Telegram's Privacy Mirage
I've been banging this drum for almost a decade: stop using Telegram. Seriously, folks, it's high time we faced the facts about this so-called "secure" messaging app. Just the other day, someone told me my name was mentioned in the Cypherpunks Brasil Telegram group. My immediate reaction? "First of all, stop using Telegram!"
Back in December 2015—yeah, nearly ten years ago—I tweeted about the anonymity issues with Telegram. I shared an article highlighting four security flaws found by experts. The gist? Telegram's supposed privacy features were nothing more than smoke and mirrors.
Fast forward to 2021, and I was still at it. When WhatsApp updated its privacy policy, people flocked to Telegram as a safer alternative. I couldn't help but point out that Signal is infinitely superior to Telegram in terms of security. Telegram doesn't use end-to-end encryption by default, stores all your messages and files, and has possible agreements with governments to avoid legal troubles.
I even found an old post where we did a proof of concept. We proved that even if you delete a message or set it to self-destruct before it's read, it's still possible to recover the content later. Translation: everything is stored. In 2022, when Brazil temporarily banned Telegram, I noted that it aligned us with countries known for heavy censorship like China and Iran. The ban didn't last, of course. Telegram likely made some concessions to keep operating, possibly sharing data with the government.
Now, let's talk about that Wired article from earlier this year, titled "The Kremlin Has Entered the Chat". It's a must-read. It tells the story of activists in Russia who were arrested, and their private Telegram messages were already in the hands of authorities—even before their devices could be searched. One activist noted, "They already knew everything I was saying. There wasn't enough time for them to scan my phone. They had the information beforehand."
How is this possible? The article delves into the history of Telegram, including how founder Pavel Durov and his brother initially wanted to create a platform for free communication. Noble intentions, perhaps, but somewhere along the line, things went awry.
Telegram's group messages are accessible through an open API. You can retrieve information from any group, including all participants and messages, without even being a member. Yes, you read that right. You don't need to be in a group to extract all its messages. I'll even show you how.
There are scripts and tools—like Telethon and Telepathy—that allow you to automate data collection from public channels and groups. With a few lines of code, you can pull messages, media, documents—everything. There's an article on Medium that walks you through how to do this step by step. It's that easy.
But wait, there's more. You can geolocate users. There's a tool called Telepathy that lets you find Telegram users nearby. It leverages the app's "People Nearby" feature, which is enabled by default. This means anyone can find out who's using Telegram around them, down to a few meters. Think about the privacy implications of that.
Recently, Pavel Durov announced that he's disabling the personal geolocation feature on Telegram. According to a Cointelegraph article, Durov acknowledged that security researchers had found a way to use this feature to triangulate a user's exact location. So, he decided to disable it to protect user privacy.
But is that enough? Disabling one feature doesn't address the fundamental issues with Telegram's architecture. The app doesn't use end-to-end encryption by default, and group chats are not encrypted at all. Everything is stored on Telegram's servers, which could be accessed by governments or malicious actors.
Remember, the founder's reemergence has sparked debates in the crypto community. As reported by Decrypt, some see Durov as a champion of privacy, while others are skeptical of his motives and Telegram's security practices.
In the Wired article, they also discuss how Telegram was banned in Russia at one point, only to be unbanned after possible agreements were made. The speculation is that Durov may have struck a deal with the Kremlin to provide access to user data in exchange for the app's continued operation in Russia.
And let's not forget the investors behind Telegram. The article mentions that Russian entities have funneled money into Telegram. So, when Durov flies from Azerbaijan to France—where he has legal issues—you have to wonder what's really going on behind the scenes.
So, what can you do? Stop using Telegram. There are better alternatives out there. Signal is infinitely superior when it comes to security. It uses end-to-end encryption by default and doesn't store your data. There's also Session and SimpleX, which don't even require a phone number to use.
Another promising platform is Veilid, developed by the Cult of the Dead Cow—the same group that coined the term "hacktivism" and has been pioneering digital privacy since the '80s. Valet uses strong encryption and decentralization to protect your communications.
And let's not forget about Element, which operates on the Matrix protocol. It's decentralized and offers end-to-end encryption, making it another solid choice for secure messaging.
In conclusion, Telegram is not the privacy-focused app it claims to be. Its architecture and business practices raise serious concerns about user privacy and data security. With so many better alternatives available, there's no reason to keep using Telegram.
I've been saying this for years, and the evidence keeps piling up. So, please, for your own sake, stop using Telegram. Switch to a platform that genuinely respects your privacy and keeps your data secure.
Technical Considerations When Choosing a Messaging Platform
When evaluating messaging apps, it is essential to consider the following technical aspects:
- End-to-End Encryption by Default: Ensures that only the participants in the conversation can read the messages.
- Open Source: Allows the community to review the source code for vulnerabilities or backdoors.
- Metadata Collection: Minimizing or eliminating metadata collection reduces the risk of user profiling.
- Decentralization: Reduces single points of failure or control, increasing resistance to censorship and surveillance.
- Registration Requirements: Avoiding the need to provide personal information, such as phone numbers or emails, enhances anonymity.
Practical Recommendations for Users
- Disable Geolocation Features: As advised by Pavel Durov, disable "People Nearby" to prevent unwanted tracking.
- Use Secret Chats: If you continue to use Telegram, always use "secret chat" for sensitive conversations, and
- Never, ever store sensitive information like passwords or private keys in your Saved Messages.
- Keep the App Updated: Updates often contain critical security fixes.
- Explore Secure Alternatives: Consider migrating to apps like Signal, Session, or SimpleX for communications requiring a high level of privacy.
- Continuous Education: Stay informed about best practices in digital security and be aware of emerging threats.
References:
- "The Kremlin Has Entered the Chat" - Wired
- Collecting Data from Telegram Channels and Groups Using Telethon - Medium
- Durov Disabling Personal Geolocation on Telegram - Cointelegraph
- Telegram Founder’s Reemergence Sparks Split - Decrypt
Alternative Messaging Apps:
- Signal: End-to-end encryption by default, open-source, and highly respected in the security community.
- Session: No phone number required, uses blockchain technology for decentralization.
- SimpleX: Doesn't require personal identifiers, focuses on strong privacy.
- Veilid: Developed by Cult of the Dead Cow, emphasizes privacy and security.
- Element: Based on the Matrix protocol, decentralized, and offers end-to-end encryption.
Final Thoughts:
Privacy isn't just a buzzword; it's a fundamental right. Don't be lulled into a false sense of security by apps that claim to protect you but do the opposite. Do your research, choose wisely, and take control of your digital life.