
European Court of Human Rights bans weakening of secure end-to-end encryption

Quanttek
47 replies
3h41m

For a better understanding: The Court held (in the circumstances of this case) that a legal obligation to decrypt E2E communications is a disproportionate interference with the right to privacy. The law in question specifically obligated messengers such as Telegram to hand over communications alongside the "information necessary to decrypt electronic messages if they were encrypted".

To come to that conclusion, it referred to the wide-scale impact such a weakening of E2E through backdoors would have and referred to "calls for alternative 'solutions to decryption without weakening the protective mechanisms, both in legislation and through continuous technical evolution.'" Looking at the cited material, these include traditional policing, undercover operations, metadata analysis, international police cooperation, live forensics on seized devices, guessing or obtaining private keys held by parties to the communication, using vulnerabilities in the target’s software or sending an implant to targeted devices.

While a ruling on a specific case (and law), the Court seems quite skeptical towards any "requirement that providers of such services weaken the encryption mechanism for all users". If I were the UK government, I would be quite worried that the UK Online Safety Bill will be overturned by domestic courts (or the European Court) on the basis of this ruling.

(It should be noted that, although the backdooring of E2E was considered to go beyond how the right to privacy may legitimately be restricted, the right to privacy is a so-called derogable right, i.e. a government can, upon declaration of a state of emergency, derogate from the right insofar as that is necessary to address an emergency "threatening the life of the nation" (Art 15 ECHR).)

Relevant paragraphs are paras 76-80 here: https://hudoc.echr.coe.int/eng/#{%22itemid%22:[%22001-230854...}

M2Ys4U
26 replies
2h27m

While a ruling on a specific case (and law), the Court seems quite skeptical towards any "requirement that providers of such services weaken the encryption mechanism for all users". If I were the UK government, I would be quite worried that the UK Online Safety Bill will be overturned by domestic courts (or the European Court) on the basis of this ruling.

It's worth noting that UK courts can't overturn Acts of Parliament.

The best they can do is issue a declaration of incompatibility, which enables ministers to use secondary legislation to correct any defect rather than having to go through the process of passing another act (if they have the political will to do so...).

Having said that, a lot of how the Online Safety Act tries to get things done is through secondary legislation and statutory codes and guidelines; these all can be quashed by the courts (unless the Act constrains the way the other instruments are made in such a way that it'd be illegal not to make an infringing instrument) so it'll be interesting to see how that plays out.

seanw444
21 replies
2h6m

It's worth noting that UK courts can't overturn Acts of Parliament.

Interesting. I didn't know this, and as an American, it seems quite odd. Decisions by the parliament are treated as immutable there?

Here, if a bill passed by Congress is deemed unconstitutional, it can be struck down by the Supreme Court.

denton-scratch
8 replies
1h53m

The only constitution that the UK has consists of Acts of Parliament. So I don't know why it should seem odd; the US courts can't strike clauses of the US Constitution, and the UK courts can't strike Acts.

Amusingly, the UK government is currently trying to pass an Act to the effect that black is equivalent to white, i.e. that Rwanda is a safe country to which asylum seekers can be sent. This is analogous to the State of Indiana trying to legislate that the value of Pi shall be 3.2. You can't legislate a fact.

aftbit
3 replies
1h32m

In the US, it's quite hard to change the constitution. It requires agreement from 2/3rds of Congress followed by ratification by the individual legislatures of 3/4ths of the states. Such a thing has not been done since 1992, and not on a politically charged question since 1971.

bluGill
1 replies
1h11m

There is also a convention of the states that can change the constitution. It has been talked about by various groups from time to time, but has never happened.

etothepii
0 replies
15m

Are you sure? Isn't that how the ban on alcohol was lifted?

JumpCrisscross
0 replies
43m

Such a thing has not been done since 1992

We’re a 235-year-old republic. Changing the firmware once every 10 to 15% of the time seems fine.

and not on a politically charged question since 1971

This is a feature. If a question is charged it should be resolved first federally, through the states, and then politically, via the legislature. Only once there is consensus should it be elevated to Constitutional status. That is the only way to get a Constitution Americans believe in with intergenerational force.

light_hue_1
2 replies
1h7m

It's definitely odd! That's not a reason for UK courts not to strike down acts, or more properly, to have judicial review.

Take Canada. Canada has a Supreme Court and no written constitution. The formal divorce between Canada and the UK was not long ago so we inherited the same legal framework (modulo Quebec but it doesn't play a role here). Yet the Canadian Supreme Court can and does strike down federal laws! Actually, provincial courts can too, and then the federal government gets to appeal them to the Supreme Court if it wishes.

Take Israel. There's no written constitution. Just the Basic Laws. They're just laws, they can be amended at any time. Yet, the Supreme Court can and does strike down laws. It's even striking down changes to the Basic Laws. That's part of the current political strife.

There is a worldwide movement for judicial review. Usually, supreme courts start with conservative powers and then grow them. Judicial review is not explicitly called out in the US constitution either. The US Supreme Court had to assert that it can strike down unconstitutional laws. This took about 15 years and some careful wrangling. The particular argument of Marbury v. Madison doesn't apply to the UKSC of course.

But there are already law review articles spelling out other legal theories that could be used to assert that the UKSC has the power to strike down Acts. I suspect the UKSC will follow other supreme courts and free themselves of Parliament in the coming decades.

smnrchrds
0 replies
46m

Canada's constitution has written and unwritten parts. The Constitution Act of 1982 (which includes the Charter of Rights and Freedoms), for example, is a written part of Canada's constitution. Changing the charter would require the procedure for constitutional change, which is rather difficult. It's not something that can be amended like a normal act of the parliament.

denton-scratch
0 replies
21m

or more properly, to have judicial review.

