A Reuters press release informs of the arrest in France of Pavel Durov, founder and CEO of Telegram, with dual Russian and French citizenship. According to TF1, the reason for the arrest is the lack of content moderation, the failure to cooperate with law enforcement and the type of ‘tools’ -such as cryptocurrencies and disposable phone numbers- freely available on the platform. The French investigators considered that in doing so, Durov did not merely ‘fail to control’ but was a real accomplice in the commission of the crimes. Since we do not have access to the case file of this affair, and therefore do not know whether there are indications of Durov’s involvement in specific acts, it is not possible to say more on the merits. However, this case does allow for some more general reflections on the subject of Big Tech’s liability for the way it designs devices and services that control our existence. by Andrea Monti – Initially published in Italian by Strategikon – Italian Tech La Repubblica
Responsibility by design
The problem posed by Durov’s arrest can be summarised in this question: when a product/service is designed with certain characteristics, and these characteristics allow a crime to be committed or an investigation to be jeopardised, is the person who decided them jointly responsible for the criminal offences that are committed through these products/services?
Some precedents
As far as the US is concerned,the most relevant precedent is undoubtedlythe 2016 clash between Apple and the US FBI over Apple’s refusal to cooperate in accessing an iPhone used by the perpetrators of the St. Bernardino massacre. In this case, too, the crux of the matter was essentially the same: Apple refused to cooperate with the investigators, claiming that the iPhone was designed by default in such a way that it could not be ‘cracked’ and that it could therefore do nothing. But Apple did not stop there because in a letter to its users, Tim Cook explicitly stated that he would not accept the FBI’s request to install a backdoor in iPhones.
While Apple did not suffer any judicial consequences from this choice, Encrochat, an encrypted messaging system widely – if not exclusively – used in the European criminal world and dismantled by a Dutch-French investigation, had a dramatically different fate . Encro-Phones‘ not only ran applications to exchange encrypted messages and calls via a network of proprietary servers, but were also physically modified with the removal of GPS and data ports, so as to make the investigating authorities’ task even more difficult. Here again, therefore, we are faced with a conscious and deliberate choice on the part of the manufacturer of a device and/or the provider of a service, which results in the provision of tools that make it impossible, or more difficult, to carry out police investigations.
The legal limit to the security of a product/service
As much as law is the art of hairsplitting, in the case of design liability it is quite difficult to do it looking for differences between these cases. All of them, in fact, are united by the awareness or lack of awareness of top management of the consequences of the choices made in the design of products and services made available to end users.
In terms of criminal law, however, things are more complex because, basically, liability concerns specific acts committed knowingly. Thus, coming to the practical, in the case of platforms and hardware manufacturers, it would be necessary to prove the direct and voluntary involvement of specific persons who deliberately facilitated the commission of offences, without being able to automatically establish the liability of a manager or CEO.
The knot to unravel
Out of all hypocrisy, therefore, the dilemma is clear: if it is permissible to put into circulation tools which hinders control by the state, then one must accept the existence of total anonymisation services, of systems designed to be impenetrable to unauthorised access attempts regardless of who -delinquents or police forces- wants to commit them, and the right not to cooperate with the judicial authorities.Or else all this is forbidden, and therefore punished, and consequently one has to accept things like hardware and software backdoors, weakened encryption, VPNs managed in such a way as to allow the acquisition of unencrypted traffic, abolition of passwords and other authentication systems, generalised obligation to cooperate, and so on. In the first case, therefore, no one should be punished, but in the second, everyone – no one excluded – should be punished.
The (theoretically) possible solutions and the consequences for the digital ecosystem
A criminal sanction for the design liability of products and services that facilitate the commission of crimes or hinder their detection does not exist (at least, not yet). It is clear, however, that if it were to be adopted, it would disrupt the entire digital ecosystem because it would imply the setting up of a very powerful and capillary system of mass surveillance at the disposal, first and foremost, of Big Tech, to which the control of people would also be delegated, but above all that of police investigations.
However dystopian this prospect may seem, some warning of the presence of such a solution has already appeared in the US, where platform service providers are required to monitor the content stored by users and to inform, indirectly, the competent authorities of the presence of illegal content, and in the EU, where client-side scanning is an option that is far from being shelved.Whatever the choices adopted, one fact is quite clear: the ubiquitous spread of platform services, individual messaging and related security systems have amplified the number and intensity of criminal phenomena to the point where repression (a term used in the technical sense of the penal code) is objectively insufficient and non-functional.
But if the alternative is technological prevention – in the form of real-time monitoring of everything that happens – then device manufacturers, platform operators and users must be forced to operate in ways similar to those practised in regimes characterised by a different understanding of the word ‘democracy’.
Such a perspective is undoubtedly disturbing and difficult to accept even for those who do not live the conspiracy and ‘anti’ dimension based on the paranoia of having to defend themselves against the state that ‘regardless’ controls everything and everyone. At the same time, however, it explodes all the contradictions of a concept of democracy built on the inviolable separation between the state and the individual dimension of the citizen, but which requires the annulment of this boundary in order to be preserved.