 00:22:52.760
he wasn’t letting them in, it seemed like the FBI really wanted to get in. So, instead of arresting

00:22:52.760 --> 00:22:57.240
him and taking him to the police station, they just kept interrogating him all the way through

00:22:57.240 --> 00:23:03.680
the night into Day 3. They gave him more breaks to see his family down the hall sometimes. His

00:23:03.680 --> 00:23:08.200
wife said he looked like a ghost, and maybe this is why he was talkative and cooperative,

00:23:08.200 --> 00:23:13.000
because his wife and kids were just down the hall and he didn’t want to lose them.

00:23:13.000 --> 00:23:17.480
The FBI continued to try to persuade him to give them some kind of access to

00:23:17.480 --> 00:23:22.680
the network. They wanted to see who the users were and any data Phantom Secure had on them,

00:23:22.680 --> 00:23:27.520
because this phone did have the remote-wipe capability, so it was able to interact with the

00:23:27.520 --> 00:23:33.840
customers’ devices in some ways. But Ramos still didn’t give them access. [MUSIC] Eventually, the

00:23:33.840 --> 00:23:40.480
interrogation went into the third night and into the fourth day. Vince fell asleep in the suite and

00:23:40.480 --> 00:23:46.920
the agents were so tired at this point, they all fell asleep at the same time, too. But Vince woke

00:23:46.920 --> 00:23:53.560
up during the night, and he got up and looked around the room, and saw everyone was asleep.

00:23:53.560 --> 00:23:57.880
JOSEPH: When all of the agents were asleep, Ramos,

00:23:57.880 --> 00:24:02.560
he sees a moment to escape and in a seemingly quick change of heart,

00:24:02.560 --> 00:24:09.560
he flees the hotel. Embarrassingly for these agents who have been guarding and talking to

00:24:09.560 --> 00:24:14.380
this guy for days now, the guy they’ve been hunting for years has left. He’s out the door.

00:24:14.380 --> 00:24:19.880
JACK: He stopped in one last time to say goodbye to his wife and contacted an associate who picked

00:24:19.880 --> 00:24:25.280
him up by car, and the two of them were gone. Vince immediately tried to get to Canada,

00:24:25.280 --> 00:24:28.840
and he thought he wouldn’t be able to get through airport security, so they decided to

00:24:28.840 --> 00:24:35.280
drive from Nevada all the way across the country to Washington state. When they got to Bellingham,

00:24:35.280 --> 00:24:39.560
Washington, about twenty miles from the border of Canada, Vince parted ways with

00:24:39.560 --> 00:24:44.060
his driver and was preparing his last leg to get across the Canadian border.

00:24:44.060 --> 00:24:50.320
JOSEPH: He was on the run. He was trying to evade law enforcement for some time until eventually

00:24:50.320 --> 00:24:56.760
they caught up with him in a cafe. Apparently it was a very unceremonious scene. They spoke

00:24:56.760 --> 00:25:03.920
to the cafe owner who said that several serious men – serious-looking men came into the cafe,

00:25:03.920 --> 00:25:09.240
they seemingly saw Vince Ramos sat in the corner, they went outside, made a phone call, and then a

00:25:09.240 --> 00:25:15.520
large group of men arrived, go up to Vince, and he doesn’t fight. He just stands up, puts his hands

00:25:15.520 --> 00:25:22.160
behind his back, and he’s led into the police car. That is finally the end for him, at least.

00:25:22.160 --> 00:25:28.600
JACK: Vince was arrested and brought to court in the US under RICO charges. RICO stands for

00:25:28.600 --> 00:25:34.600
Racketeer Influenced and Corrupt Organizations. The case hinged on whether they could prove that

00:25:34.600 --> 00:25:40.360
Phantom Secure was knowingly helping criminals. But the prosecutors had ample evidence showing

00:25:40.360 --> 00:25:45.600
that Vince knowingly sold phones to criminals and was helping support them. Vince told the judge,

00:25:45.600 --> 00:25:49.640
quote, “I would be lying if I said I wasn’t aware of what’s going on.

00:25:49.640 --> 00:25:53.480
The reality was that I turned a blind eye and didn’t want to face reality. I

00:25:53.480 --> 00:25:56.940
was making money and providing for my wife and children.” End quote.

00:25:56.940 --> 00:26:02.440
JOSEPH: At least according to one estimate from the Royal Canadian Mounted Police in 2016,

00:26:02.440 --> 00:26:06.560
they believe that Phantom was making something like $32 million from the

00:26:06.560 --> 00:26:11.280
sale of these phones. Then eventually, I believe another estimate from the FBI

00:26:11.280 --> 00:26:19.400
was closer to $80 million in selling these devices. Vince Ramos, they bought apartments,

00:26:19.400 --> 00:26:24.320
cars, cryptocurrency as well. So, they were making a lot of money from this operation.

00:26:24.320 --> 00:26:28.880
JACK: The courts found Vince guilty and sentenced him to nine years in

00:26:28.880 --> 00:26:34.920
prison. Not for making secure phones, but for helping criminals commit crimes with them.

00:26:34.920 --> 00:26:42.000
JOSEPH: [MUSIC] I think he could have gotten more than that, but he did cooperate somewhat and

00:26:42.000 --> 00:26:49.480
this was his first offense. The judge even said that he appears to be a very upstanding person,

00:26:49.480 --> 00:26:55.400
a successful businessman, but he applied it to the wrong industry, ultimately.

00:26:55.400 --> 00:27:00.280
JACK: We’re gonna take a quick break here, but stay with us because there’s more to

00:27:00.280 --> 00:27:11.760
these encrypted phones that I think you’d be interested in hearing about. So, Phantom Secure

00:27:11.760 --> 00:27:17.560
started somewhere around 2006, and the feds took it down in 2018, but Phantom Secure phones did

00:27:17.560 --> 00:27:22.640
little in the way of innovation in those twelve years, sticking mainly with secure e-mail as

00:27:22.640 --> 00:27:27.600
their main feature. As technology was exploding, people wanted secure phones that did more than

00:27:27.600 --> 00:27:33.900
just e-mail. So, in 2016, a new encrypted phone company sprung up. This one was called Encrochat.

00:27:33.900 --> 00:27:41.480
JOSEPH: Encrochat was another encrypted phone company, but it was more clearly based on Android,

00:27:41.480 --> 00:27:47.600
and it had some of the more bells and whistles and features that Phantom was lagging behind on,

00:27:47.600 --> 00:27:53.520
so it was much more of an instant messaging platform when you used

00:27:53.520 --> 00:27:57.520
these devices. It also had a wipe functionality.

00:27:57.520 --> 00:28:01.360
JACK: Okay, this one might be more my style. I like the idea that you can do more things with

00:28:01.360 --> 00:28:05.960
it. But now, my problem is I’ve never heard of this company. Their phones aren’t in my

00:28:05.960 --> 00:28:11.600
local mobile phone shops, and there aren’t many trustworthy reviews of the phone online. That’s

00:28:11.600 --> 00:28:16.480
because Encrochat seemed to want to get these into the hands of criminals, and they weren’t

00:28:16.480 --> 00:28:23.240
meant for widespread adoption. Encrochat phones were getting distributed in Europe and in the UK,

00:28:23.240 --> 00:28:28.320
and authorities were starting to see these phones turn up in investigations, so much that

00:28:28.320 --> 00:28:33.880
the UK police were coming up with procedures when arresting people who had Encrochat phones on them.

