This shouldn't surprise anyone. If a company collects info about some user and the government comes to them with a legitimate warrant they have to handover the information about that user (or risk going to jail/other action by the court) . There is a reason other companies like signal go out of their way to collect as little as possible.
>the government comes to them with a legitimate warrant
Which government, such as the French government for all Russian users, the Russian government for all Ukraine users, or the USA government for all users?
Whose standard for warrants, and how much use of coercion and force are they allowed to use for enforcement. Can the USA kidnap the owners for non-compliance, can the Russians?
You’re asking very basic questions that the answers to have been the same for hundreds of years. If you do business in a country you have to answer to its laws or you risk asset forfeiture or arrest.
That would only be true if you step foot in that country or posses assets in that country, right? Though I imagine the US government can reach a lot farther than the Russian or Chinese governments.
Also bear in mind that government can convey restrictions on any other business in that country. See Brazil requiring ISPs to ban Twitter (even a penalty on individuals bypassing the block using VPNs!), or the US basically prohibiting any business with anyone in Russia.
Basically if you want to operate in a country, you probably need to obey their laws, no matter what you think of those laws. If you ignore them, you can't really be surprised if you get blocked or penalized from doing business there.
The ironic consequence of this is eventually if you want to use big tech for messaging privacy you'll be forced to basically pick one under the jurisdiction of an enemy non-extradition state like Russia or China. Sure their governments will farm and exploit the metadata even if encrypted, but they won't be handing it over to the west unless the deal is juicy.
Eh, not really, because the US has shown it's happy to go ahead and make it illegal to have TikTok here as well. The real result is probably much, much simpler: Globally-operating apps won't make as much sense as they got away with in pre-regulatory eras of the Internet.
Big Tech has basically spent the past twenty years pretending their global status made them above the law of any one nation, but in reality, being a global company just means you're subject to all the laws of all the nations.
remarkably, these are not very basic questions, and the answers are not the same for hundreds of years since this is electronic records that cross international boundaries
Certainly principles of international jurisdiction are well settled and fairly consistent. In that sense the comment was correct.
However, you are also correct that legal principles around information collection and transmission are both new and not well settled.
This feels like one of those hn discussions where everyone will end up talking past each other because of terminology failure.
I mean if you were shit talking France when living in England a few hundred years back you're likely to get put on the enemies of France list, even if your pages were for consumption in England. Now if you never left England there wouldn't be much to worry about, unless they suddenly became friends and decided to export your corpse for goodwill.
This all seems bad news for all Russian war channels, but I guess they had enough time to migrate already. Influencers influence the whole world anyway, so they should expect a knock on the door if so brave. Stupid drug dealers will find other ways to deal or will go deeper the crypto/tor hole. Childporn offenders are anyway legit target for Mr.Robot. Who's left then...? Music pirates - who cares, Spotify lives on, Soulseek does well to. Torrents apparently kill business only where it cannot exist at all due to cultural specifics.
This all somehow leaves perhaps not-so-big list of particularly interesting gentlemen then certain countries will undergo a lot of trouble to get to. No wonder then they did so this time, but wonder which particular among these is the culprit this time...
I doubt the war channels are to be concerned, perhaps the secret chats, and leftover magic in the normal chats. Or even simpler - the phone of the devices allows mobile net tracking, for certain operations this is potentially more than enough.
Where ever they want to do business at. If they expect to be allowed to operate in France/the EU they will have to comply with legitimate French/EU warrants. No one is saying they can't fight it if there is a reason to.
>Can the USA kidnap the owners for non-compliance, can the Russians?
Jailing someone/holding a company in contempt that does business in your country for ignoring legal warrants isn't kidnapping. Trying to frame it that way is pretty silly and disingenuous.
What does it mean to "operate" in a country? If I operate a service in the US and have no servers in Iran, no employees in Iran, no physical presence in Iran whatsoever, but Iranians are communicating with me over the global public internet, does that mean I have to comply with Iranian law? What about if its "France" and not "Iran"? What if these French/Iranian users are not only communicating with me, but also sending me money and/or cryptocurrency in exchange for that communication?
So what? Legitimate warrants cannot exist? Companies exist somewhere, and they follow the rules that can be enforced on them. I'll take warrents by imperfect democracies over autocracies and dictatorship any day.
This will depend on how the company is registered and represented in the states it operates in. It will also depend on the citizenship of the kidnapped owners (and whether it will be even necessary, as maybe extradition would also work).
In any case, a court in any particular state will be responsible for issuing the documents entitling the law enforcement to particular data. There's also the process to dispute issuance or legitimacy of such documents, again, through courts.
So, obviously, there isn't a single answer to your questions. But, obviously, they aren't without answer. Any specific case will produce a potentially different set of answers.
You ask these like they are some kind of gotcha moment, but all of these very simple questions have been answered for decades by international law. You think yourself clever but show yourself ignorant.
Every time someone brings up Signal in these threads I cringe. One can make up stories about spam protection as much as he wants, but given how little (basically none) control one has over him phone number, no messenger strictly requiring a phone number can be considered "privacy-oriented" by any sane person.
I think you are confusing "privacy-oriented" and anonymous! Signal is pretty privacy oriented since it has E2EE by default (and so does Whatsapp). Telegram would be much more privacy oriented if it had E2EE by default.
The incentive is to claim to collect as little as possible. What a company actually collects is between them and any influential state actor that can manage to make use of the data in secret. A company can't support the needs of such an actor and law enforcement at the same time.
you care confusing collecting data with persisting user data.
it is easy to prove what your app collects from OS's permission model and web traffic. People are less interested in whether you store it for future use or discard it immediately after receiving.
