Case Summary and Outcome

The Appellate Collegiate Body of the Supreme Court of Russia found that the Federal Security Services of Russia (FSS) had a lawful right to request that Telegram, a popular online messaging application, share with the FSS the keys needed to decrypt messages sent over its service. On April 14, 2017, the FSS sent a letter to Telegram’s offices in London asking the company to provide it with keys to decrypt messages sent from six mobile numbers. Telegram received the letter but never shared the decryption keys. The FSS initiated a legal action against Telegram alleging that, by failing to satisfy the request, the company had violated the Federal Law “On Information, Information Technologies, and Protection of Information”. The first instance court fined Telegram RUB 800,000 (around $13,000) for failing to comply with the FSS’s requests. Telegram appealed to the appellate court, and the Supreme Court of Russia, arguing that the Russian courts had no jurisdiction to determine such a case against a UK-based entity, and that the request was unlawful since it was not made pursuant to a judicial order. Both upheld the law allowing the FSS to request that Telegram share the decryption keys. Telegram then appealed to the Appellate Collegiate Body of the Supreme Court of Russia, which, among other things, reasoned that the rights to privacy and secrecy in correspondence did not extend to the keys and, therefore, the FSS did not require a judicial order before it could request their disclosure.

---

Facts

Telegram is a popular online messaging application with headquarters in London. On April 14, 2017, the Federal Security Services (FSS) of Russia sent a letter to Telegram’s offices in London asking the company to provide it with keys to decrypt messages sent from six mobile numbers by July 19, 2017. Telegram received the letter on July 21, 2017, but chose not to respond because it found that the request was unlawful since it did not contain court orders authorizing the FSS to access the messages.

On September 19, 2017, the FSS filed a protocol of an administrative violation against Telegram. It argued that, by failing to respond to the request, Telegram had violated Article 10(1) of the Federal Law “On Information, Information Technologies, and Protection of Information” (Information Law) that obliged Internet companies to provide federal bodies with the information necessary to decrypt digital messages.

The First Instance Judgment

The Moscow Meshansk Regional Court heard the case on October 16, 2017. Telegram’s representatives were not present at the trial. Nonetheless, the Regional Court proceeded with the hearing. It explained that Telegram received notification about the trial and Article 25(1) of the Russian Code of Administrative Violations permitted hearings without the presence of the defendant party. The Regional Court found Telegram guilty of an administrative offence because it failed to comply with the Information Law, which is binding on all companies operating in Russia. The Regional Court explained that under the Informational Law an organization that uses the Internet to receive, send, or process information is considered an “organizer” of information dissemination. Under the same law, such “organizers” are obliged to provide the Russian authorities with the tools needed to decrypt messages when it is requested to do so by a federal government agency. The Regional Court found that Telegram was such an “organizer” and thus had to provide the authorities with the decryption keys. The manner in which such requests had to be made was outlined in FFS Order No. 432 from July 19, 2016. The Regional Court levied a fine of RUB 800,000 (around $13,000) against Telegram. The court did not assess whether the FSS’s demand for the decryption keys was a justifiable limitation on the rights to privacy and freedom of expression.

Telegram’s Appeal

Telegram appealed the decision. In its appellate brief, it argued that, in light of Article 8 (right to respect for private life) under the European Convention on Human Rights and Article 23 (right to privacy) under the Russian Constitution, it had a professional duty to protect the privacy of Russian citizens. It added that the Russian Constitution permitted limitations on the right to secrecy of correspondence only if such limitations served a legitimate aim, were in accordance with the law (meaning there was a judicial order) and were proportionate to the achievement of the legitimate aim.

On the issue of legitimacy, Telegram argued that the FSS’s request was unlawful because, according to the Russian Federal Law “On Operational-Investigative Activities” and Article 186 of the Russian Criminal Code, law enforcement agencies were allowed to access private communications only after obtaining a court order. In this case, the FSS failed to provide Telegram with proof that its request for the decryption keys was made pursuant to a judicial order. Telegram noted that the FSS’s request simply referred to the Information Law as giving it the right to receive the decryption keys from Telegram.

Additionally, as Telegram was based outside of Russia, it argued that the FSS had to abide by the European Convention on Mutual Assistance in Criminal Matters , which does not permit the FSS to make requests directly to foreign companies. Instead, as per the Federal Law “On the Federal Security Services”, the FSS should have contacted a British law enforcement agency and sought its help.

