Encryption

Telegram Founder's Indictment Thrusts Encryption Into the Spotlight (nytimes.com) 124

An anonymous reader shares a report: When French prosecutors charged Pavel Durov, the chief executive of the messaging app Telegram, with a litany of criminal offenses on Wednesday, one accusation stood out to Silicon Valley companies. Telegram, French authorities said in a statement, had provided cryptology services aimed at ensuring confidentiality without a license. In other words, the topic of encryption was being thrust into the spotlight.

The cryptology charge raised eyebrows at U.S. tech companies including Signal, Apple and Meta's WhatsApp, according to three people with knowledge of the companies. These companies provide end-to-end encrypted messaging services and often stand together when governments challenge their use of the technology, which keeps online conversations between users private and secure from outsiders.

But while Telegram is also often described as an encrypted messaging app, it tackles encryption differently than WhatsApp, Signal and others. So if Mr. Durov's indictment turned Telegram into a public exemplar of the technology, some Silicon Valley companies believe that could damage the credibility of encrypted messaging apps writ large, according to the people, putting them in a tricky position of whether to rally around their rival.

Encryption has been a long-running point of friction between governments and tech companies around the world. For years, tech companies have argued that encrypted messaging is crucial to maintain people's digital privacy, while law enforcement and governments have said that the technology enables illicit behaviors by hiding illegal activity. The debate has grown more heated as encrypted messaging apps have become mainstream. Signal has grown by tens of millions of users since its founding in 2018. Apple's iMessage is installed on the hundreds of millions of iPhones that the company sells each year. WhatsApp is used by more than two billion people globally.

  • by Bruce66423 ( 1678196 ) on Friday August 30, 2024 @12:51PM (#64749014)

    'Telegram, French authorities said in a statement, had provided cryptology services aimed at ensuring confidentiality without a license.'

    So the debate comes down to whether encryption is a matter of free speech or something which the state has the power to regulate.

    The good news is that the accused has the money to get the best possible lawyers involved. The bad news is that our lords and masters don't want us talking to each other unless they can eavesdrop...

    It'll be a good fight. I will be pleasantly surprised if our lords and masters don't win.

    • Re: (Score:3, Insightful)

      So the debate comes down to whether encryption is a matter of free speech or something which the state has the power to regulate.

      The state has the power to regulate whatever it wants. As we've seen, your own body isn't off limits to regulation.
      • by AleRunner ( 4556245 ) on Friday August 30, 2024 @01:19PM (#64749086)

        The state has the power to regulate whatever it wants. As we've seen, your own body isn't off limits to regulation.

        Never has been. In WWII all powers on all sides conscripted them and sent them into massive risk of death. States which fail to do that get replaced by states which are able to do it. The people are not always conserved in this process.

      • But the state can't reverse a trapdoor function. And if it tries to ban something that it can't regulate then it will only give advantage to criminals.
    • by Mordain ( 204988 )

      Encryption is fancy math. Does this mean the state should be able to regulate any level of math they desire?

      • That's like saying drugs are just fancy chemistry.

        • by Luckyo ( 1726890 )

          Fancy chemistry is fundamentally fancy math.

          • "All science is either physics or stamp collecting." -Ernest Rutherford
            • by Luckyo ( 1726890 )

              Physics is fundamentally fancy math too. He was wrong. Everything starts with math. Including physics.

              Except social sciences. But those are anti-scientific method in the first place.

          • Thought and the chemistry that drives it are not the same thing

            Conflating the two takes heroic levels of mental impairment. Or, apparently, the EU.

            • by Luckyo ( 1726890 )

              "Fundamentally" and "same thing" are not the same thing. Any more so than "red car" is fundamentally a "car" but not the same thing as "a car".

        • by Mordain ( 204988 )

          There's a physical component to chemistry at least, and it's the results that are what is usually illegal (at least at the federal level). It's hard if not impossible to make knowledge of growing or making things illegal, though they certainly try. But with encryption, the results can't be proven illegal (or in most cases, proof of communication of wrongdoing) unless they break the encryption.

      • Obligatory XKCD:
        https://xkcd.com/435/ [xkcd.com]
    • by thegarbz ( 1787294 ) on Friday August 30, 2024 @01:25PM (#64749104)

      So the debate comes down to whether encryption is a matter of free speech or something which the state has the power to regulate.

      While France has free speech and the US has free speech, the idea that this freedom is linked to fundamental freedom of anonymity is a construct from the judicial branch and not something most countries have codified in law. Even in the USA that freedom does not come with the requirement for a service to be offered, i.e. the government can for a whole litany of reasons shut down other services as well if they break another law. Free speech doesn't come into that.

      Even the USA tried to regulate encryption. Their problem wasn't a legal one, but a practical one, attempting to legislate something that wasn't possible in the modern world - export restrictions on math.

      • by Rujiel ( 1632063 )

        "While France has free speech"

        Lol, is that why they would ban an entire platform like Rumble? And now Telegram, depending on how that goes. But either way, it's for the public's protection, of course. /s

        • "While France has free speech"

          Lol, is that why they would ban an entire platform like Rumble? And now Telegram, depending on how that goes. But either way, it's for the public's protection, of course. /s

          Given that neither platform is banned I'm going to go with... yes. I just say yes because your post makes no sense in any context and I figure appeasing you is more productive than getting further involved in whatever bizarre ignorant argument you want to have.

    • What is an ECCN with regards to exporting cryptography to the US?

    • Cryptology is the study of ciphers. Is that really what Telegram was doing? I doubt that.
    • by AmiMoJo ( 196126 )

      TFA is a bit misleading. You don't need a licence, you need a declaration. You have to say you are doing it, not get permission. Other messaging apps have done so, e.g. WhatsApp.

      That's not the main reason they are after this guy though, it's just throwing everything they can at him because you only get one opportunity. Well, you can try to add stuff later, but the courts don't look very favourably on you piling on extra charges when it looks like you are about to lose.

      The main thing is actually a lack of c

    • People only feel the need for E2E because government agencies have assumed the power to wire-tap anyone & everyone, effectively without a specific warrant. It's a problem of their own making. If they respected their own laws & civil & human rights, the vast majority of people could communicate with only massive IT corporations listening in & creating personal profiles about everyone. So that part needs regulating just as strongly as govt warrant-less surveillance.
    • by Zocalo ( 252965 )
      AFAICT, acquiring these licenses is pretty much a formality and it's more a registry of providers than anything else. I suspect it's a throwback to the days when things like SSH were classed as munitions by the US and exporting them to countries that were not friendly with the US was considered a much more serious offence. Of course, it's also a useful thing for the French authorities to have that list and implicit ability to revoke the licenses thereby crippling a company, just in case, so of course it's
      • it's still the law of the land and whether you agree with the law or not

        "Look. The law is frackin' stoopid and the legislators who crafted it are equally stoopid and ignorant, but by its very definition it's beyond reproach"

        How about... no?

        Dumber than a shiat-covered stick is pretty much the de facto standard of anything coming out of the EU.

    • The laws about encryption in Europe and North America are not the same. In general, governments love to spy and don't like it if you interfere with that.
  • by jacks smirking reven ( 909048 ) on Friday August 30, 2024 @12:52PM (#64749020)

    But while Telegram is also often described as an encrypted messaging app

    There it is, Telegram is NOT an encrypted messaging app. It has an encrypted messaging feature but it is a social media platform. Simply because it became popular around the same time as Signal and the other alt-social-media sites in the Facebook/Twitter snapback a few years back doesn't mean both services are really alike in function or purpose at all.

    Now whether Telegram advertised and singalled (heh) to its users that it is an encrypted messaging app, sure, maybe something untoward is there but really if you were doing clandestine shit on Telegram, well, that's a bit on you if you are panicking today. PGP exists.

    • by echo123 ( 1266692 ) on Friday August 30, 2024 @02:21PM (#64749260)

      Not a Telegram user but from what I've read [telegram.org], Telegram actually hosts content on servers under its control. That's a major distinction between it and Signal both technically and legally. That makes Telegram a content provider as well as a messaging tool.

      Telegram is a cloud service. We store messages, photos, videos and documents from your cloud chats on our servers so that you can access your data from any of your devices anytime without having to rely on third-party backups.

      If the government gives you a subpoena, you must comply. Signal saw this coming long ago and engineered specifically for such an event, and there's nothing for them to surrender to the Feds. Signal really is P2P. I don't think Moxie Marlinspike of Signal is terribly concerned with getting hit up by the Feds the same way as what's happened to Telegram's Pavel Durov.

      = = = = = =

      Fun fact: Pavel Durov claims to have fathered over a hundred children.

      https://techcrunch.com/2024/08... [techcrunch.com]

      • Yeah everything I've seen and experienced with Signal seems to show the product is legit, it does what it says it does, money where mouth is as they say.

        As you said, it's actually not that complicated to create a system where the operators of that system have no access to the information traversing it, ultimate and true deniability. It's just usually there's not as much money to be made with such a service.

        • Do you believe folks that say Signal is controlled by the CIA and they've backdoored it?
          • Signal is secure so people use it to say absolutely whatever on their phones.

            Their phones are backdoored.

            Not technically a honeypot.

          • No to the former but that's only because of its open source nature since I think that's pretty much the only way you can truly know if something is backdoored. The latter I think is always possible, a three letter does have potential to break something without anyone's notice.

            Then again that assumes a certain degree of competency so who's to say.

  • by Pseudonymous Powers ( 4097097 ) on Friday August 30, 2024 @12:54PM (#64749026)

    This is why, a few years back, I just mailed everyone I care to talk to a pad of closely printed sheets of random numbers. If they want to communicate with me, they just convert each letter in their message to a number using a chart, then add that number to the number at the corresponding position on the pad, and, if it's greater than the total number of possible characters, subtract that out, then email me the result.

    I'm thinking of patenting it.
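
The pad procedure described in the comment above, written out in Python as an added example that is not part of the original thread. The character chart, the `PadSheet` class and all function names are assumptions made for illustration; the code also enforces the rule the scheme depends on (each pad number is used once) and shows that reusing pad numbers lets the pad cancel out of two ciphertexts.

```python
import secrets
import string

# Chart from the comment: every allowed character gets a number 1..N.
# This particular alphabet is an assumption for the example.
ALPHABET = string.ascii_uppercase + " .,?"
N = len(ALPHABET)
CHART = {ch: i + 1 for i, ch in enumerate(ALPHABET)}
REVERSE = {num: ch for ch, num in CHART.items()}


def make_pad(length):
    """Return `length` uniformly random pad numbers in 1..N from the OS CSPRNG."""
    return [secrets.randbelow(N) + 1 for _ in range(length)]


class PadSheet:
    """One party's copy of the pad. Each number is handed out at most once."""

    def __init__(self, numbers):
        self._numbers = list(numbers)
        self._pos = 0

    def remaining(self):
        return len(self._numbers) - self._pos

    def take(self, count):
        if count > self.remaining():
            raise ValueError("pad exhausted: refuse rather than reuse numbers")
        chunk = self._numbers[self._pos:self._pos + count]
        self._pos += count
        return chunk


def encrypt(message, sheet):
    """Add chart numbers to pad numbers, wrapping as the comment describes."""
    try:
        values = [CHART[ch] for ch in message]
    except KeyError as exc:
        # Validate before touching the pad so a bad message burns no numbers.
        raise ValueError(f"character not on the chart: {exc.args[0]!r}") from None
    out = []
    for m, k in zip(values, sheet.take(len(values))):
        total = m + k
        if total > N:  # greater than the number of possible characters
            total -= N
        out.append(total)
    return out


def decrypt(numbers, sheet):
    """Subtract pad numbers at the same positions and map back through the chart."""
    if any(not 1 <= c <= N for c in numbers):
        raise ValueError("ciphertext number outside 1..N")
    out = []
    for c, k in zip(numbers, sheet.take(len(numbers))):
        value = c - k
        if value < 1:
            value += N
        out.append(REVERSE[value])
    return "".join(out)


def reuse_leak(c1, c2):
    """Position-wise difference of two ciphertexts made with the SAME pad
    numbers. The pad cancels, leaving (m1 - m2) mod N, which is why a sheet
    must never be used twice."""
    return [(a - b) % N for a, b in zip(c1, c2)]


if __name__ == "__main__":
    pad = make_pad(64)                    # constructed sample pad
    sender, receiver = PadSheet(pad), PadSheet(pad)
    ct = encrypt("MEET AT NOON.", sender)
    print(ct, "->", decrypt(ct, receiver))
```

Both parties must advance through the pad in step; a lost or reordered message desynchronises the two `PadSheet` positions, which is one of the practical costs of the scheme.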

  • Fixed that for you. (Score:3, Informative)

    by Anonymous Coward on Friday August 30, 2024 @12:54PM (#64749030)

    These companies provide end-to-end encrypted messaging services and often stand together when governments challenge their use of the technology, which keeps online conversations between users private and secure from intrusive governments and criminals.

    Jami. https://jami.net/ [jami.net] Open source, E2EE, P2P.

  • Quoth wikipedia, https://en.wikipedia.org/wiki/... [wikipedia.org]

    "Loi no 2001-1062 du 15 novembre 2001 relative à la sécurité quotidienne, article 30 (Law #2001-1062 of 15 November 2001 on Community Safety) allows a judge or prosecutor to compel any qualified person to decrypt or surrender keys to make available any information encountered in the course of an investigation. Failure to comply incurs three years of jail time and a fine of €45,000; if the compliance would have prevented or mit

    • This is completely irrelevant. The French law only applies to services providing encryption on their end. It doesn't compel people to hand over something they don't have, nor does it ban end-to-end encryption that is handled by the client. That law is not the reason Telegram is in trouble.

  • by Anonymous Coward

    Keep a careful eye out for when people are talking about cryptographic (cryptologic? ok, I admit I don't know when to use which word) services, versus applications (i.e. code) versus protocols.

    In the US, we have CALEA and it only regulates services: it requires services to be completely insecure, so if someone says they have a secure messaging service, you know they're either lying or they aren't operating in the US. And if you use an app which depends on that service, then you know it can't possibly be sec

    • At least in its original incarnation, CALEA was real-time "lawful intercept", but only covered wiretaps of raw data. Although it was passed around the same time as the Clipper chip was attempted, there were no key escrow or other such requirements, and as such no specific breakage of E2EE systems, nor of things analogous to an STU-III/STE phone [although there's a good chance that STU-III had key escrow, it was a military system].

      It has been subsequently expanded to include VoIP, SMS and "broadband" traffic

  • > For years, tech companies have argued that encrypted messaging is crucial to maintain people's digital privacy, while law enforcement and governments have said that the technology enables illicit behaviors by hiding illegal activity.

    The question comes down to do you trust the government? How much harm (to minors, those being exploited, those harmed by the crimes enabled by true privacy, etc) is worth protecting it. Then again on the other side, how much do you trust government (which can give almo

    • Seems like a long time ago there was a war fought about invasive government and why we shouldn't trust government...

      2003, Iraq

      The revolution was not fought for something so simplistic as "do not trust the government" and we know that because the first thing after the revolution the newly formed states did was... attempt to form a government and first one which was far looser and ill defined as the Constitution today was a failure, something those same founding figures realized and why we have a much stronger federated system today.

      Also the Ben Franklin quote is not about privacy, or distrust of government, in fact in

      • Leave it to NPR to try and weaken a quote by a founding father on privacy. Of course they did. Here are some better quotes from notable folks on privacy that your Commie pals can't weaken in the same whiny/condescending "ackshully" way.

        Tim Berners-Lee - "The right to privacy is crucial for democracy. Without privacy, individuals cannot speak freely, think freely, or assemble freely."

        Bruce Schneier - "Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity
        • Why would the quotes of 2 technology academics, 1 hack reporter and his hack whistleblower matter to anyone about anything? 4 out of 5 have as much validity as I do (and the both of us actually deserve more standing than fucking Greenwald).

          Also none of them are arguing the context of the quote so NPR is right until shown otherwise.

          The founders probably would agree in spirit with that but that does not mean they supported the idea of "do not trust the government". The founders were institutionalists, Frankli

    • I wonder how much intellectual property was stolen by corrupt government because they had access to messaging that should have been encrypted???
      • Probably zero. They don't need to do this. They can just refuse your patent or steal it from you after you do all the work.
  • by PubJeezy ( 10299395 ) on Friday August 30, 2024 @01:24PM (#64749098)
    Encryption is absolutely obviously not the issue with Telegram. Tim Cook isn't facing indictment for iMessage's encryption. There isn't a warrant out for the arrest for Mark Zuckerberg because of WhatsApp's encryption. And no one is calling Moxie Marlinspike a terrorist because Signal uses encryption.

    Telegram became a marketing and sales platform for transnational criminal organizations and guess what, it couldn't have been an accident. Honest folks that want privacy don't need the same things that a drug cartel or human trafficker needs. The fact that they've integrated mass-marketing and payment processing on their platform is a massive red-flag that this wasn't about free speech and privacy.

    Moxie Marlinspike is a hero and Pavel Durov is a villain and it makes perfect sense for one of 'em to be indicted. This is actually an example of the system seeing a complex issue and arriving at the correct conclusion.
    • Encryption absolutely is the issue according to the charge and report. Selective enforcement of laws is even worse than bad laws, and some would call that corruption. You can't just call one person a hero and the other a villain and then apply the law differently while using the act of someone being accused as proof of their villainy. The government wants to read private messages of criminals - they don't understand how exceptionally easy it is to encrypt something. Any criminal organization could create th
    • by Rujiel ( 1632063 ) on Friday August 30, 2024 @02:28PM (#64749300)

      First paragraph: correct
      Second paragraph: as incorrect as the first was correct

      You went from incredulity and back to "think of the children" in 100 words or less.

      The new heat on Telegram is all about censorship. Israel had documents leak on Telegram in August, and now August isn't even done and Telegram has been designated Satanic crimelord hellapp level 9000.

      https://www.haaretz.com/israel... [haaretz.com]

      • What about Level 9001? That’s when Telegram becomes the "Demon Kingpin’s Lair of Infinite Secrets." Once you hit that level, you're basically one encrypted message away from summoning a digital apocalypse.
    • by sfcat ( 872532 )
      Ahem, you know that Ukrainian troops use Telegram too right? You know that both sides of several conflicts use them right? Your efforts to paint Telegram as Russia are exactly what the French government is doing. It is also why it isn't working and the media is having to backpedal. If you were an actual international criminal, you wouldn't use Telegram or you would use it in a way that most people don't. This is about payback for the riots in Paris a few months ago. It has nothing to do with what you
    • > The fact that they've integrated mass-marketing and
      > payment processing on their platform is a massive
      > red-flag that this wasn't about free speech and
      > privacy.

      Huh? I'm pretty sure no one wants or needs mass-marketing; except perhaps for the sort of shitbirds that do the mass-marketing in the first place. But payment processing? Particularly secure, private, and anonymous payment processing? Basically payment processing that's equivalent to a cash transaction? I'm not sure about "need" p

    • by Sark666 ( 756464 )

      can you expand on that? what did telegram do that directly benefited a drug cartel? even if that's the case, my concern is encryption is the issue, and they'll use this 'bad actor' for new legislation.

      • Telegram's added two things that no privacy platform should ever implement, groups/channels and payment processing. Both are the antithesis of private but great for folks trying to sell illegal stuff.

        Groups are persistent and open to other anonymous users, which means they're not secure. Honestly, I'm not even sure anyone is selling anything illegal on telegram as opposed to simply engaging in widespread fraud. If you make a comment on certain cannabis related subreddits you'll get invites to telegram groups
    • I think the difference is that the Telegram encryption actually works and the others don't.
  • Meta's WhatsApp...these companies provide end-to-end encrypted messaging services and often stand together when governments challenge their use of the technology

    Wrong, for this specific app.

  • Only outlaws will mS6 0qVcW1vkUUF

  • "These companies... often stand together when governments challenge their use of the technology"

    Apple and Whatsapp? Do they now?

    https://www.justsecurity.org/7... [justsecurity.org]

    "True, E2EE renders users' messages inaccessible to law enforcement in transit, but it's a different story for cloud storage. If an iMessage user has iCloud backups turned on, a copy of the encryption key is backed up along with the messages (for recovery purposes) and will be disclosed as part of Apple's warrant

  • A few days ago:

    "Telegram is bad because all data is stored on the servers unencrypted. It's obviously a Russian honeypot. Don't go there".

    Today: ...

    Yeah. Shills did a 180. As usual. But "thing you need to hate is bad" narrative just keeps going.

  • This particular case is interesting because it plays into what most people think. Encrypted messages is completely private right? Yes.

    But look at that flying elephant over there ! Did you see that!
    I made you look at the encrypted nature of your messaging app.

    In reality what you said or typed to the other criminal (we'll assume you're up to dastardly deeds for the sake of this argument) is nearly irrelevant. YOU think it's incredibly important because you're an egocentric monster.

    But what is relevant, what t
    • by Rujiel ( 1632063 )

      "But what is relevant, what the service provider gets and shares with national intelligence by law, is the metadata."

      With this metadata talk, you're giving me flashback to the Snowden revelations, or even the Bush administration's granting of retroactive immunity to telecoms that enabled its extensive spying. All media takes were talking about the metadata when (at minimum with the NSA) it was well known that they had a lot more than just that.

      Don't be naive, they want it all. The end of privacy is a stat

  • In a long line of people who think they can throw up a file-sharing server, declare it “free speech” like a sovereign-citizen with a clearly misfiring frontal cortex, allow CSAM to be freely distributed, and expect zero consequences.

    That sh&t’s fine in Russia, but this guy stepped foot in France.
  • by mmell ( 832646 ) on Friday August 30, 2024 @02:48PM (#64749344)

    X^D

    I remember reading a fine magazine article in Scientific American in the mid-seventies which explained how RSA encryption worked. Being a junior high school kid with a taste for mathematics, I understood the article and tested the validity using two digit primes p and q instead of two hundred digit primes to generate e, d, and n and enjoyed something of a revelation into how it worked by doing it by hand. Then-unbreakable (and still unbreakable) encryption was made available to the entire world, implementing the algorithm in code was a trivial exercise for anybody with access to the computing resources of the day.

    I also remember the nineties, when the authors of the (then FOSS) encryption software PGP got brought up on charges of violating US ITAR. The charges were quickly dismissed - check the history on this, it's actually quite fascinating.

    • This is making a comeback... In France ofc.
      Sometimes we have to deal with French customers, and on multiple occasions we've had to fill out export control forms specifying the cryptographic capabilities of our software.
      The best interaction with legal was "the fuck we know? We link the system openssl, whatever the system's cryptographic capacity is, those are ours."

      • Not you, personally, but your organization had better be able to describe in fairly specific terms exactly what encryption is present or that you're not knowingly and intentionally supplying (munition-grade) encryption to anyplace not approved by your nation's government. ITAR is not flexible and the people that enforce it here have absolutely no sense of humor.
        • Don't worry, we basically copied the capabilities of openssl into that form...
          I mean what is an organization supposed to do if the end-user replaces the dynamic library on their system? Statically link everything? That would at least triple our releases.

        • ITAR primarily focuses on military-specific encryption and other defense-related technologies. For most civilian and commercial encryption technologies, EAR is the relevant regulation. Under these restrictions encryption that exceeds 56-bit DES or 128-bit RSA may need a license for export (including just publishing on the web). Thus, most authors make sure that any net-new algos don't emerge in the US initially. Also, open source has specific conditions for exemptions to the license requirement, but that al
  • by serafean ( 4896143 ) on Friday August 30, 2024 @03:07PM (#64749400)

    Most of us here knew/suspected already that Telegram wasn't encrypted in any meaningful way. So let's put that to the side.

    The question burning me is : Why now? What happened that now came the time to strike?
    Is it because Telegram has been piggy-backed on by Russian military when their own (non-existent) network failed?
    Was France just waiting for him to land there for months/years?
    Is it simply that only now they feel they have a case?
    Is it a political PR stunt to show that "encrypted apps" aren't really encrypted, by going at the intersection of popular/technically bad?

    • by Rujiel ( 1632063 )

      Telegram refused to censor sputnik and the EU will not have it. From an NYTimes summary 3 days ago:

      "Mr. Durov made himself a target with an anti-authority ethos that governments should not restrict what people say and do online.."

  • Don't believe for a moment that any encrypted data is secure. I'm sure every major government around the world has the ability to quickly and easily decrypt anything they like. Crying wolf that they can't is just a smokescreen to keep the deception going. If you're sending encrypted data across the public Internet your data is being analyzed ... period.

    • Modern encryption has come a long way since the dual-rot13 encryption you're accustomed to. Trust me, by the time I'm using a 4kb RSA key, no amount of electronic analysis is breaking in.

      I only wish I understood the cryptographic schemes NIST is proposing to beat quantum cryptographic techniques from breaking encryption. I'll have to rely upon the FOSS "million eyes" philosophy and implement it when it's generally available (not that I understand all of the encryption standards I'm currently using, but I

    • This is the best way to operate. We know that most broken encrypted communications applications are broken via their implementation methods or by circumvention (key logging and spying) not by breaking the encryption. Thus, no matter if you believe encryption is truly a magic black box or not, you still have to approach that box some way, some how. That's where they are going to snatch your cleartext. Why bother trying to break encryption when breaking the implementation is so much easier?
  • As the French govt is heavily invested in Matrix https://element.io/case-studie... [element.io] , a federated IM and group messaging service on which any and all communications and files are E2EE, am I the only one seeing the irony of the court bringing up encryption?

    No, I do not believe it's the encryption they don't like, but as a regular there, I believe it's rather
    1) how TG has never given out details about its users
    2) how TG seems like the wild wild west, where any reporting of scambots, catfish or dopescammers

  • French prosecutors charged Pavel Durov, the chief executive of the messaging app Telegram, with a litany of criminal offenses on Wednesday

    Sounds like French magistrates have learned from US justice playbook.

  • Remember the 90's, 40-bit web browser encryption limit (actually 128-bit, but 88 bits were in the clear in order to pass US export laws but also French encryption regulations)? Then French citizens got screwed (hacked, spied on, etc), some of their businesses allegedly lost a lot of money due to data leaks (Airbus?), so they started allowing stronger encryption.
