Thoughts on Pavel Durov’s detention and general perception of digital privacy in today’s world
A few days ago, the CEO of the messaging app Telegram, Pavel Durov, was detained in France. I believe this is a significant, potentially even a pivotal event for digital privacy, and I’d like to share some thoughts on the matter.
The social contract on privacy
Let’s start by discussing the current practices surrounding large Internet services, like popular instant messengers, the control over them, and the privacy of your data. Nearly everyone agrees that privacy matters. Some may argue, but I think that politicians believe that too, as evidenced by the widespread existence of personal data protection laws.
At the same time, there are numerous government agencies around the world that would prefer privacy to be a flexible concept, available when convenient, and dispensable when not. On one hand, their motivation is clear — there’s a lot of genuinely “bad” stuff out there on the Web, and fighting it would be much easier if these agencies could access the information they need from Internet services at will. But this system requires checks and balances, because absolute, unfettered access to personal information has historically and inevitably led to its abuse.
And these checks and balances do exist. It is important to understand that they are not designed to hinder the functioning of government agencies. Their primary purpose is to maintain trust in the entire system. If I’m an average law-abiding Joe, I want to be confident that some random police officer isn’t rifling through my messages for their own amusement or, worse, with malicious intent — there is no shortage of examples where this was exactly the case.
Trust issues
Unfortunately, in recent years, this system of checks and balances has become “worn out.” There are instances where it is entirely bypassed, allowing government employees in certain positions to access virtually anyone’s personal information they desire, at any time. This, in turn, leads to a loss of trust among ordinary citizens in their own government agencies. This is a global problem, not confined to any specific country.
And this erosion of trust, in turn, leads to a shift in what people expect from services that make privacy their main selling point. People seek extra protection in these services — someone who will, at the very least, act as a “people’s advocate” and have their right to privacy in mind when responding to governmental data requests. At this point, whether these expectations are unrealistic or even justified is not the most important question. What’s more important is the fact that these expectations exist, and so do people trying to meet them.
So what about Durov?
With that in mind, let’s get back to Durov’s detention. The whole thing is not fully transparent, it’s unclear whether any charges will be brought against him, and so it’s too early to comment on the essence with confidence yet. However, there are a few things I’d like to say now, and I am sure these points will remain valid regardless of the outcome. I want to believe that you’ll agree with them even if you hold the opinion that the claims against Telegram are justified.
- As I’ve already mentioned, current expectations from privacy-focused services are largely shaped by the lack of trust people have in their own government organizations. Durov’s detention only exacerbates this problem. For some, this is seen as an attack on someone who they view as a defender of their rights, and it’s difficult for them to see it any other way.
- My second point is about the trust that the owners of various web services have in the European Union. We’ve come to regard the EU as a gold standard in personal data privacy, thanks in part to its advanced legislation — think GDPR, for example. Any exceptions to this weaken our confidence, and the situation with Durov’s detention is a huge blow to the trust that has been built over recent years.
- But there’s one more conclusion we can draw. If you’re developing a privacy-focused service, there’s really only one safe and effective way to keep your promises to users: don’t store sensitive (or any, for that matter) personal data at all. Of course, not all services can be designed this way. Messaging apps, for instance, are challenging to make both user-friendly and so private that the platform owner has no information about its users. But it seems this is the only reliable way to protect not only the users but, as it turns out, the service itself.
I sincerely hope that the situation with Durov’s detention will be resolved soon. The longer it drags on and the less transparent the process is, the more the problems I’ve outlined above will worsen.
And once this is over, I hope Telegram will prioritize enhancing support for end-to-end encryption in their service.