Telegram is not safe
Please tell your friends
There’s a terrible war being fought in Ukraine. And in Russia ordinary people are getting arrested for saying the wrong thing on social media. People in both countries need safe, secure messaging that the Russian government can’t read.
A lot of people may think the social media and messaging app Telegram, which is very popular in both Ukraine and Russia, provides that secure messaging. It markets itself as “encrypted,” “secure” and “private.”
That marketing is misleading. Telegram is not really an encrypted platform. Trusting Telegram with your life or your freedom would be a mistake.
For any conversations you’re worried about the FSB seeing you should use an alternative like Signal or WhatsApp if at all possible.
You should also use disappearing messages whenever you can if there’s a chance the police might demand to see your phone. Disappearing messages are available on Signal, WhatsApp and Telegram. You should use them even if you continue to use Telegram.
Why Telegram is not safe
Telegram does not use end-to-end encryption by default. Channels and Groups are never encrypted. Messages are sent to a server where they are stored in plaintext. Anyone with access to Telegram’s servers can read your messages. This probably includes lots of Telegram employees and the FSB.
Telegram offers optional end-to-end encryption, but they’ve probably given the FSB a backdoor so they can read your messages. Telegram was banned from Russia in 2018 because it wouldn’t backdoor end-to-end encrypted chats for the FSB. The ban was lifted two years ago after Telegram “agreed to help with extremism investigations.”
Telegram is a Russian app with Russian employees who are susceptible to pressure.
But I thought Telegram was secure and encrypted?
They’d like you to think this. Telegram’s marketing materials claim that “Telegram messages are heavily encrypted and can self-destruct” and that “Telegram keeps your messages safe from hacker attacks.”
These claims are not really true. In fact, Telegram messages are unencrypted while they’re stored on Telegram’s servers.
Here’s Moxie Marlinspike, the founder of Open Whisper Systems, on Telegram:
Even if the Telegram team hate Putin and are true Libertarians they’re still susceptible to pressure. Some of them will have families in Russia. And so it’s not only Telegram employees who may have access to your messages. It’s very possible that the FSB also has access.
The founder of Telegram is Pavel Durov, who also founded VKontakte, Russia’s Facebook clone. He left Russia years ago, says he’s a Libertarian, and says that the Russian authorities “can’t stand me.”
Here’s what he said to TechCrunch when he left VKontakte:
“I’m out of Russia and have no plans to go back. Unfortunately, the country is incompatible with internet business at the moment… I’m afraid there is no going back, not after I publicly refused to cooperate with the authorities. They can’t stand me.”
I have no idea whether he’s telling the truth or not.
But I can’t, for the life of me, understand why he wouldn’t make proper end-to-end encryption Telegram’s default mode. If he’s really a Libertarian cyberpunk who hates Putin… why wouldn’t he do this?
Telegram was banned in Russia on April 16, 2018 by the Russian information regulator, Roskomnadzor, because it refused to share encryption keys for “opt-in secret chats” with the FSB. The ban was lifted in June 2020 after Durov said Telegram had new ways to “catch and delete extremist and terrorist content.”
The Independent wrote at the time:
The dispute between Russia and Telegram revolved around the app's commitment to end-to-end encryption, which keeps messages safe as they are passed over the service. Such technology means that it is not possible for companies to read messages in transit, and that only the sender and recipient are able to access them.
Russia argued that this should not be possible, and that Telegram should store the keys to unlock and read those messages within Russia. That would allow them to read any messages they wanted to, which authorities argued was necessary to stop terrorism and other problem content.
Roskomnadzor did not indicate how the two organisations had been able to overcome that issue. It did not say whether it now had access to those messages, or what changes had happened to the platform.
I invite you to draw your own conclusions.
What about Viber?
While Telegram makes end-to-end encryption an option, Viber uses end-to-end encryption by default for 1:1 messages. Many group chats still don’t use end-to-end encryption.
Viber was threatened with a ban in Russia at the same time as Telegram, but wasn’t ultimately banned. Instead it opened a local office in Russia in order to avoid a ban.
It is likely that the FSB has access to chats on Viber, like it probably does on Telegram.
There’s a very long history of this
Governments have been doing this for centuries. In 1919 the American Black Chamber had a deal with Western Union to read any interesting telegrams it wanted. The NSA and Microsoft collaborated to put a backdoor in key encryption technology in Windows.
More recently, the National Security Agency and AT&T collaborated to monitor internet traffic at eight locations around the United States.
And let’s not forget Crypto AG, a Swiss company that sold a wide range of crypto devices from 1952 to 2018. It was literally owned by the CIA for 48 years while selling supposedly secure hardware to various companies and governments.
Governments have been doing this for centuries. It would be crazy to think Russia wouldn’t at least try to do this with Telegram. In fact, we know they have.
So, look, maybe Pavel hates Putin and deplores the invasion of Ukraine. Who knows. He may be a legitimately great guy.
All I know is that if anyone at Telegram with access to their message databases is compromised — in any way — then your messages aren’t safe. And that isn’t a risk worth taking when perfectly good alternatives exist.
Install Signal or WhatsApp instead
Signal and WhatsApp are truly end-to-end encrypted. They do not store messages in plaintext on any servers.
Signal is free to download and available for Android, iPhone and Mac. It is safe to use but it is sometimes blocked in Russia. Install here.
WhatsApp is free to download and also available for Android, iPhone, Mac and Windows. The one downside of WhatsApp is that it is made by Meta, an American company, and may get blocked in Russia at some point. Install here.
You should be careful with these. WhatsApp could be banned at any moment. And having Signal on your phone could be seen as incriminating. Please be careful.
Sorry but Whatsapp is pure theater. Any software that claims e2ee needs to publish the code. There is no serious security or privacy claim that can be defended with marketing alone. "It's secure! Trust me"
Signal is good for now, just worrisome to have a founder looking for a way to monetize it. He held back from publishing the code for the backend for many months while he integrated his shitcoin into it.
Go for matrix.org, spin your own instance(or pay 20 bucks for someone to do it for you to have a server for your family). Be the uncle Jim!
This is not only truly encrypted but the data is in your hands(can't say that about Signal). And for those pesky legacy contacts that stay in WhatsApp or even telegram, you can always bridge it until they are passed it.
Thanks for the article! Interestingly enough, this journalist says that WhatsApp tracking was used to target UK fighters who volunteered to join Ukrainian forces in a missile strike: https://twitter.com/kimzetter/status/1505696676299771906?s=21
I think the story is referring to metadata, not messages. My limited understanding of digital security says it could have happened with Signal too, right?
But the most mysterious piece about Telegram, compared to others, is that no one knows it’s business model. They try to run an ICO - that failed. They attempted to advertise, also limited success and rollout. So it remains a mystery to me how they keep running this business.
This investigative piece highlights, but doesn’t answer most of my questions: https://www.wired.com/story/how-telegram-became-anti-facebook/