Even if you claim you don't persist any of user data, you would still be collecting it
This is only true if the cost of storing user data is greater than the profits it generates. When companies are allowed to sell out users and punishment for data leaks are just seen as the cost of doing business then why would you not store whatever data you can get your hands on?
User data is only an asset if your business model demands it, like Google and Facebook. If you don’t have, and won’t create, a way to monetize it then yes, it’s strictly a liability.
Now the question is, to which government Telegram will comply to share your info.
If I live in Germany, and I do a channel with offensive content against the government of an Arabian shitty country, let's say UAE for example. The content might be legal here but illegal there.
Will the UAE gov be entitled to get my IP address and other info? Leading them to be able to use that to harass me, like targeting me with Pegasus for example?
This was entirely predictable and inevitable. I don't understand what Durov thought would happen nor why he rejects E2EE as a liberating technology.
Policy will never be the key to digital privacy, it must always be accompanied by cryptography. The status quo of allowing a third party read and store your messages forever, slurping up all the metadata along the way, is insane.
I think it is pretty obvious why Durov did not opt for universal E2EE. His main purpose of making Telegram was to make the chat app that is the most usable of all. E2EE comes with a cost on user experience which was for him too high.
Example: Signal can't handle more than one phone logged in, and if for some case you don't open the desktop app for more than 30 days, it logs you out there and you can never get these messages to the desktop.
Good that the company is able to continue functioning with the CEO being trapped and under charges. Shame on France for pulling a nasty warrant mid air.
Well, the fact that Telegram wants to cooperate to me suggests that they previously could have been cooperating but weren't, which makes a charge of complicity make a lot more sense now. Thanks France!
You can't submit the same article twice for the most part. Dupes are duplicate discussions. There's an earlier article with some discussion and eventually maybe mods will merge them. No need to split up the discussion. Share your thoughts over there!
You could even suggest this link in that thread as a better article option.
You totally can, the HN dupe detector is less than reliable. Submit something interesting at night and you'll often see it submitted the following day by someone else.
As a more general point, the fact is that if a discussion doesn't take off while an item is on the front page shortly after submission, it probably never will. The page sorting algorithm ends up prioritizing recency and traction. I agree this isn't ideal.
> I would imagine any serious criminal org will have their own messaging infra by now.
I'm guessing they do not -- that would be inconvenient, expensive, unreliable, insecure, and/or conspicuous.
[Edit: "serious" criminal orgs run, e.g., custom-built submarines, so private comms infrastructure is clearly within their technical abilities. But having all org members communicating to a private centralized mothership seems risky from a surveillance perspective]
I'm guessing they do not -- that would be inconvenient, expensive, unreliable, insecure, and/or conspicuous.
Some do run their own platforms or share a self hosted platform set up by people in a non cooperating country. Sometimes the platform admins find out they were being MitM by mistake tech or law enforcement make. [1] Or not using the MitM detection Jabber is capable of. Jabber scales to millions of users per cluster, big enough for probably most criminal organizations. I doubt the cluster in question was specifically meant for criminals, but the smart criminals will find solutions best suited for their needs. In this case I think they chose poorly given VM's can be live migrated and snapshot including memory contents without interrupting the platform or raising suspicion.
In my humble opinion the big shared corporate platforms will attract the ultra-lazy arrogant and cavalier criminals and I'm sure law enforcement are fine with it. Easy busts still look good to justify big budgets. There are probably people that say they don't know anyone that's been busted on those platforms but they are probably not moving enough volume of illicit goods to warrant immediate attention. That information would be quite useful for getting a warrant however if the target was suspected of something else or if they were an influencer thinking or saying the wrong thing in public.
[Edit] Updated link to the snapshot describing potential mitigations including SCRAM PLUS which was not configured in this incident.
I know people who order drugs all the time via various messaging apps, in the US and throughout Latin America. Often the messages and menus are highly explicit.
Rubber hose cryptanalysis works every time, unless you design your protocol to not have any visibility into the data. Which is impossible in the case of Telegram feeds at the very least.
Hm, given how many requests Meta and Google disclose annually
I dont think a warrant canary is really useful, it implies “we just got 1!” instead of “we just got an additional pile of 200 secret requests from G-7 national governments, one of which is already trying to incarcerate us for not being so forthcoming about compliance”
Given that you won't know the details of the 1 or 200 requests anyway, I think knowing the difference between 0 and >0 is useful. We do know what 0 means, and anything other than 0 means the platform's got the attention and jurisdiction of outside parties.
Also, Signal does supposedly comply with all lawful warrants. They give over what data they do have when properly requested. It is just they don't normally have much useful data to give.
Meanwhile, Telegram supposedly hasn't been properly handling lawful warrants in many countries and does have interesting data on their servers as only private secure messages are (meaningfully) encrypted and not most messages most users send on the platform
It's not the good old days any more. Your government doesn't represent you. Its police, military, and "justice" system are not manned by good people acting in the interests of the people and community.
The good old days when governments represented people, like before the 17th Amendment when states picked the Senate in smokey backroom deals. Wait that can't be right, maybe like before the 19th Amendment. Wait no, during the Jim Crow era. No, the McCarthyism era. Wait...uhh...hmm...
I don't know what time period you're thinking of with "It's not the good old days any more. Your government doesn't represent you." Seems like the government represents more people better today than it did in the past given before so many couldn't even vote at all and the government was far more active in suppressing minority rights.
And if its about them snooping in on conversations, these days they have to actually ask a lot of communication providers for data. Back in the day there was only one company providing electronic communications and the government was absolutely listening in to the conversations. Tons of those communications were happening over the air for anyone with the right antenna to listen in. US v. Miller was in 1976 and established what we now know as third-party doctrine.
