Fleeing WhatsApp for better privacy? Do not turn to Telegram

Last weekend, Raphael Mimoun hosted a digital security training workshop via video conference with a dozen activists. They were part of a pro-democracy coalition in a country in Southeast Asia, a group at direct risk of surveillance and repression by their government. Mimoun, the founder of the digital security organization Horizontal, asked participants to name messaging platforms they had heard of or used, and they quickly listed Facebook Messenger, WhatsApp, Signal and Telegram. When Mimoun then asked them to name the security benefits of each of the options, a few pointed out that Telegram’s encryption is a plus. One said it was used by Islamic extremists, so it should be safe.

Mimoun explained that yes, Telegram encrypts messages. But by default it only encrypts data between your device and the Telegram server; you must enable end-to-end encryption to prevent the server from seeing the messages. The group messaging feature used by the Southeast Asian activists usually provides no end-to-end encryption. They will have to trust Telegram not to give in to any government that tries to force it to cooperate in the surveillance of users. One of them asked where Telegram was located. The company, Mimoun explained, is based in the United Arab Emirates.

First laughter, then a more serious feeling of ‘uncomfortable realization’ spread through the call, Mimoun says. After a break, one of the participants spoke: “We will have to regroup and think about what we want to do about it.” In a follow-up session, another member of the group told Mimoun that the moment was a “rude awakening.”

Earlier this month, Telegram announced that it had reached a milestone of 500 million monthly active users, pointing out that a 72-hour period saw 25 million people join the service. The increase in adoption apparently had two simultaneous sources. First, right-wing Americans sought less-moderated communication platforms after many were banned from Twitter or Facebook for hate speech and disinformation, and after Amazon dropped hosting for their preferred social media service, Parler, taking it offline.

Telegram founder Pavel Durov attributed the boost more to WhatsApp’s clarification of a privacy policy that includes sharing certain data (though not the content of messages) with its corporate parent, Facebook. Tens of millions of WhatsApp users have responded to the restatement of its (years-old) information-sharing practices by fleeing the service, and many have gone to Telegram, no doubt attracted in part by its claims of ‘highly encrypted’ messages. “We have had an increase in downloads before, through our 7-year history of protecting users’ privacy,” Durov wrote from his Telegram account. “But this time is different. People no longer want to trade their privacy for free services.”

But ask Raphael Mimoun – or other security professionals who have analyzed Telegram and who spoke to WIRED about its shortcomings in security and privacy – and it is clear that Telegram is far from the privacy haven that Durov describes and that many at-risk users believe it is. “People turn to Telegram because they think it will keep them safe,” said Mimoun, who last week published a blog post about Telegram’s shortcomings, which he said was based on ‘five years of frustrated frustration’ over the misperceptions of its security. “There’s just a huge gap between what people feel and believe and the reality of the app’s privacy and security.”

Telegram’s privacy protection is not necessarily fundamentally flawed or broken, says Nadim Kobeissi, a cryptographer and founder of the Paris-based cryptography consultancy Symbolic Software. But when it comes to encrypting users’ communications so that they cannot be surveilled, it simply does not match WhatsApp, not to speak of the nonprofit secure messaging app Signal, which Kobeissi and most other security professionals recommend. This is because by default WhatsApp and Signal end-to-end encrypt every message and call, so their own servers never have access to the content of conversations. By default, Telegram uses only “transport layer” encryption, which protects the connection from the user to the server rather than from one user to another. “In terms of coding, Telegram is just not as good as WhatsApp,” says Kobeissi. “The fact that encryption is not enabled by default already puts it behind WhatsApp.”
