European Court of Human Rights confirms: weakening of encryption can violate the human right to privacy

In a milestone judgment - Podchasov v. Russia - the European Court of Human Rights (ECtHR) has ruled that weakening of encryption can lead to general and indiscriminate surveillance of the communications of all users and violates the human right to privacy.

By Electronic Frontier Foundation (EFF) (guest author) · March 20, 2024

Telegram Messenger Refusal to Decrypt User Messages

“Everyone has the right to respect for his private and family life, his home and his correspondence”. This important fundamental right, embodied in Article 8 of the European Convention of Human Rights, was obviously not at the heart of the statutory requirement for “internet communications organisers” in Russia to store the content of all Internet communications and to submit those data to law-enforcement authorities and security services at their request, as well as any information necessary to decrypt user messages.

The FSB (the Russian Federal Security Service) subsequently ordered Telegram Messenger LLP to assist in decrypting the communications of specific users suspected of engaging in terrorism-related activities. Arguing that such requests would inevitably lead to encryption backdoors, Telegram refused and was consequently fined by Russian courts, which also ordered the blocking of the app within the country.

Telegram Users Complain Before the European Court of Human Rights

Encryption is vital for all internet users, and in particular for journalists and human rights defenders. Journalists active in Ukraine or activists in Russia, for example, could face significant consequences if their identities, or those of their families, were released to the Russian authorities.

Consequently, the controversy extended beyond Telegram, which EDRi member Electronic Frontier Foundation (EFF) is jointly supporting in a parallel complaint before the ECtHR, and drew in numerous users who contested the disclosure orders in Russian courts.

In a recent case before the European Court of Human Rights (ECtHR), a Russian citizen, Mr. Podchasov, argued that forced decryption of user communication would infringe on the right to private life under the European Convention of Human Rights.

The Court Agrees: Encryption is Important for Safeguarding Fundamental Rights

EFF has always stood against government intrusion into the private lives of users. Encryption not only safeguards users’ privacy, but also protects their right to freedom of expression, protected under international human rights law.

In a great victory for privacy advocates, the ECtHR agreed. The judges confirmed that indiscriminate data storage interferes with users’ privacy rights.

The Court issued a number of important findings about the mandate for service providers to submit decryption keys to security services. First, the ECtHR emphasised the importance of encryption technologies for safeguarding users’ privacy as well as the exercise of other fundamental rights, such as freedom of expression.

The Court also underscored the role of encryption in providing a robust defense against unlawful access. Encryption helps citizens and businesses alike to defend themselves against abuses of information technologies.

Turning to the mandate to decrypt Telegram’s “secret chats”, the ECtHR determined that this measure would require the weakening of encryption for all users. The Court emphasised that backdoors could be exploited by criminal networks and would seriously compromise the security of users’ communications. The ECtHR noted that there is a range of alternative solutions for decryption that would not weaken the protective mechanisms, such as forensics on seized devices and better-resourced policing.

In light of these findings, the Court asserted that the mandate to decrypt end-to-end encrypted communications risks weakening the encryption mechanism for all users, which was a disproportionate measure. It concluded that the retention and unrestricted state access to internet communication data, coupled with decryption requirements, cannot be regarded as necessary in a democratic society. They are thus unlawful.

The ECtHR Ruling Will Have an Impact on Current Policy Developments

The judges’ rigorous deliberations directly challenge Europe’s ongoing efforts to weaken encryption to allow access and scanning of our private messages and photos. In the UK, EFF and other groups have opposed the contentious UK Online Safety Act (OSA), which poses a risk of online platforms deploying software to search through all users’ photos, files, and messages for illegal content. Rather than making the UK the world’s “safest place” to use the internet, the OSA outlines a variety of ways to undermine our privacy and speech. EFF recently submitted comments to the relevant UK regulator (Ofcom) to avoid any weakening of encryption when this law becomes operational.

In the EU, we are concerned that the European Commission’s message-scanning proposal (CSAR) will be a disaster for online privacy. It would allow EU authorities to compel online services to scan users’ private messages and compare their photos against law enforcement databases or use error-prone AI algorithms to detect criminal behaviour. Such detection measures will inevitably lead to dangerous and unreliable Client-Side Scanning practices, undermining the essence of end-to-end encryption.

As the ECtHR deems general user scanning disproportionate, and has specifically criticised measures that weaken existing privacy standards, forcing platforms like WhatsApp or Signal to weaken security by inserting a vulnerability into all users’ devices to enable message scanning must be considered unlawful.

The CSAR proposal is likely to be followed by other proposals to grant law enforcement access to encrypted data and communications. An EU high level expert group on ‘access to data for effective law enforcement’ is expected to make policy recommendations to the next EU Commission in mid-2024.

Together with EDRi, EFF is calling on lawmakers to take the Court of Human Rights ruling seriously: blanket and indiscriminate scanning of user communication and the general weakening of encryption for users is unacceptable and unlawful.

Contribution by: Christoph Schmon, PhD, International Policy Director, EDRi member, Electronic Frontier Foundation (EFF)