This is an audio transcript of the Tech Tonic podcast episode: ‘The Telegram case: Privacy vs security’
John Thornhill
Most of us message busily throughout the day, sending text, images and voice notes on messaging apps and through social media. On WhatsApp alone, it’s estimated that more than 100bn messages are sent each day, and for the most part, those messages are encrypted between the sender and the recipient. But what happens if the authorities decide they want to access your private information?
[MUSIC PLAYING]
Welcome to Tech Tonic, the technology podcast from the Financial Times with me, John Thornhill. Two weeks ago, Pavel Durov, the founder of one of the world’s largest messaging and social media apps, Telegram, was detained in France. The charge, failing to co-operate with French authorities in relation to their investigations into criminal activity and child sexual abuse material on Telegram. Last week, Durov spoke out for the first time since his detention, saying that the idea of blaming the CEO of a social media company for the misuse of his platform is misguided. In the tech community, the whole episode has caused alarm and raised questions about the balance between privacy and security.
Eva Galperin
I think this marks the first time that a government has actually arrested the CEO of a sort of social media platform, or messenger, in connection with these kinds of charges.
John Thornhill
That’s Eva Galperin. She’s the director of cyber security at the Electronic Frontier Foundation, or EFF, a San Francisco non-profit that campaigns for online privacy. Eva believes that people have the right to communicate privately on the internet, but I wanted to probe the limits of that privacy and what those limits should be. The charges against Telegram’s Durov allegedly involve egregious material. Even so, there are those who see his arrest, if not as an outright attack on free speech, then at least as raising concerns about government over-reach. Eva Galperin is among the latter and wrote an article saying as much. I started by asking her to explain her position.
Eva Galperin
Well, I think that detaining the CEO of a platform for failing to comply with moderation requests or with requests for data about users on their platform is definitely an escalation. This is not something which has happened to CEOs before. Telegram, for example, has gone head to head with the German government and with the Brazilian government, and it’s always gotten out by paying a fine. So this is, again, an escalation, which is very worrisome. And the French government simply hasn’t brought any kind of concrete facts to the table yet. And so it is really unclear whether or not they have the facts to back up the charges that they appear to be investigating in this case.
John Thornhill
The French press would seem to suggest that part of the reasons for this action is sheer frustration from the French legal authorities that they had sent requests to Durov, and Telegram had just ignored them all.
Eva Galperin
Well, the Brazilian government and the German government were pretty frustrated as well.
John Thornhill
Right. The last few weeks have been a real moment for relations between governments and social media companies, haven’t they? It’s not just Telegram that’s found itself in the cross wires, but also Elon Musk’s X. A Brazilian judge has banned access to X after it refused to co-operate. Are they parallels with Telegram?
Eva Galperin
I think there are actually some really interesting parallels to what’s happening with X right now, though I hesitate to comment because the political situation is actually very complicated and the legal situation is complicated. But definitely one of the big parallels is that the Brazilian government wants X to take down certain accounts or to be more responsive to its requests. And in response to this, if I recall correctly, Elon Musk has simply shut down X’s presence in Brazil so that, there will not be hostages. So he fired everybody in Brazil so they cannot be held responsible. And he has refused to name a new person who will live in Brazil, who will be held responsible if X fails to respond to government requests for moderation or for data about accounts. In that way, this is very similar. But it is different in that what Brazil has chosen to do is to order the blocking of X in Brazil, whereas in France they have simply waited for Pavel Durov to come to France and arrested him. This would be as if Elon Musk while travelling through Rio de Janeiro, was snagged by the Brazilian government and told he could not leave.
John Thornhill
There is a dual option on both sides, isn’t there, that the Brazilian government could shut down X in Brazil? But we’ve seen that elsewhere as well. The Indian government has shut down TikTok, for example. But the companies themselves could also refuse to operate in a particular company because they don’t want to comply with that country’s laws. So is that right? Do you think that the ultimate sanction, in a way, is for a government just to say we’re not going to allow the service to be offered in our country?
Eva Galperin
Well, often it’s not that simple. For example, most countries do not have a single switch that you can pull that will block an app from being available in that country or for being used in that country. It is the internet censorship is more complicated than that. I think Brazil is doing this by essentially banning the sale of the X app in, in the like, I guess in the Google and in the Android and Apple play stores. And also by blocking the X domain and the way that you do that is you send orders to every individual ISP, which is one of the reasons why the other clash that the Brazilian government is having with Elon Musk right now is over Starlink, which is another one of his companies which provides internet access in difficult or remote places over satellite.
John Thornhill
The other thing the Brazilian government has also tried to do is to stop people accessing X using a VPN, a virtual private network.
