One of the best demonstrations that an obsession with protecting copyright’s intellectual monopoly drives politicians insane is the French law known as Hadopi, an acronym for ‘Haute Autorité pour la diffusion des oeuvres et la protection des droits sur internet’ (High Authority for the Dissemination of Works and the Protection of Rights on the Internet). The Hadopi mechanism has been trying – and failing – to police copyright’s intellectual monopoly in France for 15 years now, and it is one of the main villains in the Walled Culture book (free digital versions available).
Here’s how Hadopi’s “graduated response” approach worked when a revised version came into operation in 2010. Alleged infringers were warned twice; if another allegation was made within a year of the second warning, the subscriber’s Internet connection could be suspended. A fine of €1,500 could also be imposed. The first notices were sent out in September 2010; by December of that year, copyright companies were issuing between 25,000 and 50,000 infringement allegations per day. At the end of July 2013, Hadopi had issued 2 million first notices and 200,000 second notices. There were 710 investigations to ascertain whether those who had been accused three times should be referred to the prosecutors.
That gives an idea of the scale of the investigations into people’s everyday use of the Internet in France, and of the databases of personal data that were created. And yet the first and only disconnection order, issued in June 2013, turned out to be unenforceable, because the disconnection only applied to Web access – other services like email, private messaging, the telephone line or TV services had to be preserved somehow – and was later dropped.
By 2020, Hadopi had been in existence in various forms for a decade. Working from Hadopi’s annual report for that year, the French magazine Next INpact calculated that in total the agency had imposed €87,000 in fines. The cost of running Hadopi was picked up entirely by French taxpayers and came to €82 million. In other words, a system that had failed to discourage people from downloading unauthorized copies of copyright material had also cost nearly a thousand times more to run than it generated in fines.
As Walled Culture reported at the time, in 2023 the French digital rights organization La Quadrature du Net brought a challenge to the Hadopi system, still running in theory, on the grounds that it was incompatible with the two EU laws defining Europe’s data protection regime, the General Data Protection Regulation and the ePrivacy Directive. Shockingly, in 2024 the Court of Justice of the European Union (CJEU), the EU’s top court, ruled that “the general and indiscriminate retention of [Internet Protocol] addresses does not necessarily constitute a serious interference with fundamental rights”. La Quadrature du Net did not give up. Alongside the case at the CJEU, it was also taking legal action in France:
In 2019, we asked the Conseil d’État to overturn Hadopi’s central decree, which authorises the storage of personal data needed for the graduated response system (IP addresses, civil identity and downloaded material). The case was referred to the Constitutional Council and in 2020 we had our first partial victory: the Constitutional Council restricted Hadopi’s broad access to personal data (the law at the time provided that it could access “all documents”). However, despite our initial assessment, this did not necessarily mark the end of the Hadopi.
The defeat handed down by the CJEU in 2024 offered a glimmer of hope:
The outcome was disappointing, as we lost on the principle: the CJEU agreed to weaken its case law. It accepted that access to metadata might, in certain cases, not be subjected to prior independent review. However, it required numerous conditions to this possibility, relating to both the retention of such data and the requirements for prior independent review.
Those two issues – retention of metadata and the requirement for prior independent review – have now been acknowledged as problematic by the Conseil d’État in a new ruling:
the Conseil d’État finally agreed with us on these two points. Firstly, it found that the retention of metadata is not carried out in a manner that safeguards civil liberties. The CJEU required “watertight separation” of IP addresses and civil identity data (which can be understood as two distinct databases, or files, that can only be technically correlated after a formal request for access by Arcom). The Conseil d’État notes that “no legal provision imposes such retention, under these conditions, on electronic communications operators”.
Secondly, it also notes that access to this data is not subject to independent review. It fully endorses the conclusions already made by the CJEU, that Arcom [the body that took over Hadopi’s role] cannot be both judge and jury: it cannot request access and then review the legality of that access itself, even though it is an independent authority. However, like the CJEU, the Conseil d’État considers that this lack of review is only an issue from the third access to the data onwards, the stage at which a registered letter is sent.
