Legal Report: Weakening Encryption Would Threaten Right to Privacy, European Court Rules
Judicial Decisions
European Union
Privacy. The European Court of Human Rights determined that strong encryption is fundamental to the basic right of privacy.
The case stems from a 2017 incident in which encrypted messaging platform Telegram was ordered by the Russian Federal Security Service to help decrypt communications from specific users suspected of terrorist involvement. At the time, the Russian government required Telegram and other Internet communication providers to store all communication content and data, and to give that data, along with the information needed to decrypt it, to law enforcement when ordered.
Telegram opposed the order, arguing that it would create a backdoor that would threaten encryption for all of its users. In response, Russian courts fined the company and banned the app.
The European Court of Human Rights agreed with a Russian citizen, Anton Podchasov, who claimed that forced decryption of users’ communications would violate their right to a private life, which is laid out in Article 8 of the European Convention of Human Rights. The court determined “that the continuous storage of the applicant’s Internet communications and related communications data by Telegram, the authorities’ potential access to these data and Telegram’s obligation to decrypt them if they are encrypted…amounted to an interference with the applicant’s Article 8 rights,” according to the judgment.
The court also noted that encryption helps protect people and businesses from others who would abuse information technologies (such as cybercriminals or other malicious actors), and that decrypting encrypted communications could weaken encryption protections for all users.
The decision safeguards encrypted communications, giving guidance to other courts where end-to-end encryption is being or will be debated. (Podchasov v. Russia, European Court of Human Rights, No. 33696/19, 2024)
United States
Espionage. A federal court sentenced Jareh Dalke to 262 months in prison for attempted espionage. In 2023, Dalke pleaded guilty to six counts of trying to transmit classified National Defense Information (NDI) to a foreign agent, according to court documents.
Dalke was an employee of the U.S. National Security Agency (NSA) for some months in 2022, during which time he worked as an information systems security designer. Between August and September 2022, he tried to prove his access to classified information to a person Dalke believed to be a Russian agent. Dalke transmitted portions of three classified documents that all contained NDI and were obtained while he worked for the NSA.
Dalke asked for $85,000 in exchange for all the information in his possession, claiming that it would be valuable to Russia. He also offered to continue providing information in the future.
However, that supposed Russian agent turned out to be an FBI covert employee, and moments after Dalke transmitted five additional files he was arrested by the FBI. (United States v. Jareh Sebastian Dalke, U.S. District Court for Colorado, No. 22-cr-313-RM, 2024)
School shooting. James and Jennifer Crumbley—the parents of the teenager who shot and killed four students in 2021 in Oxford, Michigan—were each sentenced to serve 10 to 15 years in prison.
The Crumbleys, who were tried separately, are the first parents to be held criminally responsible for a mass school shooting carried out by their child. They were found guilty of four counts of involuntary manslaughter because they failed to prevent their son from taking a firearm from their home and killing four students—Madisyn Baldwin, Tate Myre, Justin Shilling, and Hana St. Juliana—and injuring six more and a teacher. James Crumbley had bought the firearm three days before the shooting and then gifted it to his son, even though he had signed a form that said it was illegal to purchase a gun for someone else.
The shooter, Ethan, was sentenced to life in prison without parole. During his trial, he pled guilty to terrorism, four counts of first-degree murder, and 19 other related charges.
Both parents are appealing the convictions. (People of the State of Michigan v. James Robert Crumbley, Oakland Circuit Court, No. 2022-273389-FH, 2024; People of the State of Michigan v. Jennifer Lynn Crumbley, Oakland Circuit Court, No. 2022-279990-FH, 2024)
Legislation
United States
Surveillance. U.S. President Joe Biden signed legislation (HR 7888) that reauthorized the Foreign Intelligence Surveillance Act (FISA), keeping the statute from lapsing and extending it.
The program—which is known as Section 702 of the FISA—allows the U.S. government to collect communications of non-Americans who are outside of the nation for the purposes of gathering foreign intelligence. It does not require the government to secure a warrant for this data. U.S. officials have credited this surveillance tool with disrupting terrorist attacks and foreign espionage and with generating intelligence for specific operations.
U.S. States
School safety. Utah’s governor, Spencer Cox, signed legislation that will reform school safety measures, including requiring public and charter schools to have an emergency communications system.
The emergency communications systems should include a silent panic alarm that connects to local law enforcement. This part of the bill, Alyssa’s Law, was proposed in response to 13 schools that had false reports of an active shooter in March 2023. It was named Alyssa’s Law in honor of Alyssa Alhadeff, a 14-year-old student who was killed during the 2018 Parkland High School shooting in Florida.
