Encryption backdoors violate human rights, EU court rules
The European Court of Human Rights (ECHR) has ruled that enabling governments to access everyone’s encrypted messages is a human rights violation. It probably won’t stop them from continuing to try, though.
In a 27-page judgement on Tuesday, the ECHR found that Russian legislation concerning online messaging services breach Article 8 of the European Convention on Human Rights, which protects the right to privacy. The case was brought by a Russian Telegram user who objected to laws requiring messaging services to store users’ communications for six months, keep their metadata for one year, and provide law enforcement with keys to decrypt their conversations upon request.
Russia stopped being a party to the Convention in Sept. 2022, six months after it was expelled from the Council of Europe, however the ECHR decided it was still able to hear the case as the events in question occurred prior to this.
The applicant successfully argued that it is impossible for Telegram to selectively provide authorities with decryption keys for some users and not others, as the technology simply does not work that way. Creating the ability to access any encrypted messages would enable access to all encrypted messages, weakening security and undermining privacy for everyone across the entire platform.
When encryption is an all or nothing deal, it seems better to err on the side of all.
“In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression,” wrote the ECHR.
“[I]n the present case the [internet communication organisers’] statutory obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users; it is accordingly not proportionate to the legitimate aims pursued.”
The ECHR also considered Russia’s data retention requirements “extremely broad,” with “exceptionally wide-ranging and serious” implications which would require significant safeguards against abuse. Unfortunately, such safeguards were nowhere to be found.
The court accepted the applicant’s claim that Russia’s laws violate the right to privacy by enabling the government to arbitrarily access anyone’s communication logs, even without cause. Russian law enforcement is not required to show messaging services judicial authorisation before accessing decryption keys, theoretically enabling them to conduct secret extrajudicial surveillance of users.
“Although the possibility of improper action by a dishonest, negligent or overzealous official can never be completely ruled out whatever the system, the Court considers that a system, such as the Russian one, which enables the secret services to access directly the Internet communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse,” wrote the ECHR.
Telegram refused Russia’s request to weaken encryption
The ECHR case concerned a 2017 order from Russia’s Federal Security Service, which demanded Telegram provide information allowing it to decrypt communications from six users suspected of “terrorism-related activities.” Telegram refused to comply with the order, stating that it was impossible to do so without creating a backdoor that would weaken encryption for all its users. It also noted that the users in question had activated Telegram’s optional end-to-end encryption, meaning even the company couldn’t access their messages.
Russia subsequently fined and blocked Telegram in the country. Though the ban was eventually lifted in 2020, it was upheld in domestic courts despite challenges by the current applicant and others. The applicant therefore took the matter to the ECHR, alleging that he was unable to get justice for the violation of their human rights through the Russian courts.
Tuesday’s ECHR ruling awarded the applicant €10,000 ($ 10,725) in damages, though whether he’ll actually receive that money is another question. In 2015 Russia passed a domestic law enabling its Constitutional Court to overturn ECHR rulings, a move which Human Rights Watch criticised as undermining victims’ ability to seek justice.
Governments vs Encryption
Governments around the world have tried forcing tech companies to weaken their encryption for years. In 2016, Apple CEO Tim Cook publicly opposed the U.S. government’s request for an iPhone encryption backdoor, stating that creating one would have “chilling” privacy and surveillance implications. Nevertheless, the U.S. has continued to pressure Apple to build a way for law enforcement to unlock people’s devices. WhatsApp also rejected a request from the UK government to build a backdoor to its encryption in 2017 — a conflict that could still end with it pulling out of the country altogether.
Encryption is further being threatened in the U.S. by the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, proposed legislation which was introduced to Congress in 2020. At the time, messaging app Signal warned that it may not be able to continue operating in the U.S. if the bill passed, alleging that the act would undermine end-to-end encryption. The bill was later amended in an attempt to address such concerns, though it wasn’t enough to assuage privacy experts.
The ECHR’s ruling this week is unlikely to put this long running encryption issue to rest. Still, it’s a notable victory for privacy and security advocates across the globe.