Telegram also argued that the FSS’s request was disproportionate. The decryption keys that the FSS requested could have potentially given it access to communications of over six million Russian citizens who use Telegram. A more proportionate request would have been to ask Telegram to decrypt messages sent from the six mobile numbers that FSS wanted to access. To aid its argument, Telegram cited the UN Special Rapporteur on freedom of expression and information who stated in his 2015 report that “[i]t is a seemingly universal position among technologists that there is no special access that can be made available only to government authorities, even ones that, in principle, have the public interest in mind. In the contemporary technological environment, intentionally compromising encryption, even for arguably legitimate purposes, weakens everyone’s security online.” (A/HRC/29/32)

Further, Telegram reminded the appellate court that the European Court of Human Rights, in the 2015 case of Zakharov v. Russia concluded that “Russian legal provisions governing interceptions of communications do not provide for adequate and effective guarantees against arbitrariness and the risk of abuse which is inherent in any system of secret surveillance, and which is particularly high in a system where the secret services and the police have direct access, by technical means, to all mobile  telephone communications. Russian law does not adequately and effectively safeguard against abuse of surveillance by law enforcement.” [para.  302] The FSS did not explain in its request how it would safeguard against abuse of the decryption keys. Further, it requested the decryption keys to be sent to a general email address fsb@fsb.ru, which was accessible by a broad number of individuals, thus permitting potential misuse of the keys.

Additionally, Telegram highlighted that the court failed to assess whether the company could even decrypt the communications requested by the FSS. Telegram offers a “secret chat” option, whereby messages are encrypted end-to-end, meaning that they are encrypted on the phones of each of the communicators. Such end-to-end encrypted messages are saved solely on the phones of the communicators and cannot be decrypted by Telegram.

In its appeal, Telegram also argued that the first instance court committed a series of procedural violations. First, the court had no jurisdiction to hear the case, since the company was based in the UK and did not have a presence in Russia. Moreover, Article 29(5) of the Administrative Code states that a case should be heard in the jurisdiction where the violation occurred. They argued that the alleged violation occurred in the UK. Furthermore, they argued that the court had no jurisdiction over the case since Article 29(1)(6) of the Administrative Code required that case materials be forwarded to the Prosecutor General in cases where a foreign entity allegedly committed an administrative violation and it could not participate in court proceedings. It was then up to the Prosecutor to contact the relevant foreign government bodies to seek prosecution for the administrative violation.

Finally, Telegram complained that the court failed to contemplate the ramifications of its decision. According to Article 15(4) of the Information Law, an administrative violation is cause for an internet resource to be blocked in all of Russia. The court did not consider that if Telegram was blocked, over six million users in Russia would be affected. Additionally, the FSS claimed that their request was on the ground of national security. According to Telegram, restricting privacy on the basis of national security had to be balanced against the interests of the messenger’s users, which the court did not attempt to do.

The Appellate Court’s Ruling

On December 12, 2017, the Moscow Meshansk Regional Court heard the appeal and upheld the ruling of the court’s first instance chamber. First, the appellate court found that the first instance court correctly reviewed the facts, particularly concerning the chronology of the relevant events. Then, the appellate court turned to the question of whether the first instance court committed procedural violations. The appellate court stressed that article 1(4)(1) of the Administrative Code establishes all entities’ liability for administrative violations regardless of their location. Secondly, according to Decree No. 5 of the Supreme Court Plenary “On some questions raised by courts concerning the implementation of the Administrative Code”, if a violation occurs due to inaction, then the location of the violation is deemed to be the place where the action should have occurred. In this case, that location was Russia.

The appellate court then explained that although Article 10 of the European Convention on Human Rights guaranteed the right to freedom of expression, which included the right to receive and disseminate information, this right could be restricted. Such restrictions were to be “prescribed by law” and “necessary in a democratic society.” Here, the limitation was “prescribed by law” since the Information Law obliged companies that disseminated information over the Internet to provide the decryption keys to the FSS upon request.

The court also dismissed Telegram’s arguments in relation to Article 8 of the European Convention on Human Rights as well as Article 23 of the Russian Constitution. Specifically, the court clarified that Article 17(1) of the Russian Constitution guarantees the rights and freedoms generally accepted in international law. However, these rights and freedoms could be limited, and the right to the privacy of correspondence is not exempt from such limitations. The Constitution mandates that a limitation is permissible only on the basis of a court judgment. The Court stated that the FSS referred to a judgment in the letter sent to Telegram on July 12, 2017.

