An end to end-to-end encryption? Not so soon | Fieldfisher

This case between a Russian user of Telegram and the Russian Federation led the European Court of Human Rights ('ECtHR') to rule in favour of end-to-end encryption ('E2EE').

This case presented the Court with the unique opportunity to assess the seriousness of interferences that seek to weaken modern encryption tools and uphold the rights of millions of users, by applying the European Convention on Human Rights ('ECHR') in the digital era.

This judgment could have profound implications for governments seeking access to information protected by E2EE.

Background

On 13 February, the ECtHR published its judgment in Podchasov v Russia [2024] ECHR 134. The case concerned a requirement under Russian law for "Internet communication organisers" ('ICOs') to store all communications data for 12 months and the contents of communications for six months, along with the information necessary to decrypt any encrypted messages.

The Russian Federal Security Service ('FSB') requested Telegram, a designated ICO, to disclose information relating to Telegram accounts including the encryption keys necessary to decrypt messages. Telegram refused, on the basis that the messages were protected by E2EE and it was not therefore possible to comply with the FSB's request without creating a backdoor for all users.

The applicant challenged the request in the domestic courts, and the challenge was rejected at every instance of appeal. At the ECtHR, the Court considered whether the applicant's (i.e. the Telegram user's) Article 8 rights – the right to respect for private and family life – had been interfered with.

The Court's findings

The ECtHR found that because the measures could not be limited to specific individuals, they would affect all users indiscriminately. Accordingly, the Court found that the applicant was affected by the legislation requiring a backdoor. Any backdoor implemented could also be exploited by malicious actors, and encryption was considered important in helping citizens and businesses protect themselves from hacking, identity theft and fraud. Consequently, the Court held that an obligation to decrypt E2EE messages, which amounts to weakening encryption for all users, was not proportionate.

What the judgment means for legislators

The judgment also dealt with the requirements to store data for potential access for targeted surveillance. The Court noted there were legitimate aims pursued in the Russian surveillance law, but that there were no adequate and effective guarantees against arbitrariness and risk of abuse.

While other European countries may have more rigorous safeguards in place for their surveillance regimes, the Court's findings in relation to demands to decrypt or weaken E2EE communications should make legislators pause for thought. The weakening of encryption indiscriminately for users was in and of itself considered not to be necessary in a democratic society.

Comment

While the decision is unlikely to have any effect within Russia, it matters to countries that are contemplating or have enacted controversial decryption laws, such as the United Kingdom's Online Safety Act and the European Commission's 'chat control' proposals, which aim to use technological solutions to scan encrypted data. The problem is that no technical solution exists which maintains the integrity of E2EE. Instead, such obligations force providers to actively alter the software they offer users by inserting 'backdoors' - essentially degrading security.

While the references to storage and adequate safeguards in the judgment are specifically focused on the Russian system, what is said about decryption is, at least on its face, applicable to any system which requires a universal ability to provide communications to law enforcement in decrypted form.

This judgment will give governments seeking to erode the sanctity of E2EE, which inevitably involves compromising the integrity and security of communications for billions of users globally, pause for very serious thought.

Although the judgment is unlikely to be the end of legislative efforts to undermine E2EE for users, it sends a clear signal that such efforts are unlikely to be compatible with the ECHR in the absence of robust safeguards.

Fieldfisher has a unique understanding of investigatory powers compliance and the laws relating to encryption. If you would like advice on how the Investigatory Powers Act ('IPA') may apply to your business, or how to bring your business into compliance, please contact us.

Thank you to Jonathan Comfort for his contribution to this article.
