This shouldn't surprise anyone. If a company collects info about some user and the government comes to them with a legitimate warrant they have to handover the information about that user (or risk going to jail/other action by the court) . There is a reason other companies like signal go out of their way to collect as little as possible.
>the government comes to them with a legitimate warrant
Which government, such as the French government for all Russian users, the Russian government for all Ukraine users, or the USA government for all users?
Whose standard for warrants, and how much use of coercion and force are they allowed to use for enforcement. Can the USA kidnap the owners for non-compliance, can the Russians?
You’re asking very basic questions that the answers to have been the same for hundreds of years. If you do business in a country you have to answer to its laws or you risk asset forfeiture or arrest.
That would only be true if you step foot in that country or posses assets in that country, right? Though I imagine the US government can reach a lot farther than the Russian or Chinese governments.
Also bear in mind that government can convey restrictions on any other business in that country. See Brazil requiring ISPs to ban Twitter (even a penalty on individuals bypassing the block using VPNs!), or the US basically prohibiting any business with anyone in Russia.
Basically if you want to operate in a country, you probably need to obey their laws, no matter what you think of those laws. If you ignore them, you can't really be surprised if you get blocked or penalized from doing business there.
The ironic consequence of this is eventually if you want to use big tech for messaging privacy you'll be forced to basically pick one under the jurisdiction of an enemy non-extradition state like Russia or China. Sure their governments will farm and exploit the metadata even if encrypted, but they won't be handing it over to the west unless the deal is juicy.
Eh, not really, because the US has shown it's happy to go ahead and make it illegal to have TikTok here as well. The real result is probably much, much simpler: Globally-operating apps won't make as much sense as they got away with in pre-regulatory eras of the Internet.
Big Tech has basically spent the past twenty years pretending their global status made them above the law of any one nation, but in reality, being a global company just means you're subject to all the laws of all the nations.
remarkably, these are not very basic questions, and the answers are not the same for hundreds of years since this is electronic records that cross international boundaries
Certainly principles of international jurisdiction are well settled and fairly consistent. In that sense the comment was correct.
However, you are also correct that legal principles around information collection and transmission are both new and not well settled.
This feels like one of those hn discussions where everyone will end up talking past each other because of terminology failure.
I mean if you were shit talking France when living in England a few hundred years back you're likely to get put on the enemies of France list, even if your pages were for consumption in England. Now if you never left England there wouldn't be much to worry about, unless they suddenly became friends and decided to export your corpse for goodwill.
That link states that they only have two data points tied to an account: time of account creation and time of last connection. Since phone numbers are used as the account identifier, law enforcement would need to supply the phone number for signal to look up the account, right?
Do you have any source for Signal supplying IP logs?
This all seems bad news for all Russian war channels, but I guess they had enough time to migrate already. Influencers influence the whole world anyway, so they should expect a knock on the door if so brave. Stupid drug dealers will find other ways to deal or will go deeper the crypto/tor hole. Childporn offenders are anyway legit target for Mr.Robot. Who's left then...? Music pirates - who cares, Spotify lives on, Soulseek does well to. Torrents apparently kill business only where it cannot exist at all due to cultural specifics.
This all somehow leaves perhaps not-so-big list of particularly interesting gentlemen then certain countries will undergo a lot of trouble to get to. No wonder then they did so this time, but wonder which particular among these is the culprit this time...
I doubt the war channels are to be concerned, perhaps the secret chats, and leftover magic in the normal chats. Or even simpler - the phone of the devices allows mobile net tracking, for certain operations this is potentially more than enough.
This will depend on how the company is registered and represented in the states it operates in. It will also depend on the citizenship of the kidnapped owners (and whether it will be even necessary, as maybe extradition would also work).
In any case, a court in any particular state will be responsible for issuing the documents entitling the law enforcement to particular data. There's also the process to dispute issuance or legitimacy of such documents, again, through courts.
So, obviously, there isn't a single answer to your questions. But, obviously, they aren't without answer. Any specific case will produce a potentially different set of answers.
Where ever they want to do business at. If they expect to be allowed to operate in France/the EU they will have to comply with legitimate French/EU warrants. No one is saying they can't fight it if there is a reason to.
>Can the USA kidnap the owners for non-compliance, can the Russians?