As La Quadrature du Net notes, in practical terms, this latest ruling means that Hadopi is “stalled”:
The Arcom can no longer take you to court, as the requirements set by the CJEU are not satisfied. And it can only send you an email if it has first ensured that your internet service provider has stored your metadata with a “watertight separation”. It has now been downgraded to the function of a giant spam machine.
Hadopi is not quite dead yet: the French government could try to solve the two problems pointed out by the CJEU and confirmed by the Conseil d’État, by setting up yet more independent bodies to handle these specific aspects of Hadopi. That would involve throwing even more taxpayers’ money at an approach that has not only failed completely, but which is fundamentally misguided. Clearly, trying to keep the moribund Hadopi alive in this way would be an irrational and wasteful thing for the French government to contemplate; but given this is the world of copyright, it might well try to do it anyway.
Follow me @glynmoody on Mastodon and on Bluesky. Originally posted to Walled Culture.
Filed Under: cjeu, copyright, eprivacy directive, france, gdpr, hadopi, privacy
Back in 2011 and 2012, one of the central technical objections that helped kill SOPA and PIPA was about DNS blocking. Engineers, internet architects, and cybersecurity experts all lined up to explain, in painstaking detail, why blocking at the DNS layer was a terrible idea. It would break the fundamental architecture of how the internet works. It would have massive collateral damage. It would undermine security protocols designed to protect users from exactly the kind of DNS manipulation that the bill proposed. And it wouldn’t even stop piracy, because anyone who actually wanted to get around DNS blocking could do so easily.
Congress, to its rare credit, actually listened to the technical experts (and widespread protests) and shelved the legislation. But the entertainment industry never gave up on the idea. They just went jurisdiction-shopping. And France, which has never met a maximalist copyright enforcement scheme it didn’t love, has been more than happy to oblige.
As recently reported by TorrentFreak, a Paris Court of Appeal validated DNS blocking orders requiring Google, Cloudflare, and Cisco to block access to pirate sites through their own DNS resolvers. This goes beyond traditional ISP resolvers, which France has been ordering blocked for years: it targets third-party resolvers, the ones that millions of people specifically choose to use because they offer better privacy, better security, and better reliability than their ISP’s default DNS.
But, of course, in France (and to the usual crew of Hollywood lobbyists), “better privacy, security, and reliability” can only mean one thing: used for piracy.
The court rejected all five appeals, and in doing so, articulated a legal principle so sweeping that it has no natural stopping point.
In this case, French pay-TV provider Canal+ went to court under Article L. 333-10 of the “French Sport Code,” which lets rightsholders request “all proportionate measures” against “any online entity in a position to help” block access to pirate sites. Canal+ argued that because users were simply switching to third-party DNS resolvers to circumvent ISP-level blocking, those resolvers should be conscripted into the blocking regime too.
Cloudflare and Cisco pushed back, arguing that their DNS resolvers serve a “neutral and passive function” — they translate domain names into IP addresses and that’s it. They compared their role to a phone book. The court’s response boiled down to: we don’t care.
The DNS resolution service allows its users, via the translation of a domain name into an IP address, to access websites on which sports competitions are broadcast in violation of rights-holders’ rights, and in particular to circumvent the blocking of those sites by ISPs.
The court found that the “neutral and passive” nature of DNS resolvers is “simply irrelevant to Article L. 333-10.” The law isn’t about liability at all — it only cares whether a service can help block access to pirate sites, which DNS resolvers clearly can. If you are technically capable of blocking access, you must.
Google, meanwhile, tried a different argument: that DNS blocking through third-party resolvers isn’t effective because users can just switch to a VPN or yet another resolver. The court wasn’t moved by that either:
Any filtering measure can be circumvented, and this possibility does not render the measures in question ineffective.
As long as DNS blocking stops some subset of users from reaching pirate sites, the court ruled, it’s “proportionate.” Under that line of thinking, any measure that inconveniences even a fraction of would-be pirates is legally justified, no matter how much collateral damage it causes for everyone else.
And if you think that principle has any limit, Canal+ has made it quite clear that they don’t think it does:
Canal+ said in a statement that the rulings are “more than a victory,” forming part of “a global approach that will be reinforced by the progressive deployment of complementary measures, including IP blocking.”
