CEDHCASELAW;JUDGMENTS;CHAMBER;ENG6Satisfaction
CEDH · CASELAW;JUDGMENTS;CHAMBER;ENG — 13 février 2024
- ECLI
- ECLI:CE:ECHR:2024:0213JUD003369619
- Date
- 13 février 2024
- Publication
- 13 février 2024
droits fondamentauxCEDH
Source : DILA / Judilibre · open data
Mes notes
privées · visibles par vous seulRésumé structuré
version préliminaireFaits
Non déterminable à partir du texte fourni.
Procédure
Non déterminable à partir du texte fourni.
Question juridique
Non déterminable à partir du texte fourni.
Solution
source officielleViolation of Article 8 - Right to respect for private and family life (Article 8-1 - Respect for correspondence;Respect for private life);Non-pecuniary damage - finding of violation sufficient (Article 41 - Non-pecuniary damage;Just satisfaction)
Résumé généré automatiquement — à vérifier avec la décision originale.
Analyse IA non disponible
Générez un résumé intelligent de cette décision
Texte intégral
.s800EAC49 { font-size:12pt } .sFE10DC93 { margin-top:0pt; margin-bottom:0pt; text-align:center } .sBB9EE52A { font-family:Arial } .s5E1364CA { margin-top:0pt; margin-bottom:12pt; text-align:center; page-break-inside:avoid; page-break-after:avoid; font-size:14pt } .sC02E897A { margin-top:42pt; margin-bottom:14pt; text-align:center; page-break-inside:avoid; page-break-after:avoid } .s29100277 { font-family:Arial; font-weight:bold } .s34DFC730 { margin-top:0pt; margin-bottom:0pt; text-align:center; page-break-inside:avoid; page-break-after:avoid } .sA36B60A1 { font-family:Arial; font-style:italic } .s339D85E6 { margin-top:0pt; margin-bottom:14pt; text-align:center; page-break-inside:avoid; page-break-after:avoid } .s59272B2C { margin-top:0pt; margin-bottom:6pt; text-align:center; page-break-inside:avoid; page-break-after:avoid } .s780F5245 { border:0.75pt solid #000000; clear:both } .sE77B86B8 { margin-top:0pt; margin-bottom:0pt; text-align:justify; padding-top:1pt; padding-right:4pt; padding-left:4pt } .sEC28DD31 { margin-top:0pt; margin-bottom:0pt; text-align:justify; padding-right:4pt; padding-left:4pt } .sF9E8C072 { margin-top:0pt; margin-bottom:0pt; text-align:center; padding-right:4pt; padding-left:4pt; padding-bottom:1pt; font-size:10pt } .s6477A72F { margin-top:0pt; margin-bottom:6pt; text-indent:14.2pt; text-align:justify } .s10950C61 { margin-top:0pt; margin-bottom:0pt; text-indent:14.2pt; text-align:justify } .s598389FB { margin-top:0pt; margin-bottom:0pt; text-align:center; font-size:14pt } .sF5E1C6CF { font-family:Arial; font-weight:bold; text-decoration:underline; color:#ff0000 } .sE208486F { font-family:Arial; color:#ff0000 } .s598389F8 { margin-top:0pt; margin-bottom:0pt; text-align:center; font-size:11pt } .s4ACA9207 { page-break-before:always; clear:both; mso-break-type:section-break } .s32563E28 { margin-top:0pt; margin-bottom:0pt } .sA43C3626 { width:28.35pt; font-family:Arial; display:inline-block } .s3AAE10DF { margin-top:14pt; margin-bottom:12pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; font-size:14pt } .s3CA22BA { font-family:Arial; text-transform:uppercase } .s9D48DD53 { margin-top:6pt; margin-left:21.25pt; margin-bottom:6pt; text-indent:7.1pt; text-align:justify; font-size:10pt } .s71220C2D { margin-top:0pt; margin-left:18.45pt; margin-bottom:12pt; text-indent:-18.45pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .s3936C9DD { width:11.78pt; font:7pt 'Times New Roman'; display:inline-block } .sD0A217A5 { margin-top:14pt; margin-left:18.45pt; margin-bottom:12pt; text-indent:-18.45pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .sBB64854C { width:8.45pt; font:7pt 'Times New Roman'; display:inline-block } .s74825D0C { margin-top:6pt; margin-left:35.45pt; margin-bottom:6pt; text-indent:7.1pt; text-align:justify; font-size:10pt } .sE8F2C496 { width:5.11pt; font:7pt 'Times New Roman'; display:inline-block } .s3BF0B6C7 { margin-top:14pt; margin-left:25.5pt; margin-bottom:12pt; text-indent:-17pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .s5BDECA8 { width:5pt; font:7pt 'Times New Roman'; display:inline-block } .s6B38CF35 { margin-top:0pt; margin-left:34pt; margin-bottom:6pt; text-indent:-17pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .s54B12A03 { width:6.99pt; font:7pt 'Times New Roman'; display:inline-block } .sF54F3725 { margin-top:0pt; margin-left:42.55pt; margin-bottom:6pt; text-indent:-17.05pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .sDBC81028 { width:4.83pt; font:7pt 'Times New Roman'; display:inline-block } .s65DDED6B { margin-top:14pt; margin-left:42.55pt; margin-bottom:6pt; text-indent:-17.05pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .s7AE800C3 { width:4.28pt; font:7pt 'Times New Roman'; display:inline-block } .s55F67FD3 { margin-top:0pt; margin-left:51.05pt; margin-bottom:6pt; text-indent:-17.05pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; line-height:113%; font-size:10pt } .s3970C00F { width:8.17pt; font:7pt 'Times New Roman'; display:inline-block } .sCD82236A { margin-top:14pt; margin-left:51.05pt; margin-bottom:6pt; text-indent:-17.05pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; line-height:113%; font-size:10pt } .s320E5A8E { width:5.95pt; font:7pt 'Times New Roman'; display:inline-block } .s7C9EDFAD { margin-top:14pt; margin-left:34pt; margin-bottom:6pt; text-indent:-17pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .sFABD3260 { margin-top:14pt; margin-left:62.35pt; margin-bottom:6pt; text-indent:-19.8pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid; font-size:10pt } .s16F6432D { width:7.9pt; font:7pt 'Times New Roman'; display:inline-block } .sFF8BF293 { width:8.05pt; font:7pt 'Times New Roman'; display:inline-block } .s3CAF9CA4 { width:8.72pt; font:7pt 'Times New Roman'; display:inline-block } .sEB3FA797 { width:8.43pt; font:7pt 'Times New Roman'; display:inline-block } .s1B1D10B4 { margin-top:14pt; margin-left:19.85pt; margin-bottom:12pt; text-indent:-19.85pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .s6F863F49 { width:6.51pt; font:7pt 'Times New Roman'; display:inline-block } .sAAD7ECD0 { width:5.18pt; font:7pt 'Times New Roman'; display:inline-block } .s59947BC4 { margin-top:14pt; margin-left:29.2pt; margin-bottom:12pt; text-indent:-17.6pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .sA07D46BD { width:5.6pt; font:7pt 'Times New Roman'; display:inline-block } .s6B505E72 { margin:0pt; padding-left:0pt } .sD11CFAB7 { margin-top:14pt; margin-left:15.01pt; margin-bottom:3pt; text-align:justify; padding-left:1.99pt; font-family:Arial } .sFBC99493 { font-style:italic } .s2D9C6089 { margin-top:12pt; margin-bottom:12pt; text-indent:14.2pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .s7CB9076 { margin-top:36pt; margin-bottom:0pt; page-break-inside:avoid; page-break-after:avoid } .sC986E16F { font-family:Arial; color:#ffffff } .sB8E58DDC { margin-top:30pt; margin-bottom:0pt; page-break-inside:avoid; page-break-after:avoid } .s4F6F0E53 { width:22.87pt; font-family:Arial; display:inline-block } .s410B2069 { width:122.41pt; font-family:Arial; display:inline-block } .sF993D337 { width:25.88pt; font-family:Arial; display:inline-block } .sF78227B2 { width:156.43pt; font-family:Arial; display:inline-block } .s37CDBE05 { margin-top:0pt; margin-bottom:0pt; page-break-inside:avoid; page-break-after:avoid } .s379BC09C { margin-top:36pt; margin-bottom:0pt; text-align:right } .s1721E4C5 { margin-top:14pt; margin-bottom:12pt; text-align:center; page-break-inside:avoid; page-break-after:avoid; font-size:14pt } .s434D37A9 { margin-top:0pt; margin-bottom:0pt; text-indent:14.2pt; text-align:justify; page-break-inside:avoid; page-break-after:avoid } .fixListIndent { list-style-position: inside }   THIRD SECTION CASE OF PODCHASOV v. RUSSIA (Application no. 33696/19)   JUDGMENT   Art 8 • Private life • Correspondence • Statutory requirement for “Internet communication organisers” to store and retain Internet communications and related communications data, provide law-enforcement authorities or security services access to those data and to decrypt encrypted communications • Legislation at issue providing extremely broad duty of retention and as such rendering the interference exceptionally wide-ranging and serious • Inadequate and insufficient safeguards against abuse relating to law-enforcement authorities’ access to stored Internet communications and related communications data • Statutory obligation to decrypt end-to-end encrypted communications disproportionate • Impugned legislation not “necessary in a democratic society” • Margin of appreciation overstepped   Prepared by the Registry. Does not bind the Court.   STRASBOURG 13 February 2024   FINAL   13/05/2024   This judgment has become final under Article 44 § 2 of the Convention. It may be subject to editorial revision. In the case of Podchasov v. Russia, The European Court of Human Rights (Third Section), sitting as a Chamber composed of:   Pere Pastor Vilanova , President ,   Jolien Schukking,   Yonko Grozev,   Georgios A. Serghides,   Peeter Roosma,   Ioannis Ktistakis,   Oddný Mjöll Arnardóttir , judges , and Olga Chernishova, Deputy Section Registrar, Having regard to: the application (no.   33696/19) against the Russian Federation lodged with the Court under Article 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms (“the Convention”) by a Russian national, Mr Anton Valeryevich Podchasov (“the applicant”), on 18 June 2019; the decision to give notice of the application to the Russian Government (“the Government”); the observations submitted by the Government and the observations in reply submitted by the applicant; the comments submitted by the European Information Society Institute and Privacy International, which were granted leave to intervene by the President of the Section; the decision of the President of the Section to appoint one of the sitting judges of the Court to act as an ad hoc judge, applying by analogy Rule 29 §   2 of the Rules of Court (see, for an explanation of the background, Kutayev v. Russia , no. 17912/15, §§ 5-8, 24 January 2023); Having deliberated in private on 9 January 2024, Delivers the following judgment, which was adopted on that date: INTRODUCTION 1 .     The case concerns the statutory requirement for “Internet communication organisers” to store all communications data for a duration of one year and the contents of all communications for a duration of six months, and to submit those data to law-enforcement authorities or security services in circumstances specified by law, together with information necessary to decrypt electronic messages if they are encrypted. THE FACTS 2.     The applicant was born in 1981 and lives in Barnaul. He was represented by Mr S. Darbinyan, a lawyer practising in Moscow. 3.     The Government were initially represented by Mr A. Fedorov, former Representative of the Russian Federation to the European Court of Human Rights, and later by his successor in that office, Mr M. Vinogradov. 4.     The facts of the case may be summarised as follows. 5 .     The applicant is a user of Telegram, a messaging application which can be used free of charge on various devices,   such as mobile telephones, tablets or computers. This application is used by millions of people in Russia and worldwide. According to its official website, Telegram does not have end ‑ to ‑ end (client-client) encryption by default, but instead uses a custom ‑ built server-client encryption scheme in its default “cloud chats”. It is, however, possible to switch to end-to-end encryption by activating the “secret chat” feature. The official site reads, in particular: “All messages in secret chats use end-to-end encryption. This means only you and the recipient can read those messages – nobody else can decipher them, including us here at Telegram.” 6.     On 28 June 2017 Telegram Messenger LLP was listed as an “Internet communications organiser” ( организатор распространения информации в сети Интернет – hereinafter “ICO”) in a special public register. This entailed an obligation for Telegram to store all communications data for a duration of one year and the contents of all communications for a duration of six months, and to submit those data to law-enforcement authorities or security services in circumstances specified by law, together with information necessary to decrypt electronic messages if they were encrypted (see paragraphs 17-25 below). 