00:28:33.880 --> 00:28:37.920
JOSEPH: They’ve encountered these devices and they’ve got smart to the fact that they

00:28:37.920 --> 00:28:43.440
need to deal with them very, very quickly. So, they’ll grab the Encrochat device. If it’s open,

00:28:43.440 --> 00:28:49.120
they will immediately start taking photos of the text messages, the images on there,

00:28:49.120 --> 00:28:53.360
almost manually archiving the material before it gets wiped, and then they will also put

00:28:53.360 --> 00:28:58.400
it in some sort of Faraday bag ’cause they’re basically against the clock when it comes to,

00:28:58.400 --> 00:29:02.640
well, we don’t know if somebody has reported this phone to Encrochat – is in the hands of

00:29:02.640 --> 00:29:07.320
law enforcement and a wipe command could be coming at any time. The cops really

00:29:07.320 --> 00:29:13.540
have to act super quickly to try to grab evidence before it disappears entirely.

00:29:13.540 --> 00:29:18.000
JACK: Criminals were using Encrochat more and more in Europe to communicate between

00:29:18.000 --> 00:29:22.440
other criminals to facilitate drug trafficking and assassination plots.

00:29:22.440 --> 00:29:27.400
JOSEPH: The UK police, the National Crime Agency, they had been investigating Encrochat ’cause they

00:29:27.400 --> 00:29:31.000
keep coming across these devices in their own investigations. The French

00:29:31.000 --> 00:29:34.880
police are then looking into the company as well because it turns out at least one

00:29:34.880 --> 00:29:41.560
of the servers of Encrochat is actually located in France on a – in an OVH data

00:29:41.560 --> 00:29:48.440
center. The French come up with what I think is a highly-controversial plan. [MUSIC] They decide

00:29:48.440 --> 00:29:54.760
to – rather than just try to identify the owners and shut down the company,

00:29:54.760 --> 00:30:01.280
they want to push malware to the end points, to the actual Encrochat devices themselves.

00:30:01.280 --> 00:30:07.040
JACK: So, these Encrochat phones did receive updates to patch security issues and introduce new

00:30:07.040 --> 00:30:13.120
features, and one of the servers used to update the phones was located in France. So, the French

00:30:13.120 --> 00:30:20.400
police got a warrant to access the data center and Encrochat’s server. They got into it and made an

00:30:20.400 --> 00:30:25.600
exact copy of it, and they left the server running untouched. This was the secret mission that they

00:30:25.600 --> 00:30:31.760
didn’t want Encrochat knowing about. They took their cloned copy back to the lab to study it.

00:30:31.760 --> 00:30:37.160
They learned how this server sends updates to Encrochat phones, and this gave them an

00:30:37.160 --> 00:30:43.280
idea. What if they could put their own update on the server that all phones would download?

00:30:43.280 --> 00:30:49.000
This could result in the French police having hooks in Encrochat phones. So,

00:30:49.000 --> 00:30:53.520
that was the plan that the French police went with. They studied this clone and figured out

00:30:53.520 --> 00:30:56.920
how the updates worked, and wrote some malware and even tested this with their

00:30:56.920 --> 00:31:01.420
clone to make sure that the phone got the updates and sent the data to the police.

00:31:01.420 --> 00:31:06.240
JOSEPH: They figured that out, they then went back to the server, I believe,

00:31:06.240 --> 00:31:09.660
and then pushed this malicious update to the Encrochat devices.

00:31:09.660 --> 00:31:12.960
JACK: French police were successfully able to

00:31:12.960 --> 00:31:17.220
plant malware on thousands of Encrochat users’ phones.

00:31:17.220 --> 00:31:24.840
JOSEPH: Now, this piece of malware, it would silently send copies of the messages sent

00:31:24.840 --> 00:31:31.400
and received. It would potentially grab GPS locations, but it sort of depends on well,

00:31:31.400 --> 00:31:35.720
did this device actually have GPS? Did this one not? That sort of thing. But the main thing,

00:31:35.720 --> 00:31:39.520
of course, is that it captured message content,

00:31:39.520 --> 00:31:44.320
and that would include the username of the person who sent this message, and of course, all of the

00:31:44.320 --> 00:31:49.460
discussions about drugs and money laundering and assassinations and Bitcoin laundering as well.

00:31:49.460 --> 00:31:55.000
JACK: What the French authorities did here is astonishing. They hacked into the servers

00:31:55.000 --> 00:32:01.160
of this company to spy on its users. [MUSIC] Well, yes, you can point out that most of the

00:32:01.160 --> 00:32:05.960
users were criminals. I still think this is controversial. Just because a company makes

00:32:05.960 --> 00:32:10.480
a privacy-focused secure phone doesn’t mean it’s just for criminals. Like I keep saying,

00:32:10.480 --> 00:32:14.880
I want a phone like this because I find the current eavesdropping done on my phone today

00:32:14.880 --> 00:32:20.000
to be disgusting. I want peace of mind knowing that my messages are not being snooped on and

00:32:20.000 --> 00:32:25.640
they are only going to who I want them to go to. There’s nothing illegal about having privacy. Yet,

00:32:25.640 --> 00:32:30.320
the French police have violated the privacy of Encrochat’s users because

00:32:30.320 --> 00:32:34.180
they thought this would give them an advantage while stopping crime.

00:32:34.180 --> 00:32:40.280
JOSEPH: It was probably the first time that law enforcement had really infiltrated one of

00:32:40.280 --> 00:32:45.800
these companies into the content of the actual communications on a really global scale. I mean,

00:32:45.800 --> 00:32:52.000
the French, they hacked into phones everywhere, and obviously they didn’t just limit the malware

00:32:52.000 --> 00:32:56.520
distribution to inside France. They did it to all Encrochat devices around the world.

00:32:56.520 --> 00:33:00.240
JACK: In case you were wondering how the police were able to see these secure messages, well,

00:33:00.240 --> 00:33:04.320
they had their malware on the phone itself, so when the phones send and receive messages,

00:33:04.320 --> 00:33:08.560
it has to be unencrypted so the person can read them. That’s when these messages were

00:33:08.560 --> 00:33:13.240
copied and sent to the French police. But I’ve really gotta hand it to the French police,

00:33:13.240 --> 00:33:17.960
here. This is some impressive high-tech police work; to be able to reverse-engineer how a

00:33:17.960 --> 00:33:22.200
server sends updates to phones and then create the update for it and push it out,

00:33:22.200 --> 00:33:26.200
and not just any update but a full, stealthy spyware toolkit,

00:33:26.200 --> 00:33:30.760
and then create a collection server to receive all this data captured from the phones, then to

00:33:30.760 --> 00:33:36.600
put this malware back onto the server and push it to users? This is amazing work that they did.

00:33:36.600 --> 00:33:43.160
JOSEPH: Yeah. Exactly, pushing a malicious update, it brings up all of these arguments of well,

00:33:43.160 --> 00:33:47.480
maybe we can’t trust updates, which of course we need to do to remain secure,

00:33:47.480 --> 00:33:54.480
and of course Encrochat is an unusual case. This is not a mainstream popular consumer device,

00:33:54.480 --> 00:33:59.200
but it does still show the lengths to which law enforcement will go. I mean, here, yes,

00:33:59.200 --> 00:34:04.240
it was French law enforcement, but it appears that the law used, at least in some capacity,

00:34:04.240 --> 00:34:09.440
was a national security law and it was the military – sort of the police arm of

00:34:09.440 --> 00:34:14.560
the French military that was involved as well. So, as court cases have come out and obviously

00:34:14.560 --> 00:34:19.200
defendants have tried to get information, the French basically aren’t talking because they

00:34:19.200 --> 00:34:23.360
use the national security exemption to not release any information about the malware.

