Indictment of Telegram CEO Threatens End-to-End Encryption

Telegram Messages Hard to Encrypt But CEO Faces Charges for Noncompliant Cryptology
Indictment of Telegram CEO Threatens End-to-End Encryption

The arrest and indictment of Telegram CEO Pavel Durov is sparking concerns about the viability of encrypted communications in France.

See Also: Meet PCI DSS Compliance Requirements for Test Data with Data Masking

The Paris Prosecutor's Office indicted Durov, the 39-year-old Russian-born owner of Telegram on Wednesday, after arresting him Saturday night when his private airplane landed in the Paris exurbs. Durov could face a minimum 10-year sentence and a half-million-euro fine for complicity in hacking, child sexual abuse and other charges (see: Telegram Founder Pavel Durov Charged by French Court).

While the main impetus for charges against Durov appear to be Telegram's lack of cooperation with French investigations into child abuse, Durov also faces charges under the country's Online Communication Freedom Act.

The law requires technology services deploying cryptographic tools to obtain permission from the country's prime minister to operate in the country. Companies are also required to provide details on the technology used, its source code and its algorithmic processing. The law criminalizes any use of the technology that could obstruct law enforcement.

Provision of noncompliant cryptology services are two of the charges for which prosecutors late Wednesday said they indicted Durov.

"The arrest of Durov marks the spectacular confirmation of a shift made in recent years by the French justice system concerning encrypted messaging: the idea that these messaging services constitute, in essence, the tool of crime," said Guillaume Martine, a Paris based business criminal lawyer.

Telegram offers end-to-end encryption on an opt-in basis that requires several steps to enable. Security researchers have criticized the app for touting encryption while simultaneously making it difficult to access and have long-standing criticisms against it cryptology. As recently as 2023, German academics found that the Telegram end-to-end protocol "is susceptible to fairly efficient algorithm substitution attack" that could "potentially lead to a very efficient state-sponsored surveillance of private communications over Telegram."

Durov's arrest showcases a trend by French law enforcement agencies of targeting encrypted services in a similar manner, Martine said Thursday.

This includes the disruption of encrypted service Encrochat by French authorities that hacked into the app servers, as well as their role in the disruption of Sky ECC. These actions also include suspected Encrochat administrators being extradited to France, as well as arrest warrants being issued against two Sky ECC operators.

Other end-to-end encrypted services such as WhatsApp and Signal could also be targeted in a similar manner, even if the platforms ensure compliance under the French law, said Alan Woodward, a professor of computer science at England's University of Surrey.

"WhatsApp and Signal are end-to-end encrypted by default, and they can't do the moderation because they can't read any of the content. If the French government comes along and says, 'We have got to be able to read on an exceptional basis,' then the companies will be forced to comply," Woodward said.

Signal and WhatsApp have argued against efforts to insert a weakness into end-to-end encryption that allows law enforcement to access message content, stating that such measures will threaten the user privacy and create hacking vulnerabilities.

Neither Signal nor WhatsApp returned multiple attempts to contact them.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.