7.     On 12 July 2017 the Federal Security Service (“the FSB”) required Telegram Messenger LLP to disclose technical information which would facilitate “the decryption of communications since 12 July 2017 in respect of Telegram users who were suspected of terrorism-related activities”. The disclosure order referred to section 10.1(4.1) of the Information Act and Order no.   432 of 19 July 2016 (see paragraphs 20 and 24 below). It listed six mobile telephone numbers associated with Telegram Messenger accounts and referred to six court decisions delivered on 10 July 2017. It required Telegram Messenger LLP to submit, among other things, an IP address, a TCP/UDP port number and the “data relating to the [encryption] keys” ( ключевой материал ) which would be “necessary and sufficient” for decrypting a communication. The information was to be sent, by 19 July 2017, to the FSB’s email address. 8 .     Telegram Messenger LLP refused to comply with the disclosure order, arguing that it was technically impossible to execute it without creating a backdoor that would weaken the encryption mechanism for all users. It explained, in particular, that the six users mentioned in the disclosure order had switched on the “secret chat” feature and therefore used end-to-end encryption. The company was fined by the Meshchanskiy District Court of Moscow on 12   December 2017. Subsequently, by a judgment of 13   April 2018, the Taganskiy District Court of Moscow ordered the blocking of the Telegram application in Russia. Both judgments were upheld on appeal. 9 .     On 12 March 2018 the applicant together with thirty-four other persons challenged the disclosure order before a court. The plaintiffs argued that the provision of encryption keys as required by the FSB would enable the decryption of the communications of all users. It would therefore breach their right to respect for their private life and for the privacy of their communications. After receiving the encryption keys the FSB would have the technical capability to access all communications without the judicial authorisation required under Russian law. They pointed to the broad scope of section 10.1 of the Information Act (see paragraphs 16-23 below) as the legal basis for the interference and a lack of guarantees against the potentially unjustified disclosure of their personal information. 10.     On 22 March 2018 the Meshchanskiy District Court rejected the complaint as inadmissible, finding that the challenged disclosure order did not affect the plaintiffs’ rights. The inadmissibility decision did not contain any further reasoning. 11.     On 22 May 2018 the Moscow City Court upheld the inadmissibility decision on appeal. 12.     On 10 September 2018 a judge of the Moscow City Court refused to refer a cassation appeal lodged by the applicant to the Plenary Moscow City Court for examination, finding no significant violations of substantive or procedural law which had influenced the outcome of the proceedings. 13.     A further cassation appeal by the applicant was rejected on 16 January 2019 by the Supreme Court of the Russian Federation. 14.     The Telegram Messenger application is still available and functioning in Russia. RELEVANT LEGAL FRAMEWORK 15 .     For a summary of the domestic provisions on secret surveillance of communications, including the relevant provisions of the Code of Criminal Procedure and of the Operational-Search Activities Act, see   Rom an Zakharov v. Russia ([GC], no. 47143/06, §§ 15-138, ECHR 2015). 16 .     Section 10.1 of Federal Law no.   149 ‑ FZ of 27 July 2006 on Information,   Information Technologies and Protection of Information (“the Information Act”) was introduced into that Act in 2014. It defines an ICO and lists its statutory obligations. 17 .     An ICO is defined as a person or an entity that ensures the functioning of information systems and/or programmes for electronic devices, with the aim of receiving, transmitting, delivering and/or processing electronic communications on the Internet (section 10.1(1) of the Information Act). 18.     In July 2016 the following obligations of an ICO were introduced. 19 .     An ICO must store on Russian soil all communications data generated by Internet users for a duration of one year and the contents of all communications for a duration of six months. This obligation concerns voice, textual, visual, sound, video or other electronic communications sent, received, transmitted or processed by Internet users (section 10.1(3)). 20 .     An ICO must submit the information mentioned in section 10.1(3) to law-enforcement authorities or security services in the circumstances specified by law (section 10.1(3.1)). It must also submit any information necessary to decrypt electronic communications if they are encrypted (section   10.1(4.1)). 21.     Equipment installed by an ICO must meet the technical requirements set out by the government and enable law-enforcement authorities and security services to carry out their tasks (section 10.1(4)). 22.     In the context of the provision of instant messaging services, an ICO must, in addition to the requirements above, identify the users of such messaging services by their mobile telephone numbers (section 10.1(4.2)(1)). 23 .     The scope of the information which must be stored pursuant to section   10.1(3), the location and conditions of storage, the procedures for providing the information to the law-enforcement authorities and security services and the procedures for the supervision of ICOs must be established by the Russian government (section 10.1(6)). 24 .     Order no. 432 of 19 July 2016 of the FSB provides that an ICO must submit any information necessary to decrypt electronic communications within ten days after a request by a competent security services unit. The request must specify the contents (the format) of the requested information and the postal or electronic destination address (paragraphs 3-6). 