Eva Galperin
It’s unclear what’s going on there. When I first heard about the court order, it apparently included language punishing X users for using a VPN to access X. It is not clear that language is still present right now. But certainly if that language is present and if the Brazilian government turns around and starts punishing X users, I will be extremely upset.
John Thornhill
Yeah, I imagine the EFF is very strongly opposed to any government attempts to stop using people using VPNs.
Eva Galperin
Yes, and also punishing a platform’s users for the behaviour of the platform’s owner is disproportionate and ridiculous.
John Thornhill
And the French government presumably would hesitate a lot to ban Telegram outright in France because many of them, including Emmanuel Macron, the president, use it themselves.
Eva Galperin
Yes.
John Thornhill
So the French authorities are saying that Telegram has not complied with their requests to help them investigate criminal activity on Telegram. To what extent, more generally, do social media and social network companies comply with such requests?
Eva Galperin
Well, it depends both on what the social media platform does and how much control it has over the data flowing over its app or its platform. Not all platforms are sort of created equal, and not all traffic is created equal. One of the things that’s really confusing about Telegram is that Telegram is actually sort of two different kinds of services. First is a social media platform and the way that we understand the X or Facebook to be. So there are a lot of channels people can post things to channels. They have tens and sometimes hundreds of thousands of followers. You can also engage in group chats, and sometimes those groups can be very large. And all of the traffic in group chats and on channels is not end-to-end encrypted. So that traffic is visible to Telegram. So it is not unreasonable to think that Telegram could take things down or provide you information about what is happening on those channels, in response to government or law enforcement requests. But Telegram also has a mode, where you can have a one-on-one conversation with someone and you can turn on secret messages which end-to-end encrypts your communications. When you have end-to-end encryption, then the middleman, which is to say Telegram, can’t see what you’re talking about. So if the government’s request has to do with telling them, what is the content of that communication, Telegram cannot comply with that request unless they do something to undermine the encryption so much that it is no longer an end-to-end encryption.
John Thornhill
OK. Could you just talk us through there, what happens, say, when the US government goes to Apple or Facebook and asks for metadata on some of the user exchanges that happen there? What data can they legally request?
Eva Galperin
Well, legally they can ask for anything, whether or not Apple or Facebook or Signal or WhatsApp can actually hand over that data varies. When it comes to end-encrypted communications, some of the most common, end-to-end encrypted chat apps that people use right now are WhatsApp, which has something like 3bn users. Signal, which is run by an independent non-profit and also creates the cryptography, which is used by and licensed by WhatsApp. Facebook Messenger is now end-to-end encrypted. And all of these are platforms where the data is end-to-end encrypted by default. So you don’t have to turn on a secret message mode. Just every single message that you are sending, including messages to groups of people, are end-to-end encrypted.
So the contents of those communications are not available to the platform, which means that you don’t have to trust the platform not to hand over the content of your communications. But that still leaves the metadata. And metadata in this context, is all the data about the data. If you think about your message as a letter, the data is the letter that you put inside the envelope, and the metadata is all the information on the outside of the envelope. So where is it going? What is the address that it’s being shipped to? In this particular case, you also learn things like when was the message sent? When was the message received? So those are the sort of most common types of metadata that come with end-encrypted chats. WhatsApp keeps a lot of metadata about, you know, sort of who you’re talking to. And when you’re talking to them, even if they don’t keep the contents of your communications. And they do give that up response to valid government requests and law enforcement requests. Signal, on the other hand, makes a point of simply not storing that data so they can’t give it up. They don’t have any information about who you’re talking to or when you’re talking to them.
[MUSIC PLAYING]
John Thornhill
You were talking about Telegram’s end-to-end encryption and secret chats, but you really have to opt in to that. So have they made themselves vulnerable in the sense for the legal authorities could ask for more content. Whether they hand it over or not is a different matter, but some of that traffic is unencrypted.
Eva Galperin
Yes. Well, some of that traffic is not end-to-end encrypted, which is to say that Telegram has access to the contents of those communications. And one of the big problems that I have encountered when I work with vulnerable populations is that Telegram actually has a sort of unearned reputation as a secure messenger. And, when Russia invaded Ukraine, a couple of years ago, lots of Ukrainians were using Telegram, and they were under the impression, not only that there were one-on-one communications were end-to-end encrypted, which they were not, unless they turned on secret messages, but also that their group communications were encrypted, which was simply not the case.
John Thornhill
So for vulnerable populations, you would absolutely advise them to make sure that they use end-to-end encryption, either on Signal or WhatsApp, or make sure they turn it on in Telegram.