Canal+ has already been getting courts to order VPN providers to block as well. So now we have ISP DNS blocking mandated, third-party DNS resolver blocking mandated, VPN blocking mandated — and, per the TorrentFreak article, direct automated IP address blocking is coming too. They will not stop until the entire internet is broken.
Each step reaches further down the internet stack, breaks more of the internet for more people, and stops fewer actual pirates, because the people who are determined to pirate content are always one technical maneuver ahead. The people who get caught in the collateral damage are ordinary users who happen to use Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8 for perfectly legitimate reasons like speed, reliability, and privacy.
Cisco, rather than comply with the original order, simply pulled its OpenDNS service out of France entirely. That’s the kind of collateral damage we’re talking about. French users who relied on OpenDNS for entirely lawful purposes completely lost access to the service. Because a copyright holder decided that the DNS layer was the right place to play whack-a-mole with pirate sites.
When Cisco argued on appeal that implementing geo-targeted DNS blocking would require 64 person-weeks of engineering work, the court waved it off, saying the estimate was “not supported by any objective evidence” and pointing out that Cisco already offers DNS filtering to enterprise customers. The fact that enterprise DNS filtering for corporate networks is a fundamentally different thing than mass geo-targeted blocking of domains at the resolver level for an entire country’s users apparently did not register as a meaningful distinction.
The court’s core reasoning — that any entity technically capable of blocking must do so, that circumvention doesn’t make blocking disproportionate, and that the “neutral and passive” function of an intermediary is irrelevant — creates a legal framework that can reach basically anything. If a DNS resolver can be conscripted because it’s “in a position to help,” what about browsers? What about operating systems? What about CDNs, or cloud hosting providers, or certificate authorities? The logic has no brake pedal. Every layer of the internet stack is, in some sense, “in a position to help” block access to content. The question the court’s reasoning cannot answer is: where does it end?
Under this reasoning, what’s to stop a rightsholder from arguing that browsers should block pirate URLs directly? Or that operating systems should refuse to resolve them at all?
That seems bad!
Of course, this kind of maximalist copyright enforcement is something of a French specialty. This is the same country that brought us HADOPI, the graduated response agency that cost French taxpayers €82 million over a decade while imposing a grand total of roughly €87,000 in fines. A staggering return on investment — if the goal was to light money on fire while accomplishing nothing. France has also been at the forefront of copyright exceptionalism that risks undermining the EU legal system more broadly, pushing interpretations of copyright law so aggressive that they threaten to distort the legal frameworks of neighboring countries.
France keeps doing the same thing over and over again: spend enormous sums, conscript more and more intermediaries, break more and more of the internet’s infrastructure, accomplish almost nothing in terms of actually reducing piracy, and then conclude that what’s really needed is… more of the same, but harder. The entertainment industry’s refusal to learn from twenty years of evidence that enforcement-maximalism doesn’t work is genuinely remarkable. Every study and every natural experiment shows the same thing: the most effective anti-piracy tool ever invented is convenient, reasonably priced legal access to content. But that requires adapting your business model, and it’s apparently much more satisfying to get courts to break the internet for you instead.
The ruling’s real danger is the template it sets. Other countries with similar legal frameworks will look at this appeals court validation and think: we can do that too. The “any entity in a position to help” standard, combined with the “doesn’t have to be perfectly effective” standard, combined with the “we don’t care about your neutral role in the architecture” standard, adds up to a legal toolkit for conscripting nearly any internet infrastructure provider into a copyright enforcement apparatus. And the costs get externalized onto those providers (and their users), while the rightsholders collect the benefits.
The engineers who fought SOPA warned about exactly this: DNS blocking breaks things, creates collateral damage, pushes enforcement into layers of the stack never designed for it — and doesn’t actually stop piracy, because the actual pirates just route around it while everyone else suffers. France apparently decided all of those concerns are, to quote the court, “simply irrelevant.” And now they’re moving on to IP blocking.
At some point, you run out of layers of the internet to break. But apparently we’re going to have to find out where that point is the hard way.
Filed Under: copyright, dns blocking, france, sopa
Companies: canal plus, cisco, cloudflare, google
Ctrl-Alt-Speech is a weekly podcast about the latest news in online speech, from Mike Masnick and Everything in Moderation‘s Ben Whitelaw.
