Data Privacy: 1 Russia: 0
Introduction
End-to-end encryption (EE2E) is a human right. In essence, that paraphrases the recent judgment of the European Court of Human Rights (ECtHR) in Podchasov v. Russia. The case is being discussed as a milestone for online data protection. According to the court, governments cannot force companies to weaken encryption because it would lead to indiscriminate surveillance and a violation of the human right of privacy.
The Facts
In July 2017, the Federal Security Service (FSB), the Russian Federation's main security agency and successor to the KGB, ordered the Telegram Messenger LLP messaging app to provide cryptographic keys to decrypt conversations of users suspected of terrorism-related activities.
Under Russian law, communications providers like Telegram are required to store all communication data (including content) for specified durations (6 months to 1 year), and providers are required to supply law enforcement authorities with user data, including the content of their communications, as well as any information necessary to decrypt user messages.
Telegram refused, arguing that the users were using the “secret chat” feature. Conversations using secret chat are protected by E2EE. Therefore, it was technically impossible to provide the Russian government a copy of the cryptographic keys.
Telegram was fined for refusing to comply with the Russian government’s access request. A Russian District Court in Moscow ordered that the Telegram app be blocked in Russia. The app remains available and is popular among Russian military bloggers.
The case came to the ECtHR from Telegram users who argued that the FSB data request unlawfully infringed on the right to privacy under Article 8 of the European Convention on Human Rights (ECHR).
The Holding
The requirement of blanket, continuous storage of personal, private user data interferes with the right to privacy (Article 8) under the European Convention of Human Rights.
The requirement to decrypt E2EE communications would weaken the encryption mechanism for all users, which is disproportionate to the legitimate counter-terrorism aims pursued.
The Law
Data protection "is of fundamental importance to a person's enjoyment of [their] right to respect for private and family life (see para 62). Moreover, the "confidentiality of communications is an essential element of the right to respect for private life and correspondence.”
A person’s right to privacy may be limited by government only if the following conditions are met
The interference must comply with the law. The law must exist, it must be accessible to the public, and the law must clearly set out how it applies.
Government interference must relate closely to a legitimate interest or aim. Article 8 lists some of these aims, and they include national security, public safety, and crime prevention.
Government interference must be necessary to pursue that legitimate interest. There must be evidence of a "pressing social need" for the interference.
Government interference must be proportionate to pursue the legitimate interest. This requires clear and precise rules about the scope, application, and minimum safeguards to protect against arbitrary interference.
The Court’s Reasoning
Regarding Collection and Storage
Following its reasoning in Roman Zakharov v. Russia, Russia's law failed to satisfy the quality of law standards (permitting arbitrary government action in secret surveillance) and lacked adequate and effective safeguards against misuse.
The court reminded Russia that a law limiting a human right, such as privacy, must carefully balance the use of modern data storage and processing technologies with important private-life interests, like confidential personal communications.
Here, although access to data had to be authorized by a court, law enforcement was not required to show such authorisation to service providers when making requests. Moreover, service providers were obligated to install equipment that provided law enforcement with direct access to data. This made the acquisition system "particularly prone to abuse (see para 72 and 73).”
Regarding Breaking EE2E
To comply with the FSB access order, Telegram would be required to disable or weaken encryption for all users. Why? Because true E2EE deprives Telegram of the cryptographic keys to decrypt user communications (only the recipients have access to the private keys). Therefore, complying with the order would impact all users, even "individuals who pose no threat to a legitimate government interest."
By creating a backdoor to EE2E communications, Telegram would "make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications."
Finally, such backdoors can be "exploited by criminal networks and would seriously compromise the security of all users' electronic communications (see para 77)."
So What?
Justification to resist government requests for user data.
If you operate in the jurisdiction of a ECtHR member state, you now have solid ground to refuse to comply with a government request to disproportionately retain user data and to break encryption.
Client-Side Scanning - Bypassing EE2E.
Even greater scrutiny will be applied to laws that bypass EE2E, such as client-side scanning (CSS). Although the Court’s decision did not address client-side scanning, the reasoning will be used to support government efforts to defeat EE2E.
The EU is currently considering legislation that would permist CSS to thwart the distribution of child sexual abuse material (CSAM). While the justification for such a law is noble, the technical application will likely face stiff resistance from data protection advocates.
Banning Apps
The Electronic Frontier Foundation (EFF) continues to represent Telegram in its case before the ECtHR regarding the issue of blocking the Telegram app in Russia. EFF submits that blocking an entire app infringes upon fundamental rights and is a serious and disproportionate restriction on freedom of expression. The United States (US) Congress may take notes regarding its current effort to ban Tik Tok or force its sale to a non-Chinese entity in the US.
A Lesson for the United States
Remember when the FBI obtained a court order to compel Apple to break the encryption of the iPhone used by the gunman in San Bernardino in 2015? At the time, Tim Cook took a principled stand. As heinous as the crime was, Apple would not break encryption and create a backdoor for law enforcement. Before the case could be heard in court, it became moot because the US Government found an alternate method to unlock the phone.
Today, the US lacks legal certainty regarding the question of breaking encryption. The US also lacks a comprehensive federal privacy law and an explicit right to privacy in the Constitution. In 2016, candidate Donald Trump called for a boycott of Apple because of Tim Cook’s stance.
How do you think this dispute would be resolved today? Would a US court apply legal reasoning that is similar to the ECtHR?
Conclusion
In an enormous win for data protection and human rights, the ECtHR held that the retention and unrestricted government access to digital communication data, coupled with decryption requirements, are not necessary in a democratic society and are, thus, unlawful.
Privacy and human rights: 1. Russian Federation: 0.
If your organization does not yet have a mature data governance, risk, and compliance (GRC) program, a data protection strategy, or a documented approach to cybersecurity, then 1 Global Data Protection Advisors (1GDPA) may be able to help. Consider a free consultation to discuss how 1GDPA can ease your compliance burden when doing business internationally.
Attribution:
ECtHR image by CherryX on Wikimedia Commons, licensed under CC BY-SA 3.0.
Mahdi Assan, End to End Encryption is a Human Right, The Cyber Solicitor, 23 February 2024.
Christopher Schmon, European Court of Human Rights Confirms: Weakening Encryption Violates Fundamental Rights, Electronic Frontier Foundation
Silvia Lorenzo Perez, The European Court of Human Rights Concludes Encryption Backdoor Mandates Violate the Right to Private Life of All Users Online, The Center for Democracy and Technology, 22 February 2024.
