[Cody-99]

This shouldn't surprise anyone. If a company collects info about some user and the government comes to them with a legitimate warrant they have to handover the information about that user (or risk going to jail/other action by the court) . There is a reason other companies like signal go out of their way to collect as little as possible.

[molticrystal]

>the government comes to them with a legitimate warrant

Which government, such as the French government for all Russian users, the Russian government for all Ukraine users, or the USA government for all users?

Whose standard for warrants, and how much use of coercion and force are they allowed to use for enforcement. Can the USA kidnap the owners for non-compliance, can the Russians?

[kortilla]

You’re asking very basic questions that the answers to have been the same for hundreds of years. If you do business in a country you have to answer to its laws or you risk asset forfeiture or arrest.

[standardUser]

That would only be true if you step foot in that country or posses assets in that country, right? Though I imagine the US government can reach a lot farther than the Russian or Chinese governments.

[DannyBee]

Not quite.

Here: https://www.asil.org/sites/default/files/benchbook/jurisdict...

This is both a reasonable exposition and fairly short.

But also keep in mind data collection and transmission and sharing and rule enforcement are not really a jurisdiction thing.

[ocdtrekkie]

Also bear in mind that government can convey restrictions on any other business in that country. See Brazil requiring ISPs to ban Twitter (even a penalty on individuals bypassing the block using VPNs!), or the US basically prohibiting any business with anyone in Russia.

Basically if you want to operate in a country, you probably need to obey their laws, no matter what you think of those laws. If you ignore them, you can't really be surprised if you get blocked or penalized from doing business there.

[beaglesss]

The ironic consequence of this is eventually if you want to use big tech for messaging privacy you'll be forced to basically pick one under the jurisdiction of an enemy non-extradition state like Russia or China. Sure their governments will farm and exploit the metadata even if encrypted, but they won't be handing it over to the west unless the deal is juicy.

[Gud]

Another option is to use free and open source encryption software, like gpg/pgp.

Like what most darknet markets use.

[ocdtrekkie]

Eh, not really, because the US has shown it's happy to go ahead and make it illegal to have TikTok here as well. The real result is probably much, much simpler: Globally-operating apps won't make as much sense as they got away with in pre-regulatory eras of the Internet.

Big Tech has basically spent the past twenty years pretending their global status made them above the law of any one nation, but in reality, being a global company just means you're subject to all the laws of all the nations.

[stvltvs]

Or the countries you live or travel in have extradition treaties with the other country.

[mistrial9]

remarkably, these are not very basic questions, and the answers are not the same for hundreds of years since this is electronic records that cross international boundaries

[DannyBee]

Certainly principles of international jurisdiction are well settled and fairly consistent. In that sense the comment was correct. However, you are also correct that legal principles around information collection and transmission are both new and not well settled.

This feels like one of those hn discussions where everyone will end up talking past each other because of terminology failure.

[pixl97]

I mean if you were shit talking France when living in England a few hundred years back you're likely to get put on the enemies of France list, even if your pages were for consumption in England. Now if you never left England there wouldn't be much to worry about, unless they suddenly became friends and decided to export your corpse for goodwill.

[mikrotikker]

I have never paid telegram for their business

[mikae1]

So, using the same logic, Meta should not be liable for what happens on Facebook because users do not pay…

That's some Barlowesque[1] thinking that would play into the hands of big tech.

If Telegram didn't want to answer to French law, they should've blocked French phone numbers from registering users. Problem solved.

[1] https://disconnect.blog/reclaiming-sovereignty-in-the-digita...

[mikrotikker]

Meta sells my data to advertisers

[dkasper]

I think you answered why the only real solutions are

a) don’t collect the data (signal approach)

b) hire an army of lawyers and compliance people (big tech approach)

c) ban users from entire countries where you don’t comply (common in crypto)

d) risk jailtime or asset forfeiture

[AyyEye]

Signal has both phone numbers and IPs.

[shakna]

Signal hand over IP logs, phone numbers, and the datetime of last connection. [0]

[0] https://signal.org/bigbrother/central-california-grand-jury/

[PawgerZ]

That link states that they only have two data points tied to an account: time of account creation and time of last connection. Since phone numbers are used as the account identifier, law enforcement would need to supply the phone number for signal to look up the account, right?

Do you have any source for Signal supplying IP logs?

[larodi]

This all seems bad news for all Russian war channels, but I guess they had enough time to migrate already. Influencers influence the whole world anyway, so they should expect a knock on the door if so brave. Stupid drug dealers will find other ways to deal or will go deeper the crypto/tor hole. Childporn offenders are anyway legit target for Mr.Robot. Who's left then...? Music pirates - who cares, Spotify lives on, Soulseek does well to. Torrents apparently kill business only where it cannot exist at all due to cultural specifics.

This all somehow leaves perhaps not-so-big list of particularly interesting gentlemen then certain countries will undergo a lot of trouble to get to. No wonder then they did so this time, but wonder which particular among these is the culprit this time...

[mikrotikker]

Bad news for the OSINT community who gets tonnes of leaks from Russian war telegram channels

[larodi]

I doubt the war channels are to be concerned, perhaps the secret chats, and leftover magic in the normal chats. Or even simpler - the phone of the devices allows mobile net tracking, for certain operations this is potentially more than enough.

[crabbone]

This will depend on how the company is registered and represented in the states it operates in. It will also depend on the citizenship of the kidnapped owners (and whether it will be even necessary, as maybe extradition would also work).

In any case, a court in any particular state will be responsible for issuing the documents entitling the law enforcement to particular data. There's also the process to dispute issuance or legitimacy of such documents, again, through courts.

