On February 13, 2024, the European Court of Human Rights (ECtHR) issued a landmark ruling in the case of Podchasov v Russia, asserting that the erosion of end-to-end encryption (E2EE) or the establishment of backdoors constitutes a violation of the right to privacy as articulated in Article 8 of the European Convention on Human Rights. This decision heralds a pivotal milestone, embodying a landmark judgment in which an international court has, for the first time, eloquently articulated the paramount significance of E2EE in safeguarding the sanctity of online communications. This ruling constitutes a pivotal victory for privacy rights on a global scale, resonating with the historical context of the 1990s Crypto Wars and contemporary surveillance issues.
Encryption Explained: The Imperative of E2EE
Encryption transforms plain text into an unreadable format, accessible only to the intended recipient, thereby ensuring confidentiality and safeguarding data integrity. David Kaye, the UN Special Rapporteur on Freedom of Opinion and Expression, asserts that encryption is cardinal for upholding fundamental human rights by establishing a ‘zone of privacy’ that fortifies freedom of opinion and expression. Consequently, encryption is protected under various international conventions, including the International Covenant on Civil and Political Rights (ICCPR) (Articles 17 and 19), the Universal Declaration of Human Rights (UDHR) (Articles 12 and 19), and the European Convention on Human Rights (ECHR) (Articles 8 and 10).
Among the myriad forms of encryption, E2EE emerges as particularly distinguished, possessing the remarkable ability to shield data from access by the hosting platform itself. The United Nations has aptly designated E2EE as “the most fundamental building block” of privacy in contemporary messaging applications such as WhatsApp, Instagram, and etc. This singular characteristic renders it technologically infeasible for messaging platforms to acquiesce to law enforcement requests (impossibilium nulla obligatio est), as tracing the originator of even a solitary message would necessitate the dismantling of E2EE for all users on that platform. This technical limitation raises important legal and ethical questions regarding privacy and state intervention.
The interplay between encryption technologies and fundamental rights, particularly the right to freedom of expression as enshrined in Article 10 of the ECHR, constitutes a pivotal domain of scholarly discourse. Both renowned legal scholars and technologists in the field of technology law, such as David Cole and Bruce Schneier, assert that robust encryption is essential not only for the preservation of privacy but also for facilitating the expression of dissenting viewpoints without the looming threat of surveillance or reprisal.
The ruling in Handyside v United Kingdom serves as a foundational precedent that not only underscores the intrinsic importance of freedom of expression under Article 10 of the ECHR, but also provides a compelling basis for arguing the vital role encryption technologies play in safeguarding this right in the digital age.
In Stoll v Switzerland the judgment of Handyside was relied upon, the ECtHR asserted that freedom of speech encompasses ideas that may “offend, shock, or disturb.” This affirmation implicitly underscores the necessity of encryption as a protective mechanism for dissenting voices. In an era increasingly defined by pervasive surveillance and censorship, robust encryption is not merely advantageous but essential. It serves as a vital shield, empowering individuals to express themselves without fear of government or corporate reprisals. The confidentiality afforded by encryption is crucial for fostering an environment conducive to controversial discourse, enriching democratic dialogue, and allowing a plurality of voices to flourish.
Moreover, Handyside was also reiterated in Morice v France and Pentikäinen v Finland where the Court emphasised that freedom of expression is integral to democratic governance and the public interest. This perspective fortifies the argument that secure transmission of information is not merely beneficial but essential for preserving journalistic integrity and facilitating investigative reporting on sensitive issues. In this context, encryption emerges as a crucial safeguard for journalists and whistle-blowers, enabling them to disclose vital information without jeopardising their safety. The argument is unequivocal: without encryption, the very fabric of free expression is at risk, as the fear of surveillance can stifle critical reporting and dissent.
Thus, the legal protections established in these cases extend beyond mere speech to encompass the mechanisms that safeguard it. From the rulings above, one can deduce that technological tools, such as encryption, are not optional but essential for upholding the rights enshrined in Article 10. As digital communication continues to dominate, the intersection of encryption and freedom of expression underscores an urgent imperative: the development of evolving international jurisprudence that not only protects individual rights but also recognises encryption’s indispensable role in fostering an open and vibrant society. Without such protections, we risk undermining the very principles of democracy that these rulings endeavour to uphold.
Understanding Podchasov v Russia
The distinctiveness of E2EE has ushered in a new phase in the ongoing “Privacy vs. National Security” discourse, inciting a legislative movement that demands the dismantling of E2EE on messaging platforms in various countries, including the UK, EU, and USA. Russia has also aligned itself with this trend, through Section 10.1(4.1) of the Russian Information Technology Act, which requires digital communication providers to retain all user data, including content, and to grant law enforcement—specifically the Federal Security Service (FSB)—decryption capabilities for designated periods. Telegram has contested this mandate, asserting that the “decoding of communications” for particular users would effectively create a backdoor, compromising encryption for all 700 million of its monthly active users due to the inherent nature of E2EE.