Eva Galperin
Well, again, it depends on what you mean by a vulnerable population. Every single vulnerable population has a different what we call threat model. So whenever somebody tells you that something is secure, always ask. Secure from whom? What kind of attacker am I securing things from? If your attacker includes somebody who has the ability to send a government or law enforcement request to Telegram, and can reasonably expect to have Telegram comply with that request, then, yes, you should turn on end-to-end encrypted messages so that they cannot hand that information over. But really, the best thing to do is simply to get off of Telegram and to move to any of the end-to-end encrypted services that encrypt all of your communications every time by default.
John Thornhill
Right. So Telegram is more vulnerable because some of its services aren’t encrypted. And even when things are encrypted, then governments or authorities can put in requests to see the metadata. But if a government is trying to prosecute a crime, shouldn’t companies share whatever data they can access?
Eva Galperin
For example, a law enforcement request that is coming from British police or from even French police. We do not feel that it should be treated in the same way as a request that is coming in from, say, Turkey or India or UAE, places where the rule of law is not very strong and it is very common for people in power to use the law in order to pressure platforms into giving away information about or silencing their political opponents. For example, Modi has absolutely done this by a government request to X. President Erdoğan in Turkey is actually quite famous for being humourless about people posting critical memes about him to social media, and frequently sends out takedown requests or requests seeking to unmask the anonymous people who are posting these things so that the government can go after them — which they do. I spent many years working on EFF’s legal team, and I saw many sort of legal requests coming into platforms having to do with using things like copyright law or defamation claims in order to get information about political enemies, about critics. I’ve also seen these kinds of requests used as a way to de-anonymise journalists’ sources for stories that are critical of people in power. So it’s one of those things where you really have to be very careful.
John Thornhill
So how do you think social media platforms or messaging apps should approach these requests when they come through?
Eva Galperin
If you are getting requests from a place with a good track record in the rule of law like the US or the UK or France, then we’re not saying that you should rubber stamp it. We’re saying you should definitely have a lawyer take a look at it and see whether or not it’s valid. And if it’s not valid, you should get your lawyers out and you should push back on it in court. And these places that have rule of law, Pavel Durov is not inclined to do any of these things because this requires employing a lot of lawyers going to court a lot. So it increases his overhead costs and so it’s a lot easier for him to just pretend that it’s impossible.
John Thornhill
On Telegram itself, I mean, and I’ve spoken to them in the past, they make the point that they have not handed over any data to governments and that it would be very dangerous for them to distinguish between, say, a democratic and an autocratic state. Because if you concede to, say, France in this case, which is considered a rule of law country, then every other country would want to have the same access. So how practically could Telegram say, well, you’re an acceptable company and we’re gonna comply with your request, but you’re an unacceptable country and we’re not gonna comply with your request. Do you think that’s reasonable for Telegram to make that distinction?
Eva Galperin
I think that . . . well, first I would point out that no other platform takes this position, which tells you a little bit about how reasonable it is. And in the end, every country is in some way liable when it comes to the requests of governments and law enforcement in places where they are storing data or places where they have employees. So, pretending that, oh, we’re just going to ignore every single government request for user data is disingenuous and unrealistic. In the end, Pavel Durov has to live somewhere. Which, incidentally, is Abu Dhabi, not a place with a great track record in the area of human rights or rule of law. In the end, Pavel Durov has to transit through places such as France, where he may be held liable. And he’s discovering the reality of that really quickly right now and over the last two weeks.
[MUSIC PLAYING]
John Thornhill
Since Dorov’s arrest, people have been arguing that this is a move against free speech. Is that right, do you think?
Eva Galperin
It depends. Again, we are not really sure what kind of communications the government wants Durov to censor and we’re not sure whether or not he is being asked to backdoor end-to-end encrypted communications. We simply don’t have enough details right now to make that kind of call. But I am watching it very closely because there is a chance this could all go very wrong very quickly.
John Thornhill
And the idea of backdooring is when a bypass is created into end-to-end encryption. So if needs be, a third party has a means of viewing those messages. But can you say more about the Telegram case specifically? In what ways could it go wrong?
Eva Galperin
Well, this could be the result of the French government essentially arresting the CEO of a company because he will not backdoor his end-to-end encrypted communications. The way that the charges are structured indicates that probably a lot of these requests have to do with content on channels and in group chats rather than end-to-end encrypted communications. But they don’t specify. And as long as they don’t specify, I’m keeping a very close eye on it.
John Thornhill
You’re obviously quite right to caution against this kind of over-interpreting what they are looking at, but they haven’t specified that they do think there is abuse on the site to the extent that child sexual abuse material or criminality is shared on Telegram. And that surely is a legitimate concern for governments to worry about, isn’t it?
