It’s 7:30 p.m. on a Monday in June at an undisclosed location somewhere in northern Europe. I’m sitting in a private dining room in an upscale hotel, talking to Pavel Durov—the “Mark Zuckerberg of Russia,” a young internet mogul who had built the country’s most popular social network and lost it to the Kremlin all before he turned thirty. Not long after the famed American whistleblower Edward Snowden had fled to Russia to avoid federal prosecution, Durov had offered Snowden a job—but then himself had to flee Russia because of a widening conflict with the Russian government. Initially hailed as a cyber-dissident because of his spat with the Kremlin, Durov has since drawn the repeated, aggressive interest of American intelligence officials, as well.
A group of wealthy tourists milled around in the lobby, excitedly chattering about their day of sightseeing and museum tours. Our conversation was of a darker nature. Durov and I were talking about the murky, hyper-paranoid world of the crypto-obsessed privacy movement—a place where spies ruled, nothing was what it seemed, and no one could be trusted.
For me, the paranoia made sense. For the last three years I had been investigating the grassroots crypto tech accessories at the heart of today’s powerful privacy movement: internet anonymizers, encrypted chat apps, untraceable drop boxes for whistleblowers, and super-secure operating systems that even the NSA supposedly couldn’t crack. These tools were promoted by Pulitzer Prize-winning journalists, hackers, whistleblowers, and the biggest and most credible names in the privacy trade—from Edward Snowden to the Electronic Frontier Foundation and the American Civil Liberties Union. Apps like Tor and Signal promised to protect users from America’s all-seeing surveillance apparatus. And the cryptographers and programmers who built these people’s crypto weapons? Well, many of them claimed to live on the edge: subversive crypto-anarchists fighting The Man, pursued and assailed by shadowy U.S. government forces. Citing harassment, some of them had fled the United States altogether, forced to live in self-imposed exile in Berlin.
At least that’s how they saw themselves. My reporting revealed a different reality. As I found out by digging through financial records and FOIA requests, many of these self-styled online radicals were actually military contractors, drawing salaries with benefits from the very same U.S. national security state they claimed to be fighting. Their spunky crypto-tech also turned out, on closer inspection, to be a jury-rigged and porous Potemkin Village version of secure digital communications. What’s more, the relevant software here was itself financed by the U.S. government: millions of dollars a year flowing to crypto radicals from the Pentagon, the State Department, and organizations spun off from the CIA.
My investigation of this community had brought me a lot of abuse: smears and death threats lobbed by military contractors against me and my colleagues; false slanderous stories planted in the press about me being a sexist bully and a CIA agent paid to undermine trust in encryption. So I learned long ago to approach my sources with skepticism and wariness—especially someone as infamous as Durov, who had recently gotten into the crypto business with Telegram, which now enjoys the distinction of being ISIS’s favorite chat app.
Mogul on the Move
Durov, who asked me to obscure the location of our meeting because of his ongoing conflict with the Russian government, was wary, too. He had a right to be.
Now thirty-two, he is a multimillionaire—and, if the papers are to be believed, Russia’s most radical internet mogul. In 2006, while only twenty-two, he had cofounded VKontakte (“In Contact”), a Facebook social networking clone that became more popular in Russia and across the former Soviet Union than Facebook itself. The company didn’t stay under his control for long. In 2011, following mass opposition protests against Vladimir Putin’s ruling party organized largely via social media, the government wanted a firmer grasp over VKontakte. Durov resisted, and pulled off all sorts of acts of defiance: he took photos of documents ordering the company to block certain political groups and posted them online, and publicly mocked officials of Russia’s FSB state security forces.
