Telegram has several design issues influencing it’s overall security and privacy. It is not recommended for users requiring secure communications and people who want to preserve their privacy. For those users better and free alternatives exists. One of recommended secure messengers is application Signal. There is no need to use the Telegram when there are more secure alternatives with similar features.
Telegram does not use end-to-end encryption, but only the transport-level encryption, which means that Telegram creators can see all user’s messages at any time. They also store all user’s data and messages on their servers.
Regarding the implementation of encryption of the communications, two concepts apply. One is to use encryption at the data transfer level where the message is encrypted only during transfers between different servers (but not on the servers). In this case data at the target server is decrypted and then stored on a server or forwarded to another server (in that case it could be re-encrypted, but with different key).
The second concept is encrypting the entire communication path. This concept is also known as end-to-end encryption (E2E). Here, an encrypted session is established between each endpoint (e.g., two communication terminals), which means that communications are encrypted along the entire communication path from device A to device B. Therefore, communications cannot be eavesdropped by the network infrastructure provider or by the communications service provider (however, it could be intercepted at the source or target endpoint, but this is also true when using transport-level encryption).
Telegram is by default a cloud database with a copy of every message everyone has ever sent (including photo, video and other types of documents). This database also contains all contacts and group memberships of a user. This can be easily checked by uninstalling Telegram from a mobile phone and installing it on the other mobile device – Telegram will sync all your contacts and messages to the new device without asking for any password. Messages and contacts could be removed from Telegram’s server only if user deletes his or her account through https://my.telegram.org/auth?to=delete.
By default, Telegram does not use end-to-end encryption. However, they are advertising they are offering end-to-end encryption, but only because they have a feature called Secret Chat that end-to-end encrypts sent messages. However, this feature must be manually enabled by users and this is inconvenient to use. Telegram also states on their site that Telegram secret chats are device-specific – if user starts a secret chat with a friend on one of his/her devices, this chat will only be available on that device. If user logs out, he/she will lose all the secret chats.
For encryption, Telegram uses proprietary encryption protocol known as MTProto. This encryption protocol has been developed by Telegram.
MTProto has been analyzed by some security experts, and several weaknesses have been found.
Jakob Bjerre Jakobsen from Aarhus Univesity performed a cryptanalysis of the Telegram messaging protocol in 2015 for his master’s thesis and found two smaller attacks on the underlying encryption scheme. He concluded that well-studied, provably secure encryption schemes that achieve strong definitions of security are to be preferred to home-brewed encryption schemes. Computer scientists from from ETH Zurich and Royal Holloway, University of London made a security review of MTProto in June 2021. ETH Zurich professor Kenny Paterson commented that encryption services “could be done better, more securely, and in a more trustworthy manner with a standard approach to cryptography”.
It is true, that weaknesses were not very serious, and Telegram also responded quickly and fixed those vulnerabilities almost immediately. However, the analysis has shown the importance of the so called number one rule in cryptography, which is: never create your own crypto. This rule means you shouldn’t create your own crypto algorithms and schemes, because you will probably make a major security mistake if you are not an expert in security/cryptography and have had your scheme analyzed by multiple security experts.
Telegram has access to geolocation data of it’s users, so it can track their exact locations
Telegram has a feature (which must be activated by users manually) which allows users to find people and group chats close to their location. In the past, Telegram was showing the users the relative distance between them and other users in meters. In March 2021 a security researcher Jeffrey Koopman found out that this feature could be abused to pinpoint someone’s general location.
He developed a proof of concept and a software that could be used for automatic collecting of locations of Telegram users. He also notified Telegram developers of this and it took since end of February 2022 (around a week after the war between Russia and Ukraine starts) that Telegram lowered the accuracy of the “People Nearby” function.
It is also important to note that this vulnerability has been patched after OS2INT (organization that is offering training and development consultancy on open source intelligence) has published a detailed article how to track the movement of Russian armed forces through this vulnerability in February, 3rd 2022. In their article they have shown how to get the detailed movements of Russian military forces within the Soloti Military Deployment Area in real time.
Source and credits: OSINT Workflow: Applying effective OSINT to geo-monitor Russian military activity. Picture is showing tracking of a Telegram user from the likely vehicle staging area to the main gate of the Soloti Military Deployment Area by vehicle (according to the speed of movement and user’s locations).
While it is true that Telegram is now showing lowered accuracy of the users’s locations, it is very likely that Telegram creators still have access to high accuracy geolocation data of their users (for those who gave the Telegram location permission).
They also state that they can read user’s chat messages to investigate spam and other forms of abuse.
Telegram and Russian intelligence services
Russia and some other countries (most known is a case of Iran) have been trying to block Telegram several times in the past. While Iran has not been very successful blocking Telegram, Russia took a more active approach.
