Championing Digital Sovereignty – ECtHR’s Ruling in Podchasov v Russia
December 30, 2024 by Editor
Muhammad Siddique Ali Pirzada
By Muhammad Siddique Ali Pirzada
On February 13, 2024, the European Court of Human Rights (ECtHR) issued a landmark ruling in the case of Podchasov v Russia, asserting that the erosion of end-to-end encryption (E2EE), or the establishment of backdoors, constitutes a violation of the right to privacy as articulated in Article 8 of the European Convention on Human Rights. This decision heralds a pivotal milestone, embodying a landmark judgment in which an international court has, for the first time, eloquently articulated the paramount significance of E2EE in safeguarding the sanctity of online communications. This ruling constitutes a victory for privacy rights on a global scale, escalating global discourse on digital surveillance and the safeguarding of personal data.
Notably, UN Special Rapporteur on the Right to Privacy, Joseph Cannataci, has consistently underscored the urgent need for robust safeguards against state encroachment on private communications. This decision thus marks not only a critical affirmation of privacy rights but also a clarion call for the protection of digital autonomy in an era where state-sponsored surveillance is increasingly pervasive. In this context, the ruling resonates with the historical legacy of the 1990s Crypto Wars and contemporary surveillance issues posed by the ever-expanding reach of surveillance technologies. It establishes a legal precedent, shaping future jurisprudence on digital privacy and offering a vital counterbalance to governmental efforts to erode encryption and user confidentiality.
Encryption Explained: The Imperative of E2EE
Encryption transforms plain text into an unreadable format, accessible only to the intended recipient, thereby ensuring confidentiality and safeguarding data integrity. David Kaye, the UN Special Rapporteur on Freedom of Opinion and Expression, asserts that encryption is cardinal for upholding fundamental human rights by establishing a ‘zone of privacy’ that fortifies freedom of opinion and expression. Consequently, encryption is protected under various international conventions, including the International Covenant on Civil and Political Rights (ICCPR) (Articles 17 and 19), the Universal Declaration of Human Rights (UDHR) (Articles 12 and 19), and the European Convention on Human Rights (ECHR) (Articles 8 and 10).
Among the myriad forms of encryption, E2EE emerges as particularly distinguished, possessing the remarkable ability to shield data from access by the hosting platform itself. The United Nations has aptly designated E2EE as “the most fundamental building block” of privacy in contemporary messaging applications such as WhatsApp and Instagram. This singular characteristic renders it technologically infeasible for messaging platforms to acquiesce to law enforcement requests (impossibilium nulla obligatio est), as tracing the originator of even a solitary message would necessitate the dismantling of E2EE for all users on that platform. This technical limitation raises important legal and ethical questions regarding privacy and state intervention.
The interplay between encryption technologies and fundamental rights, particularly the right to freedom of expression as enshrined in Article 10 of the ECHR, constitutes a pivotal domain of scholarly discourse. Both renowned legal scholars and technologists in the field of technology law, such as David Cole and Bruce Schneier, assert that robust encryption is essential not only for the preservation of privacy but also for facilitating the expression of dissenting viewpoints, without the looming threat of surveillance or reprisal.
The ruling in Handyside v United Kingdom serves as a foundational precedent that not only underscores the intrinsic importance of freedom of expression under Article 10 of the ECHR, but also provides a compelling basis for arguing the vital role encryption technologies play in safeguarding this right in the digital age.
Stoll v Switzerland, relying on Handyside and the EctHR, asserted that freedom of speech encompasses ideas that may “offend, shock, or disturb.” This affirmation implicitly underscores the necessity of encryption as a protective mechanism for dissenting voices. In an era increasingly defined by pervasive surveillance and censorship, robust encryption is not merely advantageous but essential. It serves as a vital shield, empowering individuals to express themselves without fear of government or corporate reprisals. The confidentiality afforded by encryption is crucial for fostering an environment conducive to controversial discourse, enriching democratic dialogue, and allowing a plurality of voices to flourish.