25 .     Order no. 743 of 31 July 2014 of the Russian government, as amended on 18 January 2018, provides that an ICO must grant security services remote access to its information system in order to enable them to receive the information mentioned in section 10.1(3) and (4.1) of the Information Act (paragraph 8). 26 .     Order no. 571 of 29 October 2018 of the Ministry of Digital Development and Communications provides that an ICO must install equipment which is capable of, among other things, searching, processing and delivering to the control centre of the FSB – at the request of that control centre or automatically – the following data: the identity of registered users; the receiving, sending, delivering or processing of voice, textual, visual, sound, video or other electronic communications by Internet users; the contents of voice, textual, visual, sound, video or other electronic communications; and the information necessary to decrypt electronic communications if they are encrypted (paragraph 4). The control centre of the security services must have round-the-clock remote access to the equipment and be capable of administering it (paragraph 14). 27.     Government Decree no. 1526 of 23 September 2020 provides that an ICO must provide the law-enforcement authorities and security services with communications data within thirty days of a request, or within three days in urgent situations (paragraphs 8 and 9). The request must include specific information identifiers that will be used as search criteria, such as a telephone number, an email address, the information found in the communication protocol’s header or other identifiers (paragraph 7). international materiAL I.         united nations 28 .     The Report on the right to privacy in the digital age by the Office of the United Nations High Commissioner for Human Rights, published on 4   August 2022 (A/HRC/51/17), reads as follows, in so far as relevant (footnotes omitted): “B.     Restrictions on encryption ... 21.     Encryption is a key enabler of privacy and security online and is essential for safeguarding rights, including the rights to freedom of opinion and expression, freedom of association and peaceful assembly, security, health and non-discrimination. Encryption ensures that people can share information freely, without fear that their information may become known to others, be they State authorities or cybercriminals. Encryption is essential if people are to feel secure in freely exchanging information with others on a range of experiences, thoughts and identities, including sensitive health or financial information, knowledge about gender identities and sexual orientation, artistic expression and information in connection with minority status. In environments of prevalent censorship, encryption enables individuals to maintain a space for holding, expressing and exchanging opinions with others. In specific instances, journalists and human rights defenders cannot do their work without the protection of robust encryption, shielding their sources and sheltering them from the powerful actors under investigation. Encryption provides women, who face particular threats of surveillance, harassment and violence online, an important level of protection against involuntary disclosure of information. In armed conflicts, encrypted messaging is indispensable to ensuring secure communication among civilians. It is notable that in the two months after the beginning of the armed conflict in Ukraine on 24 February 2022, the number of downloads in Ukraine of the encrypted messaging app Signal went up by over 1,000   per cent compared with preceding months. ... 23.     In spite of its benefits, Governments sometimes restrict the use of encryption, for example for the protection of national security and combating crime, in particular to detect child sexual abuse material. Restrictions include bans on encrypted communications and criminalization for offering or using encryption tools or mandatory registration and licensing of encryption tools. Similarly, in some instances, encryption providers have been required to ensure that law enforcement or other government agencies have access to all communications upon request, which can effectively amount to a blanket restriction of encryption that could require, or at least encourage, the creation of some sort of back door (a built-in path to bypass encryption, allowing for covert access to data in plain text). Another form of interference with encryption is the requirement that key escrow systems be created and maintained, and all private keys needed to decrypt data be handed over to the Government or a designated third party. The imposition of traceability requirements, according to which providers need to be able to trace any message back to its supposed originator, could also require the weakening of encryption standards. Recently, various States have started imposing or considering general monitoring obligations for providers of digital communications, including those offering encrypted communications services. Such duties could effectively force those providers to abandon strong end-to-end encryption or to identify highly problematic workarounds (see paras. 27-28 below). 24.     There is no doubt that widely used encryption capabilities, capabilities that the public has demanded as a response to mass surveillance and cybercrime, create a dilemma for Governments seeking to protect populations, in particular their most vulnerable members, against serious crime and security threats. However, as pointed out by the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, regulation of encryption risks undermining human rights. Governments seeking to limit encryption have often failed to show that the restrictions they would impose are necessary to meet a particular legitimate interest, given the availability of various other tools and approaches that provide the information needed for specific law enforcement or other legitimate purposes. Such alternative measures include improved, better-resourced traditional policing, undercover operations, metadata analysis and strengthened international police cooperation. 