The publication of a press release by the Paris Public Prosecutor’s Office on the arrest of Pavel Durov allowsus to delve a little more (but not too much) into the context of the affair because it contains the list of charges brought against the founder of Telegram.
To summarise, the legal bases for Pavel Durov’s arrest are the offences set out in the LOI n° 2023-22 du 24 janvier 2023 d’orientation et de programmation du ministère de l’intérieur, which inserts Article 323- 3-2 and an additional paragraph (the twelfth) to Article 706-73-1 of the Code of Criminal Procedure, and by the Loi n° 2004-575 du 21 juin 2004 pour la confiance dans l’économie numérique that subjects the use of cryptography for uses other than authentication and integrity checks to ministerial authorisation (in practice if it serves to prove one’s identity in an e-commerce service, encryption is freely usable, if it serves to encrypt information it must be authorised by the government) by Andrea Monti – Initially published in Italian by Strategikon – Italian Tech La Repubblica
The shortcomings of the French judiciary’s communiqué
As mentioned, the communiqué does not help much to understand the contours of the case because it generically describes the charges but does not specify the facts that would prove them.
For instance, focusing on the charges concerning the technological aspects, the magistrates speak of ‘aiding and abetting the distribution, offer or organised provision of pornographic images of minors’, ‘aiding and abetting the purchase, transport, possession, offer or transfer of drugs’ and money laundering, but do not specify whether this complicity consisted in being an active and conscious participant in individual actions, or whether the judicial involvement ‘simply’ depended on the way Telegram was designed and the fact that it directly allows cryptocurrency transactions.
Partially different considerations apply to the allegations of making unauthorised cryptographic tools available, because in this case the problem would be having made available encryption systems for the confidentiality of communications without having sought the prescribed authorisation (and complied with the technical indications or limitations laid down by law in terms of, we can imagine, cooperation with the judicial authorities).
While the factual circumstances of the charges against Durov remain unknown, the legal ones are clear, and can be summarised in two areas: the way of building an online product/service and the limitation on the use of encryption to protect information.
Criminal liability for platform design confirmed
As seemed plausible at first sight, some of the charges do not appear to be based on Durov’s direct involvement in the commission of specific offences, but on his being an ‘online operator’ who enabled anonymous access to his platform, who did not comply with rules to prevent the sale of illicit products and services, who allowed economic transactions linked to illicit activities, and who unlawfully imported cryptographic systems to make data and information inaccessible.
We are talking, in other words, about criminal liability for the management, but first of all for the design, of an online platform that allows such ‘elastic’ use as to attract ill-intentioned persons, reassured by the sense of impunity deriving from the ‘security’ of the system.
So, in such a scheme, in order to be criminally liable, one does not need to be aware of the existence of the specific crime, but it is ‘enough’ to know (and tolerate) that thanks to the way the platform works one is committing it.
The idea might not even be inadmissible, and on the other hand, if the rule exists in France -and it does- it must be applied. But if this is really the point, then similar investigations should concern all those products and services through which crimes are being committed, because Telegram is certainly neither the sole nor the only one to be an instrument of this, and as a preventive measure, the blocking of access to the services in question should be ordered, as well as to the apps to be installed on computers and smart devices.
Consistency would therefore require taking the responsibility to declare the entire digital ecosystem ‘outlawed’ instead of focusing on a single operator, and to face the economic and social consequences of such a choice.
The end of free cryptography?
This conclusion becomes even more cogent when addressing the other aspect of the investigation, that of the limits to the use of encryption.
It is an offence for France to directly import cryptographic software that does anything else (i.e. encrypts information) than just check authentication and data integrity without seeking permission from (and complying with the requirements of) the French government. But, then, one should ask whether Meta, Google, Microsoft, Apple and Amazon (just to limit ourselves to the usual names) have asked for these authorisations and, if so, under what conditions they were granted.
The question arises because if the French government’s authorisations are granted with ‘national security’ in mind, then they could be conditional on the presence of backdoors or other systems to access data even without the passphrases or other unlocking systems made available to users.
To be clear: this is not to imply or suggest that these (and other) companies have surreptitiously weakened their encryption (at least) in France, but to ask under what conditions their use has been granted, if at all. In fact, one of two things is true: either the use of encryption in US products and services has been authorised, and then it would be legitimate to ask in what ways and within what limits, or the request to use it has not been made, and then the Paris Public Prosecutor’s Office would have to open a whole bunch of files to assess the state of affairs.
Conclusions
The publication of the press release on the Durov case pierces the veil of hypocrisy that shrouds the way Big Tech operates, the rhetoric of ‘digital rights’ and that of states as custodians of justice.
Big Tech has always exposed users to bugs, vulnerabilities, and malfunctions that are the result of deliberate design choices made to optimise development costs, accelerate market entry, or acquire significant market’s share while turning a blind eye to the rigour of procedures or giving users a ‘free hand’, and certainly not because they cherish freedom of expression and privacy. However, in the glossy marketing of Big Tech everything becomes ‘privacy’ and ‘control over your content’ to the point of using the inviolability of hardware and operating systems as a marketing lever that relies on the paranoia of global control, spread in the name of a religious and fideistic vision of ‘digital rights’.
It is one of the paradoxes of our times that the two extremes, the ‘surveillance capitalists’ and the ‘defenders of digital rights’ converge towards the common interest of calling themselves out of the rules of civil coexistence, which is based on the balancing of rights and not on the veneration of private (privacy, annexes and related) and public (national security) fetishes. At the same time, the overt impotence of states and a-national entities in the face of the downward spread of access to information technologies that are essentially uncontrollable except with hyper-authoritarian solutions forces them to cause ever sharper rips in an increasingly fragile net of rights.
The result is the construction of a colossus with feet of clay that, miraculously, has not yet collapsed, although whether it will come down is certainly a question of ‘when’ and not ‘if’, thanks also to the consequences (if any) of the earthquake caused by the French investigation.