So, obviously, there isn't a single answer to your questions. But, obviously, they aren't without answer. Any specific case will produce a potentially different set of answers.

[limit499karma]

> Which government ... Whose standard

It depends entirely on where you land in your private jet.

[Cody-99]

Where ever they want to do business at. If they expect to be allowed to operate in France/the EU they will have to comply with legitimate French/EU warrants. No one is saying they can't fight it if there is a reason to.

>Can the USA kidnap the owners for non-compliance, can the Russians?

Jailing someone/holding a company in contempt that does business in your country for ignoring legal warrants isn't kidnapping. Trying to frame it that way is pretty silly and disingenuous.

[Ajedi32]

What does it mean to "operate" in a country though? If I operate a service in the US and have no servers in Iran, no employees in Iran, no physical presence in Iran whatsoever, but Iranians are communicating with me over the global public internet, does that mean I have to comply with Iranian law? What about if its France and not Iran? What if these French/Iranian users are not only communicating with me, but also sending me money and/or cryptocurrency in exchange for that communication?

[Ajedi32]

Personally I would contend that none of that counts as "operating" in France or Iran. You're operating entirely in the US, and it would be ridiculous for Iran or France to try to subject you to their laws just because people who live in their country are communicating with you or sending you money. (Though obviously those people are still subject to the laws of their respective countries in what they're allowed to do when interacting with you, just as you are subject to US law in your interactions with them.)

Of course, the fact that something is ridiculous doesn't prevent a sovereign country from trying to do it anyway. Iran can threaten to assassinate you for communicating with their citizens, and France can threaten to jail you if you ever travel to France or extradite you. Both of those threats are unjustified in my opinion and should not be supported or condoned by other countries (particularly not the US), but like I said; they're sovereign countries so we can't do much to stop them if they want to be unreasonable.

[tmottabr]

i disagree completely on this..

If you are serving people in Iran or France then you are operating in those countries regardless of where you or your servers are and so you do have to comply with their laws or risk facing the consequences.

Now, depending on where you are at the reach of the consequences can be negligible and not impact you at all or can be a major problem.

At minimum you will get your service banned in those countries.

[Ajedi32]

In this example everything is happening on U.S. servers, with U.S. employees, on U.S. soil. How is that "operating in" Iran or France?

If someone physically flew over from Iran and talked to me in-person instead of over the internet would you make the same argument? That I'm "operating in Iran" and should be subject to Iranian law because I'm talking to an Iranian citizen? What if it was via a letter? How about a phone call?

[cpa]

So what? Legitimate warrants cannot exist? Companies exist somewhere, and they follow the rules that can be enforced on them. I'll take warrents by imperfect democracies over autocracies and dictatorship any day.

[russdpale]

You ask these like they are some kind of gotcha moment, but all of these very simple questions have been answered for decades by international law. You think yourself clever but show yourself ignorant.

[colechristensen]

You have to follow the laws in the jurisdictions in which you do business.

If you want to not be subject to the laws of a country you need to blackhole that entire country.

[hartator]

Ha! The devil of the details.

[krick]

Every time someone brings up Signal in these threads I cringe. One can make up stories about spam protection as much as he wants, but given how little (basically none) control one has over him phone number, no messenger strictly requiring a phone number can be considered "privacy-oriented" by any sane person.

[maxwell]

What do you advocate for an alternative identifier and how do you combat spam without verifying a phone number?

[pier25]

no IDs, only connect to the users you choose to connect with

SimpleX comes to mind

https://simplex.chat/

[Cody-99]

Huh?

I think you are confusing "privacy-oriented" and anonymous! Signal is pretty privacy oriented since it has E2EE by default (and so does Whatsapp). Telegram would be much more privacy oriented if it had E2EE by default.

[fragmede]

they have usernames now

[zuhsetaqi]

You still can’t create an account without a phone number

[lostlogin]

User data is a liability, not an asset. However this is untrue when breaches, leaks and misuse aren’t prosecuted. It’s a shame we have ended up here.

[BadHumans]

This is only true if the cost of storing user data is greater than the profits it generates. When companies are allowed to sell out users and punishment for data leaks are just seen as the cost of doing business then why would you not store whatever data you can get your hands on?

[bdjsiqoocwk]

> User data is a liability, not an asset.

Yeah Google and Facebook are all losing money in those liabilities.

No theyre not, they're printing money because user data is an asset. Stop repeating silly sound bytes.

[sonofhans]

User data is only an asset if your business model demands it, like Google and Facebook. If you don’t have, and won’t create, a way to monetize it then yes, it’s strictly a liability.

[idle_zealot]

It's not that it is a liability, it's that it should be. Likewise, it currently is an asset, but shouldn't be monetizable.

[lostlogin]

When you quote part of my comment, it give a different message. Clever!

[upofadown]

The incentive is to claim to collect as little as possible. What a company actually collects is between them and any influential state actor that can manage to make use of the data in secret. A company can't support the needs of such an actor and law enforcement at the same time.

[slt2021]

you care confusing collecting data with persisting user data.

it is easy to prove what your app collects from OS's permission model and web traffic. People are less interested in whether you store it for future use or discard it immediately after receiving.

Even if you claim you don't persist any of user data, you would still be collecting it

[whycome]

"Legitimate warrant" is a flexible and fluctuating idea. When a new government takes over, they may want information on all potential opposition.

[beefnugs]

yep, and reading the news lately "legitimate warrant" means things like "has a harris poster on their lawn"

[chemmail]

But my crypto bro friends said they would only communicate by Telegram because it is 1000% secure!