More About Telegram and Pavel Durov’s Arrest ⇥ techdirt.com

French magistrate Laure Beccuau (PDF) on Monday disclosed the reasons for Pavel Durov’s arrest and detainment. The first two pages are in French; the last two are in English.

Mike Masnick, Techdirt:

In the end, though, a lot of this does seem potentially very problematic. So far, there’s been no revelation of anything that makes me say “oh, well, that seems obviously illegal.” A lot of the things listed in the charge sheet are things that lots of websites and communications providers could be said to have done themselves, though perhaps to a different degree.

Among the things being investigated by French authorities “against person unnamed” — not necessarily Durov — are “complicity” with various illegal communications, money laundering, and providing cryptography tools without authorization or registration. The latter category has raised the eyebrows of many but, I believe, must be read in the context of the whole list of charges. That is, this is not a pure objection to encrypted communications — to the extent Telegram chats may be encrypted — but unauthorized encryption used in complicity with other crimes.

In a way, that might be worse — all forms of communication, no matter whether they are encrypted, are used to facilitate crime. But providers of end-to-end encryption are facing seemingly endless proposals to weaken its protections. I do not think this is France trying to create a backdoor.

I think France is trying to pressure one of its own — Durov is a French citizen — to moderate the massive social network he runs within sensible boundaries. It is proudly carefree, which means it ignores CSAM reports and, according to an April report (PDF) from the Stanford Internet Observatory, does not appear to scan for known CSAM at all.

Telegram appears to believe it is a dumb pipe for users no matter whether they are communicating one-on-one or to a crowd of hundreds of thousands. It seems to think it has no obligation to cooperate with law enforcement in almost any circumstance.

Casey Newton, Platformer:

Anticipating these requests, Telegram created a kind of jurisdictional obstacle course for law enforcement that (it says) none of them have successfully navigated so far. From the FAQ again:

To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data. […] To this day, we have disclosed 0 bytes of user data to third parties, including governments.

It is important to more fully contextualize Telegram’s claim since it does not seem to be truthful. In 2022, Der Spiegel reported Telegram had turned over data to German authorities about users who had abused its platform. However, following an in-app user vote, it seems Telegram’s token willingness to cooperate with law enforcement on even the most serious of issues dried up.

I question whether Telegram’s multi-jurisdiction infrastructure promise is even real, much less protective against legal demands, given it says so in the same FAQ section as its probably wrong “0 bytes of user data” claim. Even so, Telegram says it “can be forced to give up data only if an issue is grave and universal enough” for several unrelated and possibly adversarial governments to agree on the threat. CSAM is globally reviled. Surely even hostile governments could agree on tracking those predators. Yet it seems Telegram, by its own suspicious “0 bytes” statistic, has not complied with even those requests.

Durov’s arrest presents an internal conflict for me. A world in which facilitators of user-created data are responsible for their every action is not conducive to effective internet policy. On the other hand, I think corporate executives should be more accountable for how they run their businesses. If Durov knew about severe abuse and impeded investigations by refusing to cooperate with information the company possessed, that should be penalized.

As of right now, though, all we have are a lot of questions about what this arrest means. There is simply little good information right now, and what crumbs are available lead to yet more confusion.