I think that in the UK, judicial review doesn't apply to Acts of Parliament. It applies to administrative decisions, so things like employment tribunals, benefits decisions, medical decisions and so on. Judges aren't supposed to be able to reverse legislation (although, in practice, they can fatally undermine it).

logifail
0 replies
57m

that Rwanda is a safe country to which asylum seekers can be sent

Putting aside whether the UK government's approach is a sensible one (which in my view it isn't) we should be aware that:

"the UNHCR, with financial support from the EU, has transferred refugees from Libya to Rwanda under a scheme called the Emergency Transit Mechanism (ETM) [..] The ETM offers vulnerable refugees, taken into detention by the Libyan authorities, a choice to have their application processed in Rwanda."[0]

"In 2019, the [Rwandan] Government established the Emergency Transit Mechanism (ETM) Centre that hosted 824 refugees evacuated from Libya. Currently, the transit centre hosts 371 evacuees while working on long-term solutions continues. By the end of 2021, 462 refugees had resettled to third countries so far."[1]

So Rwanda was apparently safe enough for the UNHCR to offer to process some refugees there.

[0] https://www.bbc.co.uk/news/uk-politics-67431602

[1] https://www.unhcr.org/uk/countries/rwanda

glitchc
4 replies
1h24m

Yup, that's because the UK doesn't have a constitution.

arethuza
2 replies
47m

It doesn't have a codified constitution in the US sense but it does have a constitution:

https://en.wikipedia.org/wiki/Constitution_of_the_United_Kin...

Edit: I would certainly agree that having a constitution in this form isn't a great idea...

simonh
0 replies
16m

Frankly, the US system isn't exactly a resounding vindication of written constitutions either. Arguably the UK system has displayed considerably greater flexibility. For example the US president is still basically an elected George III.

bemusedthrow75
0 replies
23m

A written constitution doesn't really seem to work out better, though, does it?

dfawcus
0 replies
32m

Well it does, in written bits in various places, and some as precedent.

However it is a bit more complex. England has a constitution (that collection above), Scotland has a different (and somewhat incompatible) constitution.

The incompatibility being where the seat of Sovereignty lies. In Scotland with the people, in England with the Monarch (but wrested away by Parliament).

So when the two countries formed the new state of Great Britain, and dissolved their prior states, they granted it a minimal constitution. However they couldn't grant more than they had, and the Scottish grantors did not hold sovereignty. Hence claiming that UK Parliament is sovereign is to presume that England annexed Scotland.

That continuing incompatibility is (IMO) why we've never had a single written GB/UK constitution, and probably never will. It will require addressing the fact that we're acting as if Scotland was annexed, and to put that in writing will cause its own problems.

dukeyukey
1 replies
23m

Parliament is sovereign. Basically, as long as Parliament says so, it can do what it wants, although it can be slowed down by institutions like the Supreme Court or the royal family. There is no real separation of powers.

Which _sounds_ bad, but the UK has an extremely long history of relative stability compared to basically anywhere else on the planet, so something must be going right.

sorokod
0 replies
11m

This stability presupposes a presence of adults in the room.

bemusedthrow75
1 replies
25m

Decisions by the parliament are treated as immutable there?

Yes, and no.

Parliament is sovereign -- it is the supreme legal authority.

But it cannot bind its successors. So any law parliament creates, any decision can be overturned by a subsequent parliament.

sorokod
0 replies
3m

Is that not similar to how the US constitution is managed? It was amended and later un-amended in the case of prohibition (18th and 21st amendments).

pjc50
0 replies
1h49m

Yeah, I don't think it's quite as simple as commentators are making out, because ECJ rulings have roughly constitutional-level effects in disapplying Acts.

arethuza
0 replies
2h1m

They aren't immutable, but they can only be changed by Parliament:

"the courts cannot overrule its legislation and no Parliament can pass laws that future Parliaments cannot change. Parliamentary sovereignty is the most important part of the UK constitution"

https://www.parliament.uk/about/how/role/sovereignty/

TillE
0 replies
1h35m

Judicial review isn't necessarily an obvious or completely desirable concept. It's not in the US Constitution either, and Marbury v. Madison is still somewhat controversial.

pjc50
1 replies
1h50m

It's worth noting that UK courts can't overturn Acts of Parliament

Eh. I think that grossly understates https://en.wikipedia.org/wiki/R_(Factortame_Ltd)_v_Secretary... ; while it does not remove the law from the books, incompatibility with ECJ rulings does effectively disapply the law.

This is why there's such a fight over the Rwanda bill: https://www.bbc.co.uk/news/uk-politics-68283703 . ECHR is effectively constitutional law in the UK, not an ordinary Act of Parliament. Courts have ruled that deporting people to dangerous countries breaches ECHR. The government is trying to legislate the "fact" that Rwanda is "safe" in order to circumvent that, because they're not quite yet ready to throw out ECHR entirely and haven't had decades to pack the courts.

M2Ys4U
0 replies
1h37m

Well, yes, there's some nuance here. Where there's an Act of Parliament that says courts can dis-apply other Acts of Parliament then the courts can do so.

But the Human Rights Act does not do this, even though it has quasi-constitutional status, and as far as I know now that the European Communities Act has been repealed no Act of Parliament does this.