If you can get arrested for organizing a protest (that didn't even start that), do you still think that those people are criminals? Just look at all the people that got arrested recently in UK... It's sad, and telegram, not being a UK company (imho) shouldn't be forced to give UK government/police peoples ip addresses and phone numbers.
Where they operate doesn't matter, and it should be pretty obvious why (hint, for the same reasons that American bleached chicken can't be sold in the EU)
I imagine that this would be reason enough for them to either comply with the law or not operate there, like every other business does? You seem to imply that it's ok for internet companies to be above the law, I don't see how that's compatible with self-determinism/democracy (loss of jurisdiction) nor in the interests of the people (because inevitably such companies will optimize their profits at the expense of the public and can't be held accountable, in your anarchic world order).
Let's say your set up a raspberrypi at home (I assume you live in US), install apache, install wordpress, set up port forwarding and write a blog about making pickles. Then someone writes a comment under "How much dill?" and writes "I'm from Iran and I'm gay".
Are you really operating in iran? You don't have servers there, you don't have employees there, you're not a registered company there, what ties do you have with iran? Someone from iran "came to visit"? Sure, so do brits with amsterdam and legal weed.
Should the same rule exists in more authoritarian countries like China, North Korea, or Belarus?
If so should the government be allowed access to non-nationals outside the country? How about if a non-national is inside the country communicating with those outside? How about if those folks are journalist reporting where journalism is illegal (see Russia's laws on "fake news" on Ukraine).
I'm not saying your point of view is wrong, but I think its easy to jump to that conclusion as this is probably the least sympathetic case to set principle. But this _does_ set principle.
> Should the same rule exists in more authoritarian countries like China, North Korea, or Belarus?
If eg. Iran requested IP addresses from Pornhub (Aylo?) for all the visitors from iranian ip addresses who have viewed a gay video there, people would be changing their view pretty fast.
Yes how strange that a DARPA project, handed off to the National Science Foundation and then awarded to Sprint, would be torn from the common man and wrested from its rightful owners into the heartless clutches of government authority
How much of what you use today has anything to do with DARPAs original design goals or funding?
> handed off to the National Science Foundation and then awarded to Sprint
The NSF handled links between Universities and their funding not the Internet in general. Sprint was a primary contractor under this system. None of this should be understood as "the Internet."
> would be torn from the common man
You do appreciate precisely how much open source software underpins everything we're doing, even in typing these comments to each other, over the internet, yes?
I mean.. show me the government plan to build a web browser.
> from its rightful owners
Do you pay taxes? Congratulations. You are the rightful owner.
> into the heartless clutches of government authority
Yea. Hacker News. Typical bastion of mindless worship of "government authority." Then again, if it has the natural right to exist, why does it need my taxes?
To put a fine point on it: what DARPA did, was to sponsor a company called BB&N to develop a piece of hardware called the Interface Message Processor (or IMP). And that's pretty much it.
The IMP was the first gateway doing what you'd think of today as Network Address Translation, isolating "LAN" from "WAN" and using arbitrary computation to rewrite packets between the two. Though at the time, far more work was needed than just address translation. Wholesale network protocol translation was needed, as every site network (and there were already many small site networks) used its own networking equipment; and each vendor's networking equipment spoke some random stack of proprietary protocols invented by that equipment vendor. (There were nascent standards with open reference-impl hardware, e.g. MIT's Chaosnet, but none of these were widely adopted.) This was true all the way up to the application layer — different networking equipment required different application software that spoke the network's supported application protocols!
The IMP was a programmable router, allowing arbitrary CPU packet translation. So each site network could program the very same IMP with the details of its own network — what each type of local-network packet looked like, and what that should translate to for the WAN; and vice-versa.
This allowed these site networks to be glued together into a larger network. The IMP translated packets, and also "wrapped" each (proprietary, site-local) address of each LAN host, giving it a globally-routable name — i.e. an Internet Protocol address. This allowed machines on these networks to — at least in theory — address other networks' machines. All without anyone having to rip out any networking equipment, or replace each network's host application software with new software speaking standardized protocols.
Once the IMP was released, a bunch of universities and corporations came along and said to BB&N, "oh hey neat, I'll buy one of these! Heck, I'll buy one for each campus!" — and promptly stuck them into each of their (existing!) networks. (Some of these purchases were partially funded by DARPA as well — but only if the buyer reached out to ask.)
This didn't actually get anyone any value at first, because the IMPs still needed to be programmed, not just with the details of their local networking standards, but with the details of what the "WAN standard" application packet protocols would/should be for these local networks to translate things into. There were no standards for that yet.
So the folks doing the networking at these orgs, all got together to discuss how to actually get these boxes they bought to talk to each-other — e.g. what application-layer protocols they would need to invent/standardize on, to then get these gateway boxes to translate into from the proprietary site protocols they were using.
That group became known as the Internet Engineering Task Force, and their meeting notes became known as RFCs. (Read https://datatracker.ietf.org/doc/html/rfc1 if you don't believe me.)
Note that they called this WAN network formed by these sites through the IMPs the "ARPA Network" — presumably because that's what BB&N referred to it as, in turn because DARPA funded the IMP with the intent of creating such a network.
But DARPA had no involvement in the actual development of the "ARPA Network"! They weren't even a site on it! They didn't attend the IETF meetings! Rather, DARPA just kinda stepped back and said "go ahead, have fun" — and watched as the Internet took shape.
(I would thus describe DARPA's funding of the BB&N IMP as probably the most successful case of "nudge theory" in history. Almost as if someone at DARPA was a time-traveller who knew that that much effort, and no more, was all that was needed to shift the timeline.)
