On February 13, 2024, the European Court of Human Rights (Strasbourg Court) issued its verdict in Podchasov v. Russia. The case involved a statute that (i) established a data retention scheme, and (ii) permitted law enforcement to order the decryption of collected data. The applicant in this case, a Telegram user, challenged an order that required Telegram to decrypt their communications protected by end-to-end encryption (E2EE).
This decision is particularly important because a case involving the weakening of E2EE is uncharted waters for both the Strasbourg Court and the European Court of Justice (Luxembourg Court). It represents a significant victory for privacy advocates, as the Strasbourg Court ruled that mandating the decryption of E2EE data constituted a violation of Article 8 of the European Convention of Human Rights, the right to privacy. In this analysis, I will delve into the Strasbourg Court's decision, examining both its ruling on the data retention scheme and the decryption of E2EE data.
Data Retention Scheme
The case hinged on the contentious Russian Code of Criminal Procedure and the Operational-Search Activities Act. This law demanded that internet communication organisers (ICOs) store all communication data (metadata) for one year and the content of communications for six months in Russia. The ICOs were mandated to provide all metadata and content data collected by them to law enforcement authorities upon request (Section 10.1(3.1)).
The Strasbourg Court noted that the data retention scheme was very broad in nature. It required the retention of all internet content data and metadata for a prolonged period, without any circumscription of the scope of the measure in terms of territorial or temporal application or categories of persons liable to have their personal data stored (Para 70). The Court found the retention scheme to be exceptionally wide-ranging and serious because:
It affects all users of Internet communications, even in the absence of reasonable suspicion of involvement in criminal activities or activities endangering national security, or of any other reasons to believe that retention of data may contribute to fighting serious crime or protecting national security (Para 70).
The Strasbourg Court held that the data retention and access scheme violated the right to privacy, as it did not offer adequate safeguards against abuse, considering the seriousness of the interference. The Court noted that it had previously examined the same statute in the case of Roman Zakharov v. Russia (2015), and the data retention and access scheme were subject to the same procedures and safeguards (Para 74). Therefore, the Court did not carry out its analysis of legality (quality of law) de novo; it found no reasons to reach a different conclusion in the present case (Para 75). The Court concludes that this legislation permits the public authorities to have access, on a generalised basis and without sufficient safeguards, to the content of electronic communications. Therefore, it impairs the very essence of the right to respect for private life (Para 80). The language in the concluding paragraph and the rationale of the Court closely align with the Luxembourg Court decision in Schrems I (2015), even though it is not directly referenced here.
Podchasov continues the Strasbourg Court's trend of focusing on procedural inadequacies rather than substantive issues, a phenomenon termed "procedural fetishism" by Zalnieriute. For example, in the case of Big Brother Watch and Centrum för Rättvisa (2021), the Court highlighted procedural flaws in the bulk surveillance law without explicitly examining whether bulk interception itself is inherently impermissible. These two decisions have normalised mass surveillance/bulk interception within the Strasbourg Court's jurisprudence. This trend can also be observed in the approach of the Luxembourg Court, exemplified by the verdicts in Privacy International and La Quadrature du Net (2020).
Similarly, in Podchasov, the Court limits its analysis to the legality of the data retention and access scheme without considering whether such a broad scheme could inherently violate Article 8 (right to privacy). While Podchasov recognizes that bulk data retention constitutes a serious interference, affecting "all users of Internet communications, even in the absence of reasonable suspicion" (Para 70), it fails to take the next step and conclude that such a significant infringement cannot be justified.
Decryption Order
Section 10.1(4.1) of the Russian Code of Criminal Procedure and the Operational-Search Activities Act requires ICOs to provide, along with the requisite metadata and content data, any information necessary to decrypt communications. The Federal Security Service ordered Telegram to help decrypt communications for six mobile numbers, including the applicant's, by providing data relating to the [encryption] keys. These six users were using the secret chat feature on Telegram, which enables E2EE protection for the messages. This order was challenged by Telegram, the applicant, and others.
At the outset, before beginning its analysis, the Strasbourg Court explains the important role played by encryption in the Internet age:
In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression (see paragraphs 28 and 34 above). Encryption, moreover, appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information. This should be given due consideration when assessing measures which may weaken encryption (Para 76).
The Strasbourg Court held that the requirement for ICOs to facilitate the decryption of E2EE-protected communication data was a disproportionate measure (Para 79). Two key facts led the Court to an adverse conclusion. First, the Court highlights that enabling decryption for specific individuals would necessitate creating a backdoor accessible to both law enforcement and malicious actors, noting:
in order to enable decryption of communications protected by end-to-end encryption, such as communications through Telegram's secret chats, it would be necessary to weaken encryption for all users. These measures allegedly cannot be limited to specific individuals and would affect everyone indiscriminately, including individuals who pose no threat to a legitimate government interest. Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users' electronic communications (Para 77).
The Court's observation here is an important win for privacy advocates who have argued over the years that E2EE-protected data cannot be accessed without introducing systemic vulnerabilities, posing risks to users, commercial entities, and national interests alike.
Second, while acknowledging that encryption may pose challenges to criminal investigations, the Court observed, relying on expert submissions, that there are alternative encryption-preserving methods of investigation (Para 78). This is indeed correct. There are alternatives to rolling back E2EE that can contribute to the state's goals in a real and substantial manner: relying on metadata or circumventing encryption, for example, by indirectly hacking. Thus, the Court concludes that:
in the present case the ICOs' statutory obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users; it is accordingly not proportionate to the legitimate aims pursued (Para 79).
A close reading of this conclusion would suggest that, unlike the Court's holding vis-à-vis the data retention provisions, the Court's determination here of the privacy violation is not contingent on the absence of adequate safeguards. Therefore, the Court's holding is that decryption of E2EE data is, in principle, against the right to privacy, regardless of the degree of robustness of safeguards in place. In this context, member states do not possess any acceptable margin of appreciation (Para 80).
Conclusion
Podchasov is a landmark decision that safeguards encryption, which has become a sine qua non for secure and confidential communication in the digital age. The decision offers valuable lessons for other courts where similar issues may arise, given that E2EE has been under threat in multiple countries globally in the last decade. The Court did not afford the state any leeway while examining the decryption provision, considering the severity of potential harm.
While adjudicating on technical or digital measures, the Court must understand the architecture of the technical measure, including its capabilities and limitations. Equally vital is an appreciation of the socio-political and economic context in which these measures are deployed. The Strasbourg Court's verdict demonstrates a commendable grasp of the cryptographic tools at the heart of this case and the gravity of potentially weakening the encryption standard. This is a result of the Court properly engaging with technical expert evidence.
There is a legal challenge to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, pending before the Indian Supreme Court (SC). This law requires significant social media intermediaries to enable the tracing of the first originator of the information, and critics claim this can weaken the E2EE standard. The Podchasov decision would be a valuable precedent for the Indian SC, which has in the past significantly relied upon the jurisprudence of the Strasbourg Court and Luxembourg Court to develop its conception of informational privacy and the principles of data protection.
The Strasbourg Court's ruling may cast a long shadow over future negotiations for the regulation of child sexual abuse material, proposed by the EU Commission in May 2022. The proposal requires the scanning of messages, which could weaken E2EE. This decision may provide greater leverage to representatives from the EU Parliament who oppose scanning and lead to stronger pushback by civil societies and other advocacy groups.
Originally posted here:
Cracking the Code: How Podchasov v. Russia Upholds Encryption and Reshapes Surveillance - EJIL: Talk!