00:34:23.360 --> 00:34:28.160
JACK: Right, yes. To this day, the French haven’t disclosed any details about how they did this,

00:34:28.160 --> 00:34:31.960
and have kept it quiet. But that’s kinda getting ahead of ourselves. When they were doing this,

00:34:31.960 --> 00:34:37.040
they had to be extremely stealthy and secretive to not tip their hands that they were in these

00:34:37.040 --> 00:34:41.560
phones, snooping on people, and it worked. [MUSIC] As soon as they pushed the malware to the phones,

00:34:41.560 --> 00:34:46.280
they immediately started seeing chat messages coming into their servers. Eventually,

00:34:46.280 --> 00:34:52.960
they would collect millions of chat messages this way. Not all of their users were French citizens.

00:34:52.960 --> 00:34:59.240
These were chat messages from people all over the world. I think it’s pretty crazy that the

00:34:59.240 --> 00:35:06.440
French police were planting spyware on phones all over the world and collecting private messages

00:35:06.440 --> 00:35:11.160
from users who weren’t even in France. Well, the internet doesn’t have physical borders,

00:35:11.160 --> 00:35:15.480
so I can see why this is a difficult problem to solve. But reports show that the French

00:35:15.480 --> 00:35:23.240
police infected 50% of all Encrochat users worldwide, which is still thousands of users.

00:35:23.240 --> 00:35:28.200
JOSEPH: So, the French figure out how to distribute all of these messages they’ve

00:35:28.200 --> 00:35:33.880
been getting, and without getting too technical, they have to navigate a load of European laws.

00:35:33.880 --> 00:35:38.320
We give it to the Dutch and then we give it to the British and they basically join some

00:35:38.320 --> 00:35:43.560
sort of task force or group so we can share the data. But the long and short of it is that they

00:35:43.560 --> 00:35:48.680
give the content of these messages to various law enforcement agencies around the world,

00:35:48.680 --> 00:35:54.680
and they start digging through them. The things that are immediately flagged are threats to life.

00:35:54.680 --> 00:36:01.320
If any sort of system that the cops are using detects this person may be threatened soon or

00:36:01.320 --> 00:36:06.600
may even be potentially assassinated soon, here’s information we can act on immediately, whereas the

00:36:06.600 --> 00:36:13.440
rest is more used to build up cases. I’ve seen some of these documents from Encrochat cases.

00:36:13.440 --> 00:36:18.400
They’re not really court documents available in the public docket; they’re more available

00:36:18.400 --> 00:36:25.920
to the prosecution and the defense. But it’s extraordinary how detailed they are. There is,

00:36:25.920 --> 00:36:30.760
this person spoke to this person about this shipment of cocaine. Here’s a whole paragraph of

00:36:30.760 --> 00:36:35.320
them discussing well, we need to get our Bitcoin guy involved to launder the proceeds. Here’s

00:36:35.320 --> 00:36:40.240
another paragraph about where we’re storing the cocaine. It’s just, they were essentially looking

00:36:40.240 --> 00:36:48.080
over the shoulder of organized crime in their real time. This would be fascinating to see even if it

00:36:48.080 --> 00:36:56.400
was just an ordinary phone tap, as it used to be, but here it’s the proceeds from malware. Clearly,

00:36:56.400 --> 00:37:02.720
these people, these alleged organized criminals, thought they could speak with such impunity that

00:37:02.720 --> 00:37:07.760
they – some of them barely even used code words. It’s like, here’s the coke. Here’s

00:37:07.760 --> 00:37:15.200
all the drugs. Here is where we’re hiding it. It’s just extraordinary how blatant it is.

00:37:15.200 --> 00:37:21.120
JACK: Still, Encrochat was unaware that their phones were infiltrated. Business

00:37:21.120 --> 00:37:26.160
and crime went on like normal, which is just what the French police wanted. But

00:37:26.160 --> 00:37:31.160
when some of the more serious crimes were being planned through these chat messages,

00:37:31.160 --> 00:37:35.040
the police in the UK started arresting some users.

00:37:35.040 --> 00:37:40.800
JOSEPH: Operation Venetic, I think, is – they – the NCA was already doing sort

00:37:40.800 --> 00:37:44.520
of organized crime busts under that name, and then when the Encrochat data came in,

00:37:44.520 --> 00:37:51.080
I believe they put it under that umbrella as well, but hundreds of people arrested.

00:37:51.080 --> 00:37:59.120
That really follows the whole gambit of criminal hierarchy; you’ll have individual dealers and sort

00:37:59.120 --> 00:38:05.880
of mid-tier up to allegedly the higher levels as well. It’s a big thing in the UK for their

00:38:05.880 --> 00:38:10.520
gangsters to leave the country, and of course, a lot of them go to Spain which is very popular,

00:38:10.520 --> 00:38:15.760
or increasingly Dubai as well. Of course, those phones were potentially compromised as well. So,

00:38:15.760 --> 00:38:21.360
you don’t just have people on the ground in the UK being investigated by the UK police,

00:38:21.360 --> 00:38:24.840
but potentially some of the higher-tier people overseas as well.

00:38:24.840 --> 00:38:26.680
JACK: After some arrests started happening,

00:38:26.680 --> 00:38:31.420
Encrochat suspected something was wrong and began looking at their infrastructure for clues.

00:38:31.420 --> 00:38:38.280
JOSEPH: So, Encrochat, or the owners of Encrochat, actually discover that something odd is going on

00:38:38.280 --> 00:38:47.080
on their network. [MUSIC] They do seem to discover some sort of malicious activity, so they push out

00:38:47.080 --> 00:38:54.480
a message to their user base saying there’s been an unauthorized takeover of our domain,

00:38:54.480 --> 00:39:01.360
probably by law enforcement. We recommend that you essentially destroy your device

00:39:01.360 --> 00:39:07.160
and we’re exploring what to do next. I saw that message pop up on some crime blogs at the time,

00:39:07.160 --> 00:39:11.240
and then somebody else sent me the same message, and that helped verify it.

00:39:11.240 --> 00:39:16.160
That’s when I got into the story, and I thought I’d reach out to somebody I know connected to

00:39:16.160 --> 00:39:22.800
Encrochat, and they sent a very lengthy statement. I think it was one whole page saying that we’re a

00:39:22.800 --> 00:39:30.960
legitimate company, we’ve been unfairly targeted, and we’re going to see what we can do about this.

00:39:30.960 --> 00:39:36.200
We didn’t hear back from them after that. We don’t know exactly what the owners are doing now,

00:39:36.200 --> 00:39:41.200
and the French police actually said we’ve been unable to identify the owners of Encrochat. If

00:39:41.200 --> 00:39:46.680
you are that owner, please come forward. I don’t know if that person has come forward.

00:39:46.680 --> 00:39:51.200
JACK: It just seems kind of surprising that they can’t figure out who makes these phones,

00:39:51.200 --> 00:39:55.680
because you just find well, where do I buy them? Okay, there’s this dealer. Where are you getting

00:39:55.680 --> 00:40:01.520
them from? Oh, I can’t say, or…? No, here I get it from this guy here. Then you go to that

00:40:01.520 --> 00:40:05.620
guy and say okay, who’s giving you the phones, right? You just go – you just follow the phones.

00:40:05.620 --> 00:40:10.880
JOSEPH: Yeah. We published a piece after the shutdown with some leaked e-mails I got which

00:40:10.880 --> 00:40:17.880
do name several people involved with Encrochat. I think it names the various companies involved

00:40:17.880 --> 00:40:22.120
in the corporate structure. We didn’t name the person who is mentioned in the e-mails

00:40:22.120 --> 00:40:27.920
because of course, they could potentially face threats or harm because if they were

00:40:27.920 --> 00:40:30.280
heavily involved with Encrochat and all these people have been arrested,

00:40:30.280 --> 00:40:34.280
we don’t want to contribute or amplify that name in case of harm. But yes,

00:40:34.280 --> 00:40:41.880
I find it unlikely or doubtful that the police don’t have any sort of leads on the owners

00:40:41.880 --> 00:40:47.100
of Encrochat. I mean, if we can get e-mails about it, imagine what law enforcement can do.

