Saturday, 20 April 2024

Podchasov v. Russia: the European Court of Human Rights emphasizes the importance of encryption

 

 


 

Mattis van ’t Schip & Frederik Zuiderveen Borgesius*

*Both authors work at the iHub and the Institute for Computing and Information Sciences, Radboud University, The Netherlands - mattis.vantschip[at]ru.nl & frederikzb[at]cs.ru.nl

Photo credit: Gzen92, on wikimedia commons 

 

In a judgment from February 2024 in the case Podchasov v. Russia, the European Court of Human Rights emphasised the role of encryption in protecting the right to privacy. The judgment comes at a time when encryption is central to many legal debates across the world. In this blog post, we summarise the main findings of the Court and add some reflections.

Summary

Podchasov, the applicant in the case, is a user of Telegram. Russia listed Telegram as an ‘internet communication organiser’ in 2017. This registration meant that Telegram, according to Russian law, had to store all its communications data for one year, and the contents of communication data for six months. The obligation concerns all electronic communications (e.g., textual, video, sound) received, transmitted, or processed by internet users. Law enforcement authorities could request access to that data, including access to the decryption key in case communications are encrypted (para 6 of the judgment).

Telegram is a messaging app that users often employ because of its end-to-end encrypted messaging. For instance, Telegram is an important communication channel for Ukrainians to receive updates about the current war. End-to-end encryption means, roughly summarised, that only the sender and the intended recipient can access the content of the encrypted data, in this case Telegram messages.

In July 2017, the Russian Federal Security Service (FSB) required Telegram to disclose data that would allow the FSB to decrypt messages of suspects of ‘terrorism-related’ activities (para 7 of the judgment). Telegram refused. Telegram said that it was impossible to allow the FSB to access encrypted messages without creating a backdoor to their encryption that malicious actors might also use. Because of Telegram’s refusal, a District Court in Moscow ordered the nation-wide blocking of Telegram in Russia. The applicants challenged the disclosure order, but their challenge was dismissed across several Moscow courts. Meanwhile, Telegram remains operational in Russia today. Finally, the applicants lodged their complaint with the European Court of Human Rights. They complained that Russia violated their right to private life in Article 8 of the European Convention on Human Rights (ECHR).

Russia is not a member of the Council of Europe anymore. The Council of Europe stopped Russia’s membership in March 2022, in response to Russia’s invasion of parts of Ukraine. Six months later, on 16 September 2022, Russia ceased to be party to the European Convention on Human Rights. Nevertheless, the Court gives this judgment. The Court says that it has jurisdiction over this case, as the alleged violations occurred before the date that Russia ceased to be a party to the Convention.

The Court quotes several documents that are not directly related to the ECHR, including surveillance case law of the Court of Justice of the European Union, a report on the right to privacy in the digital age by the Office of the United Nations High Commissioner for Human Rights, a statement by Europol and the European Union Agency for Cybersecurity, and an Opinion of the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB).

The surveillance scheme before the European Court of Human Rights resembles earlier Russian surveillance schemes, which the Court held to violate Article 8 ECHR for failing to provide adequate and sufficient safeguards against indiscriminate breaches of the right to private life. Earlier holdings thus also apply in the underlying case. Unlike in previous judgments about surveillance in Russia, the Court discusses the role of encryption in protecting the right to private life.

On encryption, the Court holds that the underlying case only concerns the encryption scheme of ‘secret chats’. Telegram offers ‘cloud chats’ by default with ‘custom-built server-client encryption’, but users can also decide to activate ‘secret chats’ which are end-to-end encrypted (para 5 of the judgment). The Court explicitly excludes any considerations of so-called ‘cloud chats’ in the case, as the complaints only concern the ‘secret chats’. The scope of the Court’s holdings is therefore limited to only end-to-end encryption as used for secret chats.

The applicants and several privacy-related civil organisations say that decryption of end-to-end encrypted messages would concern all users of that system, in this case Telegram, as technical experts can never create an encryption backdoor for a specific instance, case, or user. The Russian government did not refute these statements. The Court therefore holds that the Russian authorities interfered with the right to private life of Article 8 ECHR. The Court then investigates whether the Russian authorities can justify this violation, for instance because the violation is necessary in a democratic society. The Court analyses encryption in this light.

The Court emphasises that encryption contributes to ensuring the enjoyment of the right to private life and other fundamental rights, such as freedom of expression:

[T]he Court observes that international bodies have argued that encryption provides strong technical safeguards against unlawful access to the content of communications and has therefore been widely used as a means of protecting the right to respect for private life and for the privacy of correspondence online. In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression (…) (para 76).

The Court adds that encryption is important to secure one’s data and communications:

Encryption, moreover, appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information. This should be given due consideration when assessing measures which may weaken encryption. (para 76)

The Court observes that legal decryption obligations cannot be specific or limited to certain circumstances: once a messaging provider creates a backdoor, there is a backdoor to all communications on the messaging platform:

Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field. (para 77)

Based on the above-mentioned arguments, the Court holds that the requirement to decrypt communication messages cannot be ‘regarded as necessary in a democratic society.’ (para 80 of the judgment) The Court concludes that Russia breached the right to private life, protected in Article 8 ECHR.

Comments

The Podchasov case follows a long debate about the value of end-to-end encryption in democratic societies globally. As the Court mentions, end-to-end encryption is valuable for privacy as it enables people to communicate in such a way that third parties cannot access the communication. In this context, experts herald end-to-end encryption for its capacity to support, for instance, journalists in performing their work safely, or historically marginalised groups to express themselves freely.

At the same time, some law enforcement agencies consider end-to-end encryption a threat to public safety, as malicious actors can benefit from the privacy provided by secure messaging and similar methods, such as data encryption, too.

For instance, the FBI is in a long battle with Apple over the encryption of iPhones, which several suspects employed to keep their phone information and data private. On each occasion, Apple refused to offer decryption keys or software to the FBI, citing security concerns that can stem from enabling such backdoors.

The battle between security and privacy is, of course, long-standing. Encryption is now central to this debate. The EU Commission recently joined the debate with a proposal for a Child Sexual Abuse Material Regulation (CSAM proposal). Roughly summarised, the proposal would require communication providers (such as Telegram or WhatsApp) to analyse people’s communications to find, block, and report child sexual abuse materials, such as inappropriate pictures. Experts agree that communication providers can only do so if they do not encrypt communications, if they include a type of backdoor, or if they analyse communications on people’s devices before they are encrypted. Experts warn that such on-device analysis can be seen as a kind of backdoor of encrypted communications too. Many civil organisations, technical experts, and academics oppose the CSAM proposal. Opponents of the CSAM proposal can be expected to cite this judgment.

The European Court of Human Rights is clear about the role of end-to-end encryption for the right to private life. In one paragraph, the Court states that end-to-end encryption is vital to privacy. The Court bases its reasoning partly on an opinion of the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) which discusses encryption in the context of the above-mentioned CSAM proposal. The Court also refers to responses from civil society organisations, who can present their views to the Court as amici curiae. The Court follows the reasoning of the EDPS, the EDPB, and privacy organisations regarding the conclusion that once encryption is broken, the entire system is no longer secure for its users.

The Court also mentions that encryption is vital to the security of users. Consider, for instance, the importance of data protection in the current privacy context. Without adequate data encryption, people cannot be sure that the data they store in, for instance, cloud storage, is accessible to only them. Encryption therefore also helps against hacking, identity fraud, and data theft (para 76 of the judgment).

The Podchasov case is straightforward: encryption is vital to the protection of the right to privacy. The Court’s clear statements will influence ongoing encryption debates, but the end of the debate is not in sight.