But the Kremlin persisted, and finally got its way. Durov had wearied of the Russian state’s steady barrage of dramatic pressure tactics—including attempts by police to raid Durov’s apartment, a bizarre blackmail incident involving what Durov says was a fake video purporting to show him in a black Mercedes running over a traffic cop, and trumped-up criminal charges that forced him to flee the country. So in 2014, the young social media mogul was forced to sell his 20 percent stake of VKontakte to a business concern run by Uzbek-born Alisher Usmanov, a scary billionaire loyal to President Putin. Stripped of his empire, Durov could no longer claim to be the Zuckerberg of the Russian polis.
Durov fled Russia and, after making a strategic investment on the two-
island nation of St. Kitts and Nevis, became a citizen of the Caribbean. For the past three years, he’s lived the life of an autonomous, self-facilitating multimillionaire, wandering the globe living in luxurious hotels, while forsaking material possessions like land and real estate. Durov could have done anything he wanted, and so while in exile, he worked with his elder brother Nikolai on the next big thing: channeling his time and wealth—estimated to be about $300 million—into the development of a new messaging app, Telegram.
With about 100 million users worldwide, Telegram is ten times smaller than Facebook’s WhatsApp, its closest competitor. But Telegram has found success in strange places: it’s huge in Iran and big in Uzbekistan. It’s got some users in Europe, as well as a growing fan base among Russia’s journalists. It’s also been a big hit with Al-Qaeda and ISIS, who seem to see Telegram as the most secure tool on the market. The groups have used the app’s encrypted chats to plan attacks, while deploying its “public channels” feature to broadcast propaganda, recruit lone-wolf terrorists and claim responsibility for successful strikes. Telegram has been implicated in attacks in France, Germany, Turkey and, most recently, in Durov’s hometown of St. Petersburg, where a lone suicide bomber struck a metro station in the heart the city, killing fifteen people and maiming many more.
Getting the Message
Not surprisingly, the Russian government has again put Durov in its sights. Russian security officials have been pressuring him to share data with them, or risk having his service blocked. But the Russians aren’t the only ones trying to put the screws on Durov. Apparently, the Americans want a piece of the action, too.
As a waitress brought out a plate of bread and some appetizers—sliced squid and tuna tartar—Durov explained that over the past several years, the FBI has been attempting to pressure him into secretly cooperating with the agency, and that agents had gone as far as trying to bribe one of his developers into becoming a mole. He had never fully discussed the details of his run-ins with the FBI in public—until now.
Durov says the pressure started in 2014, shortly after he sold his stake in VKontakte. That’s when he first started routinely getting interviewed and questioned by FBI agents on the American border. Sometimes they would detain him for further questioning on entry; other times they would catch up with him to “chat” while he was at the gate getting ready to board a plane. At first, the FBI was curious about his work portfolio at VKontakte and the company’s relationship with Russian law enforcement, including the procedures it followed for complying with government data requests. “I wasn’t comfortable with these questions,” he said. “I had no inclination of becoming an American mole, so I just provided them with the minimum information that was already available in the media.”
Durov and I were talking about the murky, hyper-paranoid world of the crypto-obsessed privacy movement.
On later trips, though, FBI officials began asking about Telegram. Where was it based? How did it work? How could the FBI get in touch with Durov in the future? The agents followed up with friendly notes by email, telling Durov to reach out to them if he had trouble or needed help with anything. Durov says he continued to ignore the overtures, but the FBI clearly wanted something; the question was what. In 2016, Durov got his answer. That May, he flew from Europe to San Francisco to attend the annual Google I/O conference. The first morning of his visit, two FBI agents showed up unannounced at eight in the morning at a Mountain View home he was renting through Airbnb. “How did they get the address?” Durov asks. “Maybe they tracked my sim card? Followed me from the airport? Maybe they got the info from Uber? I don’t know.”
