Last weekend, Rafael Mimoun hosted a digital security training workshop via video conference with a dozen activists. They belonged to a pro-democracy coalition in a Southeast Asian country, a group at direct risk of surveillance and repression by their government. Mimoun, the founder of the horizontal non-profit digital security goal, asked participants to list the messaging platforms they had heard or used, and quickly swept away with Facebook Messenger, WhatsApp, Signal and Telegram. When Mimoun asked them to name the security benefits of each of these options, several pointed to Telegram encryption as an advantage. One had pointed out that they had been used by Islamic extremists, so it must be safe.
Mimoun explained that yes, Telegram encrypts messages. But by default it only encrypts the data between your device and the Telegram server; you must enable end-to-end encryption to prevent the server itself from seeing the messages. In fact, the group messaging feature that Southeast Asian activists used most frequently offers no end-to-end encryption. They should trust Telegram not to cooperate with any government that tries to force it to cooperate in monitoring users. One of them asked where Telegram is. The company, Mimoun explained, is headquartered in the United Arab Emirates.
First laughter, then a more serious sense of “awkward realization” spread through the call, Mimoun says. After a pause, one of the participants spoke, “We’ll have to regroup and think about what we want to do about it.” In a follow-up session, another member of the group told Mimoun that the moment was a “wake-up call.”
Earlier this month, Telegram announced it had reached a milestone of 500 million monthly active users and noted a single 72-hour period when 25 million people had joined the service. This increase in adoptions seems to have had two simultaneous sources: first, right-wing Americans have sought less moderate communication platforms after many or two were banned from Twitter or Facebook for hate speech and misinformation, and after Amazon stopped hosting their favorite social networking service. Talk, disconnect it.
However, Telegram founder Pavel Durov has attributed further impetus to WhatsApp’s clarification of a privacy policy that includes sharing certain data (though not the content of messages) with its parent company, Facebook. Tens of millions of WhatsApp users responded to this reformulation of their (old) information exchange practices by fleeing the service and many went to Telegram, no doubt attracted in part by their “highly encrypted” messaging claims. ”. “We’ve had download uploads before, over our seven-year history of protecting users’ privacy, ”Durov wrote from his Telegram account. “But this time it’s different. People no longer want to change their privacy for free services.”
But ask Raphael Mimoun — or other security professionals who have analyzed Telegram and spoken to WIRED about its security and privacy shortcomings — and it is clear that Telegram is far from the best privacy refuge in its class that Durov describes. and that many at-risk users believe it is. “People turn to Telegram because they think it will keep them safe,” says Mimoun, who last week posted a blog post about Telegram’s flaws that he said was based on “five years of bottled frustration” about misperceptions of their safety. “There’s just a very big gap between what people feel and believe and the reality of privacy and application security.”
Telegram’s privacy protections are not necessarily flawed or broken on a fundamental level, says Nadim Kobeissi, cryptographer and founder of Paris-based cryptography consultancy Symbolic Software. But when it comes to encrypting user communications so they can’t be tracked, it just doesn’t correspond with WhatsApp, not to mention the secure non-profit messaging app Signal, which Kobeissi and most other professionals recommend. security. This is because WhatsApp and Signal end-to-end encrypt all messages and calls by default, so that their own servers never access the content of the conversations. By default, Telegram only uses “transport layer” encryption that protects the user’s connection to the server instead of one user to another. “In terms of encryption, Telegram is not as good as WhatsApp,” Kobeissi says. “The fact that encryption is not enabled by default is far behind WhatsApp.”