00:40:47.100 --> 00:40:50.920
JACK: So, once Encrochat discovered someone was in their network and phones,

00:40:50.920 --> 00:40:56.000
they shut the whole thing down. A few days after it was shut down, in the summer of 2020,

00:40:56.000 --> 00:41:01.880
that’s when the French police announced themselves that they’re the ones who infiltrated Encrochat.

00:41:01.880 --> 00:41:07.920
But still today, we don’t know what happened to the owners of Encrochat. But if they are arrested,

00:41:07.920 --> 00:41:13.040
it will be interesting to watch what happens, because once again, making an encrypted phone

00:41:13.040 --> 00:41:17.760
is legal. It all comes down to whether or not they knowingly were selling to criminals.

00:41:17.760 --> 00:41:25.520
JOSEPH: I still think it’s controversial for law enforcement to deploy malware en masse,

00:41:25.520 --> 00:41:31.200
you know, and beyond their own borders. There were just so many factors at play,

00:41:31.200 --> 00:41:38.040
which is that [MUSIC] we don’t know necessarily where all of these devices are located. Maybe in

00:41:38.040 --> 00:41:41.440
this case they did, but generally speaking, you may not always know that, especially because it’s

00:41:41.440 --> 00:41:48.640
all hidden. You don’t necessarily know if all of the users of these devices are criminal in nature,

00:41:48.640 --> 00:41:53.240
and the French prosecutors admitted that later when they said that only 90% were

00:41:53.240 --> 00:41:57.540
believed to be criminal. What happened to the other 10% of people who were hacked, you know?

00:41:57.540 --> 00:42:01.640
JACK: Oh yes, very interesting. I bet there were many legal disputes about

00:42:01.640 --> 00:42:05.440
whether this kind of data-collection was legal. Criminal cases in the US can

00:42:05.440 --> 00:42:10.640
be thrown out if the police illegally obtain evidence. So yeah, what about the people who

00:42:10.640 --> 00:42:14.840
weren’t criminals that got wrapped up in this and spied on? Do they have a case on

00:42:14.840 --> 00:42:19.960
their hands that they could claim that their privacy was violated by the police? Maybe,

00:42:19.960 --> 00:42:25.560
but citizens going up against governments like this rarely ends in favor of the citizen, and it

00:42:25.560 --> 00:42:32.160
definitely isn’t going anywhere when the person who got spied on isn’t even from France. There

00:42:32.160 --> 00:42:38.100
are more encrypted phone companies out there. Another one I find fascinating is called Sky ECC.

00:42:38.100 --> 00:42:44.040
JOSEPH: Sky is one of these encrypted phone companies, again, which kind of tries to position

00:42:44.040 --> 00:42:51.160
itself more as a platform. They’ll have messaging and potentially other chat functions as well;

00:42:51.160 --> 00:42:57.200
your e-mail. They were particularly popular all over, really. Whenever you’re looking

00:42:57.200 --> 00:43:03.000
into these encrypted phone firms, Sky often comes up among criminal elements.

00:43:03.000 --> 00:43:07.160
JACK: Sky’s website doesn’t look like it’s marketing to criminals. Like, it doesn’t even use

00:43:07.160 --> 00:43:13.120
a dark theme on it. It’s got a nice blue and white look, and it just feels friendly and modern. The

00:43:13.120 --> 00:43:17.480
website lists the features of the phone, saying it’s got a self-destruct messaging capability,

00:43:17.480 --> 00:43:22.960
group chat, and can even do audio messages. There’s even testimonials from customers.

00:43:22.960 --> 00:43:27.320
In no way when I look at this website do I think it’s marketed towards criminals.

00:43:27.320 --> 00:43:33.320
JOSEPH: Yeah, a guy called Jean-Francois ran Sky. Some people call it Sky Secure,

00:43:33.320 --> 00:43:37.320
some people call it Sky Global. It sort of depends where in the world you’re buying it

00:43:37.320 --> 00:43:45.240
with all these distant distributors and agents. But the San Diego FBI, after Phantom, they start

00:43:45.240 --> 00:43:51.560
looking at Sky as well. They’re clearly highly motivated to investigate these sort of companies.

00:43:51.560 --> 00:43:56.280
JACK: Not only was the San Diego police investigating Sky, but other European police

00:43:56.280 --> 00:44:01.400
agencies were too, because once again, these encrypted phones were showing up at crime scenes

00:44:01.400 --> 00:44:06.360
over and over. So, the police started tugging at the threads to see where these phones lead.

00:44:06.360 --> 00:44:11.960
JOSEPH: [MUSIC] Then we start seeing some very strange stuff coming out of Europe and Belgium,

00:44:11.960 --> 00:44:16.520
more specifically, that authorities there are claiming that they’ve

00:44:16.520 --> 00:44:22.000
managed to decrypt or crack – it really depends on which translation you read,

00:44:22.000 --> 00:44:26.000
but they’ve managed to get the content of messages from Sky phones.

00:44:26.000 --> 00:44:34.040
JACK: Whoa, the Belgian police were somehow able to see the contents of these secure messages that

00:44:34.040 --> 00:44:40.640
the Sky phone users were sending? That’s huge. How could they – how did they manage to do that?

00:44:40.640 --> 00:44:46.240
It wasn’t clear. We didn’t know. But the Belgian police were starting to make arrests of people

00:44:46.240 --> 00:44:51.600
based on messages they were seeing on the phones. In fact, the Belgian police said they intercepted

00:44:51.600 --> 00:44:58.200
500 million messages from Sky users, and arrested forty-eight people. So, Sky began investigating

00:44:58.200 --> 00:45:04.440
to try to figure out what happened. They did not see any signs of infiltration, so they issued a

00:45:04.440 --> 00:45:08.200
statement saying it’s not possible that the police did this, and there’s no evidence of

00:45:08.200 --> 00:45:12.590
infiltration. They told their customers that they’re not working with the police in any way.

00:45:12.590 --> 00:45:17.840
JOSEPH: But then the reporting comes out and I speak to Sky itself, actually, [MUSIC] and what

00:45:17.840 --> 00:45:26.360
they say is that somebody introduced fake Sky devices to the markets in Europe. So,

00:45:26.360 --> 00:45:31.360
these weren’t actually the quote, unquote, “real” Sky devices. They were ones that had some sort

00:45:31.360 --> 00:45:37.380
of fake or malicious app that then gathered the text messages and provided them to authorities.

00:45:37.380 --> 00:45:42.560
JACK: The details are scarce on this, but if I were to connect the dots, I would guess that the

00:45:42.560 --> 00:45:48.240
authorities got ahold of some brand-new phones, then installed their own versions of the secure

00:45:48.240 --> 00:45:53.280
chat apps that would collect chat logs and send that to the police. These weren’t the official

00:45:53.280 --> 00:45:58.280
Sky chat apps that were supposed to be secure. Instead, it was the police’s version they made

00:45:58.280 --> 00:46:04.120
and just disguised it to look like the Sky chat apps. Then they somehow gave these phones to Sky

00:46:04.120 --> 00:46:09.080
distributors to sell to their customers. I would call this a supply chain attack.