A better case to cite than Factortame would be R (Jackson) v Attorney General, where the House of Lords (in its judicial function before that was removed to the Supreme Court) entertained the idea that in extremis parliamentary sovereignty was not absolute.

If the government continues its showdown over Rwanda the Supreme Court might be forced to re-visit that idea.

But the law as it is applied right now means that courts cannot overturn acts of Parliament.

chippiewill
0 replies
1h43m

The best isn't necessarily a declaration of incompatibility, that's mostly specific to ECHR.

In general if parliament passes legislation that contradicts earlier legislation that wasn't repealed and it wasn't deliberate then a judge can determine that parliament didn't intend to override that earlier legislation and that the new legislation doesn't apply in a given context.

Parliamentary supremacy exists, but only where parliament takes a deliberate action.

JNRowe
0 replies
1h1m

I wholeheartedly recommend How Parliament Works¹ for people who want a deep dive on these points. It is nowhere near as dry as you'd imagine for a five hundred page book about parliament.

While used copies are super cheap I'd also recommend picking up a current revision. Recent years have seen far more use (or attempts to use) some of the more obscure tools of both houses. The updates include more explanation of those topics, along with descriptions of recent cases before the courts.

¹ https://www.amazon.co.uk/dp/1032015012

iamthirsty
12 replies
3h9m

the UK Online Safety Bill will be overturned by domestic courts (or the European Court) on the basis of this ruling.

The UK wants to leave the ECHR[0], so they might be able to get around it — unfortunately.

[0]: https://www.chathamhouse.org/2023/03/uk-must-not-sleepwalk-l...

stranded22
10 replies
3h4m

The UK DOES NOT WANT TO LEAVE THE ECHR.

Select people in the government want to, not the whole of UK.

zajio1am
3 replies
1h17m

I think it is more correct to use 'UK' (or any other country) just for government and its institutions than for the body of its citizens.

dfawcus
1 replies
27m

A minor quibble. The UK is a 'state', not a 'country'.

It comprises countries: Scotland, England, Wales, and a small chunk of Ireland.

iamthirsty
0 replies
5m

As recognized by the rest of the world, the United Kingdom actually is a country.

Internally may be different, but technically it is a country.

A political union of four member countries — but still recognized as a country.

JoshTriplett
0 replies
1h8m

I think the post you're replying to is rightfully observing that that semantic ambiguity creates harm, by equating the position of a country's government to the position of a country's people. Being more specific and saying "a faction within the UK government wants to..." seems like a better framing for any discussion.

willmadden
1 replies
2h4m

The coverage I heard on the BBC and NPR in the States about Brexit and UK public sentiment was a complete inversion of reality. I'm reluctant to believe anyone telling me what the UK wants.

mobiuscog
0 replies
1h51m

Nobody really knows what public sentiment is in the UK, because nobody is asking. They're all just telling the people what they 'want'.

The sample sizes for any polls are tiny, and the areas/people that are sampled are not comprehensive.

It's fairly likely that the people (or a majority of) want the Tories out, as all sides are suggesting that and it's about the only consensus we see.

Brexit was such a mess of misinformation and rushed voting, on something that the majority of people had no idea 'what' they were really voting for, that it should never have been taken as binding - and it probably wouldn't have been if the remain vote won.

At this point, it's unclear if the UK will start to even recover in the next 5 years, or just keep getting worse.

tailspin2019
1 replies
2h50m

Good clarification.

Personally I just hope we can remove those “select people” from office before they can actually carry out their plan.

ein0p
0 replies
1h2m

You can’t remove the administrative state. It’ll be happy to sustain the illusion of “democracy” for you by throwing a few of its representatives under the bus every now and again, but in the end all of the candidates you get to vote for are 100% acceptable to the administrative state and are anointed by it.

noir_lord
1 replies
3h0m

To tack onto this I don't think most people in the UK understand what the ECHR does and why leaving the EU didn't alter our obligations under the ECHR.

The media carries a lot of responsibility for that but not all of it - nearly every person in the UK carries a little box with access to a huge chunk of the sum total of all human knowledge, they just choose not to use it.

If that sounds elitist or arrogant it's because I've about reached my limit with ignorant people refusing to understand the world is messy and complex.

robertlagrant
0 replies
2h28m

It doesn't sound elitist or arrogant - quite the opposite. It just assumes that people know what's true and what's not up front, and know when the media is telling them the truth. Their little box doesn't only tell them true things.

rsynnott
0 replies
2h19m

The UK leaving the ECHR, at this point, seems incredibly far-fetched; even amongst the Tories it's hardly a consensus position, and they realistically only have a few months of working time left before the next election.

Aachen
5 replies
3h36m

The Court held that a legal obligation to decrypt E2E communications is a disproportionate interference with the right to privacy.

*when no adequate safeguards against abuse are in place

Unfortunately it is not as straightforward as that it's incompatible altogether. Per this ruling, it's only incompatible when there are no good safeguards (they use the word "adequate" in one place and "suitable" in another, neither is very specific about what it means)

Quanttek
3 replies
3h21m

Yes, that is very true. The Court generally does not oppose surveillance measures in general, as long as adequate safeguards are in place. However, I read the relevant paragraphs (paras 76-79) to be quite a strong rejection of any statutory obligation that would effectively require the installation of a backdoor undermining E2EE. The criticism of a lack of adequate safeguards and the risk of abuse is more focused on other aspects of the law.