Subscribe now on Apple Podcasts, Overcast, Spotify, Pocket Casts, YouTube, or your podcast app of choice — or go straight to the RSS feed.
In this week’s round-up of the latest news in online speech, content moderation and internet regulation, Mike and Ben cover:
Play along with Ctrl-Alt-Speech’s 2026 Bingo Card!
Filed Under: content moderation, eu, france, gavin newsom, jim jordan, social media, spain
Companies: tiktok, twitter, x
In this week’s round-up of the latest news in online speech, content moderation and internet regulation, Mike and Ben cover:
This episode is brought to you with financial support from the Future of Online Trust & Safety Fund.
Filed Under: bonnie blue, content moderation, dsa, eu, france
Companies: bluesky, onlyfans, reddit, twitter, x
While politicians from both parties race to dismantle Section 230, we’re missing a crucial part of the story: how this uniquely American law helped US internet companies succeed globally. In the latest episode of Otherwise Objectionable, I explore with legal scholar Anupam Chander what might seem paradoxical — how a domestic liability shield became America’s most successful tech export without a single international treaty.
We discuss how other places regulate the internet, including Europe, Japan, Australia, South Korea, Brazil and more. And how each of their approaches created real burdens — the exact kinds of burdens that Chris Cox and Ron Wyden were trying to avoid while drafting Section 230.
What’s particularly striking is how Section 230 functioned as a kind of incubator. The early freedom from crushing legal uncertainty allowed companies to build services compelling enough that international users demanded access to them, creating pressure on foreign regulators to accommodate these platforms rather than block them entirely. This explains what seems like a contradiction: how platforms built under Section 230’s protection can operate in jurisdictions with much stricter liability regimes. They succeeded not despite Section 230, but because of the head start it provided, reinforcing the idea that Section 230’s biggest value is in protecting smaller, newer platforms.
But this era of American digital success may be fading. As regulations globally become increasingly stringent (with the EU’s Digital Services Act, Australia’s Online Safety Act, and dozens of similar regulatory regimes), we’re witnessing the early stages of internet fragmentation. We discuss how platforms will need to make difficult decisions about which markets to exit when compliance becomes untenable.
The irony shouldn’t be lost on American legislators rushing to “reform” Section 230: they’re dismantling the very legal framework that made American digital innovation possible, just as the rest of the world is recognizing — through increasingly desperate regulatory measures — how effective it was.
Filed Under: anupam chander, australia, brazil, eu, france, germany, intermediary liability, japan, otherwise objectionable, section 230, south korea
In a moment of clarity after initially moving forward a deeply flawed piece of legislation, the French National Assembly has done the right thing: it rejected a dangerous proposal that would have gutted end-to-end encryption in the name of fighting drug trafficking. Despite heavy pressure from the Interior Ministry, lawmakers voted Thursday night (article in French) to strike down a provision that would have forced messaging platforms like Signal and WhatsApp to allow hidden access to private conversations.
The vote is a victory for digital rights, for privacy and security, and for common sense.
The proposed law was a surveillance wish list disguised as anti-drug legislation. Tucked into its text was a resurrection of the widely discredited “ghost” participant model—a backdoor that pretends not to be one. Under this scheme, law enforcement could silently join encrypted chats, undermining the very idea of private communication. Security experts have condemned the approach, warning it would introduce systemic vulnerabilities, damage trust in secure communication platforms, and create tools ripe for abuse.
The French lawmakers who voted this provision down deserve credit. They listened—not only to French digital rights organizations and technologists, but also to basic principles of cybersecurity and civil liberties. They understood that encryption protects everyone, not just activists and dissidents, but also journalists, medical professionals, abuse survivors, and ordinary citizens trying to live private lives in an increasingly surveilled world.
France’s rejection of the backdoor provision should send a message to legislatures around the world: you don’t have to sacrifice fundamental rights in the name of public safety. Encryption is not the enemy of justice; it’s a tool that supports our fundamental human rights, including the right to have a private conversation. It is a pillar of modern democracy and cybersecurity.
