European court favors strong encryption, calling it key to privacy rights

While some American officials continue to attack strong encryption as an enabler of child abuse and other crimes, a key European court has upheld it as fundamental to the basic right to privacy.

The ruling by the European Court of Human Rights has no effect in the United States; only the 46 European countries that signed the European Convention on Human Rights are subject to the court’s jurisdiction.

Still, the decision might ease pressure on U.S.-based social media companies to provide workarounds that law enforcement could use to view encrypted messages. American law enforcement’s efforts to block end-to-end encryption in messaging have faded in recent months as Congress has moved on to other approaches.

But FBI Director Christopher A. Wray has cited encryption as one of law enforcement’s main challenges, telling an audience at Texas A&M University last year that “terrorists, hackers, child predators and more are taking advantage of end-to-end encryption to conceal their communications and illegal activities from us.”

The European court’s Feb. 13 ruling came in a long-running case filed by Telegram users against Russia for requiring “internet communication organisers” to keep all messages sent by users for six months, along with a means to decrypt them.

Although digital rights advocates said they don’t expect Russia, one of the signatories to the human rights convention, to change its laws, they said the United Kingdom, also a signatory, is likely to modify pending legislation that had sought to bring similar pressure on companies there.

“This will have to be taken into account,” said Ioannis Kouvakas, an assistant general counsel at the U.K.-based rights group Privacy International, which intervened in the Telegram case. “It would be the U.K. setting itself up for failure if they think this doesn’t apply.”

Technology companies had expressed worry that the Online Safety Act, which passed in the U.K. Parliament in September, could be used to force them to drop strong encryption or hack their customers. The U.K.’s Office of Communications, known commonly as Ofcom, issued guidelines that exempted end-to-end encrypted services from key requirements.

Yet a proposed bill amending the Investigatory Powers Act, now in the House of Commons, would require tech companies to inform U.K. authorities whenever they are upgrading the security of a service, giving the government the ability to order the companies to hold off on such changes.

Industry and rights groups say that could include shifts to end-to-end encryption, which promises that only the two parties in a conversation can access the content. Over the objection of the FBI and law enforcement in other countries, Meta is rolling out such strong encryption for its Messenger service. Signal and WhatsApp already have it, and most security experts support it.

In the Russian case, the users relied on Telegram’s optional “secret chat” functions, which are also end-to-end encrypted. Telegram had refused to break into chats of a handful of users, telling a Moscow court that it would have to install a back door that would work against everyone. It lost in Russian courts but did not comply, leaving it subject to a ban that has yet to be enforced.

The European court backed the Russian users, finding that law enforcement having such blanket access “impairs the very essence of the right to respect for private life” and therefore would violate Article 8 of the European Convention, which enshrines the right to privacy except when it conflicts with laws established “in the interests of national security, public safety or the economic well-being of the country.”

The court praised end-to-end encryption generally, noting that it “appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information.”

In addition to prior cases, the judges cited work by the U.N. human rights commissioner, who came out strongly against encryption bans in 2022, saying that “the impact of most encryption restrictions on the right to privacy and associated rights are disproportionate, often affecting not only the targeted individuals but the general population.”

High Commissioner Volker Türk said he welcomed the ruling, which he promoted during a recent visit to tech companies in Silicon Valley. Türk told The Washington Post that “encryption is a key enabler of privacy and security online and is essential for safeguarding rights, including the rights to freedom of opinion and expression, freedom of association and peaceful assembly, security, health and nondiscrimination.”

The United Kingdom is far from alone among democracies considering bans or other obstacles to strong encryption. The Nevada attorney general sued Meta last month, seeking a preliminary injunction against its offering end-to-end encrypted Messenger to those under 18. The office argued that in addition to aiding child predators, Meta was violating fair-trade-practices laws by telling users that strong encryption improved their security instead of making it worse.

One idea under consideration by the European Union would let member countries compel tech companies to scan user devices for child sexual abuse material, which hundreds of academic experts have argued undermines the concept of end-to-end encryption by opening up one of those ends to inspection.

Apple initially embraced scanning users’ devices for child sexual abuse images before reversing course under pressure from rights groups and technologists as well as ordinary users.

Even as the fight over encryption continues in Europe, police officials there have talked about overriding end-to-end encryption to collect evidence of crimes other than child sexual abuse — or any crime at all, according to an investigative report by the Balkan Investigative Reporting Network, a consortium of journalists in Southern and Eastern Europe.

“All data is useful and should be passed on to law enforcement, there should be no filtering … because even an innocent image might contain information that could at some point be useful to law enforcement,” an unnamed Europol police official said in 2022 meeting minutes released under a freedom of information request by the consortium.

It remains to be seen what impact the human rights ruling will have on that approach, but it may push the burden back to law enforcement to explain why the many won’t be penalized in pursuit of a few.

“Our position is that the E.U. Institutions negotiating the CSAM proposal are now bound by a clear ban on mandated encryption back doors,” Silvia Lorenzo Perez of the nonprofit rights group Center for Democracy and Technology said by email Monday.

Even so, it will not let tech companies off the hook entirely, said Greg Nojeim, director of the CDT’s Security and Surveillance Project.

“Where it’s going to land, we don’t know yet,” he said. “It depends a lot on how end-to-end services respond to mandates and whether they can persuade regulators that they are taking significant steps to remove child sexual abuse material.”

Correction

An earlier version of this article misidentified the state trying to block end-to-end encryption for minors on Meta’s Messenger. It is Nevada. This story has been corrected.

Joseph Menn