Last weekend, Raphael Mimoun held a digital security training workshop via video conference with a dozen campaigners. They belonged to the pro-democracy coalition of one Southeast Asian country, a group that was under direct threat of vigilance and repression by their government. Mimoun, founder of the nonprofit digital security Horizontal, asked the participants to make a list of messaging platforms they had heard or used, and quickly left Facebook Messenger, WhatsApp, Signal , and Telegram. When Mimoun asked them to name the security benefits of each of these options, several of them identified Telegram encryption as an addition. It was used by Islamic extremists, one person said, so it must be secure.
Mimoun explained that, Telegram is circulating messages. But basically it only circulates data between your device and Telegram server; you need to turn on end-to-end encryption to prevent the server itself from seeing the messages. Of course, the group messaging feature that Southeast Asian campaigners would typically use does not offer end-to-end encryption at all. They would have to trust Telegram not to cooperate with any government that tries to force cooperation in customer monitoring. One of them asked where Telegram is. The company, Mimoun explained, is based in the United Arab Emirates.
First a smile, then a more dangerous feeling of “strange accomplishment” spread through the call, Mimoun said. After some rest, one of the participants spoke: “We need to regenerate and think about what we want to do about this.” In a follow-up session, another member of the group told Mimoun that the moment was an “awkward awakening.”
Earlier this month, Telegram announced that it had hit a milestone of 500 million monthly active users and surfaced in one 72-hour period when 25 million people had come in. to the service. That adoption boost seems to have been on two sources at once: First, right-wing Americans have sought out less-than-usual communication platforms after many were blocked from Twitter or Facebook for hate speech and disinfection, and after Amazon dropped to host for Parler ‘s favorite social media service, taking it offline.
Telegram founder Pavel Durov, however, has been impressed by the further increase in WhatsApp’s clarification of a privacy policy that includes the sharing of certain data – though not the content of messages – by its corporate parent, Facebook. Tens of millions of WhatsApp users responded to that repetition of its information-sharing practices (one year old) by fleeing the service, and many went to Telegram, no doubt attracted partly by his claims about “highly circulated” messages. “We have seen an increase in downloads in the past, throughout our 7-year history of protecting user privacy,” Durov wrote from his Telegram account. “But this time is different. People no longer want their privacy exchanged for free services.”
But ask Raphael Mimoun – or other security professionals who have analyzed Telegram and talked to WIRED about its security and privacy vulnerabilities – and Telegram is clearly far from the best-in-class privacy centers which Durov explains and that many are at risk consumers believe. “People turn to Telegram because they think it’s going to keep them safe,” said Mimoun, who published a blog post last week about the flaws of Telegram which he says were based on “five years of bottle harassment” about the misunderstandings about its security. “There’s just a huge gap between what people feel and believe about and the reality of the app’s privacy and security.”
Telegram’s privacy protections may not be flawed or violated at a basic level, says Nadim Kobeissi, a cryptographer and founder of Paris-based symbolic cryptography consulting software. But when it comes to circulating user contacts so that they can’t be tracked, it doesn’t just measure up to WhatsApp – not to mention Mark’s nonprofit secure messaging app, which Kobeissi and most other security professionals recommend. That’s because WhatsApp and Signal end-to-end basically circulate all messages and calls, so their own servers never have access to chat content. Telegram basically uses only “transport envelope” encryption that protects the connection from the user to the server rather than from one user to another. “In terms of encryption, Telegram is just not as good as WhatsApp,” Kobeissi says. “The fact that encryption is not enabled by default is already putting WhatsApp behind it.”