BB&N was and remains a private company, and isn't primarily a government contractor. It was a one-time government grant — and for much less than the full CapEx required to build the thing. DARPA essentially said "you want to build this? We'd sure like something like that to exist, so we'll give you some money to increase your chances/make it happen faster."
As it turns out, "throwing money at American-owned private companies who are being the [technological] change you [i.e. the state] wants to see in the world, to advance the technological edge America has over other countries" is a large part of DARPA's mandate. DARPA seeks to incubate a healthy private sector in nascent high-tech industries, so that it can later rely on competition in those industries, to produce a healthy, non-monopolistic set of viable military contract bidders for the military as a whole to choose from / set against one-another.
Pony Express, telegraph lines, railroads, a national highway system: what purpose and goals do you think were in mind here? So you could jaunt down Route 66 for a burger, and send back a 5c postcard??? Haha!
> How much of what you use today has anything to do with DARPAs original design goals or funding?
100%
The National Center for Supercomputing Applications (NCSA) is a state-federal partnership to develop and deploy national-scale cyberinfrastructure that advances research, science and engineering based in the United States.[1][2] NCSA operates as a unit of the University of Illinois Urbana-Champaign,[3] and provides high-performance computing resources to researchers across the country. Support for NCSA comes from the National Science Foundation,[1][4] [5] [6] the state of Illinois,[2] the University of Illinois, business and industry partners,[7] and other federal agencies.
> prompt: There’s an article on Hackernews titled “Telegram will now hand over your phone number and IP if you’re a criminal suspect”. Generate a comment in Hackernews style that supports this decision, implies that it’s because they didn’t encrypt the messages and uses Signal as an example of doing it right because “look! They haven’t had problems”
Not surprised. Telegram doesn't encrypt by default, so of course they're handing over phone numbers and IPs. If you don't lock things down like Signal does, you're going to have problems. Signal can’t hand over what they don’t have—encrypted end-to-end, no metadata. Simple as that.
Yes, channels and groups are most likely what makes Telegram a threat where Signal isn't. That's an excellent argument for decentralized social media.
You're probably exasperated that others don't see what to you seems like an obvious truth. Rather than mocking the opposing argument, it's probably still worth rehashing yours when the topic comes up, even if it feels like banging the same drum with nobody listening.
This shouldn't surprise anyone. If a company collects info about some user and the government comes to them with a legitimate warrant they have to handover the information about that user (or risk going to jail/other action by the court) . There is a reason other companies like signal go out of their way to collect as little as possible.
>the government comes to them with a legitimate warrant
Which government, such as the French government for all Russian users, the Russian government for all Ukraine users, or the USA government for all users?
Whose standard for warrants, and how much use of coercion and force are they allowed to use for enforcement. Can the USA kidnap the owners for non-compliance, can the Russians?
You’re asking very basic questions that the answers to have been the same for hundreds of years. If you do business in a country you have to answer to its laws or you risk asset forfeiture or arrest.
That would only be true if you step foot in that country or posses assets in that country, right? Though I imagine the US government can reach a lot farther than the Russian or Chinese governments.
Not quite.
Here: https://www.asil.org/sites/default/files/benchbook/jurisdict...
This is both a reasonable exposition and fairly short.
But also keep in mind data collection and transmission and sharing and rule enforcement are not really a jurisdiction thing.
Or the countries you live or travel in have extradition treaties with the other country.
Also bear in mind that government can convey restrictions on any other business in that country. See Brazil requiring ISPs to ban Twitter (even a penalty on individuals bypassing the block using VPNs!), or the US basically prohibiting any business with anyone in Russia.
Basically if you want to operate in a country, you probably need to obey their laws, no matter what you think of those laws. If you ignore them, you can't really be surprised if you get blocked or penalized from doing business there.
The ironic consequence of this is eventually if you want to use big tech for messaging privacy you'll be forced to basically pick one under the jurisdiction of an enemy non-extradition state like Russia or China. Sure their governments will farm and exploit the metadata even if encrypted, but they won't be handing it over to the west unless the deal is juicy.
Another option is to use free and open source encryption software, like gpg/pgp.
Like what most darknet markets use.
Eh, not really, because the US has shown it's happy to go ahead and make it illegal to have TikTok here as well. The real result is probably much, much simpler: Globally-operating apps won't make as much sense as they got away with in pre-regulatory eras of the Internet.
Big Tech has basically spent the past twenty years pretending their global status made them above the law of any one nation, but in reality, being a global company just means you're subject to all the laws of all the nations.
remarkably, these are not very basic questions, and the answers are not the same for hundreds of years since this is electronic records that cross international boundaries
Certainly principles of international jurisdiction are well settled and fairly consistent. In that sense the comment was correct. However, you are also correct that legal principles around information collection and transmission are both new and not well settled.
This feels like one of those hn discussions where everyone will end up talking past each other because of terminology failure.
I mean if you were shit talking France when living in England a few hundred years back you're likely to get put on the enemies of France list, even if your pages were for consumption in England. Now if you never left England there wouldn't be much to worry about, unless they suddenly became friends and decided to export your corpse for goodwill.
I have never paid telegram for their business
So, using the same logic, Meta should not be liable for what happens on Facebook because users do not pay…
That's some Barlowesque[1] thinking that would play into the hands of big tech.
If Telegram didn't want to answer to French law, they should've blocked French phone numbers from registering users. Problem solved.
[1] https://disconnect.blog/reclaiming-sovereignty-in-the-digita...
