On the run from WhatsApp for better privacy? Do not switch to Telegram

Last weekend, Raphael Mimoun organized a digital security workshop via video conference with a dozen activists. They were part of the pro-democracy coalition of a Southeast Asian country, a group directly at risk of being controlled and oppressed by their government. Mimoun, the founder of a digital security nonprofit, asked participants to list messaging platforms they’d heard of or used, and they quickly rattled off Facebook Messenger, WhatsApp, Signal, and Telegram. When Mimoun then asked them to name the security benefits of each of those options, several pointed to Telegram’s encryption as a plus. It had been used by Islamic extremists, one noted, so it should be safe.

Mimoun explained that yes, Telegram does encrypt messages. But by default it only encrypts data between your device and Telegram’s server; you must enable end-to-end encryption to prevent the server itself from seeing the messages. In fact, the group messaging feature most often used by Southeast Asian activists doesn’t offer end-to-end encryption at all. That means they have to trust Telegram not to cooperate with a government trying to force it to help monitor users. One of them asked where Telegram is located. The company, Mimoun explained, is based in the United Arab Emirates.

Laughter at first, then a more serious sense of “uncomfortable realization” spread through the call, Mimoun says. After a pause, one of the participants spoke: “We will have to regroup and think about what we want to do about this.” In a follow-up session, another member of the group told Mimoun that the moment was a “rude awakening.”

Earlier this month, Telegram announced it had hit a milestone of 500 million active monthly users and pointed to a single 72-hour period in which 25 million people had joined the service. That wave of adoption appears to have had two simultaneous sources: First, right-wing Americans have looked for less moderated communication platforms after many were banned from Twitter or Facebook for hate speech and disinformation, and after Amazon dropped hosting for their favorite social media service, Parler, taking it offline.

However, Telegram founder Pavel Durov attributed the boost more to WhatsApp’s clarification of a privacy policy that includes sharing certain data – but not message content – with its parent company, Facebook. Tens of millions of WhatsApp users responded to that restatement of its (years-old) information-sharing practices by fleeing the service, and many went to Telegram, no doubt drawn in part by its claims of “heavily encrypted” messages. “We’ve had a massive increase in downloads before, over our 7-year history of protecting user privacy,” Durov wrote from his Telegram account. “But this time is different. People no longer want to trade their privacy for free services.”

But ask Raphael Mimoun – or other security professionals who analyzed Telegram and spoke to WIRED about its security and privacy shortcomings – and it’s clear that Telegram is far from the best-in-class privacy haven that Durov describes and that many at-risk users believe it to be. “People are turning to Telegram because they think it will protect them,” said Mimoun, who last week published a blog post on Telegram’s shortcomings that he says was based on “five years of pent-up frustration” over the misconceptions about its security. “There’s just a really big gap between what people feel and believe and the reality of the privacy and security of the app.”

Telegram’s privacy protections aren’t necessarily faulty or fundamentally broken, says Nadim Kobeissi, a cryptographer and founder of Paris-based cryptography consultancy Symbolic Software. But when it comes to encrypting users’ communications so they can’t be monitored, it simply doesn’t compare to WhatsApp – not to mention the non-profit secure messaging app Signal, which Kobeissi and most other security professionals recommend. That’s because WhatsApp and Signal encrypt every message and call end-to-end by default, so their own servers never access the content of conversations. By default, Telegram only uses “transport layer” encryption, which protects the connection between the user and the server rather than the connection from one user to another. “In terms of encryption, Telegram is just not as good as WhatsApp,” says Kobeissi. “The fact that encryption is not enabled by default puts it far behind WhatsApp.”
