Durov Arrest First Salvo of Final Battle in the 30-Year War on Privacy
On Monday, Telegram CEO Pavel Durov was detained in France immediately upon landing in the country. He was eventually charged with a litany of crimes, including “importing a cryptology tool.” It is only the latest attack in a war against privacy that goes back more than three decades.
The 90s
In late January 1991, a then 48-year-old senator from Delaware named Joe Biden introduced Senate Bill 266: the Comprehensive Counter-Terrorism Act of 1991. Buried in the last third of the proposed bill’s text was a section on “electronic communications” that imposed requirements on providers of electronic communication services.
“It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law,” the proposed bill read.
Essentially, SB266 would have required companies to create backdoors to enable the government to snoop on their customers, making it impossible to have truly private conversations digitally.
That may seem relatively mundane in the post-Snowden leak world we live in, but this was the birth of the digital age and the standards we enjoy online today did not yet exist.
Emails, for example, were sent through the internet unencrypted, in plain text. Any malicious actor with the right hardware and know-how, not just the government, could intercept email and even send emails appearing to come from someone else.
Developing a secure and private way to send information online wasn’t just a civil rights issue; it was a hurdle that needed to be solved before the internet could go mainstream. Had Senator Biden gotten his way, the internet would be a very different place right now.
Today, encryption is used to both hide the content of emails and verify the sender. But even in 1991, it was clear encryption would become a big part of how people communicated digitally and Senator Biden wanted to ensure the government had keys to a backdoor - literally and figuratively.
PGP and Phil Zimmermann
While the bill gathered three co-sponsors, including then Sen. Harry Reid (D-NV), it never got out of committee. Terrorism and the internet were not concerns most people, even Congress, had in 1991. But, it was enough to frighten the privacy advocates that populated the early internet, including one young computer scientist named Phil Zimmermann.
Zimmermann was already working on his encryption software when SB266 was introduced, but it sounded an alarm in his head that would push it from a hobby to an obsession. He would later say he missed five mortgage payments while working on it.
Congress might not have seen the coming fight over privacy in the digital age, but some, like the relatively young Biden, had started to wake up to it. The war might not have started, but the battle lines were being drawn.
On June 5 of that year, Zimmermann sent the first release of PGP 1.0, an acronym for “Pretty-Good-Privacy,” to a few of his friends to upload to the internet. It first appeared on a newsgroup called Peacenet, a gathering place online for activists worldwide. A day later, it was on Usenet, the largest collection of newsgroups and a service that still exists today.
PGP used a technique called “public key encryption,” a method invented in the 1970s by a group at Stanford MIT led by Martin Hellman. Previously, if two parties wanted to communicate using encryption, a key to decode those messages was required.
That presented a problem because, unless the two parties were physically in the same space, that key would have to be shared before encryption took place. The key would go through either an insecure channel, where it could be captured, or through a secure channel which likely meant the physical transfer of a key, which again could be intercepted.
Public key encryption works by giving each user two keys: a public key and a private key. The public key, as the name implies, is shared publicly. Anyone who wants to send the user a message uses the receiver’s public key to encrypt the message, which can only be decoded with the receiver’s private key.
Not even the message’s author can decode it once it is encrypted. It also allowed users to “sign” messages using their private key, proving they authored the message without revealing the private key. That and a later innovation by PGP developers called Web of Trust are still part of how emails are validated today.
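The encrypt, decrypt and sign operations described above, as an added example that is not part of the original article: textbook RSA in Python with small fixed primes. It is not PGP's code and is not secure (no padding, tiny keys); the names Alice and Mallory, the keys and the message are constructed for illustration.

```python
"""Toy public-key demo: textbook RSA with small fixed primes. Not secure, not PGP."""
import hashlib

E = 65537  # public exponent, shared by every key pair in this demo


def make_keypair(p, q):
    """Build (public, private) from two primes; only the public half is shared."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: modular inverse of E (Python 3.8+)
    return (n, E), (n, d)


def encrypt(public, message):
    """Anyone holding the receiver's public key can produce a ciphertext."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(key, ciphertext):
    """Recovers the message only when `key` is the matching private key."""
    n, exponent = key
    m = pow(ciphertext, exponent, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message, n):
    # SHA-256 of the message, reduced so it fits under the modulus
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Signing applies the private exponent to the message digest."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message, signature):
    """Anyone can check a signature using only the signer's public key."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


# Constructed sample keys (Mersenne primes, far too small for real use)
ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**107 - 1, 2**61 - 1)
MESSAGE = b"meet at noon"  # constructed sample message

if __name__ == "__main__":
    ciphertext = encrypt(ALICE_PUB, MESSAGE)
    print("receiver reads:", decrypt(ALICE_PRIV, ciphertext))
    print("sender re-reads:", decrypt(ALICE_PUB, ciphertext) == MESSAGE)
    signature = sign(ALICE_PRIV, MESSAGE)
    print("genuine signature:", verify(ALICE_PUB, MESSAGE, signature))
    print("altered message:", verify(ALICE_PUB, b"meet at nine", signature))
    forged = sign(MALLORY_PRIV, MESSAGE)
    print("signed with another key:", verify(ALICE_PUB, MESSAGE, forged))
```
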
“Their invention essentially allows us today to perform operations on information in our desktop computers that introduces no noticeable overhead whatsoever. The additional amount of time required to encrypt a message with this technology is basically negligible,” explained Dr. James Bidzos, then the president of RSA Data Security, during a discussion on internet security held by the Commonwealth Club of California in 1995. “It is essentially free and it's unbreakable and this presents a problem for the government.”
PGP soon took off and by September 1992 it was ported to virtually every platform besides Mac. But that grabbed the government's attention, and they weren’t happy about powerful encryption being released for free and for everyone.
Computer encryption, at that time, was almost exclusively the domain of governments. It was, after all, originally used to send - and crack - military messages during World War II. By the 1990s, there were a few commercial options, but they were expensive, licensed and crucially, controlled. PGP was free, it was available to everyone and it used a more secure encryption method than anything commercially available at the time.
The US government considered encryption a weapon, and its export was prohibited by the United States. It announced a criminal investigation into Zimmermann, accusing him of violating the Arms Export Control Act - that he was an arms dealer - because his software was downloaded outside of the United States. He was eventually searched by US Customs agents while traveling multiple times.
What was soon called “The Crypto Wars” had begun. By that time, PGP was already being used by human rights organizations around the world, including Amnesty International.
The investigation was ultimately dropped in 1996, four and a half years after PGP was first posted to Usenet. The move came down as the Clinton administration changed weapon export laws, removing encryption software from its “munitions” list. Every Western democracy soon followed.
Today, PGP lives on as OpenPGP and can be downloaded for free by anyone in the world. It is still considered the gold standard for private communications.
The Clipper Chip
Zimmermann was not the only focus of the Clinton administration’s war on privacy and encryption. In 1993, it announced another front in the Crypto Wars. It claimed that it developed a chip with “key escrow” functionality that provided encryption while enabling government access; privacy and patriotic security in one neat package.
Officially named MYK-78, but colloquially known as the “Clipper Chip,” the Clinton administration’s proposal set off a firestorm of outrage not only among the internet community but the telecommunication and burgeoning data security industries as well.
The New York Times called it “the first holy war of the information superhighway.”
The Clipper Chip was created in response to AT&T announcing the launch of the TSD-3600, a device that allowed users - for the relatively low price of $1,295 - to have fully encrypted phone calls.
The Clipper Chip was designed to be inserted into devices, enabling encrypted phone calls that could be unlocked by keys the government held. Its sister chip, Capstone, was designed to do the same thing with data, including internet and fax transmissions. AT&T announced an upcoming modified version of the TSD-3600 with the Clipper Chip, but the rest of the industry was less enthused.
The plan was vehemently opposed by the left and the right: everyone from the American Civil Liberties Union to conservative radio talk show firebrand Rush Limbaugh railed against it. More than 50,000 people responded to the government’s request for petitions on the plan, with the vast majority opposing it, according to media accounts from the time.
The Clipper Chip plan came crashing down when the government gave it to Matt Blaze, a computer scientist working for Bell Labs, in the hopes of clinching his stamp of approval. Within a day, he found flaws that made it unusable, including one that eliminated the backdoor the government wanted to use.
Had that version of the Clipper Chip been implemented, the criminals the government hoped to catch could have modified it to give them more security than they would have had without it.
But the flaws weren’t the reason the chip was a bad idea; it was a bad idea because of the premise of the chip itself, as Blaze detailed in a later interview.
“It’s good that Clipper was killed—and I’m glad that I helped kill it…but it was sorta killed for the wrong reasons,” Blaze told Gizmodo. “The bug I found wasn’t why it was a bad idea. The stuff I found could be fixed…but there were all these other problems—the fact that it involved a secret algorithm…the fact that it included the key escrow mechanism that could be compromised."
"There was no version of this that you could build that wouldn’t have had those problems," he said.
The US Government was the only “customer” to buy the Clipper Chip. While exact numbers are hard to find, it was reported they ordered it in “bulk,” attempting to build demand. In 1996, the same year the Zimmermann investigation was dropped, the Clipper Chip was officially canceled.
The timing of those two events was likely not a coincidence. 1996 was an election year, and the Republican nominee for president, Bob Dole, was slamming the Clinton administration on their online privacy policy.
“Bill Clinton Wants to Put ‘Big Brother’ in Your Computer,” a subheadline of Dole’s campaign website read. “Within his first 100 days as president, Bill Clinton proposed the Clipper Chip…Since then, Bill Clinton has released updated versions of encryption proposals which insist that the government hold a key to individual's private data communications.”
"Bob Dole believes Americans should have the right to guard themselves using encryption."
Clinton won the election, but the pressure from the public, buoyed by his political opponent, encouraged his administration to back off. Their ideas just weren’t popular; Americans still valued privacy in 1996.
From the War on Terror to Telegram
But the desire to eliminate privacy online never went away; it just shifted. In the 1990s, the debate was whether the public should have access to tools that enable privacy. The government lost that battle, and so it started building systems to snoop on everyone who didn’t purposefully use those tools, slowly eroding the expectation of privacy the public had.
After the September 11, 2001, terrorist attacks, massive spying operations were launched, both in public and in secret. Slowly, either due to fear of terrorism or apathy, the American people started to lose their appreciation for privacy, which started to be portrayed as the exclusive domain of criminals and the paranoid.
In 2014, in the wake of the Snowden leaks, former CIA Deputy Director John McLaughlin, who also served as acting director for just over two months in 2004, wrote an opinion piece in the Washington Post to assure the American public that the US National Security Agency (NSA) wasn’t really spying on Americans (they were) and even if they were, it wasn’t a big deal.
“Although our society lauds, in almost ‘Stepford Wives’-like fashion, the merits of ‘transparency,’ it lacks a collective, mature understanding of how intelligence works, how it integrates with foreign policy and how it contributes to the national welfare. Meanwhile, prurient interest in the details of leaked intelligence skyrockets, and people devour material that is not evidence of abuse but merely fascinating — and even more fascinating to US adversaries.”
According to McLaughlin's upside-down perspective, those who want to know what our government is doing are “Stepford Wives” blindly following “society” and giving aid to our enemies. Those who remain willfully ignorant, according to McLaughlin, are the realists who know the NSA is “not perfect,” but the real problem is “the broad distrust of government that has taken root in the United States in recent decades.”
The Snowden leaks did not lead to any real reforms. The government claimed they took measures to protect the privacy of citizens, but those were internal changes around the margins and the new rules are routinely ignored anyway.
No one was fired. No one was arrested. No mass protests hit the streets. The public had been conditioned to expect the government was watching them. This year, Section 702 of the Foreign Intelligence Surveillance Act was renewed for another two years, a massive blow for privacy and civil rights advocates.
“The natural flow of technology tends to move in the direction of making surveillance easier,” Zimmermann prophetically said nearly 30 years ago.
The only vestige of privacy left online is through encryption. For years that was a fairly complicated process; public key cryptography made it far easier than it was before, but few in the mainstream were using tools like PGP.
Yes, email had become secure from spoofing, but most of the encryption was handled by email providers. Google may use encryption to keep users safe from man-in-the-middle attacks, but if they have access to your decrypted emails (and they do if you use Gmail), then there is nothing preventing them from handing that information over.
That changed with apps like Telegram and Signal, which have true end-to-end encryption that not even the owners can crack. Now, more than ever, normal people are using apps that enable their privacy by default.
It’s not perfect; devices themselves are still vulnerable to government intrusion, but gaining access to them is far more difficult than simply sending a subpoena to a service provider. The government could tolerate encryption when it was limited to a few hundred thousand geeks posting on message boards; 950 million Telegram users is a much bigger issue.
On Wednesday, Telegram CEO Pavel Durov was charged with a litany of crimes accusing him of not doing enough to prevent abuse of his platform.
The critical charge, however, the one all the others rest on because without it he could not be blamed for his users’ actions, is once again, as it was with Zimmermann in the US decades ago, providing tools that enable encryption, which is the only vestige of privacy left on the internet in a post-Snowden world.
Durov is out on €5 million bond and is barred from leaving France because, according to the indictment, he was “providing cryptology services aiming to ensure confidentiality without certified declaration," as well as “providing a cryptology tool not solely ensuring authentication or integrity monitoring without prior declaration.” And, thirdly, because he was “importing a cryptology tool ensuring authentication or integrity monitoring without prior declaration.”
The charges nearly mirror what Zimmermann was investigated for.
Instead of the crime being the export of cryptology tools, it is the import of cryptology tools. In the 1990s, the US government argued they didn’t want foreign adversaries to gain access to the privacy that cryptology enables. They may have had ulterior motives, but that was the basis of their investigation.
French authorities are arguing it is a crime to give their citizens the ability to communicate privately. They are adding charges related to what Durov’s users did to lessen public sympathy by associating him with the most horrible crimes, which would be like blaming AT&T because someone used a telephone to order a hitman. However, the cryptography charge is the heart of the case.
“A telephone company can't be sued [for crimes facilitated on its network], it can't control what the people say on the telephone,” former university professor and journalist Jim Kavanagh told Sputnik. “And that's where it should be with these social media companies.”
One may argue that the French are not the Americans, and so these are separate fights by different governments on different populations with different expectations about their freedoms, but that would be the height of naivete.
The attacks on internet privacy and freedom of speech have spread across the West. People and journalists are being arrested in the UK and Australia for social media posts. The US government is abusing the Foreign Agents Registration Act to attack any critics of its policies and has been pressuring social media companies to ban content and users.
In Brazil, a censorship-happy judge is opening investigations on his critics, and then ruling in those same cases. That same judge just shut down X inside the country and imposed a fine worth roughly $8,900 for anyone who attempts to circumvent the ban.
Just because Durov was arrested in France does not mean it is unrelated to the rest. The prosecutions of WikiLeaks founder Julian Assange and whistleblower Edward Snowden are a part of it as well. Their work would have been impossible without reliable encryption.
“[The French are] part of the [Five] Eyes network of NSA-type agencies. And you can bet that the French have not done this rogue, that they have been talking to their American and, I would imagine, also British and maybe Israeli and other counterparts. I'm sure that's happening," Ted Rall, a political cartoonist and host of Sputnik Radio's Final Countdown, said on fellow Sputnik program The Backstory.
The West is systematically removing free speech from the public square of the internet. When that is complete, they will come for the speech in the private corners of it and that is why they need to end truly secure encryption.
“When I look at what happened with Durov,” Critical Hour co-host and former law enforcement officer Garland Nixon said on Wednesday, “You know what term comes to mind? Extraordinary rendition. We can’t quite get away with [arresting Durov] here, so we’ll lock you up if you land in… one of our colonies.”
On October 11, 2020, the Public Affairs Office of the US Justice Department released an “international statement” on end-to-end encryption, making clear that they believe tech companies have a responsibility to install backdoors in their software.
End-to-end encryption that precludes lawful access to the content of communications in any circumstances directly impacts these responsibilities, creating severe risks to public safety in two ways:
1. By severely undermining a company’s own ability to identify and respond to violations of their terms of service. This includes responding to the most serious illegal content and activity on its platform, including child sexual exploitation and abuse, violent crime, terrorist propaganda and attack planning
2. By precluding the ability of law enforcement agencies to access content in limited circumstances where necessary and proportionate to investigate serious crimes and protect national security, where there is lawful authority to do so.
As in the 1990s, the government is arguing that innocent people cannot be afforded privacy, because criminals would have it as well. But, privacy isn’t just for criminals.
Everything from financial transactions to sending your address to a relative so they can ship a present for your child is something that should be encrypted before you do it. Any backdoor is susceptible to being hacked and abused. Eliminating encryption will make the world not only less private but less secure.
In the digital age, a private conversation is not as simple as going to the backyard. Never forget that privacy is supposed to be the default in free societies; government snooping is supposed to be the exception.
“So, this is the end of the celebration of democracy and free speech [and] free expression that was supposedly a foundational part of American and Western civilization,” Kavanagh said.
Writing in 2021 on the 30th anniversary of PGP’s release, Zimmermann warned that his old enemies were coming again and pleaded for the public to take the threat seriously.
“We see it in Australia, the UK, the US, and other liberal democracies. Twenty years after we all thought we won the Crypto Wars. Do we have to mobilize again? Veterans of the Crypto Wars may have trouble fitting into their old uniforms. Remember that scene in Pixar's The Incredibles when Mr. Incredible tries to squeeze into his old costume? We are going to need fresh troops.”
It is time for a new generation of digital freedom fighters to take center stage from our dial-up and Usenet-using forefathers. Users of TikTok, Twitter, Telegram and Signal, unite! You have nothing to lose but your digital chains.