Meta sells my data to advertisers
I think you answered why the only real solutions are
a) don’t collect the data (signal approach)
b) hire an army of lawyers and compliance people (big tech approach)
c) ban users from entire countries where you don’t comply (common in crypto)
d) risk jailtime or asset forfeiture
Signal has both phone numbers and IPs.
Signal hand over IP logs, phone numbers, and the datetime of last connection. [0]
[0] https://signal.org/bigbrother/central-california-grand-jury/
This all seems bad news for all Russian war channels, but I guess they had enough time to migrate already. Influencers influence the whole world anyway, so they should expect a knock on the door if so brave. Stupid drug dealers will find other ways to deal or will go deeper the crypto/tor hole. Childporn offenders are anyway legit target for Mr.Robot. Who's left then...? Music pirates - who cares, Spotify lives on, Soulseek does well to. Torrents apparently kill business only where it cannot exist at all due to cultural specifics.
This all somehow leaves perhaps not-so-big list of particularly interesting gentlemen then certain countries will undergo a lot of trouble to get to. No wonder then they did so this time, but wonder which particular among these is the culprit this time...
Bad news for the OSINT community who gets tonnes of leaks from Russian war telegram channels
I doubt the war channels are to be concerned, perhaps the secret chats, and leftover magic in the normal chats. Or even simpler - the phone of the devices allows mobile net tracking, for certain operations this is potentially more than enough.
> Which government ... Whose standard
It depends entirely on where you land in your private jet.
Where ever they want to do business at. If they expect to be allowed to operate in France/the EU they will have to comply with legitimate French/EU warrants. No one is saying they can't fight it if there is a reason to.
>Can the USA kidnap the owners for non-compliance, can the Russians?
Jailing someone/holding a company in contempt that does business in your country for ignoring legal warrants isn't kidnapping. Trying to frame it that way is pretty silly and disingenuous.
What does it mean to "operate" in a country? If I operate a service in the US and have no servers in Iran, no employees in Iran, no physical presence in Iran whatsoever, but Iranians are communicating with me over the global public internet, does that mean I have to comply with Iranian law? What about if its "France" and not "Iran"? What if these French/Iranian users are not only communicating with me, but also sending me money and/or cryptocurrency in exchange for that communication?
So what? Legitimate warrants cannot exist? Companies exist somewhere, and they follow the rules that can be enforced on them. I'll take warrents by imperfect democracies over autocracies and dictatorship any day.
Ha! The devil of the details.
This will depend on how the company is registered and represented in the states it operates in. It will also depend on the citizenship of the kidnapped owners (and whether it will be even necessary, as maybe extradition would also work).
In any case, a court in any particular state will be responsible for issuing the documents entitling the law enforcement to particular data. There's also the process to dispute issuance or legitimacy of such documents, again, through courts.
So, obviously, there isn't a single answer to your questions. But, obviously, they aren't without answer. Any specific case will produce a potentially different set of answers.
You ask these like they are some kind of gotcha moment, but all of these very simple questions have been answered for decades by international law. You think yourself clever but show yourself ignorant.
You have to follow the laws in the jurisdictions in which you do business.
If you want to not be subject to the laws of a country you need to blackhole that entire country.
Every time someone brings up Signal in these threads I cringe. One can make up stories about spam protection as much as he wants, but given how little (basically none) control one has over him phone number, no messenger strictly requiring a phone number can be considered "privacy-oriented" by any sane person.
What do you advocate for an alternative identifier and how do you combat spam without verifying a phone number?
no IDs, only connect to the users you choose to connect with
SimpleX comes to mind
https://simplex.chat/
Huh?
I think you are confusing "privacy-oriented" and anonymous! Signal is pretty privacy oriented since it has E2EE by default (and so does Whatsapp). Telegram would be much more privacy oriented if it had E2EE by default.
they have usernames now
[dead]
The incentive is to claim to collect as little as possible. What a company actually collects is between them and any influential state actor that can manage to make use of the data in secret. A company can't support the needs of such an actor and law enforcement at the same time.
you care confusing collecting data with persisting user data.
it is easy to prove what your app collects from OS's permission model and web traffic. People are less interested in whether you store it for future use or discard it immediately after receiving.
Even if you claim you don't persist any of user data, you would still be collecting it
User data is a liability, not an asset. However this is untrue when breaches, leaks and misuse aren’t prosecuted. It’s a shame we have ended up here.
This is only true if the cost of storing user data is greater than the profits it generates. When companies are allowed to sell out users and punishment for data leaks are just seen as the cost of doing business then why would you not store whatever data you can get your hands on?
> User data is a liability, not an asset.
Yeah Google and Facebook are all losing money in those liabilities.
No theyre not, they're printing money because user data is an asset. Stop repeating silly sound bytes.
User data is only an asset if your business model demands it, like Google and Facebook. If you don’t have, and won’t create, a way to monetize it then yes, it’s strictly a liability.
It's not that it is a liability, it's that it should be. Likewise, it currently is an asset, but shouldn't be monetizable.
When you quote part of my comment, it give a different message. Clever!
"Legitimate warrant" is a flexible and fluctuating idea. When a new government takes over, they may want information on all potential opposition.
yep, and reading the news lately "legitimate warrant" means things like "has a harris poster on their lawn"
But my crypto bro friends said they would only communicate by Telegram because it is 1000% secure!
Now the question is, to which government Telegram will comply to share your info.
If I live in Germany, and I do a channel with offensive content against the government of an Arabian shitty country, let's say UAE for example. The content might be legal here but illegal there.
Will the UAE gov be entitled to get my IP address and other info? Leading them to be able to use that to harass me, like targeting me with Pegasus for example?
This was entirely predictable and inevitable. I don't understand what Durov thought would happen nor why he rejects E2EE as a liberating technology.
