Encryption is essential for privacy: European Court of Human Rights ruling

Podchasov vs. Russia: A privacy milestone

On February 13, 2024, the European Court of Human Rights (ECtHR) handed down a decision in the Podchasov vs. Russia case. It states that governments requiring internet communication providers to log personal user data and weaken end-to-end encryption violate fundamental privacy rights, entrenched in Article 8 of the European Convention on Human Rights (ECHR), which declares that “Everyone has the right to respect for his private and family life, his home and his correspondence.”

Nord Security, a leading provider of cybersecurity solutions that values user privacy and data protection, welcomes this judgment and strongly supports the idea that end-to-end ​​​​encryption is crucial to ensure communication and information technology systems’ confidentiality, privacy, and security. That is why we have always prioritized robust encryption protocols throughout our services.

Inside the case

In 2017, the Russian government required Telegram and other internet communication service providers to log and store all user communications and content shared within the platform. It required communication platforms to pass on this information to Russian authorities for law enforcement purposes.

Besides requesting Telegram to store user correspondence, the Russian Federal Security Service (FSB) also demanded Telegram to help decrypt communications of users allegedly related to terrorism and anti-state activities. Telegram refused to provide the authorities with decryption keys explaining that this would compromise the encryption technology and user privacy. As a consequence, Telegram was fined and banned in Russia.

Anton Valeryevich Podchasov, a Russian Telegram user worried about personal privacy and data protection, sued the Russian government over concerns of government intrusion. However, his charges were dismissed. After pursuing every possible legal remedy domestically and achieving no success, Podchasov turned to the ECtHR. He sought to demonstrate that forced decryption and requests for digital communication services to store user correspondence violate the fundamental right to privacy under Article 8 of the ECHR.

The ECtHR agreed, concluding and sending a clear message to the governments everywhere that decrypting private communications and storing user data doesn’t comply with democratic principles. Encryption is a cornerstone of secure communication, allowing individuals to maintain their freedom of expression and privacy.

A closer look at the court’s analysis

After analyzing the request for digital communications services to store user data and provide decryption keys for state authorities, the ECtHR provided the following findings:

• Fundamental right to privacy and limits. The request to store user internet communication data and related information – regardless of whether this data is actually accessed or not – interferes with human rights protected under Article 8. While exceptional situations might allow for this intrusion, they must comply with the law. Russian law, however, allows for indiscriminate secret surveillance and forces providers to break the entire encryption protection mechanism, which does not meet the required standard.
• Encryption safeguards privacy and other rights. The ECtHR acknowledged that encryption protects the right to private life and “contributes to the enjoyment of freedom of expression” (§76), which is especially important for journalists, opposition leaders, or victims of cyber abuse.
• Encryption protects against abuse. Encryption defends individuals “against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information” (§76).
• Breaking encryption invites cybercriminals. The ECtHR acknowledged that weakening encryption creates backdoors that allow for “routine, general and indiscriminate surveillance of personal electronic communications.” (§77) Such backdoors may not only benefit authorities but “may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications.” (§77)

Better and safer future legislation

Currently, many crucial laws impacting encryption are under debate, and this case comes at the right time. It serves as a reminder that the encryption mechanism ensures online privacy and security and is absolutely necessary to safeguard fundamental human rights. All of the member states of the Council of Europe, including the EU Member States and the UK, must comply with the privacy and security principles in Article 8 and follow these standards when developing and implementing future legislation.

Such safety standards should become a matter of course for Europe and the global community. Laws worldwide should prioritize encryption, which safeguards our private digital communications. Authorities need to balance their responsibility to investigate crimes and protect privacy without compromising fundamental security mechanisms. So, any rules that force storing private correspondence, collecting encryption keys, or doing anything that inherently weakens the privacy of internet communication should be rejected at all costs.