In any event, the two agents were clearly on a mission. “Right away they started asking about Telegram, which made me worry,” says Durov, explaining that it didn’t take long for his early-morning visitors to get to the point: the FBI wanted to set up some kind of informal backchannel process that would enable Telegram to hand over data on particular users in the event of a terrorist threat; they even came prepared with official-looking documents in hand. “They showed me a court order and told me, ‘We respect your values about privacy and cryptography very much, and we respect what you’re trying to do. But there is terrorism, it is a serious problem and we have a duty to protect society. We hope you understand and share our views. We want to create a process of data exchange so that you can help us when there is a terrorist threat,’” Durov recounted. During the twenty-minute interview, the agents made it clear they hoped that this was just the start of a long and fruitful relationship.
Telegram is registered in the UK as Telegram Messenger LLP, a company owned by two other companies—one in the British Virgin Islands; the other in Belize. Its data is also cut up and spread out over multiple jurisdictions—part of Durov’s master plan that in theory made legal access to user data as difficult as possible. The company had no legal presence in the United States, and so the FBI had no real authority to demand anything from Durov or his company. Durov said he understood that the court order was a ruse—an attempt to get him to cooperate—but he played along and promised that he would get back to the agents after he had Telegram’s legal team look at the document.
Still, Durov says he was a bit shaken by the experience. “In Russia, the FSB guys I’ve interacted with were not impressive. They were of middling ability; not really qualified. In the United States, the FBI is different. The ones who questioned me were competent. They spoke multiple languages. They had done their research, and knew exactly what questions to ask. They were of a high caliber. And I understood that America has so many resources dedicated to security that it is downright scary. Law enforcement in America is so much more efficient.”
The FBI agents went away, but they weren’t done. As Durov tells it, they also had set their sights on a Telegram developer who had flown in for the Google conference, and was also staying at the same Mountain View Airbnb with Durov. (An FBI spokesman declined to discuss any details of Durov’s account with The Baffler.)
This developer had already been stopped and questioned at the airport by agents from the FBI’s cyber division, but the FBI scheduled a follow-up meeting at a San Francisco café. The agents who met the developer there started by peppering him with general questions about Telegram’s architecture and how its encryption algorithm worked, all while lavishing him with praise for his expert knowledge. It didn’t take them long to get to what they really wanted: access, for which they were willing to pay. Durov would not disclose the name of this developer, but he recounted the story that his employee eventually told him. The FBI wanted to work out an arrangement in which the developer would secretly feed its operatives information about Telegram’s inner workings—things like new features and other components of the service’s architecture that they might want to know about. The arrangement would be strictly confidential, and they were willing to pay. “We will make it worth your while,” they said. They said he would be “consulting” for the FBI—a thinly veiled euphemism for what was clearly a pay-off. “The FBI agents gave him a range,” said Durov, munching on a piece of bread. “It was on the order of tens of thousands of dollars.”
After the developer turned down the offer, the FBI met him one more time. This time, the FBI interviewers asked that he not say a word to anyone about their conversation—and especially not to tell his boss. “They were specific,” said Durov. “Don’t tell Pavel about this, this is our secret.”
He shrugged and smiled. It appeared that the FBI was unable to close the deal. “We pay our developers very well,” he said in a small flourish of managerial self-congratulation. “Our developers are all millionaires. Naturally they can’t be bribed with that kind of offer.”
The FBI trying to turn his own employee into a mole against him? I was expecting Durov to make a big deal out of this disclosure. Silicon Valley companies and crypto privacy types jump at any opportunity to paint themselves as victims of government oppression, and frequently blow up tiny incidents that might redound to their brand advantage in the secrecy wars. Think, for example, of how Apple turned the FBI’s request to unlock a single phone used in a 2015 terrorist attack in San Bernardino that left fourteen people dead into a stand against government oppression—even as the company was also submitting to China’s data demands. (In the end, of course, the FBI got the data it was seeking in the San Bernardino case by using a third-party data hack.) Or there was the recent case of a developer who had worked for Tor, an internet anonymity tool funded by the Pentagon, and fled to Germany after an FBI agent left his business card at her parents’ home.