Policy will never be the key to digital privacy, it must always be accompanied by cryptography. The status quo of allowing a third party read and store your messages forever, slurping up all the metadata along the way, is insane.
I think it is pretty obvious why Durov did not opt for universal E2EE. His main purpose of making Telegram was to make the chat app that is the most usable of all. E2EE comes with a cost on user experience which was for him too high.
Example: Signal can't handle more than one phone logged in, and if for some case you don't open the desktop app for more than 30 days, it logs you out there and you can never get these messages to the desktop.
that is a limitation of signal not E2EE for an example see matrix
although E2EE chats do take more computing and storage especially with very large groups
[dead]
Good that the company is able to continue functioning with the CEO being trapped and under charges. Shame on France for pulling a nasty warrant mid air.
Well, the fact that Telegram wants to cooperate to me suggests that they previously could have been cooperating but weren't, which makes a charge of complicity make a lot more sense now. Thanks France!
You are part of the problem.
Suspect, try to find excuses to arrest and then go look for evidence.
Suggests, implies, I believe, blablabla. All nonsense.
That's tyranny.
It looks like we need tyranny from time to time so that people learn why lots of people died to earn basic rights...
It's always tempting. "We're only doing it to get the bad criminals!"
Sounds great. Until a tyrant decides you're bad.
Well that's a shame...
[dupe]
https://news.ycombinator.com/item?id=41628019
Dupes are submissions of the same article. I thought this one was better than the others I had seen on this topic.
You can't submit the same article twice for the most part. Dupes are duplicate discussions. There's an earlier article with some discussion and eventually maybe mods will merge them. No need to split up the discussion. Share your thoughts over there! You could even suggest this link in that thread as a better article option.
You totally can, the HN dupe detector is less than reliable. Submit something interesting at night and you'll often see it submitted the following day by someone else.
As a more general point, the fact is that if a discussion doesn't take off while an item is on the front page shortly after submission, it probably never will. The page sorting algorithm ends up prioritizing recency and traction. I agree this isn't ideal.
Honestly you have to be a bit dumb to write incriminating stuff on popular messaging apps like Telegram, Whatsapp, etc.
I would imagine any serious criminal org will have their own messaging infra by now.
> I would imagine any serious criminal org will have their own messaging infra by now.
I'm guessing they do not -- that would be inconvenient, expensive, unreliable, insecure, and/or conspicuous.
[Edit: "serious" criminal orgs run, e.g., custom-built submarines, so private comms infrastructure is clearly within their technical abilities. But having all org members communicating to a private centralized mothership seems risky from a surveillance perspective]
I'm guessing they do not -- that would be inconvenient, expensive, unreliable, insecure, and/or conspicuous.
Some do run their own platforms or share a self hosted platform set up by people in a non cooperating country. Sometimes the platform admins find out they were being MitM by mistake tech or law enforcement make. [1] Or not using the MitM detection Jabber is capable of. Jabber scales to millions of users per cluster, big enough for probably most criminal organizations. I doubt the cluster in question was specifically meant for criminals, but the smart criminals will find solutions best suited for their needs. In this case I think they chose poorly given VM's can be live migrated and snapshot including memory contents without interrupting the platform or raising suspicion.
In my humble opinion the big shared corporate platforms will attract the ultra-lazy arrogant and cavalier criminals and I'm sure law enforcement are fine with it. Easy busts still look good to justify big budgets. There are probably people that say they don't know anyone that's been busted on those platforms but they are probably not moving enough volume of illicit goods to warrant immediate attention. That information would be quite useful for getting a warrant however if the target was suspected of something else or if they were an influencer thinking or saying the wrong thing in public.
[Edit] Updated link to the snapshot describing potential mitigations including SCRAM PLUS which was not configured in this incident.
[1] - https://archive.ph/4wi5t
More insecure than an app that keeps track of everything in a database you cannot control and can be accessed by the authorities?
Even when deleting messages how can you trust these are actually being hard deleted?
I would imagine the inconvenience and cost are worth it but what do I know... I'm not a criminal :P
I know people who order drugs all the time via various messaging apps, in the US and throughout Latin America. Often the messages and menus are highly explicit.
Actually it's the criminals that use secure messaging services made for them that get in trouble.
There have been a few big busts the last years by the Dutch police of criminal rings, caught because of their choice in messengers.
The ones using Signal or Whatsapp are the smarter ones.
haha Durov is singing like a bird now that he go apprehended
Rubber hose cryptanalysis works every time, unless you design your protocol to not have any visibility into the data. Which is impossible in the case of Telegram feeds at the very least.
In a sense the surveillance in the "west" and in particular in the EU is worse than what you have in China.
At least the Chinese they know that all their conversations are being monitored and read by the government.
In the EU many people still live under the illusion of GDPR, data privacy, democracy etc...
Sounds good to me
They are coming for you Tether
About time. Criminals hiding behind some technicalities!
There is a difference between "criminal" and "criminal suspect."
If you’ve got something to hide, you’re guilty!
/s
We don't need privacy! Only criminals want those pesky "privacy policies,, to protect their operations! 1
Warrant canary removed: https://opentermsarchive.org/en/memos/telegram-expands-forbi...
Hm, given how many requests Meta and Google disclose annually
I dont think a warrant canary is really useful, it implies “we just got 1!” instead of “we just got an additional pile of 200 secret requests from G-7 national governments, one of which is already trying to incarcerate us for not being so forthcoming about compliance”
Given that you won't know the details of the 1 or 200 requests anyway, I think knowing the difference between 0 and >0 is useful. We do know what 0 means, and anything other than 0 means the platform's got the attention and jurisdiction of outside parties.
