- Complicity - Administration of an online platform to allow an illegal transaction in an organised band,
- Refusal to communicate, at the request of the authorised authorities, the information or documents necessary for the realisation and exploitation of interceptions authorised by law,
- Complicity - Detention of the image of a minor of a child-pornographic nature,
- Complicity - Dissemination, offer or making available in an organised tape of images of a minor of a pornographic nature,
- Complicity - Acquisition, transport, holding, offer or disposal of narcotic products,
- Complicity - Offer, assignment or making available without legitimate reason of equipment, an instrument, a program or data designed or adapted for the attack and access to the operation of an automated data processing system,
- Complicity - Organised gang scam,
- Association of criminals with a view to committing a crime or offence punishable by 5 years of imprisonment at least,
- Money laundering of crimes or offences in organised gangs,
- Provision of cryptology services to ensure confidentiality functions without a declaration of conformity,
- Provision of a cryptological means not exclusively ensuring authentication or integrity control functions without prior declaration,
- Import of a cryptology means that does not exclusively perform authentication or integrity control functions without prior declaration.
Looking at relevant French law it would appear there is a bureaucratic procedure to import cryptography into France.
But how this gets interesting is if Telegram has no explicit office presence in France and the app and webapp are merely distributed to French users resulting in these charges.
If I have a web server in the US that serves content that uses a cryptography JS library and a French user accesses it could I be arrested in France because I didn't declare the library to the French bureaucracy and get it approved?
Has France basically just nuked themselves for non-France based cryptography providers? Is npm going to block France in case a French citizen imports a JS cryptography library? Are a bunch of apps going to get their app removed from app stores for France?
Evidently this all seems incredibly selective and arbitrary but the lawyers are going to have to assess the risks of the French now in a way they didn't before, and once again another unclear rule haunts the EU software industry.
When a prosecutor writes accusation he writes extra accusations like when you go to a store and buy something you buy extra things. This way the prosecutor gets ekstra points, and prestige. I am talking for all countries.
A kinder perspective: you only have one opportunity to prosecute, so you add all the charges you think might be relevant, and let the courts decide on guilt.
I’m sure that the intent is at least somewhat cynical in some (many? Most?) cases, but this serves a legitimate purpose.
Sounds like selectively enforceable laws. And we thought Russia was bad with that.
If we provide an XMPP server on github, should we not allow users from France to use it? Or at which point it gets enforceable?
France has at least theoretically had a licencing/declaration/whatever regime for all cryptography software since forever. Presumably they rarely enforce it, but I remember when they passed it. I think it was supposed to involve key-disclosure back doors somehow.
I wonder, did Google and Mozilla properly certified the cryptogrpahic tools they distribute? And Github is probably the worst offender, hosting thousands of uncertified, illegal cryptographic tools.
Tangentially-related, it remains surprising that many U.S.-based developers I've spoken with fail to realize that they need to obtain an Export Control Classification (ECCN) from the US Dept of Commerce's Bureau of Industry and Security (BIS) before publishing their apps in the app store or otherwise making them available on the net. And then devs need to submit annual updates for their products.
Most will get a mass market exemption under 5D992, but a surprising number of modern applications making 'interesting' uses of crypto will need export licenses.
First time I hear about this as well and I'm not sure if I understand this correctly (because it's in French :p) but it sounds like if your software uses cryptography and you have French users then you need to submit a declaration to some French authority:
Yes I think. For us the audit was part of our ISO27001 certification, but i'm pretty sure you can have other certification, as long as an official audit exist.
Basically, do you know the saying 'never roll your own crypto'? It's a bureaucratization of this saying (to avoid people getting sold insecure crypto). Agree or not on the idea that the government should control that (I'm torn tbh), but it isn't a way to force people into illegality to pressure them.
So basically all networking software uses cryptography...
Yeah, with upcoming EU related changes for software, you need not only programmers, but layers too. Because pretty sure they would implement something similar and more.
This seems to confirm speculation that Durov himself is not accused of committing these crimes, but rather than Telegram didn't do enough to prevent criminals from using it in the commission of crimes. The only exception (maybe?) is the money laundering, which seems to be a direct accusation against Durov.
It's also fascinating that they also seem to be nailing him for failing to disclose the limitations of Telegram's cryptography.
If you manage a message board with illegal activity and don't do anything to take stuff down, you're going to jail. see all the people in the jail who managed sites selling drugs/weapons on Tor. Even worse if it's CSAM like Telegram was doing.
There are public subreddits about drugs, prostitution, and suicide assistance. Presumably the main issue here is whether Telegram was cooperating with law enforcement, but maybe I'm missing something.
That's exactly it but the key differentiator is CSAM is the main and most dangerous one. Reddit doesn't have these problems with CSAM. That's what makes him indefensible.
"failing to perform even basic content enforcement on public channels, with instances of known CSAM being detected and reported by our ingest systems".