As governments in the U.S., U.K., Australia, and elsewhere continue to flirt with anti-encryption laws, this decision should serve as a model—and a warning. Undermining encryption doesn’t make society safer. It makes everyone more vulnerable.
This victory was not inevitable. It came after sustained public pressure, expert input, and tireless advocacy from civil society. It shows that pushing back works. But for the foreseeable future, misguided lobbyists for police and national security agencies will continue to push similar proposals—perhaps repackaged, or rushed through quieter legislative moments.
Supporters of privacy should celebrate this win today. Tomorrow, we will continue to keep watch.
Republished from the EFF’s Deeplinks blog.
Filed Under: backdoors, encryption, france, ghost participant
Despite widespread beliefs to the contrary, patents are not a measure of innovation, nor are they needed for companies to thrive — something even Elon Musk understands. But one aspect of patents that is rarely considered is their morality. The European Patent Office’s Board of Appeal wrestled with this issue in an interesting case involving the plant extract simalikalactone E and its use to treat malaria. As the patent admits: “simalikalactone E (SkE) was isolated from Quassia amara (Simaroubaceae), a medicinal plant widely used in the Amazon for the treatment of malaria.” In other words, the use of the plant extract to treat malaria was already known among Amazonian peoples, who naturally did not try to patent it. Related to this, an objection was raised to the patent, on the grounds that it was contrary to “morality”, as defined by Article 53 of the European Patent Convention:
European patents shall not be granted in respect of:
(a) inventions the commercial exploitation of which would be contrary to “ordre public” or morality; such exploitation shall not be deemed to be so contrary merely because it is prohibited by law or regulation in some or all of the Contracting States;
The IPKat has a good explanation of the reasoning behind the objection:
the Opponent argued that the invention represented “biopiracy” on behalf of the patentee against the indigenous people involved in the original research. Specifically, the Opponent submitted that the interactions with the indigenous communities had been conducted in an immoral fashion, involving deception and an abuse of trust. According to the Opponent, the members of the communities involved had not been fully and transparently informed of the nature of the research project, its objectives, the filing of the patent, and other risks and benefits of the project to community members and their knowledge. As such, the Opponent argued, the IP rights of the communities over their traditional knowledge had been violated. The Opponent submitted that the deception and breach of trust displayed was contrary to ordre public and would jeopardize relations between indigenous and local communities and researchers.
However, the EPO’s Board of Appeal rejected this argument for an interesting reason:
The exclusion to patentability provided for in Article 53(a) EPC requires the stated offense to morality to reside in the “commercial exploitation” of the claimed invention. The claims of the patent were directed to the formula of the antimalarial, a process of manufacturing the antimalarial and its use in therapy. Given the dire need for effective antimalarial medication, the Board of Appeal found that the commercial exploitation of these inventions would not be contrary to public morality (on the contrary, they would be beneficial to society). Specifically, the Board of Appeal made a clear distinction between the morality of the commercial exploitation of an invention, and the morality of how the invention itself occurred (r.2.14).
That is, patents can be excluded if their commercial exploitation would be immoral, but it doesn’t matter if the way the invention claimed in the patent was made turned out to be immoral. European patent law simply doesn’t care about that aspect. Fortunately, that’s not the end of this particular story, as the IPKat post explains:
Questions over the morality of scientific discovery must therefore be dealt with in a different forum than the patent office. In this case, despite the decision of the Board of Appeal, the European patent in question appears to have lapsed on all member states due to failure to pay renewal fees. The US case has similarly been abandoned. It thus appears that the substantial political pressures on the [patent-holder, the French Institute for Development Research] outside the patent system have impacted their desire and/or ability to commercialise the invention.
It’s good that this kind of pressure works, but it would be better if the patent world cared more about the morality of inventors’ actions in the first place.
Follow me @glynmoody on Bluesky and on Mastodon.
Filed Under: antimalarial, biopiracy, elon musk, epo, european patent office, exploitation, france, innovation, inventors, malaria, morality, pressure
Thierry Breton has finally taken the next logical step in his role as the EU’s censor: he’s talked himself out of his job.
