End-to-end encryption is a human right
A quick summary of an important judgment from Europe
On 13 February 2024, the European Court of Human Rights (ECtHR) handed down its judgment in a case concerning end-to-end encryption (E2EE). In short, it held that data acquisition orders requiring the decryption of communications protected by E2EE are unlawful.
The facts of the case are as follows:
In July 2017, the Federal Security Service (FSB), Russia's main security agency, ordered Telegram to provide the cryptographic keys to decrypt communications of users suspected of terrorism-related activities. This request was made on the basis of court decisions relating to the suspects.
Telegram refused to comply, arguing that the users in question had been using the 'secret chat' feature, meaning that the communications were protected by E2EE. It was therefore technically impossible to provide the FSB with a copy of the cryptographic keys.
The company was fined for refusing to comply with the data request. The Taganskiy District Court of Moscow even ordered the blocking of Telegram in Russia (though the app still remains available).
The case was eventually brought to the ECtHR by Telegram users contending that the FSB data request unlawfully infringed on their right to privacy under Article 8 of the European Convention on Human Rights (ECHR). This was one of the main issues that the court addressed in its judgment.
According to Article 8 ECHR and the relevant caselaw of the ECtHR, a state may only interfere with an individual's right to privacy if the following conditions are satisfied:
The interference is in accordance with the law. This means that a law permitting the interference by the state must exist, be accessible (in nature and form) to the public, and clearly set out when it applies.
The interference must be in relation to a legitimate aim. Article 8 lists some of them, including national security, public safety and the prevention of disorder or crime.
The interference must be necessary in pursuance of that legitimate aim. This means that there must be evidence of a "pressing social need" for the interference.
The interference must be proportionate in the pursuance of the legitimate aim. This requires clear and precise rules about its scope and application and minimum safeguards to protect against arbitrary interference.
Before examining compliance with these conditions, the ECtHR acknowledged that data protection "is of fundamental importance to a person's enjoyment of [their] right to respect for private and family life."[1] Additionally, it stated that the "confidentiality of communications is an essential element of the right to respect for private life and correspondence."[2]
Accordingly, a request from the state to acquire communications from a messaging app constitutes an interference with the right to privacy. This interference only becomes illegal if any of the above conditions are not met.
The ECtHR identified several ways in which the data acquisition request, and the legal basis behind it, did not meet the conditions under Article 8 ECHR:
While there was a legal basis that related to a legitimate aim,[3] the court was struck by the broad duties it imposed on companies like Telegram. Under Russian law, all such service providers are required to keep the internet communications of all their users (including voice, text, visual and video data) for six months and related communications data for one year.[4]
Although access to that data had to be authorised by a court, law enforcement authorities (LEAs) are not required to show such authorisations to service providers when making requests. Plus, service providers must install equipment that gives LEAs direct access to data, making the acquisition system "particularly prone to abuse."[5]
The ECtHR had previously ruled on the unlawfulness of Russian state surveillance law in a judgment from 2015. In the current case, the Russian government admitted that the same laws were applicable, leading the court to conclude that such laws did not provide the "adequate and effective guarantees against arbitrariness and the risk of abuse."[6]
The ECtHR then addressed the specific issue of E2EE. On this, it found that the obligation to decrypt E2EE communications was not proportionate to the legitimate aims being pursued by the FSB. The court gave three reasons for this:
Complying with the FSB's order would have required Telegram to effectively disable or weaken encryption for all users. This is because true E2EE deprives Telegram of the cryptographic keys to decrypt any of its users' communications, and so complying with the order would have impacted even "individuals who pose no threat to a legitimate government interest."[7]
Creating backdoors would "make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications."[8]
Such backdoors could be "exploited by criminal networks and would seriously compromise the security of all users' electronic communications."[9]
Here are the implications I think this case has for E2EE generally:
Orders to weaken the mechanism itself, or for its whole removal, are unlawful. This impacts different laws, both proposed and passed, that potentially jeopardise E2EE. The Investigatory Powers Act 2016 in the UK and the EU's proposed CSA regulation are of relevance here.
The court subtly clarified the difference between data protection and privacy and the role that encryption plays in this. Implementing measures to ensure that personal data are sufficiently protected helps to uphold other rights, such as the right to privacy. Accordingly, encrypting data in transit ensures the confidentiality of communications, which forms part of that right.
One issue that the court did not address was that of client-side scanning. This is a technique that LEAs have been advocating for as a way to detect illegal content or activity without 'breaking' E2EE (though this is debatable). You can read my notes on E2EE client-side scanning below for more information on this.
1. Podchasov v Russia, App no. 33696/19 (ECHR, 13 February 2024), [para. 62].
2. Podchasov v Russia, App no. 33696/19 (ECHR, 13 February 2024), [para. 65].
3. Podchasov v Russia, App no. 33696/19 (ECHR, 13 February 2024), [paras. 67 and 68].
4. Podchasov v Russia, App no. 33696/19 (ECHR, 13 February 2024), [para. 70].
5. Podchasov v Russia, App no. 33696/19 (ECHR, 13 February 2024), [paras. 72 and 73].
6. Podchasov v Russia, App no. 33696/19 (ECHR, 13 February 2024), [paras. 74 and 75].
7. Podchasov v Russia, App no. 33696/19 (ECHR, 13 February 2024), [para. 77].
8. Podchasov v Russia, App no. 33696/19 (ECHR, 13 February 2024), [para. 77].
9. Podchasov v Russia, App no. 33696/19 (ECHR, 13 February 2024), [para. 77].