Complicity accusations seem to be a stretch. I am not sure if it is the same in French law but according to Wikipedia:
> For two persons to be complicit in a crime that does not involve negligence, they must share the same criminal intent; "there must be a community of purpose, partnership in the unlawful undertaking".
> Complicity - Detention of the image of a minor of a child-pornographic nature
Yikes. He's done. If you administer a message board (whether in open-web, dark web or an app) and your board gets overrun with CSAM and you don't take down CSAM after being reported repeatedly, you're going to go to jail. Simple as that.
Which means any board could be nuked with bots... Kinda reminds me how opposition media got nuked from VK using a similar tactics.
Could probably used against hashtags on Twitter.
Pages 3-4 of the PDF contain an English version with a non-identical translation:
“Pavel DUROV, founder and CEO of instant messaging and platform TELEGRAM, was
arrested at Le Bourget airport in the outskirts of Paris on Saturday, the 24th of August 2024, then taken into police custody at 8 p.m.
This measure comes in the context of a judicial investigation opened the 8th of July
2024, following a preliminary inquiry initiated by Section J3 - JUNALCO (Fight against Cybercrime) of the Paris Public Prosecutor’s Office.
This judicial investigation was opened against person unnamed, on charges of:
- Complicity – web-mastering an online platform in order to enable an illegal
transaction in organized group,
- Refusal to communicate, at the request of competent authorities, information
or documents necessary for carrying out and operating interceptions allowed
by law,
- Complicity – possessing pornographic images of minors,
- Complicity - distributing, offering or making available pornographic images of
minors, in organized group,
- Complicity - offering, selling or making available, without legitimate reason,
equipment, tools, programs or data designed for or adapted to get access to and to damage the operation of an automated data processing system,
- Complicity – organized fraud,
- Criminal association with a view to committing a crime or an offense punishable
by 5 or more years of imprisonment,
- Laundering of the proceeds derived from organized group’s offences and
crimes,
- Providing cryptology services aiming to ensure confidentiality without certified
declaration,
- Providing a cryptology tool not solely ensuring authentication or integrity
monitoring without prior declaration,
- Importing a cryptology tool ensuring authentication or integrity monitoring
without prior declaration.
The investigative magistrates in charge of this preliminary judicial investigation have
requested a co-referral of the Centre for the Fight against Cybercrime (Centre de lutte
contre les criminalités numériques, C3N) and the Anti-Fraud National Office (Office
National Anti-Fraude, ONAF) for the pursuance of the investigations.
It is within this procedural framework in which Pavel DUROV was questioned by the
investigators.
The custody period was extended until the 25th August 2024 by an investigative
magistrate and can last up to 96 hours (that being the 28th August 2024) given the
applicable procedure for organized crime offences, as referred to above.”
So, do I understand correctly that they are not cracking down on him for operating an e2e encrypted app that facilitates all those things (CP, organised crime, etc.) (because as many have already argued in comments in previous threads, Telegram is only E2EE in a very narrow use-case, and most likely the comms in question were not encrypted), but cracking down on him for not giving the authorities access to those unencrypted comms that they've requested, which is seen as facilitation of those things (CP, organised crime, etc.)?
In other words, Signal is in the clear, because it's E2EE for all purposes and the operators wouldn't have the ability (via reasonable means) to access the data in the first place?
At this point I'm fairly confident this is not about the technology per se, so it's pointless to try and find differences and similarities and make sense of them. It's about politics, it's about personalities, impressions and incentives. I feel like governments just gave up on pretending that laws matter, now it's all about "indicting a ham sandwich".
Meaning, Signal is "in the clear" right now, because nobody fucking cares. It might not be, should the owner change, or should it became more popular (either in general or among certain categories of people).
They did charge him on providing "unlicensed" cryptographic services, and I wonder what the requirements for licensing them are if they are public at all.
> In other words, Signal is in the clear, because it's E2EE for all purposes and the operators wouldn't have the ability (via reasonable means) to access the data in the first place?
Sure but telegram isn’t really just a “messaging app”. It has features that support broad social networking. Some of those features just don’t scale effectively if they’re E2EE.
I think the real takeaway is all social networking applications must have active content moderation.
I don’t fully understand the legalese here but it looks like they are not pressing charges against him but questioning him in relation to these charges against unnamed person. Let’s see what happens next.
> they are not pressing charges against him but questioning him in relation to these charges against unnamed person
The French term they're using is "Garde à vue" which is more like "under custody" instead of "in jail"
The last paragraph gives some more info
> The custody period was extended until the 25th August 2024 by an investigative
magistrate and can last up to 96 hours (that being the 28th August 2024) given the applicable procedure for organized crime offences, as referred to above
(I don't think the translation is the best one but it works)
In other words, Signal is in the clear, because it's E2EE for all purposes and the operators wouldn't have the ability (via reasonable means) to access the data in the first place?
