- Pavel Durov’s warning: On October 9, 2025, Telegram founder Pavel Durov said we are “running out of time to save the free Internet,” citing a “dark, dystopian world” of mounting surveillance, in a post on X that sparked global headlines. X (formerly Twitter)
- Why this matters now: Europe’s “Chat Control” proposal to scan private messages (including on encrypted apps) is slated for an EU Council vote on October 13–14; Germany and several other countries have voiced opposition, but the measure remains live. European Digital Rights (EDRi)
- UK pressure on encryption: The UK Online Safety Act and powers under the Investigatory Powers Act have intensified tensions with tech companies. In 2025, Apple withdrew its Advanced Data Protection (end‑to‑end encrypted iCloud backups) for UK users after a government order—prompting outcry from digital rights groups. Financial Times
- Digital IDs expanding: Australia enacted a national Digital ID law in 2024; the EU is rolling out an EU Digital Identity Wallet; and the UK just announced a new digital ID scheme—moves framed as convenience and security, but criticized by some security experts as potential surveillance infrastructure. GOV.UK
- Expert consensus on “backdoors”: Leading cryptographers (Abelson, Anderson, Green, Rivest, Schneier and others) have long warned that mandated access or client‑side scanning breaks end‑to‑end encryption and creates systemic risk. Schneier on Security
The story
When Telegram founder Pavel Durov warned this week that governments are moving to strip away online privacy, it wasn’t just hyperbole designed to juice engagement. His Oct. 9 post (coinciding with his 41st birthday) argued that “the free Internet” is being repurposed into “the ultimate tool of control” as states push laws that normalize mass scanning and ID‑linked access to services. The message quickly ricocheted across crypto and tech media. X (formerly Twitter)
Durov’s critique lands amid real, time‑sensitive policy fights. In the European Union, the proposed Child Sexual Abuse Regulation (CSAR)—widely dubbed “Chat Control”—could empower authorities to order messaging services to scan user content, including on devices before messages are encrypted. Civil society groups and technologists have warned that such “client‑side scanning” eliminates any meaningful private space online. A Council vote is expected next week; Germany and a bloc of countries have publicly pushed back, but the file is still alive. European Digital Rights (EDRi)
In the United Kingdom, the 2023 Online Safety Act expands proactive duties against illegal content, while powers under the Investigatory Powers Act (IPA) let the government compel technical changes that can weaken encryption. In early 2025, Apple withdrew its end‑to‑end encrypted iCloud backups (Advanced Data Protection) in the UK after receiving an IPA order—citing its refusal to build backdoors. Amnesty International and Human Rights Watch condemned the move as harmful to privacy globally. Financial Times
At the same time, governments are racing to formalize digital identity systems. Australia’s Digital ID Act 2024 is in force, with regulators stressing privacy safeguards. The EU Digital Identity Wallet (eIDAS 2.0) entered into force in 2024, and implementation rules are rolling out. In late September, the UK announced a new digital ID scheme, pitched as convenience and fraud control. Proponents say these IDs can be privacy‑preserving; critics warn they risk concentrating sensitive data and enabling pervasive tracking if design and legal safeguards fail. GOV.UK
What experts say about scanning and “lawful access”
Security researchers have been near‑unanimous for a decade: you cannot build a secure “exceptional access” system that only the “good guys” can use.
- In the landmark “Keys Under Doormats” paper (2015), 14 leading cryptographers—including Whitfield Diffie, Ron Rivest, Matt Green, and Bruce Schneier—concluded that mandating government access would “mandate insecurity,” expanding system complexity and introducing exploitable vulnerabilities at Internet scale. Schneier on Security
- A 2024 peer‑reviewed analysis, “Bugs in Our Pockets: The Risks of Client‑Side Scanning,” found that scanning on user devices breaks the core security guarantees of end‑to‑end encryption and can be extended beyond a single abuse category to broader surveillance. OUP Academic
- The Electronic Frontier Foundation has repeatedly warned that the EU’s “Chat Control” model obliterates private spaces by putting the state (or its proxies) at one “end” of an encrypted conversation. Electronic Frontier Foundation
- Cryptography professor Matthew Green has argued that client‑side scanning deputizes companies to search people’s private data and is “a door” to compel scanning for other purposes. A Few Thoughts on Crypto Engineering
These aren’t theoretical quibbles. Once scanning code must run on every device—or backdoors must exist—attackers, abusive insiders, or authoritarian governments can target those same mechanisms. That risk calculus is exactly what Durov is pointing to.
The contradiction: Telegram champions privacy—but isn’t immune to pressure
Durov’s stance also invites a look in the mirror. Telegram is not end‑to‑end encrypted by default for regular chats and public channels; only “Secret Chats” have E2EE. Independent explainers have long cautioned users that much of Telegram’s ecosystem is cloud‑based and therefore accessible to the company. Proton VPN
And despite a reputation for defiance, Telegram has acknowledged sharing IP addresses and phone numbers with authorities under valid legal requests since 2018 (a point that became headline news after Durov’s 2024 detention in France). The Verge and other outlets noted the privacy‑policy clarification; Durov later said “little has changed,” framing it as targeted disclosures about serious criminal suspects. The Verge
Meanwhile, governments are escalating pressure on platforms that resist. Vietnam ordered carriers to block Telegram in May 2025 over non‑cooperation claims, and French authorities placed Durov under formal investigation in 2024, inflaming a broader fight over speech, moderation and encryption. In May 2025, Reuters reported Durov’s claim that a senior French intelligence official asked him to ban certain political voices—an allegation that, if true, illustrates how governments can seek informal speech controls alongside legal demands. Reuters
Digital IDs: convenience vs. control
Durov also flagged digital ID schemes as part of a shift toward identity‑tethered Internet use. Here, nuance matters:
- Australia’s Digital ID Act 2024 explicitly sets out privacy safeguards and splits oversight between competition and privacy regulators, while limiting enforcement access to ID data. That’s a very different design choice than an ID used as a broad tracking key. digitalidsystem.gov.au
- The EU Digital Identity Wallet is positioned by the Commission as user‑controlled and privacy‑by‑design. How it is implemented in national apps and what metadata governments or relying parties collect will determine whether it enhances or undermines privacy. European Commission
- The UK’s new digital ID scheme is framed as easing access to services and cracking down on illegal work. Some security experts (e.g., Prof. Alan Woodward) warn that centralizing identity data can create “an enormous hacking target” if governance and technical design don’t minimize data collection and linkage. GOV.UK
Bottom line: Digital ID is not intrinsically surveillance—but without strong legal limits and privacy‑preserving architecture, it can become a powerful vector for mass tracking.
The policy flashpoints to watch
- EU “Chat Control” (CSAR): A Council vote (Oct. 13–14) could move scanning mandates forward despite significant legal and technical criticism. Even partial adoption that targets “only the worst content” risks normalizing device‑level surveillance. The EU’s own privacy regulators (EDPB/EDPS) have warned about the proposal’s fundamental rights impacts since 2022. European Digital Rights (EDRi)
- UK encryption powers: The tug‑of‑war over Apple’s encrypted backups shows IPA notices can have global implications—even when targeted at one country. Expect further litigation and regulatory maneuvering. Financial Times
- Global spillover: Pressure travels. Russia, Vietnam, India, and others have pursued blocks, throttling, or expansive compliance demands; the EU and UK choices will inform copy‑cat efforts worldwide. Reuters
What this means for you
- Encrypted by default matters. If private spaces are important to your work (journalists, lawyers, healthcare workers, activists), prefer messengers with default E2EE (Signal, WhatsApp) and verify safety numbers/keys where applicable. Client‑side scanning mandates would weaken this protection. Electronic Frontier Foundation
- Don’t conflate “account privacy” with message secrecy. On Telegram, only Secret Chats are end‑to‑end encrypted; channels and normal chats are not. Adjust expectations and threat models accordingly. Proton VPN
- Digital ID ≠ surveillance by default—but stay engaged. Demand strong purpose limits, minimization, local processing, unlinkability by design, and hard bans on ID data being repurposed for law enforcement absent individualized judicial authorization. digitalidsystem.gov.au
The big picture
Durov’s jeremiad resonates because the direction of travel in many democracies is toward more scanning, more data retention, and identity‑binding—often in the name of laudable goals (child protection, fraud prevention, national security). But security engineers have hammered the same point for years: there is no safe way to create special access without making everyone less safe. That’s not ideology; it’s engineering. Schneier on Security
If Europe green‑lights device scanning or if the UK continues to leverage the IPA to disable strong encryption features, those precedents will be cited everywhere else. And if digital identity systems skimp on privacy by design, they risk hard‑wiring surveillance into the infrastructure of everyday life—exactly the future Durov is warning about. Electronic Frontier Foundation
Sources & further reading
- Durov’s warning and coverage: X post (Oct. 9, 2025); Cointelegraph and LiveMint summaries. X (formerly Twitter)
- EU “Chat Control”: EFF analysis (Sep. 29, 2025); EDRi explainer and timeline; CyberScoop preview of the Oct. 14 vote; TechRadar on member‑state opposition. CyberScoop
- Expert consensus: Keys Under Doormats (Abelson et al., 2015); Bugs in Our Pockets (Abelson et al., 2024). Schneier on Security
- UK encryption fight: FT and AP on Apple’s UK ADP withdrawal; Amnesty/HRW statement; UK government & Ofcom overviews of the Online Safety Act. www.ofcom.org.uk
- Digital IDs: Australia’s Digital ID Act; EU Digital Identity Wallet (eIDAS 2.0); UK digital ID announcement and expert criticism. The Guardian
- Telegram’s posture and pressure: The Verge on Telegram data disclosures; Reuters on Vietnam blocking Telegram; Reuters/AP context on Durov’s French case and claims of political pressure. Reuters
Reporting note: The status of EU CSAR and UK encryption orders is fluid. Dates and positions above are current as of October 10, 2025; see the linked sources for the most recent updates. Electronic Frontier Foundation
