European Human Rights Court Rules That Encryption Backdoors Are Illegal Under European Law
Well... this is an unexpected (and fun!) turn of events. The EU Commission has spent most of the last couple of years trying to talk EU members into voting in favor of weakened encryption, if not actual encryption backdoors. You know, for the children.
On the table are things ranging from mandated client-side content scanning to the compelled breaking of encryption whenever law enforcement wants access to communications. These plans - including parallel efforts by the UK government (which is no longer an EU member) - have attracted more opposition than support, but that hasn't stopped the commission from moving forward with these efforts, even when its own legal counsel has stated these mandates would violate EU laws.
While it's possible (but extremely unwise) to blow off your own internal legal guidance to get with the encryption breaking, it's much more difficult to ignore overriding external legal guidance that says what you're trying to do is blatantly illegal. You can always hire more subservient lawyers if you don't like what's being said by the ones you have. But you can't blow off the European Court of Human Rights quite as easily.
As Thomas Claburn reports for The Register, a long-running case involving (of all things) the Russian government's attempt to force Telegram to decrypt communications has resulted in a loss that will be felt by all of the EU's anti-encryption lawmakers.
The European Court of Human Rights (ECHR) has ruled that laws requiring crippled encryption and extensive data retention violate the European Convention on Human Rights - a decision that may derail European data surveillance legislation known as Chat Control.
The court issued a decision on Tuesday stating that the contested legislation "providing for the retention of all internet communications of all users, the security services' direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society."
Ouch. Good luck pushing anti-encryption mandates when the court has declared them unnecessary in a democratic society. And, somehow, we have the Russian government to thank for this turn of events.
The case dates back to 2017, which is when Russia's Federal Security Service (FSB) tried to force Telegram to engage in compelled decryption of Anton Podchasov's communications. Podchasov challenged the order in Russia but the Russian court dismissed it. So, Podchasov brought the matter to the ECHR because - prior to its 2022 invasion of Ukraine - Russia was still part of the Council of Europe and (at least theoretically) subject to ECHR rulings.
Well, Russia may have exited the Council with its illegal invasion, but the courtroom challenge was still active. The final ruling - which will have zero effect on how Russia handles compelled decryption - is throwing a considerable wrench into the machinations of anti-encryption legislators in the EU government.
The court concluded that the Russian law requiring Telegram to decrypt end-to-end encrypted communications "risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users." As such, the court considers that requirement disproportionate to legitimate law enforcement goals.
The EU Commission dropped its anti-encryption demands last summer following considerable pushback from EU member governments. But that doesn't mean those desires aren't still there, even if they're dormant at the moment.
But this ruling will make it almost impossible to resurrect most of the EU Commission's anti-encryption efforts. The court's ruling makes it clear there's no legally justifiable reason for breaking end-to-end encryption. And the ancillary stuff - like client-side scanning and extensive logging demands - is far less likely to receive a warm welcome from member states, not to mention EU courts, following this ruling (even though the European Court of Human Rights is not part of the EU, its judgments bind EU member states as well as the other members of the Council of Europe).
Most of the stuff the EU Commission has been trying to enact over the past few years has been declared illegal. If it wants to do these things, it will have to change several other laws first. And that effort is far less likely to succeed, since changing these laws means breaking the law. You can always write illegal laws. You just can't enforce them.
So, unless the EU Commission has the power to talk its members into backing its preferred brand of friendly fascism, it will just have to dial back its expectations. Sure, those who think any means can be justified by the ends will throw up their hands in despair and proclaim this is the beginning of a new criminal apocalypse. But for everyone else, this ruling means their communications will remain secure - from EU government agencies as well as from entities far more malicious.