Given Durov’s libertarian leanings and his proximity to that world, I thought he would start raving against government tyranny—but Durov was surprisingly, almost unnervingly, levelheaded and reasonable about the whole thing. He was troubled and upset by the FBI’s pressure tactics, and pledged to resist all attempts by the agency to get at Telegram’s data. But he wasn’t surprised that it happened, either. After all, that’s what the FBI was there to do. “Basically, the Americans are doing their job. Look at it from their perspective. Here’s a young guy, his app is used by terrorists. We need to find out who he is. What kind of team he has. This is logical. I don’t see anything extraordinary in this,” he said. “I could have gone public with this when it happened and made a big stink. ‘Look at me, look how the Americans are putting the screws on me.’ But I thought it would be a bit pretentious and melodramatic.”
So why make the story public now? Durov says that he’s coming forward to make a bigger point that’s typically lost in the self-dramatizing scripting of Silicon Valley showdowns with the Feds: what happened to Telegram is quite representative of how the government seeks to gain influence over big data services. “I’m raising this issue only to point out that American security agencies are persistent and pushy, and that they’re just carrying out their jobs. They’ll catch up with you at the airport. They show up unannounced at your Airbnb—the address of which no one should know but you. They try to pay off developers. One way or another, the FBI is very carefully doing its job, and they do all this in the span of just a couple of days that my team and I spend in America,” he says.
If the FBI was so persistent and pushy with Telegram—going as far as trying to bribe its employees while they are on a short business trip—then what does the U.S. government do to companies permanently based in America? “I can’t imagine myself or anyone else running a privacy-oriented app in that environment. They may start their information requests with data related to terrorism and then gradually widen it to who knows what.”
Encrypt or Die!
In June 2013, Edward Snowden engineered a data leak heard round the world. An NSA contractor working for the Beltway data and law colossus Booz Allen Hamilton, Snowden blew the whistle on America’s internet surveillance apparatus, and helped shine a light on the symbiotic relationship between Silicon Valley and the U.S. government.
Documents that he stole from an NSA facility in Hawaii provided the first real evidence that our most respected tech companies—including Google, Facebook, and Apple—worked closely with American spies, secretly tapping their own server farms for the NSA and FBI. Snowden’s dramatic leak put the issue of privacy on the internet on the map in a way that it had never been before.
Suddenly, internet privacy was netting daily cable news coverage, Frontline investigations, and Pulitzer prizes. There were anti-surveillance protests, online campaigns, and a flurry of reports by government watchdogs and consumer rights nonprofits. Back in 2013, it seemed like we could be on the verge of a global movement that would galvanize people to push for meaningful privacy laws that would not only curb government surveillance, but put limits on Silicon Valley’s unrestricted data collection practices, as well. But things went a different way.
Now, four years after the Snowden leak, we can see that all that energy and outrage and potential for civic action has been redirected into a narrow band of mass-politics-by-app. The new consensus, bruited loudly in and around Silicon Valley, holds that all we need to do to protect ourselves from surveillance is download whatever crypto chat app is in vogue at the moment, and run it on our iPhones. Instead of finding political and democratic solutions to the government and corporate surveillance crisis plaguing our society, the privacy movement somehow ended up in a libertarian rut. In remarkably short order, online privacy advocates had abandoned the idea that people and politics could change the world for the better, and instead chased something closer to an NRA fantasy: the idea that if everyone was equipped with a crypto weapon powerful enough, they could single-handedly take on both corporations and powerful spy agencies like the NSA. They could use technology to guarantee their own privacy on their own terms.
If your enemy was the United States government, it didn’t really matter what crypto app you used.
