Running away from WhatsApp to improve privacy? Don’t turn to Telegram

Last weekend, Raphael Mimoun ran a digital security training workshop via videoconference with a dozen activists. They belonged to a pro-democracy coalition in a Southeast Asian country, a group at direct risk of surveillance and repression by their government. Mimoun, the founder of the non-profit digital security organization Horizontal, asked participants to list the messaging platforms they had heard about or used, and they quickly named Facebook Messenger, WhatsApp, Signal and Telegram. When Mimoun asked them to name the security advantages of each of these options, several pointed to Telegram’s encryption as a plus. It had been used by Islamic extremists, noted one, so it must be safe.

Mimoun explained that yes, Telegram encrypts messages. But, by default, it encrypts data only between your device and the Telegram server; you must enable end-to-end encryption to prevent the server itself from seeing messages. In fact, the group messaging feature that the Southeast Asian activists have used most often does not offer end-to-end encryption. They would have to rely on Telegram not to cooperate with any government that tries to compel it to help monitor users. One of them asked where Telegram is located. The company, Mimoun explained, is based in the United Arab Emirates.

Laughter first, then a more serious feeling of “strange accomplishment” spread during the call, says Mimoun. After a pause, one of the participants said: “We are going to have to regroup and think about what we want to do about it.” In a follow-up session, another member of the group told Mimoun that the moment was a “rude awakening”.

Earlier this month, Telegram announced that it had reached 500 million monthly active users and pointed to a single 72-hour period in which 25 million people joined the service. This wave of adoption seems to have had two simultaneous sources: first, right-wing Americans sought less moderated communication platforms after many were banned from Twitter or Facebook for hate speech and misinformation, and after Amazon dropped hosting for their preferred social media service, Parler, taking it offline.

Telegram’s founder, Pavel Durov, however, has attributed the surge more to WhatsApp’s clarification of a privacy policy that includes sharing certain data – although not the content of messages – with its corporate parent, Facebook. Tens of millions of WhatsApp users responded to this reaffirmation of its years-old information-sharing practices by fleeing the service, and many went to Telegram, no doubt attracted in part by its claims of “heavily encrypted” messages. “We’ve had peak downloads before, over our 7-year history of protecting user privacy,” wrote Durov from his Telegram account. “But this time is different. People no longer want to exchange their privacy for free services.”

But ask Raphael Mimoun – or other security professionals who reviewed Telegram and talked to WIRED about its security and privacy flaws – and it is clear that Telegram is far from the best-in-class privacy haven that Durov describes and that many at-risk users believe it to be. “People turn to Telegram because they think it will keep them safe,” says Mimoun, who last week published a post about Telegram’s flaws that he says was based on “five years of pent-up frustration” about misconceptions about its security. “There is a very large gap between what people feel and believe and the reality of the privacy and security of the application.”

Telegram’s privacy protections aren’t necessarily defective or broken on a fundamental level, says Nadim Kobeissi, a cryptographer and founder of the Paris-based cryptography consultancy Symbolic Software. But when it comes to encrypting users’ communications so they can’t be watched, it simply doesn’t compare to WhatsApp – not to mention the non-profit secure messaging app Signal, which Kobeissi and most other security professionals recommend. That’s because WhatsApp and Signal end-to-end encrypt all messages and calls by default, so their own servers never access the content of conversations. By default, Telegram uses only “transport layer” encryption, which protects the user’s connection to the server rather than the connection from one user to another. “In terms of encryption, Telegram is not as good as WhatsApp,” says Kobeissi. “The fact that encryption is not enabled by default already puts it behind WhatsApp.”
