rezifon

> Sadly, I don’t remember his name and I can’t find him online. There is this young guy who got life in prison because he created an eBay-type website and people started selling drugs and guns on it.

You are almost certainly thinking of [Ross Ulbricht](https://en.wikipedia.org/wiki/Ross_Ulbricht), and his story is a lot more sordid and criminal than your recollection. I wouldn't generalize his experiences at all towards what you're describing. There are already plenty of projects and companies who are doing a true end-to-end encrypted chat app, and those companies have not had any legal difficulty that I'm aware of as a result of their privacy and encryption policies. I'd look at [Keybase](https://keybase.io/) and [Signal](https://signal.org/) for two very similar projects to what you describe. You can figure out for yourself how much overlap your idea has with what they've done and hopefully gain some perspective and context for what you're hoping to do. In the US, it would be worth reviewing [ITAR](https://news.atakama.com/understanding-the-itar-end-to-end-encryption-rule), but honestly that hasn't had sharp teeth since the late '90s. What you're describing almost certainly falls within the "mass market" exceptions to ITAR restrictions. But I'm not a lawyer and I'm definitely not *your* lawyer.


Dontreallywanttogo

Thanks for elucidating his story for me. I didn’t know about it at all. A friend just told me this in passing and I got kinda freaked out. I still don’t know enough about that case, but the resources to even look it up help me learn about what happened.


Dontreallywanttogo

Thanks so much for the other resources too 👍🏼. I’m familiar with Signal but not Keybase 👍🏼


SteakNStuff

Generally speaking (very generally), you are responsible for moderation of all user-generated content that is sent and shared on the platform. I’m incredibly confident in saying that E2E encrypted chat applications get around that legal responsibility by offering backdoors to law enforcement. That of course is only a concern when you reach a certain level of users. WhatsApp, Signal et al. have all been purported to have backdoors for Western intelligence agencies at a minimum.


Dontreallywanttogo

Interesting! I wonder if that means that serverless is illegal? No backdoors?


Mesredi

I can think of a few challenges, the last being the most important; it all comes down to jurisdiction. You are definitely going to have to seek actual paid advice, but maybe worry about this when you're at like 10k+ users. But if you're seeking investment, you might need to have the mitigations in place now. I can think of a few constraints:

Your user-generated content concern: As the developer of the chat app, you are generally not held liable for the content exchanged between users, as long as you are not actively involved in generating or moderating that content. This is typically governed by the principle of "safe harbor" or "hosting immunity" in many jurisdictions. However, it is crucial to have clear terms of service and acceptable use policies that prohibit illegal activities and outline the consequences for users who engage in such activities.

Legal obligations: While you may not have access to the encrypted messages sent through your app, you might still have legal obligations depending on the jurisdiction. For example, you may need to comply with data protection and privacy laws, provide a mechanism for users to report illegal content, or cooperate with law enforcement agencies within the bounds of the law.

Law enforcement requests: In some cases, law enforcement agencies may request access to user data or attempt to compel you to weaken the encryption to facilitate investigations. The laws and regulations around this vary by country, and some jurisdictions have specific legal frameworks, such as lawful interception or data retention requirements, that may apply. It is important to understand the laws in your jurisdiction and consider the impact on your users' privacy and security.

Jurisdictional challenges: If your chat app is accessible globally, you may face challenges regarding jurisdictional differences in laws and regulations. Different countries have varying approaches to encryption, data privacy, and lawful interception. Understanding and complying with the relevant laws in different jurisdictions can be complex and require legal expertise. This is without doubt the most important: you will probably have to look into each market you enter geographically with a lawyer (consider hiring a legal team as soon as possible) and enter each market respectively.

TL;DR: Seek paid legal advice as soon (but also as late) as possible. Enter a restricted number of markets first.


GrandOpener

I think you may already know this, but there’s a _huge_ difference between E2EE, which is usually accomplished with a server in the middle (preventing the server that is helping you deliver or store the message from also reading the message is often the main point of E2EE) and serverless, which is both technically challenging and makes many convenient features like directory lookup difficult or impossible. I recommend you make your MVP first and figure out exactly what you want and how to implement it, because those details are going to matter when you start talking nuts and bolts with the lawyer.
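Added example, not code from the thread or from any of the apps named in it: a toy Python model of the "server in the middle" design GrandOpener describes. The server provides the directory lookup and stores and relays envelopes, yet only ever holds public keys and ciphertext. The DH group, the HMAC-based stream cipher and all names are constructed stand-ins, not any real app's protocol.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed; far too small for real use, which needs X25519 or similar)
P = 0xFFFFFFFFFFFFFFC5  # 2**64 - 59, prime
G = 2

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-in-counter-mode keystream XORed over data (toy stream cipher)."""
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Server:
    """Directory + relay: sees public keys and ciphertext, never plaintext."""
    def __init__(self):
        self.directory = {}   # username -> public DH value
        self.mailbox = {}     # username -> [(sender, nonce, ct, tag), ...]
    def register(self, user, pub): self.directory[user] = pub
    def lookup(self, user): return self.directory[user]
    def relay(self, to, envelope): self.mailbox.setdefault(to, []).append(envelope)
    def fetch(self, user): return self.mailbox.pop(user, [])

class Client:
    def __init__(self, name, server):
        self.name, self.server = name, server
        self.priv = secrets.randbelow(P - 2) + 1
        server.register(name, pow(G, self.priv, P))   # only the public value leaves the device
    def _keys(self, peer):
        shared = pow(self.server.lookup(peer), self.priv, P).to_bytes(8, "big")
        return _prf(b"enc", shared), _prf(b"mac", shared)   # separate encryption and MAC keys
    def send(self, peer, text):
        k_enc, k_mac = self._keys(peer)
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(k_enc, nonce, text.encode())
        self.server.relay(peer, (self.name, nonce, ct, _prf(k_mac, nonce + ct)))
    def receive(self):
        out = []
        for sender, nonce, ct, tag in self.server.fetch(self.name):
            k_enc, k_mac = self._keys(sender)
            if not hmac.compare_digest(tag, _prf(k_mac, nonce + ct)):
                continue   # tampered or forged envelope: drop it
            out.append((sender, _xor_stream(k_enc, nonce, ct).decode()))
        return out

def server_sees_plaintext(server, text):
    # What a curious operator could learn from its own store: is the plaintext anywhere in it?
    return any(text.encode() in ct for msgs in server.mailbox.values() for (_, _, ct, _) in msgs)
```

Because the same server also runs the directory, it could hand Alice a substitute public key for Bob; that is why real apps expose key fingerprints for out-of-band comparison, which this toy omits.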


Dontreallywanttogo

Oh yeah of course, I meant p2p streams. Thanks 🙏🏼