Jailing someone/holding a company in contempt that does business in your country for ignoring legal warrants isn't kidnapping. Trying to frame it that way is pretty silly and disingenuous.
What does it mean to "operate" in a country though? If I operate a service in the US and have no servers in Iran, no employees in Iran, no physical presence in Iran whatsoever, but Iranians are communicating with me over the global public internet, does that mean I have to comply with Iranian law? What about if its France and not Iran? What if these French/Iranian users are not only communicating with me, but also sending me money and/or cryptocurrency in exchange for that communication?
Personally I would contend that none of that counts as "operating" in France or Iran. You're operating entirely in the US, and it would be ridiculous for Iran or France to try to subject you to their laws just because people who live in their country are communicating with you or sending you money. (Though obviously those people are still subject to the laws of their respective countries in what they're allowed to do when interacting with you, just as you are subject to US law in your interactions with them.)
Of course, the fact that something is ridiculous doesn't prevent a sovereign country from trying to do it anyway. Iran can threaten to assassinate you for communicating with their citizens, and France can threaten to jail you if you ever travel to France or extradite you. Both of those threats are unjustified in my opinion and should not be supported or condoned by other countries (particularly not the US), but like I said; they're sovereign countries so we can't do much to stop them if they want to be unreasonable.
If you are serving people in Iran or France then you are operating in those countries regardless of where you or your servers are and so you do have to comply with their laws or risk facing the consequences.
Now, depending on where you are at the reach of the consequences can be negligible and not impact you at all or can be a major problem.
At minimum you will get your service banned in those countries.
In this example everything is happening on U.S. servers, with U.S. employees, on U.S. soil. How is that "operating in" Iran or France?
If someone physically flew over from Iran and talked to me in-person instead of over the internet would you make the same argument? That I'm "operating in Iran" and should be subject to Iranian law because I'm talking to an Iranian citizen? What if it was via a letter? How about a phone call?
So what? Legitimate warrants cannot exist? Companies exist somewhere, and they follow the rules that can be enforced on them. I'll take warrents by imperfect democracies over autocracies and dictatorship any day.
You ask these like they are some kind of gotcha moment, but all of these very simple questions have been answered for decades by international law. You think yourself clever but show yourself ignorant.
Every time someone brings up Signal in these threads I cringe. One can make up stories about spam protection as much as he wants, but given how little (basically none) control one has over him phone number, no messenger strictly requiring a phone number can be considered "privacy-oriented" by any sane person.
I think you are confusing "privacy-oriented" and anonymous! Signal is pretty privacy oriented since it has E2EE by default (and so does Whatsapp). Telegram would be much more privacy oriented if it had E2EE by default.
This is only true if the cost of storing user data is greater than the profits it generates. When companies are allowed to sell out users and punishment for data leaks are just seen as the cost of doing business then why would you not store whatever data you can get your hands on?
User data is only an asset if your business model demands it, like Google and Facebook. If you don’t have, and won’t create, a way to monetize it then yes, it’s strictly a liability.
The incentive is to claim to collect as little as possible. What a company actually collects is between them and any influential state actor that can manage to make use of the data in secret. A company can't support the needs of such an actor and law enforcement at the same time.
you care confusing collecting data with persisting user data.
it is easy to prove what your app collects from OS's permission model and web traffic. People are less interested in whether you store it for future use or discard it immediately after receiving.
Even if you claim you don't persist any of user data, you would still be collecting it
Now the question is, to which government Telegram will comply to share your info.
If I live in Germany, and I do a channel with offensive content against the government of an Arabian shitty country, let's say UAE for example. The content might be legal here but illegal there.
Will the UAE gov be entitled to get my IP address and other info? Leading them to be able to use that to harass me, like targeting me with Pegasus for example?
This was entirely predictable and inevitable. I don't understand what Durov thought would happen nor why he rejects E2EE as a liberating technology.
Policy will never be the key to digital privacy, it must always be accompanied by cryptography. The status quo of allowing a third party read and store your messages forever, slurping up all the metadata along the way, is insane.
I think it is pretty obvious why Durov did not opt for universal E2EE. His main purpose of making Telegram was to make the chat app that is the most usable of all. E2EE comes with a cost on user experience which was for him too high.
