European Court Prohibits Authorities From Ordering Companies to Decrypt User Content

The European Court of Human Rights (ECHR) held that Russian intelligence and enforcement agencies may not compel Telegram, the popular messaging service, to decrypt user data or hand over decryption keys. The court found that such an order by the Russian internal intelligence agency (FSB) is in direct violation of Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, which protects privacy and confidentiality of communications.

Telegram was served with an order by the FSB to turn over the data and encryption keys but refused to do so. It explained that it has no access to the encryption keys because they are managed at the user level, not on its servers. Telegram explained that complying with the FSB’s order would require the company to develop a “back door”. Telegram’s refusal to comply resulted in a fine imposed by a court in Moscow.

One of the Russian residents whose messages were the focus of the FSB petitioned the ECHR. The court’s decision explained that a violation of Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms is permitted where it is “limited to what was necessary in a democratic society”.

Yet the court found that the Russian system “which enables the secret services to access directly the Internet communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse”. According to the court, the Russian rules do “not provide for adequate and effective guarantees against arbitrariness and the risk of abuse”. Therefore, they do not meet the test of limiting the violation of privacy to what is “necessary in a democratic society”.

The court also recognized that “in order to enable decryption of communications protected by end-to-end encryption … it would be necessary to weaken encryption for all users. These measures allegedly cannot be limited to specific individuals and would affect everyone indiscriminately, including individuals who pose no threat to a legitimate government interest”.

The ECHR’s decision is published as CASE OF PODCHASOV v. RUSSIA.