Eva Galperin
Where that criminality is happening matters in the discussion around encryption. If this content is in Telegram channels and in Telegram group chats, or even in one-on-one chats without secret messages turned on, and therefore is content that Telegram can see and therefore control. That is a very different sort of request than saying that this content that you can’t see is full of illegal stuff, and you are going to have to undermine the . . . or backdoor the encryption that you are providing people in order to stop bad things from happening.
John Thornhill
Could you help us understand a bit more about what backdooring is? I mean, I think it’s being compared to leaving your keys under the doormat, isn’t it? And how would a backdoor work and why would it be such a terrible idea?
Eva Galperin
Well, there are good reasons why people compare this to leaving your keys under your doormat. And this is because when you have an end-to-end encrypted communication, the keys to decrypting the content of that communication are present only in two places and possessed only by two people. In a conversation between two people, they are possessed by the people on either end of the communications, and they live on the devices belonging to those people. So the the middleman, the platform doesn’t have the keys and therefore, no matter what you do to the middleman, no matter how much pressure you put them under, they cannot hand over the content of the communication. This is the promise of end-to-end encryption. This is the reason why governments rely on it, why corporations rely on it. This is the reason why finance relies on it. And the the intelligence community relies on it.
One of the questions that I always ask governments, when they try to come up with schemes for, backdooring encryption is all right, so give back door, end-to-end encryption and it is no longer possible to have a secure, end-to-end communication, so what are you going to use? And that is a very . . . often they’re very confused. This is one of the things that really stumps them often, sometimes they will imagine a world in which there is really this stuff is only used on bad guys. But you cannot create a backdoor that only good guys can walk through. That is only available to governments and law enforcement. Usually what these backdoor proposals look like is no, we’re gonna give a third set of keys and we’re going to give it to the government, or we’re going to give it to law enforcement. It’s only gonna be used in emergencies, and we’re truly never going to lose them, and they’re never going to be cracked and it’s never going to be a problem. And that is simply unrealistic.
John Thornhill
Why do you say unrealistic?
Eva Galperin
I work in information security, and let me tell you that if you make a set of keys that will unlock end-to-end communications on a platform for everybody, that they will immediately become a target for just every intelligence community and also just about like every government and every hacker on earth, because it would make them incredibly powerful. And then it would only be a matter of time before those keys are lost. And then once the keys are lost, there is no putting the genie back in the bottle.
John Thornhill
So the law enforcement authorities, if they were to compare it with, say, a telephone call, that if they apply for a legal mandate from a judge to tap someone’s phone, that they can do that, they can listen in to a call as long as it’s not encrypted. But what you’re saying is that an end-to-end encryption that is impossible to listen into that call, as it were. And it’s quite right. You shouldn’t be able to listen into that call, because the ability to do so would then compromise the ability to listen to into any end-to-end encrypted message.
Eva Galperin
That is correct.
John Thornhill
Do you think this arrest will reshape the government-social media relations in the future? Is this gonna be seen, do you think obviously depends on how this case plays out, as a landmark case?
Eva Galperin
I think it’s unclear, especially because most of the other platforms moderate a great deal more than Telegram. And so they may think that they are safe.
John Thornhill
Where do you think the balance should be struck between the government’s legitimate rights to help pursue criminal investigations against terrorist activity, or against paedophiles, and the users’ right to privacy?
Eva Galperin
Well, I think that the users’ right to privacy in an end-to-end encrypted chat is priority. The reason for this is that if the platform starts to backdoor end-to-end encrypted chats, then it makes all end-to-end encrypted communications over that platform unsafe for everyone. So the potential downside of backdooring end-to-end encryption is that you have completely destroyed privacy and security on that platform, not just for that one person, but for everybody. And that is a really big deal.
Having said that, I am not of the position that if a government sends a law enforcement request to a platform having to do with content that it can see and it can control that the platform should just automatically laugh and throw it in the garbage. What matters is who is the request coming from. What are they asking for? What is the state of rule of law in that country? Do you have employees in that country? Do you have data in that country? These are all considerations that platforms take into account when they get this kind of request.
John Thornhill
Thank you very much, Eva.
Eva Galperin
Thank you so much.
[MUSIC PLAYING]
John Thornhill
That was Eva Galperin from the Electronic Frontier Foundation. You can keep up with all the news about Telegram on FT.com. This case is gonna be closely watched by the tech world. But as Eva makes clear, this action is unprecedented and has some very big implications for everyone on the internet.
You’ve been listening to Tech Tonic from the Financial Times with me, John Thornhill. We’ve put some free links related to this episode in the show notes, so do check them out and do leave us a review. It helps spread the word. This episode of Tech Tonic is produced by Persis Love. Edwin Lane is the senior producer. Manuela Saragosa is the executive producer. Sound design by Breen Turner, original music by Metaphor Music and the FT’s head of audio is Cheryl Brumley.