25.     Moreover, the impact of most encryption restrictions on the right to privacy and associated rights are disproportionate, often affecting not only the targeted individuals but the general population. Outright bans by Governments, or the criminalization of encryption in particular, cannot be justified as they would prevent all users within their jurisdictions from having a secure way to communicate. Key escrow systems have significant vulnerabilities, since they depend on the integrity of the storage facility and expose stored keys to cyberattacks. Moreover, mandated back doors in encryption tools create liabilities that go far beyond their usefulness with regard to specific users identified as crime suspects or security threats. They jeopardize the privacy and security of all users and expose them to unlawful interference, not only by States, but also by non-State actors, including criminal networks. Licensing and registration requirements have similar disproportionate effects as they require that encryption software contain exploitable weaknesses. Such adverse effects are not necessarily limited to the jurisdiction imposing the restriction; rather it is likely that back doors, once established in the jurisdiction of one State, will become part of the software used in other parts of the world. 26.     ... Since the content of messages, once encrypted, cannot be accessed by anyone except the sender and the recipient, any general monitoring obligation would force service providers to either abandon transport encryption or seek access to messages before they are encrypted ...” II.       Council of Europe 29.     Appendix to Recommendation by the Committee of Ministers of the Council of Europe on the protection of human rights with regard to social networking services (CM/Rec(2012)4, adopted on 4 April 2012) reads as follows: “15.     In co-operation with the private sector and civil society, member States, in addition to the measures stated in section I of this appendix, should take appropriate measures to ensure that users’ right to private life is protected, in particular by engaging with social networking providers to carry out the following actions: ... −     ensure that the most appropriate security measures are applied to protect personal data against unlawful access by third parties. This should include measures for the end ‑ to-end encryption of communication between the user and the social networking services website ...” 30.     The Council of Europe Parliamentary Assembly Resolution 2045 (2015) on mass surveillance, adopted on 21 April 2015, reads as follows, in so far as relevant: “5.     The Assembly is deeply worried about threats to Internet security by the practices of certain intelligence agencies, disclosed in the Snowden files, of seeking out systematically, using and even creating ‘back doors’ and other weaknesses in security standards and implementation that could easily be exploited by terrorists and cyberterrorists or other criminals. 6.     It is also worried about the collection of massive amounts of personal data by private businesses and the risk that these data may be accessed and used for unlawful purposes by State or non-State actors. ... 8.     ... High-technology surveillance tools are already in use in a number of authoritarian regimes and are used to track down opponents and to suppress freedom of information and expression. In this regard, the Assembly is deeply concerned about recent legislative changes in the Russian Federation which offer opportunities for enhanced mass surveillance through social networks and Internet services. 9.     In several countries, a massive ‘surveillance-industrial complex’ has evolved, fostered by the culture of secrecy surrounding surveillance operations, their highly technical nature and the fact that both the seriousness of alleged threats and the need for specific counter-measures and their costs and benefits are difficult to assess for political and budgetary decision makers without relying on input from the interested groups themselves. There is a risk that these powerful structures could escape democratic control and accountability and threaten the free and open nature of our societies ... 11.     The Assembly recognises the need for effective, targeted surveillance of suspected terrorists and other organised criminal groups. Such targeted surveillance can be an effective tool for law enforcement and crime prevention. At the same time, it notes that, according to independent reviews carried out in the United States, mass surveillance does not appear to have contributed to the prevention of terrorist attacks, contrary to earlier assertions made by senior intelligence officials. Instead, resources that might prevent attacks are diverted to mass surveillance, leaving potentially dangerous persons free to act ... 19.     The Assembly therefore urges the Council of Europe member and observer States to: 19.1     ensure that their national laws only allow for the collection and analysis of personal data (including so-called metadata) with the consent of the person concerned or following a court order granted on the basis of reasonable suspicion of the target being involved in criminal activity; unlawful data collection and processing should be penalised in the same way as the violation of the traditional confidentiality of correspondence; the creation of ‘back doors’ or any other techniques to weaken or circumvent security measures or exploit their existing weaknesses should be strictly prohibited; all institutions and businesses holding personal data should be required to apply the most effective security measures available; 19.2     ensure, in order to enforce such a legal framework, that their intelligence services are subject to adequate judicial and/or parliamentary control mechanisms ... 