Cracking the Code: How Podchasov v. Russia Upholds Encryption and Reshapes Surveillance

Written by

On February 13, 2024, the European Court of Human Rights (Strasbourg Court) issued its verdict in Podchasov v. Russia. The case involved a statute that (i) established a data retention scheme, and (ii) permitted law enforcement to order the decryption of collected data. The applicant in this case, a Telegram user, challenged an order that required Telegram to decrypt their communications protected by end-to-end encryption (E2EE).

This decision is particularly important because a case involving the weakening of E2EE encryption is uncharted waters for both the Strasbourg Court and the European Court of Justice (Luxembourg Court). This represents a significant victory for privacy advocates as the Strasbourg Court ruled that mandating the decryption of E2EE data constituted a violation of Article 8 of the European Convention of Human Rights – the right to privacy. In this analysis, I will delve into the Strasbourg Court’s decision, examining both its ruling on the data retention scheme and the decryption of E2EE data.

Data Retention Scheme

The case hinged on the contentious Russian Code of Criminal Procedure and the Operational-Search Activities Act. This law demanded that “internet communication organisers” (ICOs) store all communication data (metadata) for one year and the content of communications for six months in Russia.  The ICOs were mandated to provide all metadata and content data collected by them to law enforcement authorities upon request (Section 10.1(3.1)).

The Strasbourg Court noted that the data retention scheme was very broad in nature. It required the retention of all internet content data and metadata for a prolonged period, without any “circumscription of the scope of the measure in terms of territorial or temporal application or categories of persons liable to have their personal data stored (Para 70).” The Court found the retention scheme to be “exceptionally wide-ranging and serious” because:

“It affects all users of Internet communications, even in the absence of reasonable suspicion of involvement in criminal activities or activities endangering national security, or of any other reasons to believe that retention of data may contribute to fighting serious crime or protecting national security (Para 70).”

The Strasbourg Court held that the data retention and access scheme violated the right to privacy, as it did not offer adequate safeguards against abuse, considering the seriousness of the interference. The Court noted that it had previously examined the same statute in the case of Roman Zakharov v. Russia (2015), and the data retention and access scheme were subject to the same procedures and safeguards (Para 74). Therefore, the Court did not carry out its analysis of legality (quality of law) de novo, it found – “no reasons to reach a different conclusion in the present case (Para 75).” The Court concludes that “this legislation permits the public authorities to have access, on a generalised basis and without sufficient safeguards, to the content of electronic communications.” Therefore, “it impairs the very essence of the right to respect for private life (Para 80).” The language in the concluding paragraph and the rationale of the Court, closely aligns with the Luxembourg Court decision in Schrems I (2015), even though it’s not directly referenced here.

Podchasov continues the Strasbourg Court’s trend of focusing on procedural inadequacies rather than substantive issues, a phenomenon termed “procedural fetishism” by Zalnieriute. For example, in the case of Big Brother Watch and Centrum för Rättvisa (2021), the Court highlighted procedural flaws in the bulk surveillance law without explicitly examining whether bulk interception itself is inherently impermissible. These two decisions have normalised mass surveillance/bulk interception within the Strasbourg Court’s jurisprudence. This trend can also be observed in the approach of the Luxembourg Court, exemplified by the verdicts in Privacy International and La Quadrature du Net (2020).

Similarly, in Podchasov, the Court limits its analysis to the legality of the data retention and access scheme without considering whether such a broad scheme could inherently violate Article 8 (right to privacy). While Podchasov recognizes that bulk data retention constitutes a serious interference, affecting “all users of Internet communications, even in the absence of reasonable suspicion.” (Para 70)” However, it fails to take the next step and concludes that such a significant infringement cannot be justified.