Edward Snowden himself has been the principal promoter of this idea, never missing an opportunity to tell people that collective politics is useless, and that arming yourself with technology is where it’s at. He shrugged off the for-profit surveillance that powered the businesses of Silicon Valley, pithily telling the Washington Post that “Twitter doesn’t put warheads on foreheads.” Instead, he saw private companies like Apple and Facebook as allies—perhaps the only places that offered even a modicum of safety in the dangerous wilderness of the internet. To him, private developers and software engineers were the true protectors of the people, and he called on them to rise up against government oppression. “If you want to build a better future, you’re going to have to do it yourself. Politics will take us only so far and if history is any guide, they are the least reliable means of achieving the effective change . . . at the end of the day, law is simply letters on a page. They’re not gonna jump up and protect your rights,” he told the audience at Fusion’s 2016 Real Future Fair in Oakland via video-robot link from Moscow. To Snowden—now a leaker-
turned-political-philosopher—political movements and collective action were fickle, merely human endeavors that offered no guarantees; encryption and computer technology was a sure thing, based on the laws of math and physics. “Technology works differently than law,” the fugitive leaker told the crowd at the Real Future Fair. “Technology knows no jurisdiction.”
It was an absurd position. Substitute “technology” with “assault rifle” and Snowden’s speech turns into something you’d hear at a Republican CPAC conference. Still, Snowden got a standing ovation at the Real Future Fair. And why not? From the moment Snowden appeared on the scene, his tech-centric worldview has been backed up by a chorus of award-winning journalists, privacy activists, left-leaning think-tankers, and powerful advocacy groups like the Electronic Freedom Foundation and the ACLU. Silicon Valley supported Snowden’s call to arms, as well. A brave new cohort of app developers backed very narrow technological privacy solutions that they claimed would protect their users from government snooping, all while shamelessly tracking these very same users for private profit and gain.
As it happened, Snowden’s call to encryption-arms helped inspire Pavel Durov to build Telegram. “I am far from politics and cannot lobby for a ban on total surveillance,” he wrote in October 2013, a few months after Snowden fled to Moscow and right before Durov in turn had to flee Russia. “But there is something that we as IT-entrepreneurs and programmers can do. We can develop and finance technologies aimed at making total surveillance technically impossible.”
In America, the initial movement to take the anti-surveillance fight to Silicon Valley fizzled and turned into something else that was at once bizarre and pathetic: privacy activists working with Google and Facebook to fight the NSA with privacy technology. This made precisely as much sense as siding with Blackwater (or Xe or Acadami or whatever the Pentagon contractor calls itself now) against the U.S. Army. Yet this trend of politics-by-app went into overdrive after Donald Trump was elected president. You saw it everywhere: civil libertarians, privacy advocates, and demoralized liberals arose to proclaim that encryption—even the stuff rolled out by Silicon Valley surveillance giants—was the only thing that could protect us from a totalitarian Trump administration.
“Trump Is President. Now Encrypt Your Email,” urged New York magazine’s technology editor Max Read in an opinion piece published in the New York Times in March. “In the weeks after Donald J. Trump won the election, a schism threatened to break my group of friends in two. Not a political argument brought about by the president-elect, or a philosophical fight over the future of the country, but a question of which app we should be using to chat. . . .” Buzzfeed concurred: “Here’s How To Protect Your Privacy In Trump’s America: Easy tips to shield yourself from expanded government surveillance,” wrote the outlet, offering its millennial readers a listicle guide to “going dark” on the net.
What were these apps? Who made them? Did they really work? That’s where the story got even stranger.
Secrets and Lies
Durov’s involuntary encounters with the FBI drive home one unpleasant fact of life in the big data economy: today’s app-obsessed privacy movement relies almost entirely on crypto tools that were hatched and funded by America’s foreign policy apparatus—a body of agencies and organizations that came out of an old-school Cold War propaganda project run by the CIA.
In 1948, the CIA was given a blank check to wage a full-spectrum “covert operations” program to contain and roll back the spread of communism, starting with the Soviet Union and Eastern Europe. Radio propaganda was a central tool in this covert war of ideas, and the CIA used private front groups to run stations with names like “Radio Liberation from Bolshevism” and “Radio Free Europe.” In the 1950s and 1960s, the agency expanded its radio network to include operations targeting communist, left-leaning, and otherwise suspiciously reformist forces that might be spreading the dread bacillus of Bolshevism through Asia and Latin America.