After Telegram refused to give Russian authorities access to user messages, a Moscow court in 2018 banned it in Russia. Telegram tried to evade censorship and has been playing cat-and-mouse with the Russian telecom regulator Roskomnadzor by rotating the IP address the application uses to communicate. However, Roskomnadzor decided to block 19 million IP addresses (including Amazon Web Services and Google Cloud which Telegram used) in order to effectively block Telegram use in Russia. Since the collateral damage to Russian business was huge, Roskomnadzor stepped a little back, but this event has shown that Russian authorities are willing to take drastic measures to get the access to Telegram’s user data. Russian authorities has since tried to press on the large cloud providers that host Telegram services to block Telegram, and on mobile companies not to offer the Telegram application in their app stores.
This shows that Russia was very keen trying to get access to the Telegram data in the past. However, Russia is known for strong misinformation campaigns and false flag operations, and this poses a legitimate question whether this cat-and-mouse game is not just another false flag operation with the aim to give users false impression that using Telegram is safe and secure?
Telegram is very widespread in post-Soviet countries and based on my knowledge and experience several of post-Soviet are occasionally blocking various messaging applications like WhatsApp and Signal, while Telegram is banned very rarely. This could be due to Telegram’s effective countermeasures or for some other reasons.
It is important to note that Vladimir Putin’s then adviser on Internet-related issues German Klimenko in 2017 clearly stated that the Telegram founder “sooner or later will be forced to cooperate and institutionalize himself in Russia”. In 2017 there were also some controversies whether Telegram was really operating outside Russia or not - while Telegram founder Pavel Durov denied that Telegram has employees in Russia, multiple sources claimed that Telegram employees at that time were still working in St. Petersburg in the same building as Kremlin-influenced social network VK.
Later, Telegram headquarters were moved outside Russia and in 2013 they registered a network of shell companies around the world, the better to avoid taxes, contract with local data centers, and disguise the application’s true ownership. Later they moved to Berlin, Germany, however from 2017 they are operating out of Dubai. It is important to note, that United Arab Emirates is a deeply repressive state, routinely jailing political dissidents and journalists for critizing the ruling family and therefore cannot be seen as a country supporting liberty and freedom of speech.
In the middle of the March 2022, Oleg Matveychev (has has also been called “a spin doctor for the Kremlin”), member of the Russian State Duma and deputy chairman of the committee on information policy, information technology and communications, said that “as long as the messenger is politically neutral, they will not touch it, and there is no need to become biased by Telegram”.
While other secure messengers are regularly blocked in Russia, Russian attitude towards Telegram is legitimately raising some questions.
What about alternatives?
On the other hand, better and free alternatives to Telegram exists. One of them is application Signal, which is multiplatform, opensource and free. It’s security model is very good and has been reviewed by several renowned security experts, supports end-to-end encryption by default, supports E2E encrypted group chats, including E2E encrypted group video chats, exchange of documents and multimedia files, etc. Signal collects only minimum of user’s data (only the date when user’s account was created and the last time user has been last connected to Signal’s network) and is known for their pro privacy oriented approach. Signal use is also recommended by several security experts and even by U.S. authorities.
There are also other free alternatives supporting E2E encryption by default, and some of them are also using open sourced Signal Protocol.
Some of these applications, for instance WhatsApp and Google’s Messages are offering E2E encryption by default, while others, for instance Facebook Messenger and Skype offer the protocol only optional (if user enables so called secret or private conversations). Viber is also offering E2E encryption, but they are using their own encryption protocol which they claimed is using the same concepts as the Signal Protocol.
The problem with these applications is that some of them are offering E2E encryption only optional and in some cases group communications are not E2E encrypted. This is not the case with application Signal, which is using E2E encryption for group communications by default.
Another problem is, that many of messenger applications are collecting personal data from users and try to monetize the application with targeted advertising. Some of these messengers are also owned by “big tech companies” which business model is established around collection of personal data (for instance WhatsApp is owned by Meta/Facebook). This is also not the case with Signal app, which is collecting really minimal amount of data and does not use the application for marketing. For instance, messaging applications needs to be able to determine which of the device’s contacts are using the same messenger application, so users can communicate with their contacts through that application.
While most of the messaging applications are collecting contacts from the user’s contact list, Signal has developed so called private discovery of contacts, which enables Signal application to determine which of the device’s contacts are using Signal, but without revealing the contacts in their address book to the Signal service. This is only one example of privacy preserving technologies developed and used by the Signal application, which is showing that Signal is taking the privacy of their users seriously.
Messaging applications have become critical in daily and professional life. Deciding which messaging application to use, should be based on informed decision. Especially if you want to keep your privacy and your communications secure.
Ključne besede: Signal, Telegram, Zasebnost, šifriranje