Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

International: ECtHR rules in case regarding the de-encryption of communications services in violation of the ECHR

On February 13, 2024, the European Court of Human Rights (ECtHR) issued its ruling in Podchasov v. Russia (Application no. 33696/19), ruling that the storage of communications data without adequate safeguards against abuse cannot be regarded as necessary in a democracy society.

Background to the case

In particular, ECtHR highlighted that the case concerned a user of Telegram Messenger LLP, but noted that Telegram does not have end-to-end encryption by default and instead uses a custom-built server-client encryption scheme, although it is possible to switch to end-to-end encryption by activating the 'secret chat' feature. In addition, the ECtHR stated that the Russian Federal Security Service (FSB) required Telegram, in July 2017, to disclose technical information that would facilitate the decryption of communications with respect to Telegram users who were suspected of terrorism-related activities. Telegram was required to submit information including IP address and data relating to the encryption keys, but refused to comply, citing that the disclosure was technically impossible without creating a backdoor that would weaken the encryption mechanism of all users.

Regarding the case, the applicant's complaint concerned the statutory requirement under the Information Act and Order No. 432 of July 19, 2016 (the Legislation), which provided for an information communications organizer, namely Telegram in this case, to store all internet communications and related data, and to submit such data to law enforcement authorities at their request together with the information necessary to decrypt electronic messages.

Findings of the ECtHR

The ECtHR found that the broad scope of the Legislation affecting all users of communications networks and the lack of effective means to challenge the alleged application of surveillance measures at the domestic level constituted an interference with a user's private life. Specifically, the ECtHR considered that the legislation affected all users of internet communications, even in the absence of a reasonable suspicion of involvement in criminal activities or activities endangering national security. Regarding the access of law enforcement authorities to such data, the ECtHR found that the legal provisions governing the surveillance did not provide adequate and effective guarantees against arbitrariness and the risk of abuse.

Finally, regarding the de-encryption of communications protected by end-to-end encryption, such measures would affect everyone indiscriminately, including individuals who pose no threat to a legitimate Government interest. Weakening encryption by creating backdoors was found to make it possible to perform routine, general, and indiscriminate surveillance of personal electronic communications.

Outcomes

Accordingly, the ECtHR held that the access to the content of electronic communications, on a generalized basis and without sufficient safeguards, impairs the right to respect for private life, in violation of Article 8 of the European Convention on Human Rights.

You can read the case here.