The arrest of Pavel Durov, CEO of Telegram, in August 2024, inspired us to write our article ‘Prosecuting communication service providers as crime facilitators: A cautionary tale’ for the journal Computer Law & Security Review. French law enforcement authorities charged Durov with multiple offences, including criminal association, the refusal to provide information for lawful interception, and complicity in the distribution of child sexual abuse material, drug trafficking, money laundering, computer crime, and fraud.

In our article, we examine the recent strategy of law enforcement authorities and public prosecutors to target communication service providers in criminal investigations and how fundamental rights constrain their strategy. In this blog post, we introduce our article and share the main findings.

We have also auto-generated a podcast using NotebookLM. It takes a more playful and hyperbolic tone than the article itself, but it captures the main ideas well. When you listen to it, please consider it a fun companion to the full paper rather than a literal retelling.

Similarly, we have included a video (created with NotebookLM). While it also adopts a more dramatic tone than our academic article, it serves as an accessible introduction to the core themes.

From reactive to proactive investigations

In our article, we first explain how the significant challenges of anonymity, encryption and jurisdiction in reactive criminal investigations into cybercrime led to a shift towards proactive investigation. Law enforcement authorities shifted to an intelligence or ‘data-driven’ approach. We illustrate how law enforcement authorities, working with other agencies, took down entire IT infrastructures used by criminals for botnets, ransomware and online marketplaces. The data stored on those servers can provide a treasure trove of information about buyers, sellers and administrators of online forums.

We then explain how this strategy is now employed for many different types of cybercrime and even used to combat organised crime. Increasingly, EU law enforcement authorities target communication service providers, such as VPN providers, certain types of hosting providers, and cryptophone providers. They collect large amounts of data which can then be used to start new investigations that may lead to the prosecution of suspects involved in serious crime. This poses interesting questions relating to the right to privacy (including data protection law) and the right to a fair trial.

However, in our article, we focus instead on the question of criminal liability and complicity for communication service providers arising from criminal activities committed by their clients. If you are interested in the human rights implications of data driven investigations, you can read our previous article ‘The future of data driven investigations in light of the Sky ECC operation’.

Fundamental rights constraints & case law analysis

The ECtHR has ruled that the mere offering of an encrypted communication service does not, in itself, amount to criminal liability for the provider. As shown in our case law analysis, this principle is upheld in Dutch courts. However, in both cryptophone cases analysed, directors of these companies were sentenced for directing a criminal organisation. The courts took into account the fact that they facilitated complete user anonymity by not registering personal data, assigning anonymous usernames, and accepting cash or Bitcoin payments.

The public prosecutor was required to prove that the defendants knew these phones were being provided to criminals. This aligns with the ECtHR’s requirement that the prosecution must establish proof that the accused had knowledge of the criminal organisation’s activities. As a result, the burden of proof extends beyond demonstrating the material elements of a criminal offence (actus reus) to establishing intent in forms of participation in crime, specifically by providing the means to commit offences to third parties. This requires proof of the perpetrator’s criminal intent (the mental element of the crime, or mens rea). In the context of a ‘bulletproof’ hosting provider or crypto communication service provider, the actus reus typically relates to the physical act of providing the technical means to commit a crime (e.g., servers and applications). Criminal intent can, for example, be demonstrated through communications with clients or advertisements on criminal marketplaces.

Under the principle of “double intention”, the prosecution in many jurisdictions must demonstrate that the provider not only intended to provide the technical service but also specifically intended to facilitate the underlying crimes committed by the users. The requirements to establish this type of intent vary across EU member states, depending on the specifics of national criminal law.

Finally, our analysis of national case law highlights the growing relevance of KYC (Know Your Customer) procedures and anti-money laundering measures in establishing criminal liability. Our findings indicate that evidence of criminal intent can be inferred from a deliberate lack of due diligence by the provider, even in the absence of strict legal obligations. This includes instances of inadequate customer administration, a failure to implement anti-money laundering measures, and the systematic ignoring of abuse notifications and law enforcement requests.

Future research

Further research exploring the intersection between the due diligence obligations of communication service providers and substantive criminal law would be valuable. Accordingly, a doctrinal analysis of the various modes of criminal participation is recommended, specifically within the legal systems of those states that actively employ this prosecution strategy: namely the Netherlands, France, Germany, and Belgium.

In this context, the ongoing proceedings against Pavel Durov in France warrant close attention. It is essential to distinguish Telegram from the significantly smaller bulletproof hosting providers and crypto communication service providers discussed in this article. The proportion of criminal activity on Telegram, relative to its total user base, will likely differ from that of providers allegedly targeting criminals exclusively.

Consequently, establishing the requisite mens rea for prosecution, specifically regarding co-perpetration and complicity, will present significant evidentiary hurdles. Therefore, continued scrutiny of cases such as the one involving Pavel Durov is essential.

Jan-Jaap Oerlemans & Sofie Royer

Read the full article here

This post can also be found at sofieroyer.be