00:46:09.080 --> 00:46:14.320
Phones were somehow intercepted between where they were made and the customers who were buying them,

00:46:14.320 --> 00:46:19.440
which is a wild and scary attack; to think that the person you’re buying these devices from might

00:46:19.440 --> 00:46:25.640
be selling you a phone that was compromised by the police and didn’t even know it? So,

00:46:25.640 --> 00:46:32.800
if I’m putting one and one together here, Belgium said they infiltrated part of the

00:46:32.800 --> 00:46:37.560
network and arrested 160 people, and Sky is saying somebody’s putting out

00:46:37.560 --> 00:46:43.280
fake phones or fake apps to – that has some sort of malware or something on it,

00:46:43.280 --> 00:46:47.120
it sounds like the Belgian police may have been the ones who did that.

00:46:47.120 --> 00:46:51.840
JOSEPH: Potentially, yes. But honestly, we just don’t know at this point. It’s

00:46:51.840 --> 00:46:57.080
so unclear and it’s one of the cases we probably know the least about even

00:46:57.080 --> 00:47:00.400
though it’s one of the more popular encrypted phone companies, for sure.

00:47:00.400 --> 00:47:05.160
JACK: I think this is a sign that the police are becoming pretty sophisticated at fighting

00:47:05.160 --> 00:47:09.480
crime. The French authorities are advanced enough to be able to put malware on thousands

00:47:09.480 --> 00:47:16.000
of people’s phones, and now potentially the Belgian police are doing supply chain attacks?

00:47:16.000 --> 00:47:22.480
It’s a wild new world we’re in. Well, after this incident, the US Department of Justice

00:47:22.480 --> 00:47:29.120
indicted one of the owners of the Sky encrypted phone company, which means the DOJ believes they

00:47:29.120 --> 00:47:35.360
have enough evidence to bring this person to trial and prove they have violated RICO laws.

00:47:35.360 --> 00:47:40.880
JOSEPH: I contact a source at the company and I say hey, can I just get a comment on this

00:47:40.880 --> 00:47:49.000
indictment? They say sorry, what indictment is that? I send them the PDF and they go silent.

00:47:49.000 --> 00:47:56.360
Clearly I was the one who told them there was this indictment against their company. We don’t speak

00:47:56.360 --> 00:48:01.640
for a little while. Eventually Jean-Francois comes out with a statement, provides it to

00:48:01.640 --> 00:48:08.760
us that they really vehemently deny the charges against the company and about him specifically,

00:48:08.760 --> 00:48:13.440
and they’re gonna fight it. According to their statement or one of the most recent ones,

00:48:13.440 --> 00:48:18.960
they are really actually gonna try and fight this in court. So, completely different to the Phantom

00:48:18.960 --> 00:48:25.240
Secure case; they’re not cooperating and really thinking that it’s an unjust charge against them.

00:48:25.240 --> 00:48:29.560
JACK: Once again, that court case is going to hinge on one thing,

00:48:29.560 --> 00:48:34.360
whether Sky knew they were selling to criminals to help them commit crimes.

00:48:34.360 --> 00:48:41.360
JOSEPH: Yes; the way that the US will prosecute one of these under RICO is if they can prove

00:48:41.360 --> 00:48:49.680
that Sky or anyone else sold these phones deliberately to facilitate criminal activity

00:48:49.680 --> 00:48:55.680
and knowingly did that. We honestly have no idea if the DOJ has that sort of information.

00:48:55.680 --> 00:49:01.120
I’m gonna guess the DOJ wouldn’t file an indictment based on absolutely nothing,

00:49:01.120 --> 00:49:06.440
but we have to see what evidence they have eventually, [MUSIC] and we haven’t seen that yet,

00:49:06.440 --> 00:49:12.340
and Jean-Francois is gonna fight the case, is my understanding.

00:49:12.340 --> 00:49:20.800
JACK: So, we looked at Phantom Secure, Encrochat, and Sky ECC, but there’s so many more encrypted

00:49:20.800 --> 00:49:24.960
phone companies out there. They’re all coming and going. It’s hard to keep track of them,

00:49:24.960 --> 00:49:29.320
which means there’s no lack of wild stories that happen with these companies. Another

00:49:29.320 --> 00:49:33.720
story I find fascinating is one that comes from an encrypted phone company called Ennetcom.

00:49:33.720 --> 00:49:37.960
JOSEPH: So, yeah, Ennetcom was one of these early encrypted phone companies that were

00:49:37.960 --> 00:49:44.320
using BlackBerries. Pretty popular at the time, especially in Europe,

00:49:44.320 --> 00:49:48.760
and this was sort of the first – for lack of a better word – takedown of

00:49:48.760 --> 00:49:54.680
an encrypted phone company that I saw and I reported on at the time. In this case,

00:49:54.680 --> 00:50:01.360
Dutch police were able to get the content of the messages which was very unusual at the time.

00:50:01.360 --> 00:50:06.960
Eventually it came out, it appears that there was some sort of misconfiguration

00:50:06.960 --> 00:50:13.840
with how Ennetcom encrypted these communications. Authorities managed to get hold of the server,

00:50:13.840 --> 00:50:20.440
and I think it was potentially – the keys were also stored on the server, and they were able

00:50:20.440 --> 00:50:26.800
to decrypt the communications like that. So, it advertises itself as end-to-end encrypted,

00:50:26.800 --> 00:50:33.600
but that wasn’t really the case if they were able to get hold of the server and then actually obtain

00:50:33.600 --> 00:50:37.200
the contents of communications that way. It was an implementation issue, basically.

00:50:37.200 --> 00:50:41.760
JACK: Wow, again, the European police are really blowing my mind here with their attack

00:50:41.760 --> 00:50:47.680
capabilities. To find an implementation flaw in Ennetcom’s communication network and to exploit

00:50:47.680 --> 00:50:53.880
that to be able to relay messages back to the police is really incredible work. This resulted

00:50:53.880 --> 00:50:59.280
in the Dutch police collecting and decrypting three million messages sent over Ennetcom’s

00:50:59.280 --> 00:51:04.760
devices. Ennetcom must have been furious over this [MUSIC] but were quiet about it.

00:51:04.760 --> 00:51:08.360
JOSEPH: We didn’t hear much at all. I mean, I think the authorities, they shut down the

00:51:08.360 --> 00:51:15.360
network themselves at the time. I remember the owner of Ennetcom had some very expensive-looking

00:51:15.360 --> 00:51:21.240
lawyers when I went to their website and tried to chat to them for a bit. But no, they kind of

00:51:21.240 --> 00:51:27.600
fizzled out and they kind of faded into obscurity along with the owner. Meanwhile, everybody moves

00:51:27.600 --> 00:51:33.480
onto the other companies as well at the time. There’s still business to be done for these guys.

00:51:33.480 --> 00:51:39.480
JACK: Yes, this is offensive operations being carried out by the police. They are

00:51:39.480 --> 00:51:46.520
actively hacking into and infiltrating networks, servers, and phones in order to collect evidence

00:51:46.520 --> 00:51:51.600
on criminals. This is way different than what I previously imagined the police were doing

00:51:51.600 --> 00:51:55.480
in regards to computers, which I thought they were doing more forensic-type computer work,

00:51:55.480 --> 00:52:00.440
trying to look through the logs of a seized device to figure out what someone did,

00:52:00.440 --> 00:52:05.720
and that’s totally different work than hacking into a network covertly, placing malware on it,

00:52:05.720 --> 00:52:10.920
and collecting user data. So, the police must have had to put a lot of time and

00:52:10.920 --> 00:52:16.120
effort and resources just into building the team which would be capable of doing this.