Example: Signal can't handle more than one phone logged in, and if for some case you don't open the desktop app for more than 30 days, it logs you out there and you can never get these messages to the desktop.
Indeed this is. For some reason, all the implementations that I can recall suffer from some usability problems. I expect that if a solution that is acceptable for Durov is discovered, they will roll it out. Of course, my prediction might be wrong.
Good that the company is able to continue functioning with the CEO being trapped and under charges. Shame on France for pulling a nasty warrant mid air.
Well, the fact that Telegram wants to cooperate to me suggests that they previously could have been cooperating but weren't, which makes a charge of complicity make a lot more sense now. Thanks France!
Could you please stop posting unsubstantive comments and flamebait? You've unfortunately been doing it repeatedly. It's not what this site is for, and destroys what it is for.
Rubber hose cryptanalysis works every time, unless you design your protocol to not have any visibility into the data. Which is impossible in the case of Telegram feeds at the very least.
You can't submit the same article twice for the most part. Dupes are duplicate discussions. There's an earlier article with some discussion and eventually maybe mods will merge them. No need to split up the discussion. Share your thoughts over there!
You could even suggest this link in that thread as a better article option.
You totally can, the HN dupe detector is less than reliable. Submit something interesting at night and you'll often see it submitted the following day by someone else.
As a more general point, the fact is that if a discussion doesn't take off while an item is on the front page shortly after submission, it probably never will. The page sorting algorithm ends up prioritizing recency and traction. I agree this isn't ideal.
> I would imagine any serious criminal org will have their own messaging infra by now.
I'm guessing they do not -- that would be inconvenient, expensive, unreliable, insecure, and/or conspicuous.
[Edit: "serious" criminal orgs run, e.g., custom-built submarines, so private comms infrastructure is clearly within their technical abilities. But having all org members communicating to a private centralized mothership seems risky from a surveillance perspective]
I'm guessing they do not -- that would be inconvenient, expensive, unreliable, insecure, and/or conspicuous.
Some do run their own platforms or share a self hosted platform set up by people in a non cooperating country. Sometimes the platform admins find out they were being MitM by mistake tech or law enforcement make. [1] Or not using the MitM detection Jabber is capable of. Jabber scales to millions of users per cluster, big enough for probably most criminal organizations. I doubt the cluster in question was specifically meant for criminals, but the smart criminals will find solutions best suited for their needs. In this case I think they chose poorly given VM's can be live migrated and snapshot including memory contents without interrupting the platform or raising suspicion.
In my humble opinion the big shared corporate platforms will attract the ultra-lazy arrogant and cavalier criminals and I'm sure law enforcement are fine with it. Easy busts still look good to justify big budgets. There are probably people that say they don't know anyone that's been busted on those platforms but they are probably not moving enough volume of illicit goods to warrant immediate attention. That information would be quite useful for getting a warrant however if the target was suspected of something else or if they were an influencer thinking or saying the wrong thing in public.
[Edit] Updated link to the snapshot describing potential mitigations including SCRAM PLUS which was not configured in this incident.
I know people who order drugs all the time via various messaging apps, in the US and throughout Latin America. Often the messages and menus are highly explicit.
This is not "haha". It's a pity. Even Russia haven't forced Telegram to do things that now they need to comply because Pavel became hostage of this situation
Hm, given how many requests Meta and Google disclose annually
I dont think a warrant canary is really useful, it implies “we just got 1!” instead of “we just got an additional pile of 200 secret requests from G-7 national governments, one of which is already trying to incarcerate us for not being so forthcoming about compliance”
Given that you won't know the details of the 1 or 200 requests anyway, I think knowing the difference between 0 and >0 is useful. We do know what 0 means, and anything other than 0 means the platform's got the attention and jurisdiction of outside parties.
Also, Signal does supposedly comply with all lawful warrants. They give over what data they do have when properly requested. It is just they don't normally have much useful data to give.
Meanwhile, Telegram supposedly hasn't been properly handling lawful warrants in many countries and does have interesting data on their servers as only private secure messages are (meaningfully) encrypted and not most messages most users send on the platform
The good old days when governments represented people, like before the 17th Amendment when states picked the Senate in smokey backroom deals. Wait that can't be right, maybe like before the 19th Amendment. Wait no, during the Jim Crow era. No, the McCarthyism era. Wait...uhh...hmm...