Morice v France and Pentikäinen v Finland also reiterated Handyside when the Court emphasized that freedom of expression is integral to democratic governance and the public interest. This perspective fortifies the argument that secure transmission of information is not merely beneficial, but essential for preserving journalistic integrity and facilitating investigative reporting on sensitive issues. In this context, encryption emerges as a crucial safeguard for journalists and whistle-blowers, enabling them to disclose vital information without jeopardizing their safety. Without encryption, the very fabric of free expression is at risk, as the fear of surveillance can stifle critical reporting and dissent.
Thus, the legal protections established in these cases extend to encompass the mechanisms that safeguard speech. From the rulings above, one can deduce that technological tools, such as encryption, are not optional but essential for upholding the rights enshrined in Article 10. As digital communication continues to dominate, the intersection of encryption and freedom of expression underscores an urgent imperative: the development of evolving international jurisprudence that not only protects individual rights, but also recognizes encryption’s indispensable role in fostering an open and vibrant society. Without such protections, we risk undermining the very principles of democracy that these rulings endeavor to uphold.
Understanding Podchasov v Russia
The distinctiveness of E2EE has ushered in a new phase in the ongoing “Privacy vs. National Security” discourse, inciting a legislative movement that demands the dismantling of E2EE on messaging platforms in various countries, including the UK, EU, and U.S. Russia has also aligned itself with this trend, through Section 10.1(4.1) of the Russian Information Technology Act, which requires digital communication providers to retain all user data, including content, and to grant law enforcement—specifically the Federal Security Service (FSB)—decryption capabilities for designated periods. Telegram has contested this mandate, asserting that the “decoding of communications” for particular users would effectively create a backdoor, compromising encryption for all 700 million of its monthly active users due to the inherent nature of E2EE.
In the case of Podchasov, the Court evaluated three distinct yet interrelated violations of the applicant’s rights. First, it considered the overarching concern of the indiscriminate retention of personal communication data on a bulk scale. Second, the Court scrutinized the capacity of the FSB to access this data with minimal judicial oversight, which raised significant questions regarding due process. Third, the court addressed the accessibility of end-to-end encrypted communications, as well as the mandated obligation to disclose decryption keys.
The Oversight of E2EE Protection in Freedom of Opinion: An Opportunity Lost?
This piece primarily addresses the third issue, specifically the dismantling of E2EE. The Court noted that such dismantling would extend beyond the targeting of specific individuals, affecting all users indiscriminately, regardless of any perceived threats (paras 57, 77). The introduction of backdoors could facilitate pervasive surveillance practices, creating vulnerabilities that may be exploited by malicious actors and fundamentally compromising the overall cybersecurity of electronic communications for all users (paras 65, 77). Furthermore, the Court identified several viable alternatives to the dismantling of E2EE, ultimately concluding that the Russian legislation was disproportionate to the legitimate objectives it sought to achieve (paras 78, 79).
While scholars have critiqued the judgment for its alleged “procedural fetishism,” an overlooked consideration is the Court’s exclusive reliance on the right to privacy (Article 8, ECHR) to prevent the dismantling of E2EE. The Court insufficiently addressed the intricate relationship between E2EE and the freedoms of expression and opinion (Article 10, ECHR). David Kaye has observed that encryption functions as a conduit for privacy, thereby facilitating the exercise of freedom of opinion and expression while protecting against arbitrary and unlawful interference. Recognizing the protection of E2EE under the right to freedom of opinion and expression would provide an additional layer of legal protection, given that the threshold for violation differs from that associated with the right to privacy.
The relationship between E2EE and the freedoms of expression and opinion, as protected under Article 10 of the ECHR, merits deeper exploration, especially given the growing importance of digital communication in contemporary society. While the ECtHR has rightly acknowledged the right to privacy in Podchasov as a crucial aspect of safeguarding individuals’ communications, it is essential to emphasize that E2EE serves not merely as a privacy tool, but as a foundational mechanism that underpins the broader exercise of freedom of opinion and expression. By ensuring the confidentiality of messages, E2EE empowers individuals to share their thoughts and ideas without fear of interception or reprisal, thus reinforcing the core principles of a political liberal society. E2EE ensures that digital messages remain confidential and accessible only to the sender and the intended recipient, protecting them from surveillance or unauthorized access. This, in turn, allows individuals to freely express their views, engage in political discourse, and share sensitive ideas without fear of interception or retaliation. The ability to speak, associate, and access information without the fear of being monitored is essential to the exercise of the right to freedom of expression.
