Last weekend Raphael Mimoun led a digital security training workshop by videoconference with around ten activists. They belonged to a pro-democracy coalition in a Southeast Asian country, a group at direct risk of being watched and suppressed by its government. Mimoun, the founder of the digital security nonprofit Horizontal, asked attendees to list the messaging platforms they had heard of or used, and they quickly rattled them off: Facebook Messenger, WhatsApp, Signal, and Telegram. When Mimoun then asked them to name the security benefits of each of these options, several pointed to Telegram’s encryption as a plus. It was used by Islamic extremists, one of them noted, so it needs to be secure.
Mimoun explained that yes, Telegram encrypts messages. But by default it encrypts data only between your device and Telegram’s server; you must turn on end-to-end encryption yourself, per conversation, to prevent the server from seeing the messages. The group messaging feature that the Southeast Asian activists used most often offers no end-to-end encryption at all, not even as an option. That means they would have to trust Telegram not to cooperate with any government that tries to coerce it into monitoring its users. One of them asked where Telegram is based. The company, Mimoun explained, is based in the United Arab Emirates.
First laughs, then a more serious sense of “awkward realization” spread through the call, Mimoun says. After a pause, one of the attendees spoke: “We’re going to have to regroup and think about what we want to do about this.” In a follow-up session, another member of the group told Mimoun that the moment had been a “rude awakening.”
Earlier this month, Telegram announced it had passed the 500 million monthly active user milestone and cited a single 72-hour period in which 25 million people had joined the service. This wave of adoption appears to have had two simultaneous sources. First, right-wing Americans sought less moderated communication platforms after many were banned from Twitter or Facebook for hate speech and disinformation, and after Amazon dropped hosting for their favored social network, Parler, taking it offline.
But ask Raphael Mimoun, or other security professionals who have analyzed Telegram and spoken to WIRED about its security and privacy gaps, and it’s clear that Telegram is far from the privacy haven that founder Pavel Durov describes, and that many at-risk users believe it to be. “People are turning to Telegram because they think it will keep them safe,” says Mimoun, who last week published a blog post about Telegram’s flaws that, he says, was based on “five years of pent-up frustration” over misperceptions of its security. “There is just a huge gap between how people feel and believe and the reality of the app’s privacy and security.”
Telegram’s privacy protections aren’t necessarily flawed or broken at a fundamental level, says Nadim Kobeissi, cryptographer and founder of the Paris-based cryptography consultancy Symbolic Software. But when it comes to encrypting users’ communications so they can’t be monitored, it simply doesn’t match WhatsApp, let alone the nonprofit secure messaging app Signal, which Kobeissi and most other security professionals recommend. That is because WhatsApp and Signal encrypt every message and call end-to-end by default, so their own servers never have access to the content of conversations. Telegram defaults to only “transport layer” encryption, which protects the user’s connection to the server rather than the path from one user to another; the server sits in the middle of that path and sees the plaintext. “In terms of encryption, Telegram is just not as good as WhatsApp,” Kobeissi says. “The fact that encryption is not enabled by default already puts it far behind WhatsApp.”
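As an added illustration (not code from the article, nor from Telegram, Signal or WhatsApp), the following Python sketch models the two architectures Kobeissi contrasts. A relay server holds a per-client transport key, as any server does for the connection between the app and itself. In the transport-only mode it strips that layer and therefore stores the plaintext, which a compelled-disclosure request can then obtain; in the end-to-end mode the two users share a second key the server never receives, so the same request yields only ciphertext. The cipher (an HMAC-SHA256 keystream XOR), the user names and the message are constructed for the example so it runs with the standard library alone; the cipher is a teaching toy, not something to deploy.

```python
"""Toy model: transport-layer encryption vs end-to-end encryption.

Added example, not code from the article or from any messaging vendor.
The stream cipher below is constructed for this demo only.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Server:
    """Relay that terminates each client's transport session and logs what it sees."""

    def __init__(self):
        self.transport_keys = {}  # client name -> transport-layer session key
        self.log = []             # (sender, recipient, payload after transport decryption)

    def register(self, name: str) -> bytes:
        key = os.urandom(32)      # assumed to be established by the app's handshake
        self.transport_keys[name] = key
        return key

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # The server always holds the transport key, so it can always remove this layer.
        inner = decrypt(self.transport_keys[sender], blob)
        self.log.append((sender, recipient, inner))
        # Re-wrap for the recipient's own transport session.
        return encrypt(self.transport_keys[recipient], inner)

    def compelled_disclosure(self):
        """What an order served on the operator can obtain: whatever it stored."""
        return list(self.log)


def send_transport_only(server, sender, sender_key, recipient, message):
    """Default-style chat: only the app-to-server hop is encrypted."""
    return server.relay(sender, recipient, encrypt(sender_key, message))


def send_e2ee(server, sender, sender_key, recipient, e2e_key, message):
    """End-to-end chat: message is encrypted under a key only the two users hold."""
    inner = encrypt(e2e_key, message)
    return server.relay(sender, recipient, encrypt(sender_key, inner))


def demo():
    server = Server()
    alice_key = server.register("alice")
    bob_key = server.register("bob")
    msg = b"meet at the usual place at 9"  # constructed sample message

    # Mode 1: transport-layer encryption only.
    wrapped = send_transport_only(server, "alice", alice_key, "bob", msg)
    bob_reads_1 = decrypt(bob_key, wrapped)
    server_sees_1 = server.compelled_disclosure()[-1][2]

    # Mode 2: end-to-end encryption with a key the server never receives.
    e2e_key = os.urandom(32)  # assumed to be agreed directly between the two users
    wrapped = send_e2ee(server, "alice", alice_key, "bob", e2e_key, msg)
    bob_reads_2 = decrypt(e2e_key, decrypt(bob_key, wrapped))
    server_sees_2 = server.compelled_disclosure()[-1][2]

    return {
        "bob_reads_transport_only": bob_reads_1,
        "server_sees_transport_only": server_sees_1,
        "bob_reads_e2ee": bob_reads_2,
        "server_sees_e2ee": server_sees_2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Both modes deliver the message to Bob; the difference is entirely in what the relay retains. That is the point behind the "where is Telegram based" question above: with transport-only encryption, the jurisdiction that can compel the operator can read the log.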