That also becomes clear in the key paragraph 80: "The Court concludes from the foregoing that the contested legislation providing for the retention of all Internet communications of all users, the security services’ direct access to the data stored _without adequate safeguards against abuse_ and the _requirement to decrypt encrypted communications_, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society"

The Court does not qualify the requirement to decrypt E2EE communications with the same safeguards requirements. That of course does not exclude the possibility of the Court finding that a more narrowly-construed law is not in violation. But the Court clearly signals its skepticism towards any "requirement that providers of such services weaken the encryption mechanism for all users" (para 79).

bondarchuk
2 replies
2h37m

Yes, this was a problem all along with arguments against surveillance (/encryption weakening) based on "it can be abused by bad actors" - it implies that one would be ok with surveillance if it could not be abused by bad actors. While it's tempting to use such arguments (it looks like they had effect in this case at least) it remains necessary to emphasize the true reasons one takes a stand against surveillance e.g. authoritarian overreach or a fundamental right to privacy.

Karellen
1 replies
2h16m

Do you think that phone taps and mail-opening warrants, issued by judges, based on evidence submitted to the court that such warrants are appropriately targeted and based on existing evidence and reasonable suspicion, are intrinsically "authoritarian overreach"?

JoshTriplett
0 replies
1h10m

Not inherently, but they become overreach when they start claiming that they should be able to apply to E2EE protocols.

If you want the data from an E2EE protocol, serve an appropriately targeted and scoped warrant to one of the endpoints. This also provides an opportunity for legal challenge (e.g. for scope overreach).

burkaman
0 replies
2h32m

From paragraph 64:

For a detailed description of safeguards that should be set out in law for it to meet the “quality of law” requirements and to ensure that secret surveillance measures are applied only when “necessary in a democratic society”, see Roman Zakharov, §§ 231-34, and Big Brother Watch and Others, §§ 335-39

I am not a lawyer and not motivated enough to go read those decisions, but if anyone is curious that is probably the place to start to figure out what might count as "adequate safeguards".

martingxx
0 replies
1h13m

The UK government almost seem to be deliberately passing multiple pieces of legislation that they know will be overturned due to ECHR, because they believe such rulings would strengthen their argument for withdrawing from the convention.

eastbound
24 replies
4h1m

Is there an exception for emergency purposes?

mratsim
11 replies
3h59m

When there is an emergency to break into a house, the police need to get a mandate from a judge.

vdaea
5 replies
3h52m

That's not true at least in Spain. There's "In flagrante delicto" which means if the police suspect something going on they can kick your door down.

It was used many times during the pandemic: when they suspected you were having too many people over at home, they acted. Unconstitutionally, mind you.

The EU is not the utopia many think it is.

martimarkov
3 replies
3h43m

You’d need to define “unconstitutionally” as it seems if they have the right then it is constitutional

vdaea
2 replies
2h14m

The constitutional court of Spain ruled the state of alarm (a kind of state of emergency) that was used to prohibit gatherings during the pandemic was unconstitutional. But by then the damage was done of course.

denton-scratch
1 replies
1h27m

The constitutional court of Spain is an ultra-rightwing joke. Imprisoning Catalan nationalist politicians for calling for independence brought that court into disrepute.

I'm not keen on written constitutions, or constitutional courts <cough US Supremes>.

vdaea
0 replies
1m

Errr, that's not exactly what they did, as well as you know :-)

In any case I hope we can agree that it's good that they said that restricting our constitutional right to free movement was illegal, even if it had no consequences for those who violated our basic rights so blatantly.

hkt
0 replies
3h29m

People think the EU is a utopia? I just think it is the best of a bad bunch

gjsman-1000
2 replies
3h58m

Well, there is actually an exception to that too - the Police can break into any home, without a warrant, in the US, if they can prove they had reasonable cause to believe that there was imminent and immediate threat of bodily harm or death.

If you are a police officer and see a guy clearly pointing a gun at someone else through the window, yes, you can break in if the circumstances warrant that.

JoshTriplett
0 replies
1h1m

The flip side of that is that if the police enter on that basis, any evidence they come across in the course of that action is going to be tainted and potentially thrown out of court, especially if that evidence wasn't in plain sight.

05
0 replies
3h55m

Or if you receive an anonymous call from a swatter..

rtkwe
0 replies
3h56m

Depends on where you are. In the US there's the Exigent Circumstances exception to the warrant requirement. Not sure if the same theory has been included in EU countries but I would be surprised if it hadn't, a quick search didn't turn up much English language about it.

https://www.ce9.uscourts.gov/jury-instructions/node/155

asmor
0 replies
3h57m

No, they don't. Many countries have the concept of "imminent danger", which allows police to skip the warrants. It's called "Gefahr im Verzug" in Germany, for instance.

nottorp
6 replies
3h58m

If it's done right, it can't be subverted in case of "emergency" can it?

If it's full of bugs, it simply doesn't matter.

