The trouble with Telegram (part 2)
16 Jul 2018|

Last Friday, the Turnbull government announced that it’s planning to introduce new laws that will compel international technology companies to cooperate with intelligence agencies. But the legislation will be no panacea. Although it demonstrates a political will to address shortcomings in current laws dealing with encrypted technology, one country’s legislative fix will be insufficient to address the challenge posed by Telegram and other encrypted service providers.

The fact that Telegram is incorporated overseas and has physical assets (such as data centres and servers) in multiple jurisdictions makes it nearly impossible to enforce a single nation’s laws. We saw this with the Cambridge Analytica scandal earlier in the year, when Facebook’s Mark Zuckerberg ignored requests from the British parliament to testify. Britain had the same problem when trying to compel Rupert Murdoch to give evidence to a parliamentary committee in 2011. And, while the CLOUD Act theoretically gives US law enforcement the power to acquire data from foreign tech companies, many subclauses limit that power, including conflict with the laws of foreign jurisdictions.

Moreover, the need for a warrant—which will have to specify exactly which server is being subpoenaed—will also hinder those seeking data from Telegram. According to Mounir Mahjoubi, former president of the French National Digital Council, Telegram has ‘done everything to make it a technological nightmare to find where their server is’. And after attacks on churchgoers in Normandy in 2016 were linked to Telegram, the French interior minister alleged that investigators, armed with court orders, had been unable to even find a Telegram ‘interlocutor’ to contact.

Users have many tools with which to circumvent country-specific regulation. Virtual private networks (VPNs) spoof user locations, as do internet browsers such as Tor. They aren’t hard to use and are effective—Facebook is still used regularly in China despite being blocked by the ‘Great Firewall’.

In Russia, Telegram rerouted its app through overseas cloud-based IP addresses. That caused the Kremlin to block more than 15 million IP addresses as Telegram hopped from one Google- or Amazon-based IP address to another, affecting a host of unrelated businesses and people.

One proposed solution is to put pressure on third parties that host Telegram on their app stores or provide cloud services. Amazon eventually put a stop to Telegram’s IP address-hopping, and Apple blocked Telegram updates worldwide until recently. Indeed, going directly to Apple to remove apps from a particular country’s store is proving an increasingly effective censorship technique.

Lawmakers sometimes lack technical expertise, which can make it hard for them to understand why quick legislative fixes won’t work. Some politicians voiced support for the idea that encrypted messaging services (EMSs) should weaken their encryption to aid law enforcement after the FBI versus Apple encryption dispute, when the FBI needed to access the San Bernardino terrorist’s iPhone. EMS operators, like Apple, have rightly pointed out that forcing them to weaken their encryption makes consumers vulnerable to nefarious hacking.

A dearth of technical expertise among US legislators was obvious earlier this year when Zuckerberg testified before Congress (by choice). The lack of even basic knowledge about how Facebook works meant that lawmakers’ questioning couldn’t reveal what went wrong.

Australian legislators have the benefit of expert advice from agencies such as the Australian Signals Directorate. However, if they can’t understand how Telegram’s technology works, they’re going to struggle to explain the proposed new law (as we saw with the 2014 metadata legislation), or to understand its limits.

Legislative processes don’t operate in isolation. Users who want encryption can be innovative, so it’s a safe bet that by the time we think of one fix they’ll already be exploiting another loophole. Telegram is the preferred platform of Islamic State’s online supporters, partly because they have found creative ways to quickly upload thousands of megabytes of data to maintain a consistent flow of propaganda to their support base, well ahead of moderators. Plus, Telegram doesn’t moderate private channels and groups.

And stopping the determined user is a lot harder than stopping the company from taking advantage of tools such as VPNs. Islamic State puts out multilingual manuals on VPNs, dark-web browsing and other techniques to evade law enforcement. And it’s possible to set up an Apple store account under a fake identity from a different country to acquire an app that’s been removed.

Telegram as a company may be more about tapping into the pro-privacy market than about upholding an unwavering, high-minded commitment to the principle of privacy. Certainly, there’s evidence that Telegram was initially designed with secrecy from the Russian state in mind, rather than flawless encryption. But if Telegram admits to handing over user data or seems like it’s bowing to government pressure, then another, more recalcitrant, EMS will take its place, and any legislative fix will probably be redundant.

This means that we need a solution that covers the overall problem of uncooperative multinational EMSs. And that means dealing with both the technical and legislative aspects. The European Union has put forward some good ideas, including establishing networks of encryption centres and harmonising rules about cross-border access to and storage of data.

Australia can lead in trying to expand European efforts to capture more servers and companies in the legal framework. And we can invest in similar efforts to improve our ability to unlock the sorts of encryption used by Telegram and understand the data its users generate.

It’s inefficient for multiple countries to try to simultaneously decrypt the same Telegram algorithm, and multiple legal regimes for data access make it easy for the company to pick and choose where to hide its servers.

Telegram is an international problem, and it requires an international solution.