The idea was to prevent these states from exercising sovereign control over their information space—as well as to dominate and influence people’s ideas in a way that aligned with America’s interests. As far as the CIA was concerned, this sub rosa propaganda operation was a beauty, and the agency still proudly boasts that it remains one of the most successful covert psychological warfare projects ever run by the United States.
Eventually, the CIA’s multi-tentacled propaganda operation shed its covert status, and was transformed by Congress into the Broadcasting Board of Governors, a sister federal agency to the State Department. With a nearly billion-dollar budget, today the BBG operates America’s sprawling foreign propaganda nexus. The American public is only dimly aware of the BBG’s existence, but this media empire leaves almost no corner of the world untouched by satellite, television and radio transmissions. And just as was the case nearly seventy years ago under the CIA, the mission of the BBG is to systematically perpetrate the very same thing that America’s esteemed political establishment is currently accusing Russia of doing: sponsoring news—some of it objective, some wildly distorted—as part of a broader campaign to project geopolitical power.
But there was more. When the internet spread around the world, it became a powerful medium of influence, and the U.S. government moved ruthlessly to exploit its competitive edge against rivals under the banner of “Internet Freedom.” The policy, put into place by Secretary of State Hillary Clinton, was about more than just broadcasting news. Its aim was to weaponize this global communications technology in all sorts of creative ways to weaken rivals, topple unfriendly governments, and support opposition movements from China to Russia and Iran, Syria, and Libya. “The Obama administration is leading a global effort to deploy ‘shadow’ internet and mobile phone systems that dissidents can use to undermine repressive governments that seek to silence them by censoring or shutting down telecommunications networks,” reported the New York Times in 2011, when the Internet Freedom program first got going in a major way.
The effort includes secretive projects to create independent cellphone networks inside foreign countries, as well as one operation out of a spy novel in a fifth-floor shop on L Street in Washington, where a group of young entrepreneurs who look as if they could be in a garage band are fitting deceptively innocent-looking hardware into a prototype ‘Internet in a suitcase.’ . . . The suitcase could be secreted across a border and quickly set up to allow wireless communication over a wide area with a link to the global Internet.
This was just the beginning. Over the next several years, the BBG, backed by the State Department, expanded the Internet Freedom initiative into a $50 million a year program funding hundreds of projects targeting countries across the world—China, Cuba, Vietnam, and Russia. And here things, yet again, took a turn for the surreal: the Internet Freedom apparatus was designed to project power abroad—yet it also emerged as the primary mover and shaker in America’s domestic privacy movement. It funded activists and privacy researchers, worked with the EFF and ACLU and even companies like Google. Wherever you looked, privacy tools funded by this agency dominated the scene. That included the most ardently promoted privacy products now on offer: Tor, the anonymous internet browsing platform that powers what’s known as the “dark web,” and Signal, the chat app championed by Edward Snowden. Both of them took in millions in government cash to stay afloat.
From a Whisper to a Scream
When Pavel Durov first had VKontakte taken away from him by the Kremlin and fled Russia, he was hailed in the West as a hero—a modern-day Sakharov who fought for freedom and paid the price with his business. America’s crypto and privacy community embraced him, too. But it did not take long for the relationship to sour—and the chief culprit was Signal, a crypto mobile phone app built by a small opaque company called Open Whisper Systems, aka Quiet Riddle Ventures LLC.