Considering the contexts where E2EE is indispensable: activists communicating about human rights abuses (Steel and Others v the United Kingdom, & Açık and Others v Turkey) , journalists safeguarding sources (Goodwin v United Kingdom). In each case, E2EE not only protects the content of these communications but also emboldens individuals to articulate their opinions without self-censorship. The chilling effect of potential surveillance is significantly mitigated by the assurance that their conversations remain secure.
Recognizing end-to-end encryption (E2EE) under Article 10 of the European Convention on Human Rights could significantly enhance legal protections by extending safeguards beyond the privacy-focused framework of Article 8, which traditionally allows for a broader range of state interference. While Article 8 protects the right to privacy, the legal threshold for state intervention in privacy matters is often relatively lenient, with states frequently invoking justifications such as national security or crime prevention to encroach on private communications. In contrast, restrictions on freedom of expression, protected under Article 10, are subject to stricter scrutiny, requiring a more compelling and proportionate justification, typically mandating that any interference be “prescribed by law” and “necessary in a democratic society.”
This distinction could offer a more robust legal defense for E2EE, as any state-imposed interference would have to meet the higher threshold for limiting freedom of expression, as emphasized by the EctHR’s decisions such as Ahmet Yıldırım v. Turkey. In such cases, the Court has made clear that any restrictions on expression, especially in the digital sphere, must be carefully tailored and narrowly construed. As such, while national authorities retain the primary responsibility for interpreting domestic law, the Court’s role remains crucial in ensuring that such interpretations do not stray into arbitrariness or manifestly unreasonable territory, as delineated in Cangi v Turkey.
By framing E2EE as essential to free expression, the legal argument emphasizes the necessity of unfettered communication in a democratic context. This aligns with the ECtHR’s established jurisprudence that recognizes free expression as a cornerstone of democracy, positioning E2EE within a framework where any restrictions must meet a higher threshold. The rise of digital platforms necessitates a reevaluation of traditional legal frameworks to address the complexities of modern communication. Recognizing E2EE under Article 10 could foster robust discourse on the implications of encryption for societal participation, prompting lawmakers and courts to consider the broader consequences of dismantling such technologies for both individual privacy and collective public engagement.
Conclusion
Regardless of any criticism, Podchasov constitutes a robust assertion against the global dismantling of E2EE. As previously noted, legislative initiatives have emerged worldwide aimed at abolishing E2EE, including the EU’s CSAM Proposal, the UK’s Online Safety Act 2023, Australia’s Assistance and Access Act 2018, and the U.S. EARN IT Act. These proposals have faced considerable opposition, with several already challenged in the courts of their respective jurisdictions. As the first international ruling of its kind, Podchasov holds significant potential to serve as a guiding precedent for domestic courts globally. This decision reinforces the legality of E2EE in protecting fundamental human rights. Importantly, while the ruling emphasizes the protection of privacy, it also underscores the essential role that E2EE plays in facilitating free expression.
Recognizing E2EE as critical for both privacy and freedom of expression is essential in light of ongoing legislative efforts to undermine these protections. Framing the Podchasov case in this dual context enhances our understanding of its implications, highlighting how the erosion of encryption could jeopardize not just individual privacy, but also the broader democratic discourse necessary for a vibrant society. As we navigate the complexities of digital communication, the affirmation of E2EE stands as a vital safeguard against censorship and state overreach, ultimately enriching our collective engagement in public discourse.
____________________________________________
Re-published with revisions from original publication.
Muhammad Siddique Ali Pirzada is a final-year LL.B. (Hons.) student at Pakistan College of Law – PCL (University of London) and an alumnus of Repton School Dubai, UAE. He presently serves as the Managing Editor at the Legal Education & Access Portal (LEAP) and President of the PCL Study Circle Society. He has participated as an Oralist in the Philip C. Jessup International Moot Court Competition 2023. He has authored articles in leading publications such as the University of Oxford Politics Blog, Cambridge International Law Journal, Center for International Investment and Commercial Arbitration (CIICA), Cornell Journal of Law & Public Policy, European Studies Review, and South Asia Foresight Network.