Encryption backdoors violate human rights, says EU court

Implications for EU's own efforts to regulate encryption


The European Court of Human Rights (ECHR) has declared that giving law enforcement access to encrypted messages through backdoors violates fundamental rights outlined in the European Convention on Human Rights.

The ruling, delivered on Tuesday, stems from a case originating in Russia, involving a Telegram user and the Russian government's demands for access to encrypted messages.

The user, Anton Podchasov, challenged the Federal Security Service's (commonly known as the FSB) requirement for Telegram to decrypt messages, arguing that it violated his right to privacy and the rights of all Telegram users.

Russian courts dismissed Podchasov's efforts, leading him to bring the matter to the ECHR in 2019.

Russia withdrew from the European Convention on Human Rights in March 2022. However, the ECHR determined that, as the events preceded the withdrawal, it would continue to consider the matter.

Podchasov's legal challenge contends that complying with the FSB's demand would grant authorities unrestricted access to all communications, without the judicial oversight mandated by Russian law.

While the Russian government claimed the request was limited to specific users and necessary for combating terrorism, the ECHR sided with privacy advocates and Telegram, ruling that creating backdoors would inevitably weaken encryption for all users.

The ECHR highlighted encryption's role in safeguarding privacy and other fundamental rights, such as freedom of expression, in the digital realm. It concluded the legislation requiring decryption of end-to-end encrypted communications disproportionately infringes upon these rights.

"In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression," the ECHR said.

"[I]n the present case the [internet communication organisers'] statutory obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users; it is accordingly not proportionate to the legitimate aims pursued."

The court also expressed concerns about Russia's broad data retention requirements, highlighting the lack of adequate safeguards against abuse.

Ioannis Kouvakas, senior legal officer for Privacy International, hailed the decision as a blow against authoritarianism and a reaffirmation of the protection of fundamental rights.

Martin Husovec, a law professor involved in drafting testimony for the case, expressed his satisfaction with the court's recognition of encryption's value and the dangers of state-imposed weakening.

Broader implications

The ruling has broader implications for the European Union's own efforts to regulate encryption.

In particular, it casts doubt on proposals aimed at using technology to detect child sexual abuse material (CSAM) in encrypted content, such as the regulation submitted by the European Commission in 2022.

Critics, including the Irish Council for Civil Liberties, have raised concerns about the potential for mass surveillance and the erosion of encryption standards inherent in such measures.

Similar privacy concerns have been voiced regarding the UK's Online Safety Bill, which critics argue could compromise end-to-end encryption.

Companies like Apple and Meta have opposed certain provisions of the bill, with Signal even threatening to exit the UK market if changes are not made.

The UK government has defended its stance, saying that companies must develop technologies capable of targeting specific users without undermining encryption for all users.

Computing says:

Governments around the world have been struggling for years to balance national security and the right to privacy when it comes to encryption. Historically they favour the former, while the general public tends to prefer the latter (although not always).

Governments defend their position by saying they'll only spy on bad people, but that - as tech companies point out - isn't possible at present, or possibly at all. Any system that allows a government to break encryption holds the potential for mass surveillance and abuse by bad actors, which is why the ECHR quite rightly made its new ruling.

This is exactly why the UK government had to climb down in the closing days of the Online Safety Bill coming into law, though it remains committed to the idea of message scanning; all it's really done is kick the can down the road until ministers think it's worth another shot at breaking encryption.