00:52:16.120 --> 00:52:20.400
JOSEPH: Yeah, totally. This must be a real thorn in their side if they’re

00:52:20.400 --> 00:52:29.040
willing to contribute this time, resources, expertise to disrupting or shutting down

00:52:29.040 --> 00:52:34.160
or ultimately getting to the contents of the communications of these phones. As I mentioned,

00:52:34.160 --> 00:52:36.440
while everybody’s been looking at Facebook, Messenger, and WhatsApp,

00:52:36.440 --> 00:52:40.520
this is the real stuff that’s been going on with the organized crime people.

00:52:40.520 --> 00:52:44.320
JACK: Clear that up for me. What do you mean? What is everyone looking at Facebook and Messenger…?

00:52:44.320 --> 00:52:49.440
JOSEPH: Sure, so – sorry. I just mean very generally that when we have the so-called

00:52:49.440 --> 00:52:58.080
going dark debate among law enforcement and civil liberties advocates, and just your

00:52:58.080 --> 00:53:04.760
privacy advocates, that sort of thing, a lot of the commentary is on popular consumer devices. You

00:53:04.760 --> 00:53:11.560
know, the San Bernardino Apple case where the DOJ tried to legally force Apple to unlock the phone,

00:53:11.560 --> 00:53:19.400
the case where the DOJ tried to secretly get Facebook to somehow bug an encrypted

00:53:19.400 --> 00:53:27.640
communication, and then various laws potentially impacting the security of WhatsApp. There’s a

00:53:27.640 --> 00:53:32.840
lot of discussion around that, and then more recently, a lot of stuff around child sexual

00:53:32.840 --> 00:53:38.440
abuse imagery and catching people [MUSIC] who are using consumer devices for that sort of thing.

00:53:38.440 --> 00:53:43.160
I mean, in my opinion, the so-called going dark debate is really happening with these

00:53:43.160 --> 00:53:49.800
encrypted phones. This is where law enforcement are being very aggressive with their techniques,

00:53:49.800 --> 00:53:54.920
both in a legislative sense when it comes to RICO and using that, and in a technical sense

00:53:54.920 --> 00:53:58.720
when they’re deploying malware en masse. If we’re gonna have this conversation

00:53:58.720 --> 00:54:02.840
around what sort of access should law enforcement have to private messages,

00:54:02.840 --> 00:54:10.320
what sort of messages should be available to authorities, what’s off-limits, what’s on-limits,

00:54:10.320 --> 00:54:14.080
I don’t know what the outcome of that discussion is, and as – my place as a journalist is not

00:54:14.080 --> 00:54:18.440
really to say where it should go, but I do think that people should be including this

00:54:18.440 --> 00:54:25.080
sort of stuff in that conversation, because it’s real-world case studies of this going on.

00:54:25.080 --> 00:54:31.440
JACK: There’s another encrypted phone company called MPC, and this one is crazy.

00:54:31.440 --> 00:54:36.440
JOSEPH: MPC is, in my opinion, the most interesting encrypted phone company. We’ve

00:54:36.440 --> 00:54:45.160
had these stories of tech entrepreneurs or just business people deciding to make these

00:54:45.160 --> 00:54:49.720
encrypted phone firms. Maybe they want the money, maybe they care about privacy, maybe it’s a mix,

00:54:49.720 --> 00:54:59.600
whatever. Here, MPC is a company made by organized crime for organized crime.

00:54:59.600 --> 00:55:04.680
It’s run, as we found talking to multiple sources in and around the industry,

00:55:04.680 --> 00:55:11.880
that it’s run by two serious top-tier gangsters, colloquially known as the brothers from Scotland.

00:55:11.880 --> 00:55:19.560
They deal with a lot of the drug trade going into Scotland and then obviously beyond its

00:55:19.560 --> 00:55:25.400
borders as well. They did use Ennetcom for a while, but then they decided to – well,

00:55:25.400 --> 00:55:30.000
no; we don’t want to trust our security to this company. Why don’t we make our own?

00:55:30.000 --> 00:55:36.400
They did that with MPC, but they also see an opportunity; if people want to work with us,

00:55:36.400 --> 00:55:42.000
they need to use our phones. So, they’ll sell the devices as well. It actually became a business

00:55:42.000 --> 00:55:46.880
opportunity in its own right, and actually running this company to then sell the devices

00:55:46.880 --> 00:55:52.860
to other organized criminals as well. It’s diversifying their portfolio, essentially.

00:55:52.860 --> 00:55:58.400
JACK: Well, nobody really knew who was running it at first, but because it was run

00:55:58.400 --> 00:56:02.960
by gangsters, they conducted their business differently than the others. For instance,

00:56:02.960 --> 00:56:06.680
they didn’t like the competition that was in the encrypted phone market,

00:56:06.680 --> 00:56:11.904
so they started threatening their distributors who also sold their competitors’ phones.

00:56:11.904 --> 00:56:16.960
JOSEPH: [MUSIC] One of the people I spoke to was threatened to be killed because they were

00:56:16.960 --> 00:56:24.400
selling a competitor’s phones in the same sort of area that MPC was also involved in. At least

00:56:24.400 --> 00:56:31.640
one person was slashed, my understanding, where you take a knife and you slash their

00:56:31.640 --> 00:56:37.120
cheeks so their mouth has a very large cut on it. That’s the sort of violence

00:56:37.120 --> 00:56:41.620
that these people were perpetrating as well as intimidating phone calls and that sort of thing.

00:56:41.620 --> 00:56:45.440
JACK: At some point, MPC messaged Joseph out of the blue.

00:56:45.440 --> 00:56:52.640
JOSEPH: They were asking me hey, do you do reviews of encrypted phones or anything like that? Just

00:56:52.640 --> 00:56:56.680
what anybody would do with an iPhone; you know, a sort of normal tech outlet where they send you

00:56:56.680 --> 00:57:01.600
the new iPhone and you review it or whatever. I don’t do that. That’s just not the sort of work

00:57:01.600 --> 00:57:07.920
I do. I said if you send me the phone, I’ll look at it, but I’m not going to be paid for a review,

00:57:07.920 --> 00:57:12.880
’cause they were offering payment and obviously that’s unethical. I said sure. They never ended

00:57:12.880 --> 00:57:19.240
up sending the phone, but they were clearly trying to establish some sort of legitimacy

00:57:19.240 --> 00:57:25.760
in the space by getting journalists or anybody else just to write what they thought about the

00:57:25.760 --> 00:57:31.720
device. I should say that the MPC did say just do an honest review or whatever, but that’s a very

00:57:31.720 --> 00:57:38.040
unusual dynamic to then – for a company you then later find out is run by top-tier organized crime.

00:57:38.040 --> 00:57:41.240
JACK: The police started investigating MPC and they

00:57:41.240 --> 00:57:45.280
also said this is very unusual for an organized crime group to create

00:57:45.280 --> 00:57:49.544
their own encrypted phone business. But the story gets even darker after that.

00:57:49.544 --> 00:57:54.480
JOSEPH: [MUSIC] So, one of the other ways beyond trying to get reviews from journalists that MPC

00:57:54.480 --> 00:58:01.440
was trying to get marketing was just sort of these brand deals. There’s a fairly famous

00:58:01.440 --> 00:58:10.000
former-criminal-turned-blogger-turned-sort of-journalist in Amsterdam called Martin Kok.