I don't know what time period you're thinking of with "It's not the good old days any more. Your government doesn't represent you." Seems like the government represents more people better today than it did in the past given before so many couldn't even vote at all and the government was far more active in suppressing minority rights.
And if its about them snooping in on conversations, these days they have to actually ask a lot of communication providers for data. Back in the day there was only one company providing electronic communications and the government was absolutely listening in to the conversations. Tons of those communications were happening over the air for anyone with the right antenna to listen in. US v. Miller was in 1976 and established what we now know as third-party doctrine.
If you can get arrested for organizing a protest (that didn't even start that), do you still think that those people are criminals? Just look at all the people that got arrested recently in UK... It's sad, and telegram, not being a UK company (imho) shouldn't be forced to give UK government/police peoples ip addresses and phone numbers.
Should the same rule exists in more authoritarian countries like China, North Korea, or Belarus?
If so should the government be allowed access to non-nationals outside the country? How about if a non-national is inside the country communicating with those outside? How about if those folks are journalist reporting where journalism is illegal (see Russia's laws on "fake news" on Ukraine).
I'm not saying your point of view is wrong, but I think its easy to jump to that conclusion as this is probably the least sympathetic case to set principle. But this _does_ set principle.
> Should the same rule exists in more authoritarian countries like China, North Korea, or Belarus?
If eg. Iran requested IP addresses from Pornhub (Aylo?) for all the visitors from iranian ip addresses who have viewed a gay video there, people would be changing their view pretty fast.
Where they operate doesn't matter, and it should be pretty obvious why (hint, for the same reasons that American bleached chicken can't be sold in the EU)
I imagine that this would be reason enough for them to either comply with the law or not operate there, like every other business does? You seem to imply that it's ok for internet companies to be above the law, I don't see how that's compatible with self-determinism/democracy (loss of jurisdiction) nor in the interests of the people (because inevitably such companies will optimize their profits at the expense of the public and can't be held accountable, in your anarchic world order).
Let's say your set up a raspberrypi at home (I assume you live in US), install apache, install wordpress, set up port forwarding and write a blog about making pickles. Then someone writes a comment under "How much dill?" and writes "I'm from Iran and I'm gay".
Are you really operating in iran? You don't have servers there, you don't have employees there, you're not a registered company there, what ties do you have with iran? Someone from iran "came to visit"? Sure, so do brits with amsterdam and legal weed.
Yes how strange that a DARPA project, handed off to the National Science Foundation and then awarded to Sprint, would be torn from the common man and wrested from its rightful owners into the heartless clutches of government authority
How much of what you use today has anything to do with DARPAs original design goals or funding?
> handed off to the National Science Foundation and then awarded to Sprint
The NSF handled links between Universities and their funding not the Internet in general. Sprint was a primary contractor under this system. None of this should be understood as "the Internet."
> would be torn from the common man
You do appreciate precisely how much open source software underpins everything we're doing, even in typing these comments to each other, over the internet, yes?
I mean.. show me the government plan to build a web browser.
> from its rightful owners
Do you pay taxes? Congratulations. You are the rightful owner.
> into the heartless clutches of government authority
Yea. Hacker News. Typical bastion of mindless worship of "government authority." Then again, if it has the natural right to exist, why does it need my taxes?
Pony Express, telegraph lines, railroads, a national highway system: what purpose and goals do you think were in mind here? So you could jaunt down Route 66 for a burger, and send back a 5c postcard??? Haha!
> How much of what you use today has anything to do with DARPAs original design goals or funding?
100%
The National Center for Supercomputing Applications (NCSA) is a state-federal partnership to develop and deploy national-scale cyberinfrastructure that advances research, science and engineering based in the United States.[1][2] NCSA operates as a unit of the University of Illinois Urbana-Champaign,[3] and provides high-performance computing resources to researchers across the country. Support for NCSA comes from the National Science Foundation,[1][4] [5] [6] the state of Illinois,[2] the University of Illinois, business and industry partners,[7] and other federal agencies.
To put a fine point on it: what DARPA did, was to sponsor a company called BB&N to develop a piece of hardware called the Interface Message Processor (or IMP). And that's pretty much it.