AJ007
5 replies
3h52m

The "e2e" concept that most are familiar with is basically fake: the provider is responsible for the client that does the encryption and decryption. Of course they can break it if forced. Software exploits are a separate matter and also easier to deal with when the end user isn't truly in control of the encryption (or easier if they don't know what they are doing.)

gjsman-1000
3 replies
3h51m

If the client is properly developed and secured, they cannot break it without shipping an update to that client to change its behavior - which then affects everyone.

guappa
2 replies
2h52m

I'm quite sure they can use the app store to push a targeted update just to some.

px43
0 replies
1h28m

Yes, an operating system that uses a compromised software supply chain is at risk of compromise, but that really has nothing to do with e2ee.

hot_gril
0 replies
30m

No need, push an update to all that only affects certain users. But if anyone ever de-obfuscates that, your reputation is gone.

hot_gril
0 replies
14m

It's more fake because you download the app, look up your friend's number "1-555-333-2222", and your client trusts their server to actually return your friend instead of a MITM. Some asterisks there, but basically it's far from trustless.

steelframe
0 replies
3h0m

Is there an exception for emergency purposes?

The problem is when the "emergency" is "the citizen may be engaged in political activities that are against the interests of the ruling party."

priprimer
0 replies
3h51m

there’s only an opposing secret court mandating the opposite: publicly available encryption must be weakened on release

meindnoch
0 replies
2h39m

Yes, in case of an emergency you can ask God to give you the prime factorization of 4096-bit numbers.

layer8
0 replies
3h13m

Exceptional circumstances can warrant exceptional measures, but also require exceptional justification, for example by means of a juridical decision for the individual case (i.e., a judge issuing a warrant allowing the police to install and use a backdoor on a concrete individual).

Quanttek
0 replies
3h29m

I think that depends on what you mean: a general state of emergency or a specific situation where the police deem there to be an emergency (e.g. classic hidden bomb scenario)

Regarding (2), the Court found a statutory obligation to decrypt E2E-encrypted data upon (judicial) request to be disproportionate, but it could still be imagined that – if more narrowly construed – a law could be considered to be proportionate. But the Court does seem quite unwilling to entertain the idea of backdoors for E2E encryption.

Regarding (1), the European Convention on Human Rights (ECHR) allows so-called derogations from certain rights in "time of war or other public emergency threatening the life of the nation" (Art 15 ECHR), insofar as they are necessary and the state of emergency has been properly declared. The right to privacy is such a right, so a State that faces an insurgency may declare a state of emergency and, as part of its emergency measures, could probably demand the decryption of E2E communications if it's necessary to fight the insurgency (e.g. it's a guerilla group using an E2E messenger) - but hard to judge in the abstract.

rrrrrrrrrrrryan
12 replies
2h26m

Man, Europe is really setting an example lately for how it's possible to roll out sensible technology regulations.

Georgelemental
7 replies
1h37m

Now if they could only do a good job developing the technology itself…

IlikeMadison
3 replies
1h6m

they already do

pb7
2 replies
1h0m

Do they? Examples?

amarant
1 replies
20m

Spotify, King, DICE and Mojang are some commercial software successes. All from Sweden.

If you don't think the entertainment industry counts for much, I might remind you Linux was originally made in Finland. (Linus Torvalds is half Swede half Finn iirc)

That's just from the top of my head.

ganieldackle
0 replies
3m

Spotify was made up of 75% US employees since the moment it validated its value.

DICE is a failed studio. Battlefield 2042 was one of the worst AAA video game launches of all time (with Cyberpunk 2077 by Polish studio CD Projekt Red being another) after a rocky Battlefield V launch and there is no reason to believe they will come back from it.

King makes low quality micro-transaction-riddled games for addicts.

Mojang -- OK.

scotty79
2 replies
1h0m

Why do what everyone can do if you can do the thing only you can do?

ASML

When there's a gold rush, make shovels.

pb7
1 replies
54m

That’s it? One noteworthy company for a population of 440M?

berkes
0 replies
4m

Obviously not. There are tons of large companies, many of which are often misread as American, because they are listed on the Nasdaq or another US exchange.

Many EU companies have far higher revenues than their US counterparts (Airbus, Volkswagen, Alstom), are boring but crucial (Heidelberg, DTE) or not easily recognised (Novo Nordisk, Unilever).

Even in tech, there's a lot of interesting ones: Booking.com, elastic search, takeaway (aka GrubHub), Adyen, for example are all Dutch. There's or was, Spotify, Skype, SoundCloud, Zalando, Mojang, Shazam and so on.

Just be a bit more curious and less preoccupied and you'll see there's plenty going on in Europe. And don't forget that companies can be great and big and multinationals even if they aren't present in the US.

miohtama
3 replies
1h25m

This decision was needed because the EU was about to ban end-to-end encryption. It’s not the EU commission, but a judge that ruled. AFAIK Commission can still ignore this.

gpderetta
1 replies
1h9m

They in fact cannot.

moffkalast
0 replies
11m

Ursula on suicide watch.

ko27
0 replies
23m

You have it the other way around. Majority of EU member countries wanted to ban E2E, but the EU institutions prevented that.

Aachen
10 replies
3h55m

I am a bit confused. The article seems fairly political, quoting some promotional text by the pirate party and not describing what case was brought in front of a judge and what the ruling bans specifically, so I clicked through to the actual court case linked at the bottom.

It has nothing to do with the pirate party or chatcontrol or any such thing. The court case was one person against the Russian government for fining Telegram when they didn't hand over plain text chat messages, if I'm skimming the initial facts section correctly. The whole article doesn't even contain the word Russia. What is the article reporting on and why does it portray it as being related to the recent chatcontrol legislation?!

Edit: found the decision

80. The Court concludes from the foregoing that the contested legislation providing for the retention of all Internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society.

