Last weekend, Raphael Mimoun hosted a digital security training workshop by videoconference with a dozen activists. They belonged to a pro-democracy coalition in a Southeast Asian country, a group at direct risk of surveillance and repression by their government. Mimoun, the founder of the digital security nonprofit Horizontal, asked participants to list the messaging platforms they had heard of or used, and they quickly rattled off Facebook Messenger, WhatsApp, Signal and Telegram. When Mimoun asked them to name the security advantages of each of these options, several pointed to Telegram's encryption as a plus. One mentioned that it had been used by Islamic extremists, so it must be secure.
Mimoun explained that yes, Telegram encrypts messages. But, by default, it encrypts data only between your device and the Telegram server; you must enable end-to-end encryption to prevent the server itself from seeing the messages. In fact, the group messaging feature that the Southeast Asian activists used most often does not provide end-to-end encryption at all. They would have to trust Telegram not to cooperate with any government trying to force it to help surveil its users. One of them asked where Telegram was based. The company, Mimoun explained, is based in the United Arab Emirates.
First laughter, then a more serious sense of “awkward accomplishment” spread through the call, says Mimoun. After a pause, one of the participants spoke: “We will have to regroup and think about what we want to do in this regard.” In a follow-up session, another member of the group told Mimoun that the moment was a “rude awakening.”
Earlier this month, Telegram announced that it had reached a milestone of 500 million monthly active users and pointed to a single 72-hour period when 25 million people joined the service. This increase in adoption seems to have had two simultaneous sources: first, right-wing Americans sought less moderated communication platforms after many were banned from Twitter or Facebook for hate speech and misinformation, and after Amazon stopped hosting their favorite social media service, Parler, taking it offline.
Telegram founder Pavel Durov, however, attributed the increase to WhatsApp’s clarification of a privacy policy that includes sharing certain data – though not the content of messages – with its corporate parent, Facebook. Tens of millions of WhatsApp users responded to this restatement of its (age-old) information-sharing practices by fleeing the service, and many went to Telegram, no doubt drawn in part by its claims of “heavily encrypted” messaging. “We have had increases in downloads before, throughout our 7-year history of protecting user privacy,” Durov wrote on his Telegram account. “But this time is different. People no longer want to change their privacy for free services.”
But ask Raphael Mimoun – or other security professionals who have looked at Telegram and talked to WIRED about its security and privacy shortcomings – and it’s clear that Telegram is far from the best privacy haven that Durov describes and that many at-risk users think it is. “People are turning to Telegram because they think it will keep them safe,” said Mimoun, who last week published a blog post about Telegram’s flaws, which he says is based on “five years of bottled frustration” over misperceptions of its security. “There is only a very big gap between what people feel and believe and the reality of application privacy and security.”
Telegram’s privacy protections are not necessarily flawed or broken at a fundamental level, says Nadim Kobeissi, cryptographer and founder of the Paris-based cryptography consultancy Symbolic Software. But when it comes to encrypting user communications so they can’t be monitored, it simply doesn’t measure up to WhatsApp, let alone the nonprofit secure messaging app Signal, which Kobeissi and most security professionals recommend. This is because WhatsApp and Signal encrypt each message and call by default so that their own servers never access the content of the conversations. By default, Telegram uses only “transport layer” encryption, which protects the connection from the user to the server rather than from one user to another. “In terms of encryption, Telegram is not as good as WhatsApp,” says Kobeissi. “The fact that encryption is not enabled by default already puts it behind WhatsApp.”