by Aachen 855 days ago
> The Court held that a legal obligation to decrypt E2E communications is a disproportionate interference with the right to privacy.

*when no adequate safeguards against abuse are in place

Unfortunately it is not as straightforward as that it's incompatible altogether. Per this ruling, it's only incompatible when there are no good safeguards (they use the word "adequate" in one place and "suitable" in another; neither is very specific about what it means).

Yes, that is very true. The Court generally does not oppose surveillance measures in general, as long as adequate safeguards are in place. However, I read the relevant paragraphs (paras 76-79) to be quite a strong rejection of any statutory obligation that would effectively require the installation of a backdoor undermining E2EE. The criticism of a lack of adequate safeguards and the risk of abuse is more focused on other aspects of the law.

That also becomes clear in the key paragraph 80: "The Court concludes from the foregoing that the contested legislation providing for the retention of all Internet communications of all users, the security services’ direct access to the data stored _without adequate safeguards against abuse_ and the _requirement to decrypt encrypted communications_, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society"

The Court does not qualify the requirement to decrypt E2EE communications with the same safeguards requirements. That of course does not exclude the possibility of the Court finding that a more narrowly-construed law is not in violation. But the Court clearly signals its skepticism towards any "requirement that providers of such services weaken the encryption mechanism for all users" (para 79).

Yes, this was a problem all along with arguments against surveillance (/encryption weakening) based on "it can be abused by bad actors" - it implies that one would be ok with surveillance if it could not be abused by bad actors. While it's tempting to use such arguments (it looks like they had effect in this case at least), it remains necessary to emphasize the true reasons one takes a stand against surveillance, e.g. authoritarian overreach or a fundamental right to privacy.

Do you think that phone taps and mail-opening warrants, issued by judges, based on evidence submitted to the court that such warrants are appropriately targeted and based on existing evidence and reasonable suspicion, are intrinsically "authoritarian overreach"?

Not inherently, but they become overreach when they start claiming that they should be able to apply to E2EE protocols.

If you want the data from an E2EE protocol, serve an appropriately targeted and scoped warrant to one of the endpoints. This also provides an opportunity for legal challenge (e.g. for scope overreach).

From paragraph 64:

> For a detailed description of safeguards that should be set out in law for it to meet the “quality of law” requirements and to ensure that secret surveillance measures are applied only when “necessary in a democratic society”, see Roman Zakharov, §§ 231-34, and Big Brother Watch and Others, §§ 335-39

I am not a lawyer and not motivated enough to go read those decisions, but if anyone is curious that is probably the place to start to figure out what might count as "adequate safeguards".