00:58:10.000 --> 00:58:18.040
He’s out of prison after murder convictions and he writes on his blog called Butterfly Crime. There,

00:58:18.040 --> 00:58:24.520
he makes a lot of enemies. He will name people, he will say what various crime elements are up

00:58:24.520 --> 00:58:29.760
to. There were lots of attempts on his life. You can go on YouTube and you can check out

00:58:29.760 --> 00:58:34.600
– the Dutch police showed a car bomb that was targeted against him, and it’s a truly

00:58:34.600 --> 00:58:41.680
huge explosion that they – they do a controlled explosion just to get rid of the bomb. Anyway,

00:58:41.680 --> 00:58:48.160
MPC worked with Martin for some branding. It’s like hey, just tweet some photos of you wearing

00:58:48.160 --> 00:58:56.120
this MPC shirt and the phones, and we can run adverts on your website, that sort of thing.

00:58:56.120 --> 00:59:02.000
Eventually, MPC say well, let’s keep this business relationship going. Why don’t you meet with one of

00:59:02.000 --> 00:59:09.600
our associates? Him and the associate, they go to a sex club on the outskirts of Amsterdam. There’s

00:59:09.600 --> 00:59:14.720
CCTV footage of Martin Kok walking around with somebody down the streets of Amsterdam,

00:59:14.720 --> 00:59:22.600
and a man in a hoodie runs up behind him, puts a gun to Martin’s head, and for some reason,

00:59:22.600 --> 00:59:28.000
he – Martin isn’t shot. Maybe the guy freaks out, maybe the trigger jams or whatever,

00:59:28.000 --> 00:59:33.800
but he points the gun; it doesn’t work, and then he runs away. That’s the first attempt on his life

00:59:33.800 --> 00:59:39.560
that day. Then when they eventually leave sort of blurry-eyed from the sex club and Martin Kok

00:59:39.560 --> 00:59:47.400
is getting into his car, a man jumps from the bushes and shoots him and kills him. We were

00:59:47.400 --> 00:59:55.400
told shortly after that or some time after that that this was an assassination with the consent

00:59:55.400 --> 01:00:00.940
and the help of MPC, the phone company, and by extension, the brothers who ran that company.

01:00:00.940 --> 01:00:06.800
JACK: Whoa. Now, that’s scary. I suppose it means you can’t trust an encrypted phone

01:00:06.800 --> 01:00:12.640
company that’s run by criminals. It also means that MPC is clearly breaking laws,

01:00:12.640 --> 01:00:16.680
while some of these other phone companies, it’s not so clear. Which, yeah, it’s going to cause

01:00:16.680 --> 01:00:21.320
them to be investigated by the police, and they’re gonna want to probably shut this company down. So,

01:00:21.320 --> 01:00:27.280
the police started investigating MPC to figure out who’s running it, and this did lead them to find

01:00:27.280 --> 01:00:33.540
out it’s being run by some known criminal brothers in Scotland, and this revealed their identities.

01:00:33.540 --> 01:00:40.800
JOSEPH: Yes, so my source provided the name of the two brothers beforehand;

01:00:40.800 --> 01:00:45.640
James Gillespie and his brother as well. Then, the police do announce that. They

01:00:45.640 --> 01:00:50.520
announce the two names of them and their various associates as well. Later on,

01:00:50.520 --> 01:00:56.280
they arrest one of the associates in South America, I believe. But at the moment,

01:00:56.280 --> 01:01:01.660
it seems that the brothers – at least from my understanding – are still on the run. Yeah.

01:01:01.660 --> 01:01:03.760
JACK: Ah, so they went into hiding.

01:01:03.760 --> 01:01:10.880
JOSEPH: Yes, yeah. There’s some reporting on crime blogs that they’re also in South America,

01:01:10.880 --> 01:01:18.680
but there’s – it’s hard to say. These people may move around. These are highly-technical,

01:01:18.680 --> 01:01:23.820
highly-resourced individuals, right? I doubt they’re gonna stay in one place for too long.

01:01:23.820 --> 01:01:28.980
JACK: But when one secure phone company goes down, it just seems like two more pop up.

01:01:28.980 --> 01:01:35.280
JOSEPH: A constant theme with these companies is that one – once one shuts down either of

01:01:35.280 --> 01:01:40.240
their own volition or law enforcement hacks them or otherwise carry out – carries out an

01:01:40.240 --> 01:01:45.600
operation against them, these criminal users or users in general, they still need a phone,

01:01:45.600 --> 01:01:52.480
so they will go to another one. So, when Encrochat was closed, another company called Omerta did a

01:01:52.480 --> 01:01:56.480
sort of discount offer where you could either get phones cheap or buy one get one free,

01:01:56.480 --> 01:02:04.160
or something like that. Presumably, maybe some people went over to that. When Phantom shut down,

01:02:04.160 --> 01:02:10.720
a lot of the user base was absorbed by Sky, and then also by Ciphr as well. Ciphr is still going.

01:02:10.720 --> 01:02:18.920
It’s probably the biggest or at least the most established and longest-living encrypted phone

01:02:18.920 --> 01:02:26.080
company that is still going right now. But is Ciphr being investigated? Probably in

01:02:26.080 --> 01:02:32.040
some capacity, right? It’s been going on for so long that maybe they could be the next target.

01:02:32.040 --> 01:02:37.120
JACK: There’s another encrypted phone out there that looks really promising. It’s called ANOM,

01:02:37.120 --> 01:02:42.360
kind of short for anonymous, and it has a cool dual-boot thing. Check this out;

01:02:42.360 --> 01:02:45.520
when you boot it up, it asks for a PIN to unlock it. That’s normal,

01:02:45.520 --> 01:02:51.240
right? If you type it in, you see normal apps like Instagram, Facebook, Tinder, Netflix,

01:02:51.240 --> 01:02:56.200
even Candy Crush. But if you try to click on any of these apps, they just don’t work.

01:02:56.200 --> 01:03:01.960
They’re just dummy apps to make the phone look normal. What you need to do is reboot the phone,

01:03:01.960 --> 01:03:07.880
but this time enter a different PIN code. When you enter the second secret PIN,

01:03:07.880 --> 01:03:14.160
it unlocks access to a secret area of the phone. But there are only three apps in this secret area,

01:03:14.160 --> 01:03:21.000
and at first glance, they look boring. One is a clock and the other is a calculator. The third

01:03:21.000 --> 01:03:27.040
is device settings. The secret is to open the calculator app which then asks you for your

01:03:27.040 --> 01:03:33.160
ANOM ID and password. Once you get in there, you can send and receive encrypted messages.

01:03:33.160 --> 01:03:39.280
This phone is slick and stealthy, and more clever than you realize. ANOM started up in I think

01:03:39.280 --> 01:03:44.920
2019 and it was first introduced in Australia. Specifically, people who typically distributed

01:03:44.920 --> 01:03:50.240
encrypted phones were getting these and passing them around. People were slowly adopting them and

01:03:50.240 --> 01:03:56.080
using them. Eventually, they made their way into other countries. Criminals, yeah, they like these

01:03:56.080 --> 01:04:01.880
phones, and started using them. [MUSIC] But ANOM had a secret. It wasn’t what people thought it

01:04:01.880 --> 01:04:11.320
was. It was a honeypot created entirely by the FBI to snoop, spy, and gather incriminating evidence

01:04:11.320 --> 01:04:16.840
from criminals. They worked with the Australian law enforcement to spy on Australian criminals,

01:04:16.840 --> 01:04:24.480
too. But this posed some massive challenges for the FBI. What are the legalities of marketing

01:04:24.480 --> 01:04:29.960
and selling spy phones like this? How do you even create a shady underground encrypted

01:04:29.960 --> 01:04:36.200
phone company without it being so good that it goes mainstream? Clearly, the FBI wanted

01:04:36.200 --> 01:04:41.920
in Phantom Secure phones, but didn’t get in. This may have been where they got the idea.