Alyssa’s Law is part of HB 84, a larger effort to reform school security. HB 84 will also create a guardian program, which requires each school to have at least one armed security guard; maintain minimum safety procedures for schools; and mandate that state employees report any threats to schools.
Regulations
European Union
Privacy. The European Consumer Organization (BEUC) accused Facebook’s parent company Meta of illegally collecting data from hundreds of millions of users in the region.
The BEUC claims that Meta’s collection of personal data violates the General Data Protection Regulation (GDPR) and that the “pay-or-consent” option it imposes on users is a “smokescreen” meant to hide the company’s illegal processing of data, it said in a press release.
In October 2023, after fining Meta for violating GDPR rules when it transferred users’ personal data to servers in the United States, EU regulators also ordered Meta to start asking users for their explicit consent to use their personal information to deliver targeted ads on the platform. By November, Meta started offering European users a subscription service, where a user would pay up to €12.99 ($14) per month for an ad-free version of Facebook and Instagram.
The BEUC claims that the subscription service is misleading because it does not inform users on what, if any, changes would occur to how their information is processed if they become subscribers.
The BEUC is an umbrella organization for 45 independent consumer groups from 31 countries, representing those groups to EU institutions. Eight of those groups have filed complaints with their respective national data protection authorities in the Czech Republic, Denmark, France, Greece, the Netherlands, Norway, Slovakia, Slovenia, and Spain. Authorities have not yet announced a next step.
Meta has disputed the accusations.
United States
Surveillance. As part of a 2023 settlement with doorbell camera and home security company Ring, the U.S. Federal Trade Commission (FTC) announced it is issuing more than $5.6 million in refunds to customers.
After an investigation into the company’s practices of allowing employees and contractors to access users’ private videos, the FTC filed a complaint against the company in 2023, accusing Ring of using the video feeds to train its algorithms and for other reasons without consent from the camera owners.
According to the FTC, a lack of sufficient security measures at Ring also resulted in hackers taking control of customers’ accounts, cameras, and videos.
Along with the refunds, the settlement will result in Amazon, Ring’s parent company, paying a $25 million civil penalty to the FTC, and having Ring delete any content that was illegally obtained and create stronger security protections. (Ring, LLC, U.S. Federal Trade Commission, 2023113)
Also of Interest
Security Management tracks stories where the government and security intersect. Below are items that are still developing.
Artificial intelligence. The U.S. House of Representatives has introduced a bill (HR 7832) that would require the Department of Homeland Security to consider integrating artificial intelligence and machine learning into operations along U.S. borders.
Classified information. A U.S. Representative introduced a bill, the Guarding the United States Against Reckless Disclosures Act (HR 7846), that would restrict classified access of federal employees who were charged or convicted of specific crimes—including obstructing an official proceeding, unlawful retention of national defense information, unlawful disclosure or improper handling of classified information, acting as a foreign agent, or compromising national security.
Climate change. The European Court of Human Rights in France found that the nation of Switzerland failed to properly address the climate crisis, violating human rights. The lawsuit was filed by more than 2,000 older Swiss women, who claimed that the increasing heat and heat waves (due to climate change) threatened their health and quality of life and endangered their lives.
Discrimination. Black Democratic lawmakers reintroduced a bill (HR 8191) into the U.S. House of Representatives that, if enacted, would prohibit discrimination against a person’s hairstyle or hair texture. The bill, also known as the CROWN Act, was previously passed in the House in 2019 and 2022, but it was blocked by the Senate.
Personal data. U.S. President Biden signed an executive order (EO 14117) that aims to prevent certain nations—including China, North Korea, and Russia—from buying Americans’ sensitive information from commercial data brokers.
Privacy. In Illinois, USA, a class-action lawsuit was filed against retail giant Target over alleged violations of the state’s Biometric Information Privacy Act. The lawsuit claims that Target’s surveillance systems were collecting biometric data on customers without their consent.
Sexual assault. The U.S. Department of Justice has agreed to a $100 million settlement with the victims of sports doctor Larry Nassar. An internal investigation determined that the FBI mishandled abuse allegations against Nassar—who was a sports doctor at Michigan State University and at USA Gymnastics—prior to his arrest in 2016. The settlement agreement has not been finalized.
Train derailment. Transportation company Norfolk Southern agreed to a settlement that would close a class-action lawsuit filed after 38 train cars derailed outside of East Palestine, Ohio, USA, in February 2023. The derailment caused a massive fire, with toxic fumes generated by the flames and the 11 hazardous chemicals the cars were carrying. Nearly half of the town’s residents were forced to evacuate the area. The company agreed to pay $600 million and would not admit to any wrongdoing or liability. The agreement is pending approval from a federal judge.