[dead]
[flagged]
The CEO of Signal has not been arrested.
Also, Signal does supposedly comply with all lawful warrants. They give over what data they do have when properly requested. It is just they don't normally have much useful data to give.
Meanwhile, Telegram supposedly hasn't been properly handling lawful warrants in many countries and does have interesting data on their servers as only private secure messages are (meaningfully) encrypted and not most messages most users send on the platform
Of Signal?
How is enforcing subpoenas a form of terrorism?
It's not the good old days any more. Your government doesn't represent you. Its police, military, and "justice" system are not manned by good people acting in the interests of the people and community.
Snap out of it.
The good old days when governments represented people, like before the 17th Amendment when states picked the Senate in smokey backroom deals. Wait that can't be right, maybe like before the 19th Amendment. Wait no, during the Jim Crow era. No, the McCarthyism era. Wait...uhh...hmm...
I don't know what time period you're thinking of with "It's not the good old days any more. Your government doesn't represent you." Seems like the government represents more people better today than it did in the past given before so many couldn't even vote at all and the government was far more active in suppressing minority rights.
And if its about them snooping in on conversations, these days they have to actually ask a lot of communication providers for data. Back in the day there was only one company providing electronic communications and the government was absolutely listening in to the conversations. Tons of those communications were happening over the air for anyone with the right antenna to listen in. US v. Miller was in 1976 and established what we now know as third-party doctrine.
Yeah I'm sure it was better in the good old days ahaha
No it’s just that now it affects everyone not just certain groups which is the tipping point for Society to reorganize
This is what is called out by Polybius, Socrates, Jefferson, Strauss/Howe as the socio-political cycle.
[flagged]
This is the most bullying way to make excuses for the government, but okay.
By the way, until convinced, he's not a criminal.
You don't even see the problem that's crept into your own language, do you?
>until convinced, he's not a criminal
Freud would absolutely approve.
Criminal _suspects_ are not the same as criminals.
The problem lies in "what is a crime?" here.
If you can get arrested for organizing a protest (that didn't even start that), do you still think that those people are criminals? Just look at all the people that got arrested recently in UK... It's sad, and telegram, not being a UK company (imho) shouldn't be forced to give UK government/police peoples ip addresses and phone numbers.
If they want to operate in country X, they have to abide by the laws of country X, I don't see what's controversial about this.
But they're operating in UAE (or whereever they're registred).
They just get visitors from UK.
Where they operate doesn't matter, and it should be pretty obvious why (hint, for the same reasons that American bleached chicken can't be sold in the EU)
The laws of country X are controversial.
All countries have laws that are controversial for some other country.
Yep.
Imagine iran requesting all the IP addresses of people who have viewed gay porn from pornhub (=Aylo or whatever it's called now)
I imagine that this would be reason enough for them to either comply with the law or not operate there, like every other business does? You seem to imply that it's ok for internet companies to be above the law, I don't see how that's compatible with self-determinism/democracy (loss of jurisdiction) nor in the interests of the people (because inevitably such companies will optimize their profits at the expense of the public and can't be held accountable, in your anarchic world order).
Let's say your set up a raspberrypi at home (I assume you live in US), install apache, install wordpress, set up port forwarding and write a blog about making pickles. Then someone writes a comment under "How much dill?" and writes "I'm from Iran and I'm gay".
Are you really operating in iran? You don't have servers there, you don't have employees there, you're not a registered company there, what ties do you have with iran? Someone from iran "came to visit"? Sure, so do brits with amsterdam and legal weed.
They definitely wouldn't stop operating in Iran and miss that sweet ad money
then it's fair game for Iran (or any other country) to fine them/block them for that.
[dead]
> telegram, not being a UK company (imho) shouldn't be forced to give UK government/police peoples ip addresses and phone numbers
They absolutely should if they want to operate in the UK.
Define operate in.
Does HN operate in the UK because I can access it here? Should they be subject to UK law?
Should the same rule exists in more authoritarian countries like China, North Korea, or Belarus?
If so should the government be allowed access to non-nationals outside the country? How about if a non-national is inside the country communicating with those outside? How about if those folks are journalist reporting where journalism is illegal (see Russia's laws on "fake news" on Ukraine).
I'm not saying your point of view is wrong, but I think its easy to jump to that conclusion as this is probably the least sympathetic case to set principle. But this _does_ set principle.
> Should the same rule exists in more authoritarian countries like China, North Korea, or Belarus?
If eg. Iran requested IP addresses from Pornhub (Aylo?) for all the visitors from iranian ip addresses who have viewed a gay video there, people would be changing their view pretty fast.
But they're registered in UAE (i think it's there).
They might get "visitors" from UK, but so do "coffeeshops" in amsterdam.
That’s not for telegram to decide and dictate to everyone else I’m not sure I’d call that sad
Yes how strange that a DARPA project, handed off to the National Science Foundation and then awarded to Sprint, would be torn from the common man and wrested from its rightful owners into the heartless clutches of government authority
> that a DARPA project
How much of what you use today has anything to do with DARPAs original design goals or funding?
> handed off to the National Science Foundation and then awarded to Sprint
The NSF handled links between Universities and their funding not the Internet in general. Sprint was a primary contractor under this system. None of this should be understood as "the Internet."
> would be torn from the common man
You do appreciate precisely how much open source software underpins everything we're doing, even in typing these comments to each other, over the internet, yes?
I mean.. show me the government plan to build a web browser.
> from its rightful owners
Do you pay taxes? Congratulations. You are the rightful owner.
> into the heartless clutches of government authority
Yea. Hacker News. Typical bastion of mindless worship of "government authority." Then again, if it has the natural right to exist, why does it need my taxes?