Thierry Breton, the former CEO of France Telecom, has spent the last few years as the Commissioner for the Internal Market in the EU, where he has positioned himself as a sort of tech regulatory czar. But now he’s out. While the press is describing it as a “resignation,” his own letter admits that it is because the President of the European Commission, Ursula von der Leyen, had requested that France propose someone else to be France’s designated candidate for a European Commission position.
For the past few years, Breton has constantly boosted his own profile in pursuit of tech policy results that he, personally, wanted. As we’ve described, he has a long history of both self-promotion and inflating his job as Commissioner into basically being a full tech czar. He has repeatedly interpreted the Digital Services Act (DSA) to mean that he can demand certain content be removed, which has only served to piss off EU colleagues, who keep insisting the DSA is not a censorship law.
He has also been leading the charge in the EU to hamstring AI tools, gleefully pushing a bill that was mostly conceived of prior to the generative AI boom, and then trying to retrofit the law to that world, resulting in quite a regulatory mess.
Still, it had been assumed that he would keep his job as the digital regulator as von der Leyen was prepared to present her new slate of Commissioners. Each member state gets to designate someone to be a Commissioner, and the bigger countries (e.g., Germany, France) often get the higher profile/more important roles.
Emmanuel Macron had designated Breton to continue in that role, though there had been some concerns that Breton was a liability. Breton had also pissed off von der Leyen back in March, tweeting out a mocking tweet about how she was outvoted by her own party, and suggesting maybe she shouldn’t be leading the EU.
On Monday, Breton tweeted out his “resignation.” It’s clear that von der Leyen had asked Macron for someone other than Breton, promising Macron that France would get a better, more influential Commissioner job if it was anyone but Breton. Hence Breton’s resignation:
On 25 July, President Emmanuel Macron designated me as France’s official candidate for a second mandate in the College of Commissioners as he had already publicly announced on the margins of the European Council on 28 June. A few days ago, in the very final stretch of negotiations on the composition of the future College, you asked France to withdraw my name for personal reasons that in no instance you have discussed directly with me and offered, as a political trade-off, an allegedly more influential portfolio for France in the future College. You will now be proposed a different candidate.
And thus, he submitted his resignation “effective immediately.”
Somehow, he posted this letter without including a photo of himself. This is surprising, given the vast majority of his tweets include self-portraits (not selfies).
Macron quickly designated France’s outgoing foreign minister, Stéphane Séjourné, as Breton’s replacement. This doesn’t mean that Séjourné will get Breton’s assignment either, or that whoever does eventually get it won’t be even worse than Breton was. But it should serve as a reminder, yet again, of how much power the European Commissioner has over how some of these laws are interpreted.
On Tuesday, von der Leyen rolled out her proposed slate of Commissioners. Séjourné is up for “Prosperity and Industrial Strength,” whatever that means. It’s not at all clear where the tech policy portfolio will land, as there are a few places it might end up. Finland’s Henna Virkkunen is given “tech sovereignty,” which again is not clear. Either way, Breton is out and we’ll see what comes of the new Commission.
Filed Under: emmanuel macron, eu, eu commission, france, thierry breton, ursula von der leyen
Is the arrest of Pavel Durov, founder of Telegram, a justified move to combat illegal activities, or is it a case of dangerous overreach that threatens privacy and free speech online? We had hoped that when French law enforcement released the details of the charges we’d have a better picture of what happened. Instead, we’re actually just left with more questions and concerns.
Earlier today we wrote about the arrest and how it already raised a lot of questions that didn’t have easy answers. Soon after that post went out, the Tribunal Judiciaire de Paris released a press release with some more details about the investigation (in both French and English). All it does is leave most of the questions open, which might suggest they don’t have very good answers.
First, the report notes “the context of the judicial investigation” which may be different from what he is eventually charged with, though the issues are listed as “charges.”
I would bucket the list of charges into four categories, each of which raises concerns. If I had to put these in order of greatest concern to least, it would be as follows:
In the end, though, a lot of this does seem potentially very problematic. So far, there’s been no revelation of anything that makes me say “oh, well, that seems obviously illegal.” A lot of the things listed in the charge sheet are things that lots of websites and communications providers could be said to have done themselves, though perhaps to a different degree.
