Channel: Mit der Firmenübernahme steigt das Angriffsrisiko | CSO Online

Telegram founder’s arrest raises anxiety about future of end-to-end encryption


Days on from the weekend arrest of Telegram founder and CEO Pavel Durov in France, the tech industry is still trying to make sense of what this event means for the future of app privacy.

To Durov’s supporters, including a chorus of political opportunists, his arrest marks him out as a victim of a technological clampdown that threatens free speech.

The charge sheet released by the French prosecutor paints a very different picture. According to this, Durov has been complicit by allowing his platform to be used for drug trafficking, the distribution of child pornography, and money laundering.

A third view is more nuanced. To this group, which includes some in the tech industry itself, Durov is really another wealthy tech bro who adopts notions of “freedom” to prop up a self-serving anything-goes business model.

What concerns them more is whether his detention — no senior figure in this part of the industry has ever been arrested on such serious charges before — is a signal of where governments in liberal democracies might be heading in terms of limiting digital privacy.

To E2EE or not

The latter issue connects to a wider and increasingly fraught debate about the status of end-to-end encryption (E2EE), a contentious technology implemented some years ago by apps such as WhatsApp and Signal.

Under E2EE, decryption keys are stored only on devices, meaning that governments can’t eavesdrop on what is being said by demanding the keys from service providers. Not surprisingly, governments hate this, leading to the suggestion in countries such as the US and UK that the technology might be outlawed at some point.

Ironically, Telegram doesn’t use this technology by default, relying instead on traditional server-side encryption where the service provider holds the keys. The app offers a limited version of E2EE called ‘Secret Chats’ but this can be awkward to set up.

That means that by default Telegram can see what is being said if it wants to but, according to the French charges, has refused to co-operate when asked to release details during police investigations.

So, the issue with Telegram isn’t E2EE itself; it’s the fact that the app doesn’t use it in most cases but still refuses to help investigators.

Hiding in plain sight

Despite the encryption difference, privacy advocates are still nervous that Durov’s arrest might be sending a broader message about the status of privacy in messaging apps.

“I’m not a great fan of Telegram. There are a lot of bad people using the platform. Where it becomes a concern is what it means for other platforms,” said Professor Alan Woodward, a security expert at the University of Surrey in Guildford, England.

According to Woodward, it appears that Telegram ran afoul of the French because the authorities could monitor criminality on the app’s broadcast groups. And yet the same abuses are known to be going on in other apps.

“What does this mean for apps like Signal and WhatsApp where the authorities can’t see what’s going on because it’s end-to-end encrypted by default?” Woodward asked.

Just because it’s hidden doesn’t mean that the executives of those organizations would be safe from similar actions, he suggested.

This leads to the possibility that they might at some point be held liable for something they can’t moderate unless they turn off E2EE.

As for the case against Durov, “a lot of this is going to be about proving Durov’s intent. Did he intend to enable criminal activity by setting up Telegram?” said Woodward.

Or if not intent then at least negligence: “If he knows it’s happening and has neglected to do anything about it, that’s a serious charge in itself,” he added.

In contrast, independent security commentator Graham Cluley was less worried about the effect Durov’s arrest might have on encryption.

For Cluley, it’s more that the authorities have run out of patience with organizations that passively allow criminality on their platforms.

“Telegram gives the impression that it’s not bothered about policing groups, even when abuse and criminal behaviour is reported to them. That is perhaps even harder to defend when the offending messages are not encrypted, and so the app has no excuse not to read and remove them,” he said.

The timing of Durov’s arrest was probably opportunistic rather than planned, he suggested.

“He might be wise to not hang out with influencers who can’t resist posting their travels on Instagram,” he said, a reference to reports that a woman travelling with him had revealed his travel itinerary to the authorities.

Putting apps on notice

For now, while the rap sheet is long and serious, none of the charges will necessarily be easy to prove unless the prosecutors have access to evidence not currently in the public domain.

More likely, the case could take years to move through the French judicial system, by which time it could be overtaken by events elsewhere.

Whatever the outcome of Durov’s arrest, it’s hard to shake the sense that social media, including platforms based on messaging apps, could soon be required to implement more active moderation.

That applies to X/Twitter and Facebook, but also possibly to those where the content remains hidden thanks to E2EE such as WhatsApp and Signal.

“The worrying thing is, are the French authorities setting a precedent?” said Woodward. “This could be the thin end of the wedge. If this is the first stage towards getting rid of end-to-end encryption, then that is deeply worrying.”

More by John E. Dunn:

