Sign In Get Started
News

The Durov Prosecution: What the Case Against Telegram's Founder Means for Private Communications

A CEO in the Crosshairs

On August 24, 2024, Pavel Durov — the founder and CEO of Telegram — stepped off a private jet at Le Bourget Airport near Paris and was immediately detained by French police. He was held for four days before being indicted on twelve criminal charges, including complicity in the distribution of child sexual abuse material, drug trafficking, money laundering, and providing cryptographic services without filing the required government declaration.

Eighteen months later, the case has not gone to trial — but its consequences are already reshaping the landscape of encrypted communications, platform liability, and digital privacy worldwide.

And as of today, February 24, 2026, Russia has opened its own criminal case against Durov, accusing him of facilitating terrorist activity through Telegram. The man who left Russia in 2014 rather than hand over VK user data to the FSB is now being prosecuted by both a Western democracy and an authoritarian state — for the same fundamental reason: refusing to make his platform a tool of state surveillance.

The French Charges: A Dangerous Precedent

The twelve charges against Durov in France are wide-ranging, but they share a common thread: holding a platform’s CEO personally liable for crimes committed by the platform’s users.

French prosecutors alleged that Telegram exhibited an “almost total failure to respond to judicial requests,” citing 2,460 unanswered law enforcement requests over eleven years. The charges include complicity in managing an online platform that enables illicit transactions, failure to moderate content, and refusal to cooperate with criminal investigations into fraud, drug trafficking, and the distribution of child exploitation material.

One charge stands out for its broader implications: Durov was charged under France’s Law for Confidence in the Digital Economy (LCEN, Law 2004-575, Article 30-I) for importing a cryptographic service into France without filing the required declaration with the government. This law requires technology services deploying cryptographic tools to register with the French prime minister’s office. The charge effectively criminalizes the distribution of encryption software that the state hasn’t pre-approved.

Privacy advocates immediately recognized the danger. The Electronic Frontier Foundation noted that the prosecution “has the potential to pose a serious danger to security, privacy, and freedom of expression” for Telegram’s nearly one billion users, and warned that other end-to-end encrypted services — including Signal and WhatsApp — could face similar legal theories.

The Timeline Since Arrest

Durov was released on bail of 5 million euros, banned from leaving France, and required to report to police twice a week. In March 2025, an investigating judge granted him permission to temporarily leave the country. Starting in July 2025, he was allowed to leave for up to two weeks at a time.

In June 2025, Durov gave his first public interview since the arrest — an hour-long conversation with Tucker Carlson. He called the case “very disconcerting” and disputed the prosecution’s characterization: “They said we didn’t respond to their legal requests, but that’s completely false. We fully complied with every legally binding request we received.” He described the charges as relying on “a very extensive interpretation of complicity even for the French legal and judicial system.”

In November 2025, French authorities fully lifted all travel restrictions. Durov is no longer required to remain in France or report to police. However, the formal investigation remains open, and prosecutors can still compel his appearance for questioning. No trial date has been set.

Russia Opens a Second Front

On February 24, 2026, Russian state media reported that the FSB has opened a criminal investigation against Durov under Article 205.1 of the Russian Criminal Code — “assistance to terrorist activity” — carrying a maximum sentence of fifteen years in prison.

The FSB claims Telegram has been used in more than 153,000 crimes since 2022, including 33,000 involving sabotage, terrorism, and extremism. Russian authorities allege that Durov refused to cooperate with more than 150,000 requests to remove illegal content and that intelligence agencies from NATO countries and Ukraine are using Telegram as a tool of “hybrid warfare” against Russia.

Russia has been escalating pressure on Telegram throughout 2025 and into 2026, partially restricting the app alongside WhatsApp by August 2025, blocking Snapchat and FaceTime in December 2025, and fully blocking WhatsApp in February 2026. On February 10, 2026, Durov wrote: “Russia is restricting access to Telegram in an attempt to force its citizens to switch to a state-controlled app built for surveillance and political censorship.”

The simultaneous prosecution by France and Russia is historically extraordinary. A platform founder is facing criminal charges from both a NATO democracy and the government he originally fled — both accusing him of enabling crime by not making his platform sufficiently transparent to state surveillance.

The Chilling Effect Is Already Visible

The Durov case hasn’t just affected Telegram. Its ripple effects are being felt across the entire ecosystem of privacy-focused technology.

Telegram’s Own Retreat from Privacy

The most immediate casualty has been Telegram itself. Following Durov’s arrest, Telegram dramatically expanded its cooperation with law enforcement. In September 2024, the platform announced it would comply with law enforcement requests to share user IP addresses and phone numbers with valid warrants — reversing its longstanding policy of limiting data sharing to cases involving terror suspects.

By 2025, Telegram reported blocking more than 34 million groups and channels and complied with over 900 data requests, disclosing information on 2,253 users in 2024 alone. This represents a fundamental shift for a platform that built its reputation on resisting government demands.

The lesson for users is clear: the privacy guarantees of any centralized platform are only as durable as the legal pressure its operators can withstand. When the CEO faces prison, the platform’s principles tend to bend.

GrapheneOS Flees France

In November 2025, GrapheneOS — the open-source, privacy-focused Android operating system — announced it was ceasing all operations in France. The project migrated its server infrastructure from French hosting provider OVH to servers in Canada and Germany, and prohibited its developers from traveling to or working in France.

The trigger was a report in Le Parisien that characterized GrapheneOS as a tool enabling criminal activity. France’s cybercrime prosecutor, Johanna Brousse, stated that authorities would pursue legal action against platforms with criminal organization ties if they refuse cooperation. GrapheneOS developers reported that French authorities had threatened arrests and server seizures similar to the actions taken against SkyECC and EncroChat — encrypted communication networks that were dismantled through aggressive law enforcement operations in previous years.

GrapheneOS noted that introducing a backdoor into their system is technically impossible because the phone’s hardware secure element enforces a chain of trust that only permits properly signed firmware to run. Nonetheless, the legal threat was sufficient to drive an entire privacy project out of the country.

The Broader Signal to Developers

The message being sent to developers and platform operators worldwide is unmistakable: if you build tools that protect user privacy, you may face personal criminal liability for what your users do with those tools. This is the equivalent of prosecuting a locksmith for burglaries or a postal service for the contents of sealed letters.

This reasoning, if accepted as legal precedent, would make it functionally impossible to operate any privacy-respecting communications platform. Every encrypted messaging service, every zero-knowledge cloud provider, every VPN operator would face the same calculus: compromise your users’ privacy, or risk prison.

What This Means for the Future of Private Communications

The Durov case sits at the intersection of several converging pressures on encrypted communications:

France’s encryption registration law requires cryptographic services to register with the government before operating in France — a framework that treats encryption itself as suspect, something to be licensed and controlled rather than deployed freely.

The UK’s Online Safety Act gives regulators the power to require platforms to scan encrypted messages for illegal content — a technical impossibility without breaking the encryption for everyone. Signal has stated it will leave the UK entirely rather than comply.

The EU’s proposed Chat Control regulation would require messaging platforms to scan all private messages, including encrypted ones, for child sexual abuse material. Germany and other member states have blocked the proposal, but the European Commission has not withdrawn it.

Russia’s blocking of encrypted services — Telegram partially restricted, WhatsApp fully blocked — represents the authoritarian endgame of the same logic: if you can’t surveil it, ban it.

These aren’t isolated policy decisions. They are coordinated expressions of a single principle: governments believe they have a right to read your messages, and any technology that prevents this is inherently criminal.

The Durov prosecution is the most visible test case for this principle. If France successfully establishes that a CEO can be held personally criminally liable for the private communications of nearly a billion users, the precedent will be cited in every jurisdiction attempting to weaken encryption or expand platform liability.

The False Choice Between Safety and Privacy

Proponents of these prosecutions frame them as necessary to combat child exploitation, terrorism, and drug trafficking — genuine harms that deserve serious law enforcement attention. But the framing presents a false binary: either platforms provide governments with access to all communications, or criminals operate with impunity.

This ignores several realities:

  1. Backdoors don’t stay limited. Any mechanism that allows law enforcement to access encrypted communications can be exploited by hackers, foreign intelligence services, and corrupt officials. The history of government-mandated backdoors is a history of security catastrophes.

  2. Targeted surveillance works. Law enforcement has always been able to obtain warrants targeting specific suspects and their communications. What governments are seeking isn’t the ability to investigate crime — it’s the ability to monitor everyone, all the time, without individualized suspicion.

  3. Criminals will adapt. Sophisticated criminal organizations will simply move to custom-built encrypted tools, peer-to-peer networks, or jurisdictions beyond reach. The people who lose access to private communications are ordinary citizens, journalists, activists, lawyers, and whistleblowers.

  4. The data already exists. Metadata — who contacted whom, when, and from where — is already available to law enforcement in most jurisdictions without breaking encryption. This metadata is enormously powerful for investigating criminal networks without requiring access to message content.

Protecting Yourself in a Post-Durov World

The Durov case reinforces a principle we’ve emphasized since the founding of I Am NOT The Product: you cannot rely on any single company’s commitment to privacy. You need architectural guarantees.

Here’s what that means in practice:

  1. Use end-to-end encryption that can’t be compromised by the operator. Signal remains the gold standard for messaging. Unlike Telegram, which only encrypts “secret chats” by default, Signal encrypts everything end-to-end with no server-side access to content.

  2. Choose services in privacy-protective jurisdictions. Swiss law (Proton Mail, Threema) and EU/German law (I Am NOT The Product, Tutanota) both provide stronger protections than French, British, or American law. In each case, any valid government data request must go through formal legal channels — a court or authority in that jurisdiction must review and approve it with a demonstrable legal basis. No casual hand-overs to foreign agencies.

  3. Prefer zero-knowledge architectures. If the service provider can’t read your data, they can’t be compelled to hand it over — regardless of what laws are passed or what charges are filed against their executives.

  4. Support open-source tools. Open-source software can be audited, forked, and run independently. If GrapheneOS were a proprietary product, France’s pressure might have killed it. Because it’s open-source, it simply moved to a friendlier jurisdiction and kept operating.

  5. Diversify your communications. Don’t put all your private conversations in one platform. Use Signal for messaging, Proton Mail or Tuta for email, and consider self-hosted solutions for the most sensitive communications.

  6. Remove yourself from data brokers. The less personal information available about you online, the harder you are to target and surveil. Our free Data Purge tool walks you through opting out of major data brokers that sell your personal information to anyone willing to pay.

The Stakes

Pavel Durov is not a perfect champion of privacy. Telegram’s encryption has always been weaker than Signal’s — group chats are not end-to-end encrypted by default, and the platform’s custom MTProto protocol has been criticized by cryptographers. Telegram’s rapid capitulation to law enforcement demands after Durov’s arrest demonstrated that its privacy protections were never architectural — they were a policy choice that could be reversed under pressure.

But the legal theory being tested in France doesn’t care about these technical distinctions. The theory is that a platform operator is personally criminally liable for failing to provide governments with access to user communications. If this theory prevails, it won’t be applied only to imperfect platforms like Telegram. It will be applied to Signal, to Proton, to every service that takes encryption seriously.

The Durov case is not really about one CEO or one platform. It’s about whether private communication will continue to exist as a legally protected right in the digital age — or whether encryption will be treated as criminal infrastructure, to be licensed, monitored, and ultimately controlled by the state.

The answer to that question will shape the next generation of the internet. It’s worth paying attention.

We built I Am NOT The Product on the principle that private communication is a fundamental right, not a privilege to be revoked at government discretion. EU-hosted on Hetzner DE, zero-knowledge encrypted, and architecturally designed so that even we can’t access your data. Learn more about our approach.

← Back to Resources

Ready to Take Control?

Join us in creating a more private and secure digital future.

Join Our Launch List Explore Features