01:04:41.920 --> 01:04:48.600
If they can’t find a way in, they can make their own phone. This was dubbed Operation Trojan Shield

01:04:48.600 --> 01:04:54.840
in the FBI, and their ANOM phones were able to collect 27 million messages from its users. We

01:04:54.840 --> 01:05:00.360
don’t know how many arrests this resulted in, but it’s yet another incredible amount

01:05:00.360 --> 01:05:08.880
of resources that law enforcement has spent to try to infiltrate encrypted, secure phones. But man,

01:05:08.880 --> 01:05:14.920
now that we’ve taken this tour of the world of encrypted phones, I feel like I can’t trust

01:05:14.920 --> 01:05:20.920
them. In four of these stories, law enforcement infiltrated the chats. I don’t want the police

01:05:20.920 --> 01:05:25.800
reading my chats. So many of these phones seem like it’s just for criminals to use, and I don’t

01:05:25.800 --> 01:05:30.600
want that, either. I just want a secure phone that doesn’t vacuum up all my data, and I’m

01:05:30.600 --> 01:05:35.760
not a criminal; I just like privacy. There’s got to be some kind of phone out there for me.

01:05:35.760 --> 01:05:40.200
JOSEPH: There was Silent Circle, which is of course, is a slightly different user base and

01:05:40.200 --> 01:05:46.920
that is made by Phil Zimmermann, the creator of PGP. They have this platform where you have Silent

01:05:46.920 --> 01:05:51.040
Text which is obviously text messages, and then if you get an encrypted e-mail or something as well,

01:05:51.040 --> 01:05:55.520
and they had the Blackphone. This communications platform essentially,

01:05:55.520 --> 01:06:02.080
they did try to sell to governments. I think I’ve seen some – I believe it was the US Navy

01:06:02.080 --> 01:06:07.360
contracts and that sort of thing. So, that isn’t the same sort of space, but I don’t know

01:06:07.360 --> 01:06:10.520
if criminals would gravitate towards that because they’ll see oh, it’s working with the government;

01:06:10.520 --> 01:06:14.440
then they can’t be trusted. You know, that sort of thing. So many of these criminals will

01:06:14.440 --> 01:06:20.680
be better off with a fully up-to-date iPhone or a fully up-to-date Android device if it’s

01:06:20.680 --> 01:06:26.080
a higher-tier one with Signal installed and just use that, or Wickr, or whatever.

01:06:26.080 --> 01:06:31.480
JACK: So, Wickr and Signal, and there’s Wire, too. These are apps that you can get on your

01:06:31.480 --> 01:06:37.320
Android and Apple devices that lets you call and message people, and it uses end-to-end encryption,

01:06:37.320 --> 01:06:42.120
which means anyone in-between won’t be able to decipher the messages, including the companies of

01:06:42.120 --> 01:06:47.680
Signal, Wickr, or Wire themselves. If security and privacy is important to you, which it should be,

01:06:47.680 --> 01:06:52.880
you should move your communications to one of these apps. Signal seems to be the most popular,

01:06:52.880 --> 01:06:57.720
where you probably already have friends and family using it. [MUSIC] But what about securing the

01:06:57.720 --> 01:07:03.720
phone itself? Well, I guess we’re gonna have to go with iPhone or Android on this, but you should

01:07:03.720 --> 01:07:09.080
do things to lock it down. To start with, keep them updated. Updates fix vulnerabilities, and

01:07:09.080 --> 01:07:13.520
I think what we’ve learned in this story is that authorities will exploit vulnerabilities to gather

01:07:13.520 --> 01:07:18.080
evidence, and some of these companies just weren’t very good at securing their own infrastructure.

01:07:18.080 --> 01:07:22.160
I mean, it sounds like Ennetcom left the keys to their server out in the open,

01:07:22.160 --> 01:07:25.720
and these little startup companies aren’t going to have the resources to properly

01:07:25.720 --> 01:07:30.880
secure their networks and devices to be able to withstand attacks from law enforcement. However,

01:07:30.880 --> 01:07:36.600
a big company like Apple and Google do have the resources to keep things secure from outsiders

01:07:36.600 --> 01:07:41.560
getting in. Now, if you’re going to get an Android device, I recommend getting the Google Pixel over

01:07:41.560 --> 01:07:46.960
the other Android phones, since Google makes the Pixel phones and the Android operating system.

01:07:46.960 --> 01:07:51.640
This means the latest security updates will be available on the Pixel first. These updates

01:07:51.640 --> 01:07:57.640
can take a long time to trickle down into other makers like Samsung or OnePlus phones. I’ve seen

01:07:57.640 --> 01:08:02.520
some phones sold in stores that are so far behind on Android updates that the software is already

01:08:02.520 --> 01:08:08.160
end-of-life on brand-new phones. So, you want to get closest to the source with Android, which is

01:08:08.160 --> 01:08:13.520
getting the Google Pixel. But one big security flaw still with these phones is SIM-swapping.

01:08:13.520 --> 01:08:17.920
This is where criminals will call up your phone company and impersonate you to tell them to

01:08:17.920 --> 01:08:23.000
move your phone number to their phone. Once a criminal gets control of your phone number,

01:08:23.000 --> 01:08:28.120
they can get into a ton of your accounts, and it’s a horrible problem to try to figure out. So,

01:08:28.120 --> 01:08:34.120
because of this, I use an iPod Touch as my phone. Joseph actually taught me this and wrote a great

01:08:34.120 --> 01:08:38.440
article on how to do this, because the iPod touch doesn’t have a SIM card. It’s Wi-Fi only,

01:08:38.440 --> 01:08:43.240
so it’s impossible to SIM-swap me. I use a combination of Google Voice and other apps

01:08:43.240 --> 01:08:48.440
to get the iPod touch to be a regular phone when it has a Wi-Fi signal, and this is what I use as

01:08:48.440 --> 01:08:54.720
my primary work phone. Honestly, the only app I use on it is Signal, which allows me to text and

01:08:54.720 --> 01:09:00.440
make calls securely using end-to-end encryption. If you want to go even deeper to lock down your

01:09:00.440 --> 01:09:05.960
phones like I do, I highly recommend the book Extreme Privacy: What It Takes to Disappear,

01:09:05.960 --> 01:09:10.640
by Michael Bazzell. This is a massive book which is all about how to secure your digital

01:09:10.640 --> 01:09:22.903
life. It’s fantastic, and I’ll have a link in the episode description if you’re interested.

01:09:22.903 --> 01:09:27.280
(OUTRO): [MUSIC] A big thank you to Joseph Cox, senior staff writer at Vice’s Motherboard. There’s

01:09:27.280 --> 01:09:32.120
always news coming out about these encrypted phones, and Joseph is always all over it. So, you

01:09:32.120 --> 01:09:36.960
should definitely follow him on Twitter to stay updated. If you like this show, if it brings value

01:09:36.960 --> 01:09:41.400
to you, consider donating to it through Patreon. By directly supporting this show, it helps keep

01:09:41.400 --> 01:09:45.480
ads at a minimum, it helps get new people to make the show, and it tells me that you want more of

01:09:45.480 --> 01:09:52.320
it. So, please visit patreon.com/darknetdiaries and consider supporting the show. Thank you. This

01:09:52.320 --> 01:09:57.560
show is made by me, the decompiled Jack Rhysider. Editing help and sound design by the cipher-sweet

01:09:57.560 --> 01:10:02.680
Andrew Meriwether. Our theme music is by the elliptical curve known as Breakmaster Cylinder.

01:10:02.680 --> 01:10:23.640
In the future, everyone will have fifteen minutes of privacy. This is Darknet Diaries.
