Can You Install an Encryption Backdoor Without Risking Privacy? European Court Says NO

The European Court of Human Rights (ECHR) has just protected your Telegram messages, ruling against encryption backdoors in a Podchasov v. Russia case. The case bears similarities to the Apple v. FBI clash in 2016, with the former refusing to install backdoors to Apple's encrypted smartphones. Both cases outline that the right to privacy supersedes occasional encryption backdoor demands, even juxtaposed with terrorism threats.

Podchasov v. Russia dispute

This case is a fundamental rights victory against the Russian surveillance state, as the latter imposes Internet control characteristic of totalitarian regimes. The issue is perfectly summed up in the ECHR Podchasov v. Russia document:

The case concerns the statutory requirement for “Internet communication organizers” to store all communications data for a duration of one year and the contents of all communications for a duration of six months, and to submit those data to law-enforcement authorities or security services in circumstances specified by law, together with information necessary to decrypt electronic messages if they are encrypted.

The Kremlin demanded access to six users' digital communications records allegedly related to terrorism. Telegram responded accurately, outlining that it is technically impossible to create backdoors restricted to specific accounts without compromising all user access safety. It's also naive to trust governments respecting privacy boundaries when you remember that 2016 Trump's presidential campaign brazenly used data illegally gathered by Cambridge Analytica from 50 million Facebook profiles.

Mueller's report proved Russia's interference in the 2016 US presidential elections, so both governments aren't strangers to clandestine tactics. Furthermore, Russia stated its Federal Security Service (FSB) will not intrude on the private lives of other Telegram users out of "duty of discretion." Simultaneously, it is strenuously trying to block major VPN services, making the statement impossible to believe. Remember that the state demands all VPNs log and store data on Russian servers accessible to authorities, rendering VPN encryption nearly useless.

To us, this looks like another attempt at a blown-up government surveillance vestured in noble phrases. What's more, we couldn't find a single documented case where encryption backdoors prevented criminal activity. Law enforcement has numerous extremely sophisticated tools to monitor criminals, and governments want the same for citizens. As the renowned French philosopher Michel Foucault put it

Surveillance is permanent in its effects, even if it is discontinuous in its action.

And we agree. Weakening end-to-end encryption for one case will have long-lasting effects on every Internet user.

What is end-to-end encryption?

End-to-end encryption (E2EE) is an unsung hero of our times that lets you shop online safely, express your mind freely, and browse the Internet with an additional layer of privacy. It does so by encrypting your online traffic on the device level using a public key, which can only be decrypted by the recipient's private key. This way, E2EE protects your sensitive information from third parties, be it cybercriminals, Google, or Big Brother. Telegram's secret chat feature is a good end-to-end encryption example.

VPNs similarly contribute to data privacy and strengthen it with advanced encryption algorithms. For example, Mysterium VPN runs on the WireGuard protocol that uses modern cryptography embedded in a dense and compact code base. Furthermore, noteworthy VPNs follow strict no-logs policies and do not store, collect, or share your sensitive data with third parties.

At first glance, E2EE and encrypted VPN connection may look nearly identical, but there are significant differences you should be aware of. E2EE is widely used to secure communication software and works on the app level. Because nobody can see and tamper with your correspondence, not even your Internet Service Provider, E2EE ensures data integrity.

On the other hand, VPNs (except VPN browser extensions) work on a network level, encrypting all data flow. They substitute the user's original IP address with the VPN server, which takes over online communication. A VPN has a broader scope and focus than E2EE, but treating both as essential for your online privacy is best.

Why should you care?

Let's put it straight. The Internet as we know it would not be possible without encryption. Your credit card details would be out in the open whenever you shop online. Without encryption, you can say goodbye to private online communication and personal liberty to express your worldview, especially if it's critical to power institutions.

In 2018, Marriott announced that cybercriminals managed to steal 500 million guest information, including credit card and passport details. Although Marriott encrypted credit card numbers, it stored the decryption keys on the same server, a typical rookie mistake unbecoming of any brand. Stolen names, addresses, security numbers, and all other personally identifiable information (PII) are then used for phishing campaigns, impersonation, and identity theft.

That's why E2EE is paramount wherever it is applicable. Confidential information should be accessible only to relevant parties. It is the service provider's obligation to secure your PII, which is now regulated by the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the US.

Unfortunately, many businesses prioritize short-term profits, saving money on expensive cybersecurity systems. Until they learn the mistakes the hard way, you should know your digital rights, choose E2EE communication software, and use a VPN to safeguard your browsing activities from ISPs and intrusive governments.

The myth of a safe encryption backdoor

The idea of creating a backdoor into current encryption algorithms often comes from officials who have little understanding of this technology. In the U.S., the National Security Agency is the proponent of weak encryption with backdoors. Yes, the same NSA that Edward Snowden exposed was gathering a humongous amount of telephone records, deemed illegal by the U.S. Court of Appeals seven years later.

If that's not good enough of a reason to leave encryption intact, we don't know what is. If power institutions can use mass surveillance to remain in power, they will. That's a statement we firmly believe in, supported by historical examples like Cambridge Analytica and the Pegasus spyware in recent years.

Weakening encryption will not make our societies safer – it can backfire. Cybercriminals are aware that breaking modern encryption algorithms with current technology is impossible. In reality, a cybercriminal is more likely to drug the victim and beat the password out with a hammer than spend countless nights brute-forcing encryption algorithms.

But if governments – or anyone else – install encryption backdoors, you just have to break a person with the backdoor key. Practice shows that human error is the weakest link in the cybersecurity chain. Trusting a person with decryption tools will introduce this link and put your digital life at risk.

How to resist government surveillance

For privacy-concerned Internet users, it is evident that personal data safety lies within their own hands. Although the Universal Declaration of Human Rights named the right to private life as fundamental to everyone, the fight for data privacy is ongoing, amplified by the emergence of digital surveillance technology.

Digital privacy cannot be achieved in one easy step. There is no magic cure. One should start by knowing digital rights and then strengthen them with cybersecurity software, like a decentralized VPN. Simultaneously, switching from Chrome to a more ethical browser limits Google's access to your online activities, and E2EE communication software prevents ISPs and hackers from peaking at your conversations.

However, the European Court's decision to protect E2EE is a significant step forward. At Mysterium VPN, we are happy that no governmental agency can request a backdoor to our services, and we can keep your digital life safe from unwanted attention.