The European Court of Human Rights highlights the significance of encryption in the case of Podchasov v. Russia.

Mattis van ’t Schip & Frederik Zuiderveen Borgesius*

*Both authors work at the iHub and the Institute for Computing and Information Sciences, Radboud University, The Netherlands - mattis.vantschip[at]ru.nl & frederikzb[at]cs.ru.nl

Photo credit: Gzen92, on Wikimedia Commons

A February 2024 ruling by the European Court of Human Rights in the case of Podchasov v. Russia highlighted the crucial role of encryption in safeguarding privacy rights. This judgment comes at a time when encryption is at the heart of many global legal discussions. This blog post summarizes the Court’s key findings and offers some reflections.

Summary

The case revolves around Mr. Podchasov, a Telegram user. In 2017, Russia categorized Telegram as an ‘internet communication organizer,’ requiring it to retain all communication data for one year and communication content for six months, as per Russian law. This obligation covers all electronic communications, including text, video, and audio, that internet users receive, send, or process. Law enforcement agencies were granted access to this data, including decryption keys for encrypted communications (paragraph 6 of the judgment).

Telegram, a messaging app, is often favored by users because of its end-to-end encryption. For instance, Ukrainians rely heavily on Telegram to stay informed about the ongoing war. In simple terms, end-to-end encryption ensures that only the sender and the intended recipient can access the content of encrypted data, such as Telegram messages.

In July 2017, Russia’s Federal Security Service (FSB) demanded that Telegram hand over data that would allow it to decrypt messages from individuals suspected of ‘terrorism-related’ activities (paragraph 7 of the judgment). Telegram declined, arguing that granting the FSB access to encrypted messages would necessitate a backdoor in its encryption, potentially exploitable by malicious actors. Due to Telegram’s refusal, a Moscow District Court ordered a nationwide block of Telegram in Russia. Multiple Moscow courts rejected the applicants’ challenges against the disclosure order; even so, Telegram remains accessible in Russia today. The applicants ultimately took their case to the European Court of Human Rights, alleging that Russia’s actions violated their right to privacy as outlined in Article 8 of the European Convention on Human Rights (ECHR).

It’s important to note that Russia is no longer a member of the Council of Europe, having been suspended in March 2022 in response to its invasion of Ukraine. Subsequently, on September 16, 2022, Russia ceased to be a party to the European Convention on Human Rights. However, the Court asserted its jurisdiction over this case, as the alleged violations took place before Russia’s withdrawal from the Convention.

The Court referenced several documents not directly linked to the ECHR, including surveillance case law from the Court of Justice of the European Union, a report on digital privacy rights by the Office of the United Nations High Commissioner for Human Rights, a joint statement from Europol and the European Union Agency for Cybersecurity, and an opinion from the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB).

The surveillance system in question mirrors previous Russian surveillance practices deemed by the Court as violating Article 8 of the ECHR due to insufficient safeguards against indiscriminate breaches of privacy. Consequently, prior rulings are applicable to this case. However, unlike past judgments concerning surveillance in Russia, the Court delves into the role of encryption in safeguarding privacy.

The Court clarifies that the case specifically pertains to the encryption used for ‘secret chats’ on Telegram. While Telegram offers default ‘cloud chats’ with ‘custom-built server-client encryption’, users have the option to activate ‘secret chats’ that are end-to-end encrypted (paragraph 5 of the judgment). The Court explicitly excludes ‘cloud chats’ from its considerations, focusing solely on end-to-end encrypted ‘secret chats’ based on the applicants’ complaints.

The applicants, along with several privacy advocacy groups, contend that decrypting end-to-end encrypted messages would impact all users of that system (in this case, Telegram), as technical experts cannot create encryption backdoors for specific instances, cases, or users. The Russian government did not refute these claims. Therefore, the Court concluded that the Russian authorities interfered with the right to private life under Article 8 ECHR.

The Court then examines whether the Russian authorities can justify this infringement, such as by claiming it was necessary in a democratic society. Encryption is analyzed in this context.

The Court emphasizes encryption’s role in upholding privacy and other fundamental rights, such as freedom of expression:

[T]he Court observes that international bodies have argued that encryption provides strong technical safeguards against unlawful access to the content of communications and has therefore been widely used as a means of protecting the right to respect for private life and for the privacy of correspondence online. In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression (…) (para 76).

Furthermore, the Court highlights encryption’s significance in securing data and communications:

Encryption, moreover, appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information. This should be given due consideration when assessing measures which may weaken encryption. (para 76)

The Court observes that legal decryption mandates cannot be case-specific or restricted to certain situations. Creating a backdoor essentially creates a backdoor to all communications on the platform:

Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field. (para 77)

Based on these arguments, the Court determined that the demand for decrypting communication messages cannot be ‘regarded as necessary in a democratic society’ (paragraph 80 of the judgment). It concludes that Russia violated the right to privacy, protected by Article 8 ECHR.

Comments

The Podchasov case is part of a broader, ongoing global debate surrounding the value of end-to-end encryption in democratic societies. As the Court notes, end-to-end encryption is crucial for privacy, enabling individuals to communicate without third-party access. Experts praise its capacity to support journalists’ safety and facilitate free expression for historically marginalized groups.

Conversely, some law enforcement agencies view end-to-end encryption as a threat to public safety, fearing its potential misuse by malicious actors seeking to exploit its privacy features.

The FBI, for example, has been engaged in a prolonged battle with Apple regarding iPhone encryption, which some suspects have used to shield their phone data. Apple has consistently refused to provide decryption keys or software to the FBI, citing security risks associated with such backdoors.

This tension between security and privacy is not new, and encryption is now central to this debate. The EU Commission recently weighed in with a proposal for a Child Sexual Abuse Material Regulation (CSAM proposal), which, in essence, would compel communication providers like Telegram and WhatsApp to scan users’ communications for, block, and report child sexual abuse material. Experts generally agree that this would necessitate either unencrypted communication, a form of backdoor, or pre-encryption analysis of communications on users’ devices. The latter, experts warn, could be considered a backdoor in itself. The CSAM proposal faces significant opposition from various civil organizations, technical experts, and academics, with opponents likely to cite this judgment.

The European Court of Human Rights is unequivocal in its stance on the importance of end-to-end encryption for privacy. It asserts that end-to-end encryption is fundamental to privacy, basing its reasoning partly on an opinion from the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) concerning encryption in the context of the CSAM proposal. The Court also references submissions from civil society organizations, acting as amici curiae. The Court echoes the EDPS, EDPB, and privacy organizations’ stance that compromising encryption undermines the security of the entire system for all users.

Moreover, the Court emphasizes the importance of encryption for user security, particularly in the context of data protection. Without proper data encryption, individuals cannot be assured that their data stored in cloud storage, for instance, remains accessible only to them. Therefore, encryption serves as a safeguard against hacking, identity fraud, and data theft (paragraph 76 of the judgment).

The Podchasov case delivers a clear message: encryption is paramount for protecting privacy. While the Court’s unambiguous statements will undoubtedly influence ongoing encryption debates, a definitive resolution to this debate remains elusive.

Licensed under CC BY-NC-SA 4.0