Telegram appealed the decision to the Supreme Court of Russia.

The Supreme Court Ruling

On March 20, 2018, the Supreme Court of Russia (Court) rejected Telegram’s appeal and upheld the lower instance judgments. In its appeal to the Court, Telegram challenged the FSS’s request for the decryption keys on the basis that the request relied on an unlawful FSS Order No. 432. The FSS issued the order in June 2016 to regulate the procedures of obtaining the tools needed to decrypt online communications. According to Telegram, only the Russian Government could publish such an order and the FSS thus exceeded its authority in violation of the rights to privacy and secrecy of correspondence.

The Court dismissed Telegram’s arguments. First, the Court explained that, according to Federal Law 40 “On the Federal Security Services”, the FSS had the right to publish normative legal acts for the purpose of protecting the national security of Russia. Furthermore, it held that Article 10(1)(4.1) of the Information Law obliged companies that disseminated information online and that encrypted such information to provide the FSS with the necessary decryption keys upon request.

For the purposes of implementing Article 10(1)(4), the Russian government passed Decree No. 743 “On Establishing the Rules for Cooperation between Online Disseminators of Information and Government Agencies Tasked with Operative-Investigative Activities or Protecting the Security of the Russian Federation”. Presidential Order No. 1301 on prevention of terrorism and public security, issued on July 6, 2016, tasked the FSS with establishing a system needed to decrypt messages by July 20, 2016. Additionally, the FSS followed procedure by issuing the FSS Order No. 432, outlined in Presidential Order No. 763. Thus, the Court concluded that the FFS did not exceed its authority in issuing FSS Order No. 432 that regulated how it could obtain the means to decrypt information.

Articles 3 and 5 of FSS Order No. 432 obliged companies such as Telegram to share information necessary to decrypt electronic messages. The Court added that the Russian Constitution and laws on privacy and secrecy of correspondence did not protect the information used for decryption. As a result, the FSS was not required to provide Telegram with a judicial order when requesting the decryption keys, since such orders were needed solely in situations when the authorities sought access to constitutionally protected information. The Court also stressed that, under Russian law, Telegram was not tasked with assessing the legality of information requests of operative-investigative bodies.

The Court added that FSS Order No. 432 outlined specific ways in which Telegram could have shared the decryption keys. It could have sent a magnet carrier via mail, sent the information via email, or set-up access to it for the FSS. Thus, Telegram could have used any of these methods, and not just email, to send the requested information to the FSS. In light of the above, the Court ruled that FSS Order No. 432 was lawful.

Following the decision, the FSS gave Telegram an additional 15 days to share the decryption keys. Telegram did not and on April 6, 2018, the FSS filed a judicial request to immediately block Telegram in Russia.

Telegram appealed the decision of the Supreme Court with the Appellate Collegiate Body of the Supreme Court of Russia.

---

Decision Overview

On August 9, 2018, the Appellate Collegiate Body of the Supreme Court upheld the verdict that FSS Order No. 432 was lawful.

The Appellate Body affirmed the arguments made by lower courts. First, it found that FSS Order No. 432 established the procedure for obtaining decryption information from companies such as Telegram. The Court added that Under the Law on Information, Information Technologies, and Protection of Information, internet companies are obliged to provide federal bodies with the information necessary to decrypt digital communication. Furthermore, Federal Law No. 40 On the Federal Security Services (1995) enshrined the FSS with the authority to independently implement laws and issue normative acts related to national security. Thus, the FSS has the authority to issue Order No. 432.

The Appellate Body also agreed with the lower instance courts that that Order No. 432 did not violate article 23 of the Russian Constitution that guaranteed the right to privacy and secrecy of correspondence. According to the Court, the Federal Law on Information imposed limitations on the ability of the FSS to gain access to specific information. However, this law did not extend limitations to information used to decrypt communication. Similarly, other constitutional provisions and federal laws on the secrecy of correspondence did not protect information used to decrypt communication.

Lastly, the Appellate Body dismissed Telegram’s allegations that Order No. 432 included “corrupt elements.” The Court explained that Federal Law No. 172 On Anti-corruption Review of Normative Acts and Draft Normative Acts defined “corrupt elements” as legal provisions that were too broad and thus open to abuse. Pursuant to the law, relevant executive justice bodies were tasked with reviewing normative acts for the presence of “corrupt elements.” In this case, the Ministry of Justice reviewed Order No. 432 and found no issues with it.

---