81. There has accordingly been a violation of Article 8 [privacy] of the Convention [of human rights]

Sounds like you can indeed extend that to any other encryption-circumventing law, like chatcontrol, but without considering the specific circumstances that were present in this Russian law, I'm not sure that it will be accurate. Note, for example, the wording in paragraph 80 "without adequate safeguards against abuse". Maybe chatcontrol had those, if that had been brought in front of the same judges

tokai
9 replies
3h48m

It's a judgement that will provide precedence. A Pirate Party member of the European Parliament comments because it's a core issue to the party. Why would there be anything about the Pirate Party in the ruling?

Aachen
4 replies
3h41m

Why would you include "We Pirates will now fight even harder for our digital privacy of correspondence!" (and then continuing to link their website as a source of truth on the matter) in a non-promotional piece? This is an advertisement, not a news article

One which I agree with, to be clear. I'm not opposed to the pirate party's views on digital matters. This party's goals/narrative just has no place in a piece about a court case

tokai
1 replies
3h38m

I'm not arguing that with you. You misunderstood what was going on here, edited your comments many times, and now you want to discuss the article linked instead of the actual news (the judgement). Calm down.

Aachen
0 replies
3h32m

I edited in more info as I found it, trying to be helpful for what's currently the top comment. Sorry if that's not okay

rmbyrro
0 replies
16m

C'mon, let's let people write passionately about issues they hold in their hearts.

I can totally understand why they're so passionate about this topic in particular. We don't have much left of democracy in the world. If electronic privacy is destroyed like some EU leaders want, there will be close to nothing left.

chefandy
0 replies
3h28m

There’s a disclaimer at the bottom of the article that says they publish articles from a variety of sources, and that the viewpoints expressed aren’t necessarily their own, etc. Considering that it does seem to have an angle, the byline says it’s from their own unnamed correspondent, it’s not called an opinion piece, and there’s no link to the original, I’m guessing their slightly unpredictable correspondent’s surname is GPT.

krastanov
3 replies
3h36m

I thought precedents only matter in the US "common law" framework, but most of the EU is following the "civil law" framework where precedents do not matter. Does this precedent really matter?

tokai
0 replies
3h34m

Precedence is still a thing. Just less mechanically than in the US.

This might be interesting: https://opensiuc.lib.siu.edu/cgi/viewcontent.cgi?article=101...

sofixa
0 replies
2h35m

It's funny seeing "common law" referred as a US thing when it's literally been in use in the UK for centuries before the US was a thing, and that's where the US inherited it from.

And precedent has its place in civil law countries too, mostly around clarifying existing legislation in case of ambiguity, but it isn't an automatic ironclad thing.

cycomanic
0 replies
2h47m

While precedence is not the same thing in civil law as in common law, this is essentially a ruling by the highest European court on the interpretation of a law and its conflict with human rights. These rulings are typically on the matter of principle, so it does effectively "bind" lower courts and because of this the court is very unlikely to take on another case on the same "conflict" (at least before the law has been changed).

max_
8 replies
3h13m

Europe has done something that I actually love.

I was worried the "let's think of the children" narrative would take over.

The value of encryption has a future in Europe at least.

guappa
7 replies
2h54m

Despite the name, it's not the eu :D

max_
6 replies
2h50m

I was assuming it had jurisdiction over the EU?

What is the actual real world impact of this?

Deukhoofd
3 replies
2h37m

It's a part of the Council of Europe, which includes all European countries besides Russia and Belarus (who got kicked out last year). It has no real enforcement powers for its judgements, though most countries do adopt most of its judgements, and it has pushed human rights in Europe forward a lot.

While the EU could potentially just ignore the statement, there's a good chance they won't, especially as the European Parliament already tends to be against weakening encryption.

tpm
2 replies
2h28m

EU can't ignore it - while the ECHR is separate from the EU, the EU itself is legally bound to follow the ECHR rulings.

M2Ys4U
0 replies
1h21m

the EU itself is legally bound to follow the ECHR rulings

You'd think so, but it actually isn't. All of the EU's member states are, but the EU and its institutions aren't.

The EU is legally bound to join the Council of Europe (and thus come under the jurisdiction of the ECHR), except the EU's Court of Justice threw a spanner in the works quite a while ago and this is on hold, pretty much indefinitely.

The conflict is that the CJEU is supposed to be the authoritative interpreter of EU law, but if the EU joins the CoE then the ECHR could also rule on matters of EU law, potentially binding the CJEU, and it doesn't like that very much.

Deukhoofd
0 replies
2h11m

ECtHR rulings have been ignored in the past by members. Italy for example currently has over 2000 verdicts unimplemented. The ECtHR orders a country to implement changes to improve the situation, but does not set a deadline, so members could just ignore it.

yreg
0 replies
2h41m

The European Court of Human Rights enforces the European Convention on Human Rights.

Its jurisdiction is recognised by the 46 member states of Council of Europe (which includes all of the 27 EU members) + Kosovo.

rsynnott
0 replies
2h18m

The EU requires EU members to be subject to the ECHR, but it is a separate body and various non-EU countries are subject to it (though, particularly outside the EU, compliance varies).

gjsman-1000
6 replies
3h55m

Reminder that the European Court of Human Rights, although very powerful and influential, does not have the authority to force anyone to abide by their rulings.

Also, here's a better article: https://fortune.com/2024/02/13/end-to-end-encryption-russia-...

hkt
2 replies
3h31m

Not so. The UK, for instance, appears to treat these rulings as binding. This is why the UK conservatives want to scrap the Human Rights Act and replace it with a supposedly identical Bill of Rights, the key difference being a presumption that the UK's supreme court would cease to defer to the convention court.