In the case of Podchasov, the Court evaluated three distinct yet interrelated violations of the applicant’s rights. First, it considered the overarching concern of the indiscriminate retention of personal communication data on a bulk scale. Second, the Court scrutinised the capacity of the FSB to access this data with minimal judicial oversight, which raised significant questions regarding due process. Third, a more specific issue addressed the accessibility of end-to-end encrypted communications, as well as the mandated obligation to disclose decryption keys.
The Oversight of E2EE Protection in Freedom of Opinion: An Opportunity Lost?
This blog post primarily addresses the third issue, specifically the dismantling of E2EE. The Court noted that such dismantling would extend beyond the targeting of specific individuals, affecting all users indiscriminately, regardless of any perceived threats (paras 57, 77). The introduction of backdoors could facilitate pervasive surveillance practices, creating vulnerabilities that may be exploited by malicious actors and fundamentally compromising the overall cybersecurity of electronic communications for all users (paras 65, 77). Furthermore, the Court identified several viable alternatives to the dismantling of E2EE, ultimately concluding that the Russian legislation was disproportionate to the legitimate objectives it sought to achieve (paras 78, 79).
While scholars have critiqued the judgment for its alleged “procedural fetishism,” an overlooked consideration is the Court’s exclusive reliance on the right to privacy (Article 8, ECHR) to prevent the dismantling of E2EE. This post contends that the Court insufficiently addressed the intricate relationship between E2EE and the freedoms of expression and opinion (Article 10, ECHR). David Kaye has observed that encryption functions as a conduit for privacy, thereby facilitating the exercise of freedom of opinion and expression while protecting against arbitrary and unlawful interference. Recognising the protection of E2EE under the right to freedom of opinion and expression would provide an additional layer of legal protection, given that the threshold for violation differs from that associated with the right to privacy.
The relationship between E2EE and the freedoms of expression and opinion, as protected under Article 10 of the ECHR, merits deeper exploration, especially given the growing importance of digital communication in contemporary society. While the ECtHR has rightly acknowledged the right to privacy in Podchasov as a crucial aspect of safeguarding individuals’ communications, it is essential to emphasise that E2EE serves not merely as a privacy tool, but as a foundational mechanism that underpins the broader exercise of freedom of opinion and expression. By ensuring the confidentiality of messages, E2EE empowers individuals to share their thoughts and ideas without fear of interception or reprisal, thus reinforcing the core principles of a political liberal society.
Considering the contexts where E2EE is indispensable: activists communicating about human rights abuses (Steel and Others v the United Kingdom, & Açık and Others v Turkey) , journalists safeguarding sources (Goodwin v United Kingdom). In each case, E2EE not only protects the content of these communications but also emboldens individuals to articulate their opinions without self-censorship. The chilling effect of potential surveillance is significantly mitigated by the assurance that their conversations remain secure.
Recognising E2EE under Article 10 could enhance legal protections beyond the existing framework established under Article 8, which primarily focuses on privacy. The legal threshold for intervention in cases concerning privacy is often more lenient, as states may justify intrusions on privacy with a range of interests, such as national security or crime prevention. In contrast, restrictions on freedom of expression require a more compelling justification, often demanding that they be “prescribed by law” and “necessary in a democratic society.” It is primarily the responsibility of national authorities, particularly the courts, to interpret domestic law. The role of the Court is limited to determining whether the outcomes of that interpretation align with the Convention, unless such an interpretation is arbitrary or blatantly unreasonable as per Cangi v Turkey.
By framing E2EE as essential to free expression, the legal argument emphasises the necessity of unfettered communication in a democratic context. This aligns with the ECtHR’s established jurisprudence that recognises free expression as a cornerstone of democracy, positioning E2EE within a framework where any restrictions must meet a higher threshold. The rise of digital platforms necessitates a revaluation of traditional legal frameworks to address the complexities of modern communication. Recognising E2EE under Article 10 could foster robust discourse on the implications of encryption for societal participation, prompting lawmakers and courts to consider the broader consequences of dismantling such technologies for both individual privacy and collective public engagement.
Conclusion
Regardless of any criticism, it is irrefutable that Podchasov constitutes a robust assertion against the global dismantling of E2EE. As previously noted, legislative initiatives have emerged worldwide aimed at abolishing E2EE, including the EU’s CSAM Proposal, the UK’s Online Safety Act 2023, Australia’s Assistance and Access Act 2018, and the USA’s EARN IT Act. These proposals have faced considerable opposition, with several already challenged in the courts of their respective jurisdictions. As the first international ruling of its kind, Podchasov holds significant potential to serve as a guiding precedent for domestic courts globally. This landmark decision reinforces the legality of E2EE in protecting fundamental human rights. Importantly, while the ruling emphasises the protection of privacy, it also underscores the essential role that E2EE plays in facilitating free expression.
Recognising E2EE as critical for both privacy and freedom of expression is essential in light of ongoing legislative efforts to undermine these protections. Framing the Podchasov case in this dual context enhances our understanding of its implications, highlighting how the erosion of encryption could jeopardise not just individual privacy, but also the broader democratic discourse necessary for a vibrant society. As we navigate the complexities of digital communication, the affirmation of E2EE stands as a vital safeguard against censorship and state overreach, ultimately enriching our collective engagement in public discourse.
Muhammad Siddique Ali Pirzada, is a Final Year LLB student at Pakistan College of Law (University of London).