Decryption Order

Section 10.1(4.1) of the Russian Code of Criminal Procedure and the Operational-Search Activities Act, requires ICOs to provide, along with the requisite metadata and content data, any information necessary to decrypt communications. The Federal Security Service ordered Telegram to help decrypt communications for six mobile numbers, including the applicant’s, by providing “data relating to the [encryption] keys.” These six users were using the “secret chat” feature on Telegram, which enables E2EE protection for the messages. This order was challenged by Telegram, the applicant, and others.

The Strasbourg Court at the outset, before initiating its analyses, explains the important role played by encryption within the Internet age:

“In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression (see paragraphs 28 and 34 above). Encryption, moreover, appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information. This should be given due consideration when assessing measures which may weaken encryption (Para 76).”

The Strasbourg Court held that the requirement for ICOs to facilitate the decryption of E2EE-protected communication data was a disproportionate measure (Para 79). Two key facts led the Court to an adverse conclusion. Firstly, the Court highlights that enabling decryption for specific individuals would necessitate creating a backdoor, accessible to both law enforcement and malicious actors. Noting:

“in order to enable decryption of communications protected by end-to-end encryption, such as communications through Telegram’s “secret chats”, it would be necessary to weaken encryption for all users. These measures allegedly cannot be limited to specific individuals and would affect everyone indiscriminately, including individuals who pose no threat to a legitimate government interest. Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications (Para 77).”

The Court observation here is an important win for privacy advocates who have argued over the years that E2EE-protected data cannot be accessed without introducing systemic vulnerabilities, posing risks to users, commercial entities, and national interests alike.

Second, while acknowledging that encryption may pose challenges to criminal investigations, the Court observed, relying on expert submissions, that there are alternative encryption-preserving methods of investigation (Para 78). This is indeed correct. There are alternatives to rolling back E2EE that can contribute to the state goals in a ‘real and substantial’ manner—relying on metadata or circumventing encryption, for example, by indirectly hacking. Thus, the Court concludes that:

“in the present case the ICO’s statutory obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users; it is accordingly not proportionate to the legitimate aims pursued (Para 79).”

A close reading of this conclusion would suggest that unlike the Court’s holding vis-à-vis the data retention provisions, the Court’s determination here of the privacy violation is not contingent on the absence of adequate safeguards. Therefore, the Court’s holding is that decryption of E2EE data is, in principle, against the right to privacy, regardless of the degree of robustness of safeguards in place. In this context, member states do not possess “any acceptable margin of appreciation (Para 80).”

Conclusion

Podchasov is a landmark decision, which safeguards encryption, which has become sine qua non for secure and confidential communication in the digital age. The decision offers valuable lessons for other courts where similar issues may arise, given that E2EE has been under threat in multiple countries globally in the last decade. The Court did not afford the state any leeway while examining the decryption provision, considering the severity of potential harm.

While adjudicating on technical or digital measures, the Court must understand the architecture of the technical measure, including its capabilities, and limitations Equally vital is an appreciation of the socio-political and economic context in which these measures are deployed. The Strasbourg Court’s verdict demonstrates a commendable grasp of the cryptographic tools at the heart of this case and the gravity of potentially weakening the encryption standard. This is a result of the Court properly engaging with technical expert evidence.

There is a legal challenge to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, pending before the Indian Supreme Court (SC). This law requires significant social media intermediaries to enable the tracing of the first originator of the information, and critics claim this can weaken the E2EE standard. The Podchasov decision would be a valuable precedent for the Indian SC, which has in the past significantly relied upon the jurisprudence of the Strasbourg Court and Luxembourg Court to develop its conception of informational privacy and the principles of data protection.

The Strasbourg Court’s ruling may cast a long shadow over future negotiations for the regulation of child sexual abuse material, proposed by the EU Commission in May 2022. It requires the scanning of messages that could weaken E2EE. This decision may provide greater leverage to representatives from the EU Parliament who oppose scanning and lead to stronger pushback by civil societies and other advocacy groups.

Print Friendly, PDF & Email

Leave a Comment

Your comment will be revised by the site if needed.

Comments