So we still don’t really have enough details to know if this is a ridiculous arrest, but it does seem to be trending towards that so far. Yes, some will argue that Durov somehow “deserves” this for hosting bad content, but it’s way more complicated than that.
I know from the report that Stanford put out earlier this year that Telegram does not report CSAM to NCMEC at all. That is very stupid. I would imagine Telegram would argue that as a non-US company it doesn’t have to abide by such laws. These charges are in France rather than the US, but it still seems bad that the company does not report any CSAM to the generally agreed-upon organization that handles such reports, and to which companies operating in the US have a legal requirement to report.
But, again, there are serious questions about where you draw these lines. CSAM is content that is outright illegal. But some other stuff may just be material that some people dislike. If the investigation is focused just on the outright illegal content that’s one thing. If it’s not, then this starts to look worse.
On top of that, as always, are the intermediary liability questions, where the question should be how much responsibility a platform has for its users’ use of the system. The list of “complicity” in various bad things worries me because every platform has some element of that kind of content going on, in part because it’s impossible to stop entirely.
And, finally, as I mentioned earlier today, it still feels like many of these issues would normally be worthy of a civil procedure, perhaps by the EU, rather than a criminal procedure by a local court in France.
So in the end, while it’s useful to see the details of this investigation, and it makes me lean ever so slightly in the direction of thinking these potential charges go too far, we’re still really missing many of the details. Nothing released today has calmed the concerns that this is overreach, but nothing has made it clear that it definitely is overreach either.
Filed Under: complicity, content moderation, csam, encryption, france, law enforcement, pavel durov
Companies: telegram
There’s plenty of news flying around over the past few days after it was reported on Saturday that Pavel Durov, the founder and CEO of Telegram, had been arrested at Bourget airport in France after taking his private plane there from Azerbaijan. Durov, who got French citizenship in 2021, apparently knew that there was a risk he might be arrested, but chose to go anyway.
The reporting on why he was arrested has been somewhat vague, to the point that it could be hyped up nonsense, or it could actually be legit. Initial reports claimed that he was arrested over a “lack of moderation” but other reports suggested potentially more serious claims around drug trafficking, terrorism, and CSAM.
France’s OFMIN, an office tasked with preventing violence against minors, had issued an arrest warrant for Durov in a preliminary investigation into alleged offences including fraud, drug trafficking, cyberbullying, organised crime and promotion of terrorism, one of the sources said.
Durov is accused of failing to take action to curb the criminal use of his platform.
“Enough of Telegram’s impunity,” said one of the investigators, adding they were surprised Durov came to Paris knowing he was a wanted man.
The problem is, without more details, we have no idea what is actually being charged and what his alleged responsibility is. After all, we’ve seen other cases where people have been charged with sex trafficking, when the reality was that was just how law enforcement spun a refusal to hand over data on users.
On top of that, leaping to criminal charges against an exec over civil penalties for a company… seems strange. For that to make any sense, someone should need to show actual criminal behavior by Durov, and not just “his service hosted bad stuff.”
The head of OFMIN, the French police agency that issued the warrant, posted to LinkedIn (of all places) that: “At the heart of this issue is the lack of moderation and cooperation of the platform (which has nearly 1 billion users), particularly in the fight against paedophilia.” Again, that is frightfully unclear. Is it just that Telegram wasn’t doing enough to fight CSAM? And if so, what “lack of moderation and cooperation” is enough? Because lots of websites are accused (often unfairly) of not doing enough in the fight against CSAM. Or is there something more?
And if it was just that they weren’t “cooperating” does it make sense to jump straight to criminal charges against the CEO, rather than penalties and fines for the company?
One thing, which I’ve talked about on the Ctrl-Alt-Speech podcast a few times, is how often Telegram comes up in discussions of content moderation and bad behavior, but politicians kind of wave it off as untouchable. Telegram had claimed to be under the threshold that would cause it to be registered as a “Very Large Online Platform” (VLOP) in the EU, and EU officials seemed to buy that claim.
But the numbers were still quite close (a claimed 41 million EU users, when the threshold is 45 million). And even if you’re not a VLOP, there were some requirements for smaller platforms, and it was unclear if Telegram was even remotely concerned with complying.
