European Human Rights Court Rules That Encryption Backdoors Are Illegal Under European Law

from the lol-good-luck-EU-encryption-haters dept

Well… this is an unexpected (and fun!) turn of events. The EU Commission has spent most of the last couple of years trying to talk EU members into voting in favor of weakened encryption, if not actual encryption backdoors. You know, for the children.

On the table are things ranging from mandated client-side content scanning to the compelled breaking of encryption whenever law enforcement wants access to communications. These plans — including parallel efforts by the UK government (which is no longer an EU member) — have attracted more opposition than support, but that hasn’t stopped the commission from moving forward with these efforts, even when its own legal counsel has stated these mandates would violate EU laws.

While it’s possible (but extremely unwise) to blow off your own internal legal guidance to get with the encryption breaking, it’s much more difficult to ignore overriding external legal guidance that says what you’re trying to do is blatantly illegal. You can always hire more subservient lawyers if you don’t like what’s being said by the ones you have. But you can’t blow off the European Court of Human Rights quite as easily.

As Thomas Claburn reports for The Register, a long-running case involving (of all things) the Russian government’s attempt to force Telegram to decrypt communications has resulted in a loss that will be felt by all of the EU’s anti-encryption lawmakers.

The European Court of Human Rights (ECHR) has ruled that laws requiring crippled encryption and extensive data retention violate the European Convention on Human Rights – a decision that may derail European data surveillance legislation known as Chat Control.

The court issued a decision on Tuesday stating that “the contested legislation providing for the retention of all internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society.”

Ouch. Good luck pushing anti-encryption mandates when the court has declared them unnecessary in a democratic society. And, somehow, we have the Russian government to thank for this turn of events.

The case dates back to 2017, which is when Russia’s Federal Security Bureau (FSB) tried to force Telegram to engage in compelled decryption of Anton Podchasov’s communications. Podchasov challenged the order in Russia but the Russian court dismissed it. So, Podchasov brought the matter to the ECHR because — prior to its 2022 invasion of Ukraine — Russia was still part of the Council of Europe and (at least theoretically) subject to ECHR rulings.

Well, Russia may have exited the Council with its illegal invasion, but the courtroom challenge was still active. The final ruling — which will have zero effect on how Russia handles compelled decryption — is throwing a considerable wrench into the machinations of anti-encryption legislators in the EU government.

The court concluded that the Russian law requiring Telegram “to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users.” As such, the court considers that requirement disproportionate to legitimate law enforcement goals.

The EU Commission dropped its anti-encryption demands last summer following considerable pushback from EU member governments. But that doesn’t mean those desires aren’t still there, even if they’re dormant at the moment.

But this ruling will make it almost impossible to resurrect most of the EU Commission’s anti-encryption efforts. The court’s ruling makes it clear there’s no legally justifiable reason for breaking end-to-end encryption. And the ancillary stuff — like client-side scanning and extensive logging demands — is far less likely to receive a warm welcome from member states, not to mention EU courts, following this ruling (even though the European Court of Human Rights is not a part of the EU, its judgments cover the EU members as well as the other members of the Council of Europe).

Most of the stuff the EU Commission has been trying to enact over the past few years has been declared illegal. If it wants to do these things, it will have to change several other laws first. And that effort is far less likely to succeed, since changing these laws means breaking the law. You can always write illegal laws. You just can’t enforce them.

So, unless the EU Commission has the power to talk its members into backing its preferred brand of friendly fascism, it will just have to dial back its expectations. Sure, those who think any means can be justified by the ends will throw up their hands in despair and proclaim this is the beginning of a new criminal apocalypse. But for everyone else, this ruling means their communications will remain secure — both from EU government agencies as well as entities far more malicious.

Comments on “European Human Rights Court Rules That Encryption Backdoors Are Illegal Under European Law”

5 Comments
Anonymous Coward says:

But for everyone else, this ruling means their communications will remain secure

Well… no, not yet. Maybe some communications. But more than 27 years after the first “crypto war” ended (1996 in the USA), we’re still dealing with the fallout. TETRA radio was the big news last year, created with weak crypto in the 1990s to appease the US and European governments and never sufficiently strengthened once that became legal. GSM had been found to be weak before that, and downgrade attacks remain a concern with more modern cellular protocols.

Probably dozens of still-viable attacks can be traced back to these pre-1996 encryption policies. Give it another couple decades, at least. But note that the loosening of export controls went much more slowly for non-open-source software—I think they’re not entirely gone even now—and there’s some suspicious business happening with NIST in the Post-Quantum Crypto contest (they’re against “hybrid” algorithms, contrary to most respected cryptographers).
