[Cryptography] Updates on Durov charges in France
Jon Callas
jon at callas.org
Thu Aug 29 16:26:41 EDT 2024
American Legal expert Emptywheel (Marcy Wheeler) has a new post:
<https://www.emptywheel.net/2024/08/29/the-missing-detail-about-encryption-in-the-pavel-durov-investigation/>
And in that says:
But one of three encryption-related crimes, “Importing a cryptology
tool ensuring authentication or integrity monitoring without prior
declaration,” was dropped. Again, that could reflect new information
about server locations.
It’s the commentary regarding the (now two) encryption-related crimes
that most befuddles me. The American press, at least, continues to
discuss this as if this is a crime about using encryption.
Some online speech experts and privacy advocates agreed that
France’s indictment of Durov raises concerns for online freedoms,
pointing in particular to charges relating to Telegram’s use of
cryptography, which is also employed by Apple’s iMessage, Meta’s
WhatsApp and Signal.
“French law enforcement has long hated encryption,” said David
Kaye, a professor at University of California, Irvine School of
Law and former U.N. special rapporteur on freedom of expression.
“This seems like a potential avenue for them to blame what happens
on Telegram at least in part on encryption, when the truth is that
the other counts suggest that Telegram’s noncooperation with
judicial orders is the real problem.”
Stamos agreed the charges related to cryptography are
“concerning,” because “that seems to apply even to platforms that
are actively working to prevent the spread of child sexual abuse
material.” He said that while Telegram has at times banned groups
and taken down content in response to law enforcement, its refusal
to share data with investigators sets it apart from most other
major tech companies.
As far as I understand it, the law in question is one passed in 2004 [1]
that required affirmative registration of encryption. Signal, easily
the most protective encrypted messaging app, did register under this
law when it first applied to offer Signal in French app stores. So,
no, they’re not going to be prosecuted under that law, because
they’re following the law.
And therein lies the question I keep asking but people are ignoring:
whether this law works like the affirmative registration requirements
in the US for acting as a foreign agent. The US uses 18 USC 951, for
example, to prosecute people who are secretly doing things for a
foreign government — such as the targeting for which Maria Butina was
prosecuted — without having to prove they were affirmatively spying.
There's more, so go read it if you want. I feel like I've already quoted too much here and there's more information that is tangential (like Proud Boy use of Telegram in Jan 6 cases) but interesting.
Emptywheel brings up precisely the issue in the way that I've wondered about it, and I even brought up FARA as an analogue in a discussion. Emptywheel also notes that Signal registered, so they're not going to be prosecuted. (Fréderic Jacobs even posted on the fediverse about this.) I remember from dealing with it at PGP, Silent Circle, and Blackphone that it was similar to doing export registration here in the US -- I was on a phone call with a lawyer for a half-hour answering some questions, and the lawyer did it. There's further discussion, go read it if you're interested.
My thoughts continue to be that these charges are really just bouncing the rubble; they're charging him with being an accomplice in crimes discussed in plaintext on his service among other things and then saying, "while you're here, we notice you didn't do your registration." Emptywheel says, "I don’t know if this is how France uses this law, or if they may be doing here. What I’m saying is that the crime is failing an affirmative obligation to register, a law that has not prevented Telegram’s counterparts from operating lawfully in France."
Jon
[1]: <https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000801164#LEGISCTA000006117690>
More information about the cryptography
mailing list