European Court of Human Rights declares backdoored encryption is illegal

[bnew]

European human rights court says no to weakened encryption

Surprising third-act twist as Russian case means more freedom for all

www.theregister.com

European Court of Human Rights declares backdoored encryption is illegal​

Surprising third-act twist as Russian case means more freedom for all​

Thomas Claburn

Thu 15 Feb 2024 // 07:26 UTC

The European Court of Human Rights (ECHR) has ruled that laws requiring crippled encryption and extensive data retention violate the European Convention on Human Rights – a decision that may derail European data surveillance legislation known as Chat Control.

The Court issued a decision on Tuesday stating that "the contested legislation providing for the retention of all internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society."

The "contested legislation" mentioned above refers to a legal challenge that started in 2017 after a demand from Russia's Federal Security Service (FSB) that messaging service Telegram provide technical information to assist the decryption of a user's communication. The plaintiff, Anton Valeryevich Podchasov, challenged the order in Russia but his claim was dismissed.

In 2019, Podchasov brought the matter to the ECHR. Russia joined the Council of Europe – an international human rights organization – in 1996 and was a member until it withdrew in March 2022 following its illegal invasion of Ukraine. Because the 2019 case predates Russia's withdrawal, the ECHR continued to consider the matter.

The Court concluded that the Russian law requiring Telegram "to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users." As such, the Court considers that requirement disproportionate to legitimate law enforcement goals.

• Privacy crusaders accuse X of ad-targeting that flouts EU rules
• German Digital Affairs Committee hearing heaps scorn on Chat Control
• Open Source Policy Summit: Where FOSS and government meet
• Scanning phones to detect child abuse evidence is harmful, 'magical' thinking
  

While the ECHR decision is unlikely to have any effect within Russia, it matters to countries in Europe that are contemplating similar decryption laws – such as Chat Control and the UK government's Online Safety Act.

Chat Control is shorthand for European data surveillance legislation that would require internet service providers to scan digital communications for illegal content – specifically child sexual abuse material and potentially terrorism-related information. Doing so would necessarily entail weakening the encryption that keeps communication private.

Efforts to develop workable rules have been underway for several years and continue to this day, despite widespread condemnation from academics, privacy-oriented orgs, and civil society groups.

Patrick Breyer, a member of the European parliament for the Pirate Party, hailed the ruling for demonstrating that Chat Control is incompatible with EU law.

"With this outstanding landmark judgment, the 'client-side scanning' surveillance on all smartphones proposed by the EU Commission in its chat control bill is clearly illegal," said Breyer.

"It would destroy the protection of everyone instead of investigating suspects. EU governments will now have no choice but to remove the destruction of secure encryption from their position on this proposal – as well as the indiscriminate surveillance of private communications of the entire population!" ®

 

[bnew]

EU cancels vote on child sexual abuse law amid encryption concerns

Countries clash over how to safeguard privacy when rooting out illegal pictures and grooming on private chat apps.

www.politico.eu

EU cancels vote on child sexual abuse law amid encryption concerns​

Countries clash over how to safeguard privacy when rooting out illegal pictures and grooming on private chat apps.

European Commission Vice President Věra Jourová said Thursday the Commission's original proposal meant “that even encrypted messaging can be broken for the better protection of children.” | Ronald Wittek/EFE via EPA

June 20, 2024 12:29 pm CET


By Clothilde Goujard


A vote scheduled today to amend a draft law that may require WhatsApp and Signal to scan people’s pictures and links for potential child sexual abuse material was removed from European Union countries' agenda, according to three EU diplomats.

Ambassadors in the EU Council were scheduled to decide whether to back a joint position on an EU regulation to fight child sexual abuse material (CSAM). But many EU countries including Germany, Austria, Poland, the Netherlands and the Czech Republic were expected to abstain or oppose the law over cybersecurity and privacy concerns.

"In the last hours, it appeared that the required qualified majority would just not be met," said an EU diplomat from the Belgian presidency, which is spearheading negotiations until end June as chair of the EU Council.

The draft law, proposed in 2022, has drawn controversy for potentially forcing messaging apps to scan all images and links to find and report child abuse material and conversations between potential offenders and minors, known as grooming. Privacy groups have cried foul over the law, saying it effectively breaks end-to-end encrypted messaging.

European Commission Vice President Věra Jourová said Thursday the Commission's original proposal meant “that even encrypted messaging can be broken for the better protection of children.”

The Belgian Council presidency has been trying for the last six months to solve a deadlock among EU countries to move negotiations forward to finalize the law.

Some EU heavyweights like Germany and Poland have backed privacy experts' warnings that it threatens privacy. Others like Ireland and Spain have insisted on the need for a strong law to monitor online content amid a spike in child sexual abuse material since the pandemic.

Under the Belgians' plan, obtained by POLITICO earlier, messaging apps would scan pictures and links when users upload them via their services, and users would be informed of this under the terms and conditions. Users who refused the regime would be blocked from sending pictures and links.

Highly secure apps using end-to-end encryption like WhatsApp, Signal and Messenger would also have to respect such measures. The draft proposal however exempted “accounts used by the State for national security purposes."

Once EU countries agree on a joint position, they will still have to negotiate the final version of the law with the European Parliament and European Commission. Parliament has taken a more privacy-friendly stance in its own version of the law adopted in November 2023.