To put a fine point on it: what DARPA did, was to sponsor a company called BB&N to develop a piece of hardware called the Interface Message Processor (or IMP). And that's pretty much it.
The IMP was the first gateway doing what you'd think of today as Network Address Translation, isolating "LAN" from "WAN" and using arbitrary computation to rewrite packets between the two. Though at the time, far more work was needed than just address translation. Wholesale network protocol translation was needed, as every site network (and there were already many small site networks) used its own networking equipment; and each vendor's networking equipment spoke some random stack of proprietary protocols invented by that equipment vendor. (There were nascent standards with open reference-impl hardware, e.g. MIT's Chaosnet, but none of these were widely adopted.) This was true all the way up to the application layer — different networking equipment required different application software that spoke the network's supported application protocols!
The IMP was a programmable router, allowing arbitrary CPU packet translation. So each site network could program the very same IMP with the details of its own network — what each type of local-network packet looked like, and what that should translate to for the WAN; and vice-versa.
This allowed these site networks to be glued together into a larger network. The IMP translated packets, and also "wrapped" each (proprietary, site-local) address of each LAN host, giving it a globally-routable name — i.e. an Internet Protocol address. This allowed machines on these networks to — at least in theory — address other networks' machines. All without anyone having to rip out any networking equipment, or replace each network's host application software with new software speaking standardized protocols.
Once the IMP was released, a bunch of universities and corporations came along and said to BB&N, "oh hey neat, I'll buy one of these! Heck, I'll buy one for each campus!" — and promptly stuck them into each of their (existing!) networks. (Some of these purchases were partially funded by DARPA as well — but only if the buyer reached out to ask.)
This didn't actually get anyone any value at first, because the IMPs still needed to be programmed, not just with the details of their local networking standards, but with the details of what the "WAN standard" application packet protocols would/should be for these local networks to translate things into. There were no standards for that yet.
So the folks doing the networking at these orgs, all got together to discuss how to actually get these boxes they bought to talk to each-other — e.g. what application-layer protocols they would need to invent/standardize on, to then get these gateway boxes to translate into from the proprietary site protocols they were using.
That group became known as the Internet Engineering Task Force, and their meeting notes became known as RFCs. (Read https://datatracker.ietf.org/doc/html/rfc1 if you don't believe me.)
Note that they called this WAN network formed by these sites through the IMPs the "ARPA Network" — presumably because that's what BB&N referred to it as, in turn because DARPA funded the IMP with the intent of creating such a network.
But DARPA had no involvement in the actual development of the "ARPA Network"! They weren't even a site on it! They didn't attend the IETF meetings! Rather, DARPA just kinda stepped back and said "go ahead, have fun" — and watched as the Internet took shape.
(I would thus describe DARPA's funding of the BB&N IMP as probably the most successful case of "nudge theory" in history. Almost as if someone at DARPA was a time-traveller who knew that that much effort, and no more, was all that was needed to shift the timeline.)
Well yeah, and the government sponsored a little company called Los Alamos to develop a few things. But now we own them, I guess.
BB&N was and remains a private company, and isn't primarily a government contractor. It was a one-time government grant — and for much less than the full CapEx required to build the thing. DARPA essentially said "you want to build this? We'd sure like something like that to exist, so we'll give you some money to increase your chances/make it happen faster."
As it turns out, "throwing money at American-owned private companies who are being the [technological] change you [i.e. the state] wants to see in the world, to advance the technological edge America has over other countries" is a large part of DARPA's mandate. DARPA seeks to incubate a healthy private sector in nascent high-tech industries, so that it can later rely on competition in those industries, to produce a healthy, non-monopolistic set of viable military contract bidders for the military as a whole to choose from / set against one-another.
Pony Express, telegraph lines, railroads, a national highway system: what purpose and goals do you think were in mind here? So you could jaunt down Route 66 for a burger, and send back a 5c postcard??? Haha!
> How much of what you use today has anything to do with DARPAs original design goals or funding?
100%
https://en.wikipedia.org/wiki/CERNhttps://en.wikipedia.org/wiki/CERN_httpd
https://en.wikipedia.org/wiki/NCSA_Mosaic
https://en.wikipedia.org/wiki/NCSA_HTTPd
Are you even serious rn?
If you're right then I shall take out my equity in the form of SAM batteries. How many will fit on my balcony.
Previously posted:
https://news.ycombinator.com/item?id=41629437
https://news.ycombinator.com/item?id=41628467
https://news.ycombinator.com/item?id=41628381
https://news.ycombinator.com/item?id=41628019
The only relevant link with discussion is the last one:
https://news.ycombinator.com/item?id=41628019 - 3 hours ago (6 comments)
And it's not a dupe, only a related submission (different article / link).
[dead]
It’s sad to see HN become so full of bots.
> prompt: There’s an article on Hackernews titled “Telegram will now hand over your phone number and IP if you’re a criminal suspect”. Generate a comment in Hackernews style that supports this decision, implies that it’s because they didn’t encrypt the messages and uses Signal as an example of doing it right because “look! They haven’t had problems”
Not surprised. Telegram doesn't encrypt by default, so of course they're handing over phone numbers and IPs. If you don't lock things down like Signal does, you're going to have problems. Signal can’t hand over what they don’t have—encrypted end-to-end, no metadata. Simple as that.
I guess I'm a bot then.
Yes, channels and groups are most likely what makes Telegram a threat where Signal isn't. That's an excellent argument for decentralized social media.
You're probably exasperated that others don't see what to you seems like an obvious truth. Rather than mocking the opposing argument, it's probably still worth rehashing yours when the topic comes up, even if it feels like banging the same drum with nobody listening.