Invented by a self-styled radical cryptographer who goes by the name of Moxie Marlinspike (although his real name may or may not be Matthew Rosenfeld or Mike Benham), Signal was brought to life with funding from the BBG-supported Open Technology Fund (which has pumped in almost $3 million since 2013), and appears to rely on continued government funding for survival. Despite the service’s close ties to an organization spun off from the CIA, the leading lights of America’s privacy and crypto community back the app. “I use Signal every day. #notesforFBI,” Snowden tweeted out to legions of followers who went out and downloaded the app en masse. Marlinspike leveraged Snowden’s praise to the max, featuring the leaker’s endorsement prominently on his company’s website: “Use anything by Open Whisper Systems.”
Largely thanks to Snowden’s endorsement and support, Signal has become the go-to encrypted chat app among American journalists, political organizers, and activists—from anarchists to Marxists to Black Lives Matter. These days, it’s also the secure planning app of first resort for opposition rallies targeting Trump. The app’s even made major inroads into Silicon Valley, with Marlinspike working with management at Facebook and Google to get them to adopt the chat app’s encryption architecture into their mobile chat programs, including WhatsApp. Not surprisingly, Facebook’s adoption of Signal into its WhatsApp program won plaudits from the BBG; managers at the propaganda shop boasted that government-funded privacy tools were now going to be used by a billion people.
Despite Open Whisper’s continued ties to the U.S. government, leading lights of America’s privacy and crypto community have taken to warning off people from using anything else. That includes Telegram, which deploys a custom-built cryptographic technique designed by Pavel Durov’s brother, Nikolai, a mathematician. Even Snowden has taken it upon himself to shoo people away from Telegram, advising political activists, journalists, dissidents, whistleblowers—in short, everyone—to use Signal or even Facebook’s WhatsApp instead. “By default, it is less safe than @WhatsApp, which makes [it] dangerous for non-experts,” he tweeted in response to a question from a Telegram-curious supporter.
But for an app designed to hide people from the prying eyes of the U.S. government, Signal’s architecture has given some security and crypto experts pause. Its encryption algorithm is supposed to be flawless, but the app’s backend runs as a cloud service on Amazon, which is itself a major CIA contractor. The program also requires that users connect the app to a real mobile phone number and give access to their entire address book—strange behavior for an app that is supposed to hide people’s identities. Signal also depends on Google and Apple to deliver and install the app on people’s phone, and both of those companies are surveillance partners of the NSA. “Google usually has root access to the phone, there’s the issue of integrity. Google is still cooperating with the NSA and other intelligence agencies,” wrote Sander Venema, a developer who trains journalists on security. “I’m pretty sure that Google could serve a specially modified update or version of Signal to specific targets for surveillance, and they would be none the wiser that they installed malware on their phones.” And given Signal’s narrow marketing to political activists and journalists, the app works like a flag: it might encrypt messages, but it also tags users as people with something to hide—a big fat sign that says: “WATCH ME, PLEASE.”
And anyway, Signal or no Signal, if your enemy was the United States government, it didn’t really matter what crypto app you used. A recent dump of CIA hacking-tool documents published by WikiLeaks revealed that the agency’s Mobile Devices Branch has developed all sorts of goodies to grab phone data, even when it’s quarantined by the firewalls of apps like Signal and WhatsApp or even Telegram. “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide, and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied,” wrote WikiLeaks.
Durov admitted that cryptography has its limits. Still, as he recounted how Snowden had talked down Telegram, Durov was frustrated and bewildered. He says he and his brother were very cautious about choosing cryptography techniques promoted by American experts—particularly since the NSA docs leaked by Snowden revealed the NSA secretly paid RSA, an influential computer security firm, to use a flawed technique that the NSA knew how to crack. The Durov brothers wondered if the same thing could now be happening with other popular encryption algorithms. They became even more concerned when Telegram began to draw public attacks on social media from American cryptography experts. “They based their criticism of our approach not on any actual weakness, but solely on the fact that we didn’t use the algorithms they were promoting,” he said. “Since they failed to engage in any meaningful conversation on cryptography, we started to realize there was some other agenda they were pushing rather than finding truth or maximizing security.”
