Arrest of Telegram founder raises concerns about future of end-to-end encryption

2024.08.28

If CEOs are responsible for what happens on their platforms, could this principle be applied to apps that use end-to-end encryption (E2EE), where regulation is nearly impossible?

Since the arrest of Telegram founder and CEO Pavel Durov in France, the tech industry has been grappling with what the incident means for the future of privacy in the app.

In the eyes of Durov's supporters, including a group of political opportunists, his arrest marks him as a victim of a technological crackdown that threatens free speech.

However, a list of charges released by French prosecutors paints a very different picture. According to the document, Durov is accused of conspiracy for allowing his platform to be used for drug trafficking, distributing child pornography and money laundering.

A third view is more nuanced, and includes some in the tech industry who see Durov as just another wealthy tech mogul who has exploited the concept of “freedom” to prop up a self-serving, unfettered business model.

More worrying for them is whether Durov’s detention — no one else in the industry’s upper echelons has been arrested on such serious charges — signals a possible new direction in which liberal democracies might move toward restricting digital privacy.

Whether to adopt E2EE

The issue ties into a wider and increasingly heated debate about the status of end-to-end encryption (E2EE), a controversial technology introduced several years ago by apps such as WhatsApp and Signal.

Under E2EE, the decryption key is stored only on the device, meaning the government cannot eavesdrop on a user's conversations by asking the service provider for the key. Unsurprisingly, governments are extremely unhappy with this, leading countries like the US and UK to suggest they may outlaw the technology at some point.

Ironically, Telegram does not use this technology by default, relying instead on traditional server-side encryption, where the service provider keeps the keys. The app offers a limited version of E2EE called "Secret Chats," but the setup process is relatively complicated.

This means that by default Telegram can see the content of users' conversations if it wishes, but according to the French allegations, Telegram refused to cooperate when asked to provide details in the police investigation.

Therefore, Telegram’s problem is not whether it uses E2EE, but that it does not use E2EE in most cases and still refuses to assist investigators.

Obvious concealment

Despite the differences in encryption technology, privacy advocates remain concerned about the broader message Durov’s arrest may send about the state of privacy on messaging apps.

"I'm not a big fan of Telegram. There are a lot of bad actors on the platform. The worrying thing is what this means for other platforms," said Professor Alan Woodward, a security expert at the University of Surrey in the UK.

Woodward said it appears the app ran afoul of French authorities because they can monitor criminal activity in Telegram broadcast groups; however, the same abuse is widely known in other apps.

"What does this mean for apps like Signal and WhatsApp, where authorities can't see what's going on because end-to-end encryption is enabled by default?" Woodward asked.

He suggested that just because the information was hidden, it didn't mean the executives of those organizations were immune from similar legal action.

This could lead to them being held liable at some point for content they cannot police unless they turn off E2EE.

As for the charges against Durov, “a lot will depend on proving Durov’s intent. Did he intentionally facilitate criminal activity by setting up Telegram?” Woodward said.

Even if there was no intent, there was at least negligence: "If he knew these things were happening and did nothing, that in itself is a serious accusation," he added.

In contrast, independent security commentator Graham Cluley was less concerned about the impact of Durov’s arrest on encryption technology.

For Cluley, the bigger problem is that authorities have lost patience with organizations that passively allow criminal behavior to occur on their platforms.

"Telegram gives the impression that it doesn't care about moderating these groups, even when people report abuse and criminal behavior. This behavior is harder to defend when the offending messages are not encrypted, so the app has no excuse not to read and delete them," he said.

He also suggested the timing of Durov's arrest was likely more opportunistic than planned.

“He might be wise not to hang out with influencers who can’t resist posting travel information on Instagram,” he said, referring to reports that a woman traveling with him leaked his itinerary to authorities.

Warning for applications

Now, while the list of charges is long and serious, the charges are not necessarily easy to prove unless prosecutors have evidence that has not yet been made public.

More likely, the case could take years to progress through the French justice system, by which time events elsewhere may have taken over.

Whatever the outcome of Durov’s arrest, it’s hard to shake the feeling that social media, including messaging-app-based platforms, may soon be called upon to implement more aggressive content policing.

This applies not only to X/Twitter and Facebook, but potentially also to apps that keep content hidden due to E2EE, like WhatsApp and Signal.

“The concern is, are the French authorities setting a precedent?” Woodward said. “This could be the thin end of a wedge. If this is the first step toward removing end-to-end encryption, then that would be very concerning.”