19.5     promote the further development of user-friendly (automatic) data protection techniques capable of countering mass surveillance and any other threats to Internet security, including those posed by non-State actors ...” III.     European Union 31 .     The judgment given by the Court of Justice of the European Union (CJEU) on 8 April 2014 in the joined cases of   Digital Rights Ireland and Seitinger and Others   (C-293/12 and C-594/12, EU:C:2014:238) declared the Data Retention Directive 2006/24/EC invalid. The Directive laid down an obligation on the providers of publicly available electronic communication services or of public communications networks to retain all traffic and location data for periods from six months to two years, in order to ensure that the data were available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each member State in its national law. For a summary of that judgment and further developments in the case ‑ law of the CJEU, see Big Brother Watch and Others v. the United Kingdom [GC], nos. 58170/13 and 2 others, §§ 209-41, 25 May 2021. 32 .     The CJEU also held, in its judgment of 6 October 2015 in the case of   Maximillian Schrems v. Data Protection Commissioner (C-362/14, EU:C:2015:650), as follows: “94 .     In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article   7 of the Charter ...” 33 .     A Joint Statement by Europol and the European Union Agency for Cybersecurity (ENISA) of 20 May 2016 on lawful criminal investigation that respects 21st Century data protection reads: “Intercepting an encrypted communication or breaking into a digital service might be considered as proportional with respect to an individual suspect, but breaking the cryptographic mechanisms might cause collateral damage. The focus should be on getting access to the communication or information; not on breaking the protection mechanism. The good news is that the information needs to be unencrypted at some point to be useful to the criminals. This creates opportunities for alternatives such as undercover operations, infiltration into criminal groups, and getting access to the communication devices beyond the point of encryption, for instance by means of live forensics on seized devices or by lawful interception on those devices while still used by suspects. Moreover, forensic methods that make use of physical fingerprints of devices might not help to intercept the communication content itself, but might provide other important clues for the investigator. Even so, there are cases in which there are no such alternatives and access to the concealed content can only be gained by a form of decryption. While no practical encryption mechanism is perfect in its design and implementation, decryption appears to be less and less feasible for law enforcement purposes. This has led to proposals to introduce mandatory backdoors or key escrow to weaken encryption. While this would give investigators lawful access in the event of serious crimes or terrorist threats, it would also increase the attack surface for malicious abuse, which, consequently, would have much wider implications for society. Moreover, criminals can easily circumvent such weakened mechanisms and make use of the existing knowledge on cryptography to develop (or buy) their own solutions without backdoors or key escrow ... Solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well, which makes an easy solution impossible ... When circumvention is not possible yet access to encrypted information is imperative for security and justice, then feasible solutions to decryption without weakening the protective mechanisms must be offered, both in legislation and through continuous technical evolution. For the latter, the fostering of close cooperation with industry partners, as well as the research community with expertise in crypto-analyses for the breaking of encryption where lawfully indicated, is strongly advised. We are convinced that a solution that strikes a sensible and workable balance between individual rights and protection of EU citizen’s security interests can be found. In this respect, the deployment of European R&D instruments may drive this collaboration while at the same time EU Agencies can work closely together in establishing best practices.” 34 .     On 28 July 2022 the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 4/2022 on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse. It provides as follows (footnotes omitted): “Executive summary ... measures permitting the public authorities to have access on a generalised basis to the content of a communication in order to detect solicitation of children are more likely to affect the essence of the rights guaranteed in Articles 7 and 8 of the Charter ... The EDPB and EDPS also express doubts regarding the efficiency of blocking measures and consider that requiring providers of internet services to decrypt online communications in order to block those concerning CSAM [child sexual abuse material] would be disproportionate. Furthermore, the EDPB and EDPS point out that encryption technologies contribute in a fundamental way to the respect for private life and confidentiality of communications, freedom of expression as well as to innovation and the growth of the digital economy, which relies on the high level of trust and confidence that such technologies provide. Recital 26 of the Proposal places not only the choice of detection technologies, but also of the technical measures to protect confidentiality of communications, such as encryption, under a caveat that this technological choice must meet the requirements of the proposed Regulation, i.e., it must enable detection. This supports the notion gained from Articles 8(3) and 10(2) of the Proposal that a provider cannot refuse execution of a detection order based on technical impossibility. The EDPB and EDPS consider that there should be a better balance between the societal need to have secure and private communication channels and to fight their abuse. It should be clearly stated in the Proposal that nothing in the proposed Regulation should be interpreted as prohibiting or weakening encryption ... 4.10     Impact on encryption 96.     European data protection authorities have consistently advocated for the widespread availability of strong encryption tools and against any type of backdoors. This is because encryption is important to ensure the enjoyment of all human rights offline and online. Moreover, encryption technologies contribute in a fundamental way both to the respect for private life and confidentiality of communications ... 97.     In the context of interpersonal communications, end-to-end encryption (‘E2EE’) is a crucial tool for ensuring the confidentiality of electronic communications, as it provides strong technical safeguards against access to the content of the communications by anyone other than the sender and the recipient(s), including by the provider. Preventing or discouraging in any way the use of E2EE, imposing on service providers an obligation to process electronic communication data for purposes other than providing their services, or imposing on them an obligation to proactively forward electronic communications to third parties would entail the risk that providers offer less encrypted services in order to better comply with the obligations, thus weakening the role of encryption in general and undermining the respect for the fundamental rights of European citizens. It should be noted that while E2EE is one of the most commonly used security measures in the context of electronic communications, other technical solutions (e.g., the use of other cryptographic schemes) might be or become equally important to secure and protect the confidentiality of digital communications. Thus, their use should not be prevented or discouraged too. 98.     The deployment of tools for the interception and analysis of interpersonal electronic communications is fundamentally at odds with E2EE, as the latter aims to technically guarantee that a communication remains confidential between the sender and the receiver ... 100.     The impact of degrading or discouraging the use of E2EE, which may result from the Proposal needs to be assessed properly. Each of the techniques for circumventing the privacy preserving nature of E2EE presented in the Impact Assessment Report that accompanied the Proposal would introduce security loopholes. For example, client-side scanning would likely lead to substantial, untargeted access and processing of unencrypted content on end user’s devices ... At the same time, server-side scanning, is also fundamentally incompatible with the E2EE paradigm, since the communication channel, encrypted peer-to-peer, would need to be broken, thus leading to the bulk processing of personal data on the servers of the providers. 101.     While the Proposal states that it ‘leaves to the provider concerned the choice of the technologies to be operated to comply effectively with detection orders and should not be understood as encouraging or discouraging the use of any given technology’, the structural incompatibility of some detection orders with E2EE becomes in effect a strong disincentive to use E2EE. The inability to access and use services using E2EE (which constitute the current state of the art in terms of technical guarantee of confidentiality) could have a chilling effect on freedom of expression and the legitimate private use of electronic communication services ...” THE LAW I.         preliminary issues 35 .     The applicant’s complaints concern the continuous storage of Internet communications and related communications data by ICOs, the authorities’ potential access to these data and the ICOs’ obligation to decrypt them if they are encrypted, pursuant to the Information Act and its regulations on implementation. The Court will examine the Convention compliance of the contested law on the date of its examination of the admissibility of the applicant’s complaints (see Big Brother Watch and Others v. the United Kingdom [GC], nos. 58170/13 and 2   others, §§ 268-70, 25 May 2021). The Court decides that it has jurisdiction to examine the present application in so far as the facts giving rise to the alleged violations of the Convention occurred prior to 16 September 2022 – the date on which the Russian Federation ceased to be a party to the Convention (see Fedotova and Others v. Russia [GC], nos.   40792/10 and 2 others, §§   68 ‑ 73, 17 January 2023; Pivkina and Others v. Russia (dec.), no. 2134/23 and 6   others, § 61, 6 June 2023; and N.F. and Others v. Russia , nos. 3537/15 and 8 others, §   30, 12 September 2023). II.       ALLEGED VIOLATION OF ARTICLE 8 OF THE CONVENTION 36 .     The applicant complained about the statutory requirement for ICOs to store the content of all Internet communications and related communications data, and to submit those data to law-enforcement authorities or security services at their request together with information necessary to decrypt electronic messages if they were encrypted. He relied on Article 8 of the Convention, which reads as follows: “1.     Everyone has the right to respect for his private and family life, his home and his correspondence. 2.     There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” A.    Admissibility 37.     The Court notes that this complaint is neither manifestly ill-founded nor inadmissible on any other grounds listed in Article   35 of the Convention. It must therefore be declared admissible. B.    Merits 1.      Submissions by the parties (a)    The applicant 38 .     The applicant submitted that the statutory requirement for ICOs to store the contents of all online communications, coupled with the requirement to provide encryption keys at the request of law-enforcement authorities, amounted to an interference with the applicant’s right to respect for his private life and correspondence. Moreover, it was technically impossible to provide the authorities with encryption keys associated with specific users of the Telegram messenger application. Any disclosure of encryption keys therefore affected the privacy of the correspondence of all Telegram users. 39.     