The IMP was the first gateway doing what you'd think of today as Network Address Translation, isolating "LAN" from "WAN" and using arbitrary computation to rewrite packets between the two. Though at the time, far more work was needed than just address translation. Wholesale network protocol translation was needed, as every site network (and there were already many small site networks) used its own networking equipment; and each vendor's networking equipment spoke some random stack of proprietary protocols invented by that equipment vendor. (There were nascent standards with open reference-impl hardware, e.g. MIT's Chaosnet, but none of these were widely adopted.) This was true all the way up to the application layer — different networking equipment required different application software that spoke the network's supported application protocols!
The IMP was a programmable router, allowing arbitrary CPU packet translation. So each site network could program the very same IMP with the details of its own network — what each type of local-network packet looked like, and what that should translate to for the WAN; and vice-versa.
This allowed these site networks to be glued together into a larger network. The IMP translated packets, and also "wrapped" each (proprietary, site-local) address of each LAN host, giving it a globally-routable name — i.e. an Internet Protocol address. This allowed machines on these networks to — at least in theory — address other networks' machines. All without anyone having to rip out any networking equipment, or replace each network's host application software with new software speaking standardized protocols.
Once the IMP was released, a bunch of universities and corporations came along and said to BB&N, "oh hey neat, I'll buy one of these! Heck, I'll buy one for each campus!" — and promptly stuck them into each of their (existing!) networks. (Some of these purchases were partially funded by DARPA as well — but only if the buyer reached out to ask.)
This didn't actually get anyone any value at first, because the IMPs still needed to be programmed, not just with the details of their local networking standards, but with the details of what the "WAN standard" application packet protocols would/should be for these local networks to translate things into. There were no standards for that yet.
So the folks doing the networking at these orgs, all got together to discuss how to actually get these boxes they bought to talk to each-other — e.g. what application-layer protocols they would need to invent/standardize on, to then get these gateway boxes to translate into from the proprietary site protocols they were using.
That group became known as the Internet Engineering Task Force, and their meeting notes became known as RFCs. (Read https://datatracker.ietf.org/doc/html/rfc1 if you don't believe me.)
Note that they called this WAN network formed by these sites through the IMPs the "ARPA Network" — presumably because that's what BB&N referred to it as, in turn because DARPA funded the IMP with the intent of creating such a network.
But DARPA had no involvement in the actual development of the "ARPA Network"! They weren't even a site on it! They didn't attend the IETF meetings! Rather, DARPA just kinda stepped back and said "go ahead, have fun" — and watched as the Internet took shape.
(I would thus describe DARPA's funding of the BB&N IMP as probably the most successful case of "nudge theory" in history. Almost as if someone at DARPA was a time-traveller who knew that that much effort, and no more, was all that was needed to shift the timeline.)
BB&N was and remains a private company, and isn't primarily a government contractor. It was a one-time government grant — and for much less than the full CapEx required to build the thing. DARPA essentially said "you want to build this? We'd sure like something like that to exist, so we'll give you some money to increase your chances/make it happen faster."
As it turns out, "throwing money at American-owned private companies who are being the [technological] change you [i.e. the state] wants to see in the world, to advance the technological edge America has over other countries" is a large part of DARPA's mandate. DARPA seeks to incubate a healthy private sector in nascent high-tech industries, so that it can later rely on competition in those industries, to produce a healthy, non-monopolistic set of viable military contract bidders for the military as a whole to choose from / set against one-another.
> prompt: There’s an article on Hackernews titled “Telegram will now hand over your phone number and IP if you’re a criminal suspect”. Generate a comment in Hackernews style that supports this decision, implies that it’s because they didn’t encrypt the messages and uses Signal as an example of doing it right because “look! They haven’t had problems”
Not surprised. Telegram doesn't encrypt by default, so of course they're handing over phone numbers and IPs. If you don't lock things down like Signal does, you're going to have problems. Signal can’t hand over what they don’t have—encrypted end-to-end, no metadata. Simple as that.
Yes, channels and groups are most likely what makes Telegram a threat where Signal isn't. That's an excellent argument for decentralized social media.
You're probably exasperated that others don't see what to you seems like an obvious truth. Rather than mocking the opposing argument, it's probably still worth rehashing yours when the topic comes up, even if it feels like banging the same drum with nobody listening.