A couple of examples relating to this that come to mind:

* Deporting refugees to Rwanda was stopped by an injunction from the ECHR
* Depriving prisoners of votes was ruled illegal in 2005 or so

There are a few others but these two come to mind.

My understanding is that although the treaties (plural?) of the CoE and ECHR don't assume judgements are binding, a number of countries made them binding in their legal systems via domestic legal instruments.

shaoonb
1 replies
3h0m

I believe both your examples are ones where the UK did not follow the decision of the ECHR.

blackshaw
0 replies
1h0m

The Rwanda ECHR injunction was followed, which is one reason why no migrants have yet been sent to Rwanda despite nearly two years of harsh rhetoric.

sampo
0 replies
3h41m

Also, despite its name and despite its location in Strasbourg, European Court of Human Rights is not an EU institution.

https://en.wikipedia.org/wiki/European_Court_of_Human_Rights...

Quanttek
0 replies
3h35m

Slightly misleading: The Court's judgments are legally binding upon the State members of the Council of Europe. However, it is true that there is no armed enforcement mechanism – something that most domestic courts lack too – and instead decisions are enforced and monitored by the Council of Ministers (the equivalent of the UN General Assembly). However, most of its decisions are complied with most of the time by most nations (save for Russia and Turkey), frequently because domestic courts will abide by the Court's rulings to overturn laws through their own decisions.

Georgelemental
0 replies
1h28m

For example, Azerbaijan (a brutal and militarily aggressive dictatorship) is a member

HenryBemis
6 replies
3h51m

The article is semi-garbage (politics aside it is a badly written/biased article).

Better read the decision.

https://hudoc.echr.coe.int/eng/#{%22itemid%22:[%22001-230854...}

CASE OF PODCHASOV v. RUSSIA

(Application no. 33696/19)

ryukoposting
1 replies
3h44m

Relevant English text from the Court's press release:

The applicant, Anton Valeryevich Podchasov, is a Russian national who was born in 1981 and lives in Barnaul (Russia).

Mr Podchasov was a user of Telegram, a messaging application which was listed as an “Internet communications organiser” (организатор распространения информации в сети Интернет) by the Russian State. It was therefore obliged by law to store all communications data for a duration of one year and the contents of all communications for a duration of six months and to submit those data to law-enforcement authorities or security services in circumstances specified by law, together with information necessary to decrypt electronic messages if they were encrypted.

Relying on Article 8 (right to respect for correspondence) and Article 13 (right to an effective remedy) of the Convention, Mr Podchasov complains of the legal requirements to store, pass on and decrypt data, and that he did not have an effective remedy for this complaint.

Violation of Article 8

Just satisfaction: The finding of a violation constitutes in itself sufficient just satisfaction for any non-pecuniary damage sustained by the applicant

Source: (this is broken) https://hudoc.echr.coe.int/eng-press/#{%22fulltext%22:[%2233...}

Edit: Yuck, this website makes it impossible to permalink anything. What a horrible idea for an organization that's supposed to make very important decisions that people need to reference.

Quanttek
0 replies
3h40m

Click on "details" and you can permalink

roenxi
0 replies
3h45m

In defence of the article - it linked the decision. That means it is automatically in something close to the top 20% of articles about political topics.

And the actual decision is quite readable; on a quick skim it seemed to agree with what the article said.

dns_snek
0 replies
3h45m

HN markup seems to be breaking the link, here's an alternative one: https://hudoc.echr.coe.int/eng/?i=001-230854

Quanttek
0 replies
3h20m

Relevant paras:

(γ) Statutory requirement to decrypt communications

76. Lastly, as regards the requirement to submit to the security services information necessary to decrypt electronic communications if they are encrypted, the Court observes that international bodies have argued that encryption provides strong technical safeguards against unlawful access to the content of communications and has therefore been widely used as a means of protecting the right to respect for private life and for the privacy of correspondence online. In the digital age, technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression (see paragraphs 28 and 34 above). Encryption, moreover, appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information. This should be given due consideration when assessing measures which may weaken encryption.

77. As noted above (see paragraph 57 above), it appears that in order to enable decryption of communications protected by end-to-end encryption, such as communications through Telegram’s “secret chats”, it would be necessary to weaken encryption for all users. These measures allegedly cannot be limited to specific individuals and would affect everyone indiscriminately, including individuals who pose no threat to a legitimate government interest. Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications. The Court takes note of the dangers of restricting encryption described by many experts in the field (see, in particular, paragraphs 28 and 34 above).

78. The Court accepts that encryption can also be used by criminals, which may complicate criminal investigations (see Yüksel Yalçınkaya v. Türkiye [GC], no. 15669/20, § 312, 26 September 2023). However, it takes note in this connection of the calls for alternative “solutions to decryption without weakening the protective mechanisms, both in legislation and through continuous technical evolution” (see, on the possibilities of alternative methods of investigation, the Joint Statement by Europol and the European Union Agency for Cybersecurity, cited in paragraph 33 above, and paragraph 24 of the Report on the right to privacy in the digital age by the Office of the United Nations High Commissioner for Human Rights, cited in paragraph 28 above; see also the explanation by third-party interveners in paragraph 47 above).

79. The Court concludes that in the present case the ICO’s statutory obligation to decrypt end-to-end encrypted communications risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users; it is accordingly not proportionate to the legitimate aims pursued.