But the attacks continued. Not only were Snowden and his crypto allies telling people to trust Facebook, a company that runs on surveillance and partners with the NSA; they were also promoting an app that was actively funded by the foreign policy wing of the U.S. national security state. It just didn’t make any sense.
Durov was dumbfounded. As we sat talking, he told me he could not understand how people could trust a supposedly anti-government weapon that was being funded by the very same U.S. government it was supposed to protect its users from.
We’ve entered a paranoid game theory nightmare world.
I told him that I shared his bewilderment. Throughout all my reporting on this set of crypto radicals funded by a CIA spinoff, I asked a simple question that no one could properly answer: If apps like Signal really posed a threat to the NSA’s surveillance power, why would the U.S. government continue to fund them? I couldn’t help but think of how this alignment of government and corporate power would have been received among the tech and media establishment in the United States had something similar taken place in the former Soviet Union: imagine if the KGB funded a special crypto fax line and told Aleksandr Solzhenitsyn and dissident samizdat writers to use it, promising that it was totally shielded from KGB operatives. Then imagine that Solzhenitsyn would not only believe the KGB, but would tell all his dissident buddies to use it: “It’s totally safe.” The KGB’s efforts would be mercilessly ridiculed in the capitalist West, while Solzhenitsyn would be branded a collaborator at worst, or a stooge at best. Ridiculous as this fusion of tech and state interests under the rubric of dissidence is on the face of things, in America this plan can somehow fly.
As I laid out this analogy, Durov nodded in agreement. “I don’t think it’s a coincidence that we both understand how naïve this kind of thinking is, and that we were both born in the Soviet Union.”
Trusting the Force
Political agreement wasn’t exactly what I was expecting when I prepared to meet with Pavel Durov. From what I had read in the press, our politics and view of the world could not be further apart. He was a libertarian, a guy who threw 5,000-ruble notes down at pedestrians just to watch them scramble and fight to pick them up, someone who tweeted out that Hitler and Stalin were no different on the day that people across the former Soviet Union celebrated their victory over Nazi Germany.
Still, on a personal level, he was likeable and even humble. For someone in the crypto world, he was also unexpectedly realistic about the limits of cryptography, displaying none of the cult-like belief in technology that you see in America’s privacy movement. But there was something else as well: he was a fighter.
Begin with the simple fact that he was publicly coming out to detail the FBI’s attempt to bribe his team and pressure Telegram into secretly working with the agency—despite Durov’s own disclaimers and efforts to downplay the revelation, it was a big deal. Despite being chased out of Russia, he wasn’t throwing in with the U.S. security apparatus, but electing instead to fight a two-front war. It was an unusual and impressive move. Most people who run afoul of politics in Russia and find themselves seeking safety in the West as modern-day dissidents usually fall into line with the West’s own propaganda aims, uncritically siding with American interests and players, no matter how unpleasant. Think Pussy Riot fleeing Russia and criticizing Vladimir Putin, while doing photo ops with Secretary of State Hillary Clinton.
As far as his cryptography, well, there’s no assurance that Telegram will prove to be more secure than its Silicon Valley rivals. Then again, there’s no way that the West’s spy-funded, profit-driven quest for online privacy can yield any reasonable approximation of the real thing, either.
In our post-Snowden world, we have outsourced our privacy politics to crypto apps. By doing so, we’ve entered a paranoid game theory nightmare world—a place where regular people have no true power and must put their faith in the people and organizations stoking the algorithms that make this crypto tech. In the end, it all comes down to trust. But can any of these people and organizations be really trusted? The young Russian mogul on the skids with the Kremlin? The former American spy-for-hire on the run and hiding out in Russia? Boutique crypto apps funded by the regime change wing of the State Department? Google and Facebook, who partner with the NSA?
Confused? Don’t know who to trust? Well, that’s the state of our privacy movement today.