> - Provision of cryptology services to ensure confidentiality functions without a declaration of conformity,
Does signal declare conformity of its privacy crypto functions? (with what, anyway?)
Anyway, with Telegram, what is the outher country? What is "import"? Someone using Telegram servers from France? Taking money from customers in France, for provison of service hosted potentially elsewhere? Someone in France being able to download Telegram client?
What about cryptographic tools distributed by Github in France? Do they have proper declarations? What about Linux distributions containing tools like openssl or pgp? It seems to me that a lot of illegal activity might be happening there.
Personal or development use are excluded. Basically if you're selling your own crypto (or a tool with your own crypto) you have to license it. I have to look, but i'm pretty sure openssl is licensed (If you have ISO/IEC 9797 or something you're good)
Yes. The best situation for a government to be in - everybody is doing something that doesn't make any sense to be illegal but it is, so they can do whatever at any time they feel like so.
Appearing to try to comply, responding promptly to questions, etc means a lot to governments. While meta may not moderate well, they do obviously try, and they cooperate with requests (they reply, meet, etc)
This is also a warning to Musk, considering he is trying to turn X into the 'everything' app, and thus far has resisted giving backdoor access to the powers that be.
i hope i’m misconstruing what complicity means here but how long before law enforcement authorities are putting open source maintainers in jail for complicity, because bad actors profited off their labor to terrible ends? the crypto utilities in go, for example, are extremely easy to use, and a competent programmer could fashion their own comms technology out of just that (i’m slightly exaggerating here). but then would law enforcement come for go’s authors?
Software development is already considered a crime in some cases.
Tornado cash devs were an example.
Satoshi Nakamoto decision to remain anonymous and disappear seems wiser as time passes.
I have seen people comparing durov with ross ulbricht which is mind boggling.
This man created a messaging/social media app that is not controlled by the powers that be and now he is getting punished for his freedom and independence.
The Tornado cash developers were charged because they personally profited from criminal activity (laundering greater than $1 billion, helping North Korea). Someone developing software is not in the same situation if they are not also operating a service which criminals can use.
Was it proven that tornado cash devs knowingly and intentionally laundered 1B and helper North Korea or are we just describing what a tumbler does which is to allow parties to mix in their money's and the tumbler operator takes a profit for running this?
That's the problem with this "lowly devs engaging in biz that big finance guys without paying their dues to the rest of the extortion racket". Which HSBC executives got jailed for laundering billions for narcos during the GFC? Oh it was just a slap in the wrist fine.
I _think_ the question here is whether you operate the platform and are able to help the police if requested. E.g. as a developer of an open-source messenger you are probably are not liable, as soon as you deploy and operate the same messenger, and refuse to provide the data you have you can become complicit.
If police asks you to add a backdoor in your software though. As far as I know you are only explicitly obliged to do so in Australia.
I guess so? At least if police reaches out to prevent/stop/investigate a crime where you as an administrator are able to help, and you don't respond, it may be argued that you are complicit.
is that why there are tons of examples of russian dissidents being DOXXED on telegram? and non russia aligned OSINT accounts regularly deleted with no reason given?
You're right, looks like Apple has a form for it if you public an app in the app store that supports encryption other than what is provided by Apple. I see posts from app developers complaining about it and debating whether to check the "none" box or just leave France out. Presumably Google does the same.
Now that I know, I'm actually surprised that Telegram would not have filed that form given its size. How could they have gotten it through Apple's review without doing it?
Do open-source projects on Gihub and Linux distributions, available in France, have proper certification? I doubt it. France should arrest developers and maintainers then. And you definitely can find hacking tools on Github as well.
There are exemptions for development, testing, and personal use, among other things. And the restrictions apply to “products”, which GitHub projects by themselves probably don’t constitute.
- Complicity - Administration of an online platform to allow an illegal transaction in an organised band,
- Refusal to communicate, at the request of the authorised authorities, the information or documents necessary for the realisation and exploitation of interceptions authorised by law,
- Complicity - Detention of the image of a minor of a child-pornographic nature,
- Complicity - Dissemination, offer or making available in an organised tape of images of a minor of a pornographic nature,
- Complicity - Acquisition, transport, holding, offer or disposal of narcotic products,
- Complicity - Offer, assignment or making available without legitimate reason of equipment, an instrument, a program or data designed or adapted for the attack and access to the operation of an automated data processing system,
- Complicity - Organised gang scam,
- Association of criminals with a view to committing a crime or offence punishable by 5 years of imprisonment at least,
- Money laundering of crimes or offences in organised gangs,
- Provision of cryptology services to ensure confidentiality functions without a declaration of conformity,
- Provision of a cryptological means not exclusively ensuring authentication or integrity control functions without prior declaration,
- Import of a cryptology means that does not exclusively perform authentication or integrity control functions without prior declaration.