The applicant further argued that the domestic law provisions requiring the storage of the contents of all online communications and the provision of encryption keys to the law-enforcement authorities were not foreseeable in their application and did not contain effective guarantees against arbitrariness. In particular, the domestic authorities did not need judicial authorisation to request encryption keys. Although the disclosure order of 12 July 2017 had mentioned that there had been judicial authorisations in respect of the six telephone numbers concerned, the judicial authorisations had never been shown to the Telegram Messenger company, to the domestic courts examining the company’s or the applicant’s cases or to the public. (b)    The Government 40.     The Government submitted that there had been no interference with the applicant’s rights. The applicant had failed to demonstrate that there was a “reasonable likelihood” that the security services had compiled and retained information concerning his private life. As regards Telegram encryption keys, Order no. 432 (see paragraph 24 above) did not contain a requirement to provide encryption keys to decrypt all traffic. Encryption keys were to be provided upon a request for specific data. The request for encryption keys of 12 July 2017 contested by the applicant had concerned communications involving six telephone numbers belonging to suspected terrorists and judicial authorisation had been obtained. The applicant’s allegations that the security services had access to the communications of all users were therefore unsubstantiated. 41.     In the alternative, the Government submitted that the alleged interference had a basis in domestic law. The domestic legal provisions were accessible and foreseeable in their effects. Any interception of communications had to be authorised by a court. Interception of communications could only be conducted following the receipt of information that a criminal offence had been committed, was being committed or was being plotted; about persons conspiring to commit, or committing, or having committed a criminal offence; or about events or activities endangering the national, military, economic or ecological security of the Russian Federation. Only offences of medium severity, serious offences and especially serious offences might give rise to an interception order and only persons suspected of such offences or who might have information about such offences could be subject to interception measures. Records of intercepted communications had to be stored under conditions excluding any risk of their being listened to or copied by unauthorised persons (the Government cited domestic legal provisions summarised in Roman Zakharov v. Russia , [GC], no. 47143/06, §§   31-33 and 51, ECHR 2015). The procedures to be followed for examining, using, storing and destroying the data obtained set out in the domestic law contained the necessary safeguards against abuses of power. 42.     The Government further argued that the provision of encryption keys to the FSB did not mean that the information necessary to decrypt encrypted electronic communications would become available to its entire staff. The heads of relevant services were responsible for making sure that their staff acted within the bounds established by the requirements of their duties. In any event, the FSB staff were bound by the duty of discretion in respect of information about private life that became known to them in the performance of their duties. Encryption keys served to decrypt communications in respect of which a judicial interception authorisation had been obtained. 43.     Lastly, the Government submitted that the interference was “necessary in a democratic society” to achieve the legitimate aim of combating terrorism. For example, in April 2017 a terrorist attack had occurred in St Petersburg. Subsequently, in December 2017, another attack had been prevented. In both cases, the attacks had been coordinated from abroad through secret chats via Telegram. (c)    Third parties (i)       European Information Society Institute (EISI) 44 .     EISI explained that end-to-end encryption was a mathematics-based tool which worked as follows: with the help of a “public” key, any message (“plaintext”) was translated into a seemingly random combination of letters, numbers or symbols (“ciphertext”). Only the senders and receivers could see the plaintext, whereas outsiders could only see the ciphertext. The message in ciphertext could not be translated back into plaintext without the “private” key, which was kept securely on the receiver’s device. The conversion into plaintext took place directly on the receiver’s device. End-to-end encryption ensured that the operator of the messaging service never had access to either the private key or the original plaintext message at any point, preventing any access to the exchanged content. 45 .     EISI further argued that the FSB’s disclosure order to Telegram amounted to a “backdoor order” which indiscriminately affected all users of Telegram. Compliance with that order would essentially mean that Telegram would have to centrally store “private” keys, that is, it would be unable to legally provide end-to-end encrypted services to its users. 46.     EISI submitted that encryption used by messaging services was a self ‑ defence mechanism against surveillance. It played a vital role in ensuring the integrity and security of messages during transmission. It offered essential protection to vulnerable individuals, such as journalists, opposition leaders or victims of cyber abuse. There was therefore a strong connection between encryption and human rights, particularly Articles 8 and 10 of the Convention.Articles de loi cités
Article 8 CEDHArticle 8-1 CEDH
Citations
Aucune citation répertoriée pour cette décision.
Décisions connexes
Aucune décision similaire identifiée pour le moment.
Synthèse
- Juridiction
- CEDH
- Chambre
- CASELAW;JUDGMENTS;CHAMBER;ENG
- Formation
- 6
- Dispositif
- Satisfaction
- Date
- 13 février 2024
- Matière
- droits fondamentaux
Référence
ECLI:CE:ECHR:2024:0213JUD003369619