(δ) Conclusion

80. The Court concludes from the foregoing that the contested legislation providing for the retention of all Internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society. In so far as this legislation permits the public authorities to have access, on a generalised basis and without sufficient safeguards, to the content of electronic communications, it impairs the very essence of the right to respect for private life under Article 8 of the Convention. The respondent State has therefore overstepped any acceptable margin of appreciation in this regard.

81. There has accordingly been a violation of Article 8 of the Convention.

1f60c
0 replies
3h43m

  FOR THESE REASONS, THE COURT
  
  Holds, unanimously, that it has jurisdiction to deal with the applicant’s complaints in so far as they relate to facts that took place before 16 September 2022;
  Declares, unanimously, the complaint concerning the alleged violation of the right to respect for private life and correspondence admissible;
  Holds, unanimously, that there has been a violation of Article 8 of the Convention;
  Holds, by five votes to two, that there is no need to examine the complaint under Article 13 of the Convention;
  Holds, by six votes to one, that the finding of a violation constitutes in itself sufficient just satisfaction for any non-pecuniary damage sustained by the applicant;
  Dismisses, by six votes to one, the applicant’s claim for just satisfaction.
  
  Done in English, and notified in writing on 13 February 2024, pursuant to Rule 77 §§ 2 and 3 of the Rules of Court.

sackfield
4 replies
3h9m

It's nice to know this also applies to the UK even after Brexit (still a member of the ECHR).

Georgelemental
1 replies
1h38m

Azerbaijan is in the ECHR too; doesn't stop them from imprisoning political dissidents, employing slave labor, committing war crimes, attacking other ECHR members, or performing ethnic cleansing.

gpderetta
0 replies
1h10m

Well yes, generally the ECHR has no powers to compel compliance.

But ECHR rulings are binding on EU members (and the various organs of the EU including the ECJ have ways to enforce them).

ECHR are also still binding in the UK because legislation that says otherwise hasn't been passed yet.

jacobp100
0 replies
2h2m

Oh sweet summer child

TheFuzzball
0 replies
1h2m

The Tories have been talking about leaving the ECHR for years now.

yxhuvud
1 replies
3h27m

Nice. I can imagine certain ISPs (that I will not shame by name) won't be very happy right now. This really throws a wrench in some proxy models.

Good riddance.

KoolKat23
0 replies
2h2m

Please do name and shame. This would benefit everyone.

kypro
1 replies
3h15m

I realise the article contains the same typo, but the title is bugging me – it needs a space between "end" and "encryption". "Endencryption" is not a word.

@dang ?

yusml
0 replies
1h42m

Yeah, it's bugging me as well. haha.

denton-scratch
1 replies
1h46m

The judgement cites using vulnerabilities in the target’s software or sending an implant to targeted devices as examples [of legitimate ways to defeat E2E encryption].

That looks like a bad judgement, to me; exploiting vulnerabilities, or using implants, is generally some kind of criminal hacking. So the court seems to be saying that's not OK, unless you're a government. I.e., governments don't have to obey the law.

There are quite a few EU governments that would prefer not to have to comply with the law. Every EU government gets to plant a judge on the ECHR bench.

denton-scratch
0 replies
29m

Every EU government gets to plant a judge on the ECHR bench.

Every EU Council member?

Not sure why I was downvoted, because the downvoters didn't care to comment.

Macha
1 replies
3h56m

Honestly, after so many things turning into "they'll just come back and try again in two years", it's a little reassuring to see some longer term roadblocks being put in place against these anti-E2EE proposals.

p0w3n3d
0 replies
1h19m

yeah, preferably through the Agricultural and Fisheries Commission or a similar body

nadermx
0 replies
19m

They also ruled a while ago on site blocking, which has at least been tested in the Mexican supreme court[0]

translated via google "As the United Nations Human Rights Council has stated, blocking an Internet page implies any measure taken to prevent certain online content from reaching an end user. In this regard, it must be taken into account that restrictions on the human right of freedom of expression should not be excessively broad, on the contrary, they should refer to specific content; Hence, generic prohibitions on the operation of certain websites and web systems, such as blocking, are incompatible with the human right of freedom of expression, except in truly exceptional situations, which could arise when the contents of an Internet page are translate into prohibited expressions, that is, classified as crimes in accordance with international criminal law, among which the following stand out: (I) incitement to terrorism; (II) the advocacy of national, racial or religious hatred that constitutes incitement to discrimination, hostility or violence - dissemination of "hate speech" on the Internet; (III) direct and public incitement to commit genocide; and (IV) child pornography. Likewise, the exceptional situation regarding the prohibition of generic restrictions on the right of expression could also be generated when the entire contents of a web page are illegal, which logically could lead to its blocking, as it is limited only to hosting expressions that are not permissible by law. the legal framework."

[0] https://vlex.com.mx/vid/tesis-aisladas-683012725

lacoolj
0 replies
1h24m

this is a HUGE win and could very much help set precedent across the globe (looking at our congress specifically, USA). Still more hurdles to jump over but a great step in the right direction

duxup
0 replies
3h49m

This article doesn’t actually contain any information that backs up the title, or if the title is true at all.

There’s a quote from some party member who doesn’t seem directly involved, and almost no information about the actual case / ruling.

LightBug1
0 replies
3h11m

Excellent news.

The European Court of Human Rights ... the court our idiotic UK government are trying to paint with the same brush they painted the EU.

Georgelemental
0 replies
1h30m

A "Court of Human Rights" that counts Azerbaijan as a member is not a court that should be taken seriously.