On top of that there were plenty of stories of bad behavior across social media first being planned on Telegram. The most recent example was the riots in the UK. While lots of people talked about misinformation on ExTwitter that contributed to that, much of that content originated on Telegram.
But, hosting bad behavior alone shouldn’t lead to criminal charges. Even ignoring law enforcement demands seems like it should lead to civil penalties before reaching criminal charges. That’s why I’m really hoping that there are more details here that justify the arrest. Without the details, though, it’s really difficult to know if this is an attack on free speech, or legitimate charges over actual criminal behavior.
I know that many people are leaping to conclusions one way or the other, but until we know the details, everyone’s guessing.
Earlier this year, Durov had given a surprising and rare interview with the Financial Times, where he actually talked about some of the effort (or lack thereof?) that Telegram puts into dealing with criminal behavior on the platform:
Durov said Telegram planned to improve its moderation processes this year as multiple global elections unfold and “deploy AI-related mechanisms to address potential issues”.
But “unless they cross red lines, I don’t think that we should be policing people in the way they express themselves”, said Durov. “I believe in the competition of ideas. I believe that any idea should be challenged . . . Otherwise, we can quickly degrade into authoritarianism.”
That same interview noted that the company only had 50 full-time employees, though some reports have suggested it did have some other outsourced moderators. But in general it took a pretty hands-off approach. That alone should never lead to criminal charges, though.
Also, there are different parts to Telegram’s service. There are the various channels, which act as sort of semi-public “groups” around certain topics. That part is more like social media communities. But there are also parts that are more about person-to-person communication, which the company has long insisted are end-to-end encrypted, though many people have doubted the security of it, since Telegram does not reveal how it works.
On top of that, the “encrypted” messaging is not enabled by default, only works in one-to-one communications (any group messaging is unencrypted) and is quite hard to actually turn on. In other words, the vast, vast, vast majority of content on Telegram is not encrypted and can be seen by the company.
So, there are big questions about whether or not the charges against him relate to the more social media style content, or the (supposedly) encrypted communications part.
On top of that, there’s the Russia question in all of this. Telegram was based in Dubai, and part of the reason for that was that the Russian-born Durov was effectively forced to flee Russia and sell his former company, VK (basically a Russian clone of Facebook that was quite successful), after refusing to remove some content that the Kremlin didn’t like.
However, more recently, there have been claims that the Russian government has access to private Telegram communications, and Russian officials have said that the company “cooperates with Russian law enforcement.” And the response to Durov’s arrest from Russian officials suggests that they’re not happy about the arrest. While the Kremlin itself has been somewhat cautious in its public response, Russian media has been condemning the arrest, and various politicians have been calling for the French to release Durov.
The other interesting point is how central Telegram has been to Russia’s war in Ukraine, for both sides.
Of course, Europol has also said that Telegram cooperates with its request for dealing with terrorism online. And other reports have talked about Telegram cooperating with German officials and handing over data on users.
Combine all that and, basically, at this point, no one really knows what’s going on. It’s possible that Telegram cooperated on some law enforcement efforts and didn’t on others. It’s possible that it had good reasons to cooperate or not cooperate. It’s possible the team got overwhelmed. But it’s also possible that it just said “fuck it” and decided to ignore legal demands because they didn’t care.
As of right now, we just don’t know.
It sounds potentially worrisome, because if it’s really just “well, they refused to take down what we wanted,” that would be a dangerous attack on free speech. But if it’s “Durov himself was actively involved in the creation of and the sharing of illegal content,” then it could be trickier. And there’s a wide spectrum in between.
I will note that, over on Twitter, Elon’s fans are insisting that this is a test run before officials arrest Elon, but that seems ridiculously unlikely.
Also, I have to remind folks that a little over two decades ago, France also put out an arrest warrant on Yahoo CEO Tim Koogle, charging him as a war criminal, because Yahoo’s auction site in the US (notably, not the French version) allowed people to sell Nazi memorabilia. Eventually he was acquitted. You would hope in the two decades since then that officials would be a bit more sophisticated about this stuff, but at this moment, it’s just not clear at all.
Filed Under: arrest, content moderation, criminal liability, france, intermediary liabilty, pavel durov
Companies: telegram