Because the chat app doesn’t encrypt conversations by default—or at all for group chats—security professionals often warn against it.
Last weekend, Raphael Mimoun hosted a digital security training workshop via videoconference with a dozen activists. They belonged to one Southeast Asian country’s pro-democracy coalition, a group at direct risk of surveillance and repression by their government. Mimoun, the founder of the digital security nonprofit Horizontal, asked the participants to list messaging platforms that they’d heard of or used, and they quickly rattled off Facebook Messenger, WhatsApp, Signal, and Telegram. When Mimoun then asked them to name the security advantages of each of those options, several pointed to Telegram’s encryption as a plus. It had been used by Islamic extremists, one noted, so it must be secure.
Mimoun explained that yes, Telegram encrypts messages. But by default it encrypts data only between your device and Telegram’s server; you have to turn on end-to-end encryption to prevent the server itself from seeing the messages. In fact, the group messaging feature that the Southeast Asian activists used most often offers no end-to-end encryption at all. They’d have to trust Telegram not to cooperate with any government that tries to compel it to cooperate in surveilling users. One of them asked where Telegram is located. The company, Mimoun explained, is based in the United Arab Emirates.
First laughter, then a more serious feeling of “awkward realization” spread through the call, says Mimoun. After a pause, one of the participants spoke: “We’re going to have to regroup and think about what we want to do about this.” In a follow-up session, another member of the group told Mimoun the moment was a “rude awakening.”
Earlier this month, Telegram announced that it had hit a milestone of 500 million active monthly users and pointed to a single 72-hour period when 25 million people had joined the service. That surge of adoption seems to have had two simultaneous sources: First, right-wing Americans have sought less-moderated communications platforms after many were banned from Twitter or Facebook for hate speech and disinformation, and after Amazon dropped hosting for their preferred social media service Parler, taking it offline.
But ask Raphael Mimoun—or other security professionals who have analyzed Telegram and who spoke to WIRED about its security and privacy shortcomings—and it’s clear that Telegram is far from the best-in-class privacy haven that Durov describes and that many at-risk users believe it to be. “People turn to Telegram because they think it’s going to keep them safe,” says Mimoun, who last week published a blog post about Telegram’s flaws that he says was based on “five years of bottled up frustration” about the misperceptions of its security. “There is just a really big gap between what people feel and believe and the reality of the privacy and security of the app.”
“It’s like if everyone else in the world has agreed that we’re going to use drywall to do the walls in a house, and then you’ve got somebody who’s using toothpaste.”
Matthew Green, Johns Hopkins University
Telegram’s privacy protections aren’t necessarily faulty or broken on a fundamental level, says Nadim Kobeissi, a cryptographer and founder of the Paris-based cryptography consultancy Symbolic Software. But when it comes to encrypting users’ communications so that they can’t be surveilled, it simply doesn’t measure up to WhatsApp—not to mention the nonprofit secure messaging app Signal, which Kobeissi and most other security professionals recommend. That’s because WhatsApp and Signal end-to-end encrypt every message and call by default, so that their own servers never access the content of conversations. Telegram by default only uses “transport layer” encryption that protects the connection from the user to the server rather than from one user to another. “In terms of encryption, Telegram is just not as good as WhatsApp,” says Kobeissi. “The fact that encryption is not enabled by default already puts it way behind WhatsApp.”
Telegram does offer end-to-end encryption for one-to-one chats but requires users to enable a “secret chats” feature, which must be switched on for every contact individually. Starting that secret chat requires four menu taps that aren’t particularly intuitive. (Tap the contact’s name, then “more,” then “start secret chat,” and then confirm when a prompt asks whether you’re sure.) Conversation history from the default chat doesn’t carry over to the “secret” one, and you have to initiate that encryption option every time you pick a conversation back up with a contact.
“Would you rather go for the car where airbags work any time you get into a crash?” asks Kobeissi. “Or are you going to go for the car where, every time you turn it on you have to type in a PIN to enable airbags? Why not have them on by default? There’s going to be a time where you’re going to forget to type that PIN and you’re going to get into a crash.”
Worse still, Telegram doesn’t offer its secret chats feature at all for group chats, where many of its most at-risk users congregate. It also stores all default chat histories on its servers. That adds a measure of convenience; threads conveniently reappear whenever you install the app on a new device. But the approach leaves them vulnerable to being read by everyone, from Telegram itself to hackers who manage to breach the company’s network and legal authorities who compel it to share user data.
That threat of government coercion became more concrete when Telegram moved its development team—and the official headquarters of one company in the Telegram Group—from Berlin to Dubai three years ago. Though Telegram keeps its servers spread elsewhere around the world, that location nonetheless leaves the company particularly vulnerable to pressure from the United Arab Emirates, a country known for its record of aggressively hacking and surveillinghuman rights activists and dissidents.
When WIRED reached out to Telegram for comment on these criticisms, its head of marketing, Mike Ravdonikas, responded in a Telegram message that the company doesn’t store data in the UAE and has never received a data request from the UAE government. He added that its “lean Dubai-based team is ready to move to a different location if it ever faces pressure.” As for its lack of end-to-end encryption by default, Ravdonikas writes that Telegram’s non-secret chats have features that “are not possible to implement in an end-to-end encrypted environment,” such as persistent chat histories across devices, very large user groups, and sending large documents and video. “We are not going to cripple Telegram by throwing away dozens of its great features because some folks are misled by marketing tricks from our competitors or are too lazy to start Secret Chats when they think they need them,” Telegram founder Durov wrote on his public Telegram channel earlier this month.
But many cryptographers remain wary of Telegram’s encryption scheme, even in secret chats. The company uses its own unique encryption protocol known as MTProto. That preference for homebrewed encryption is widely considered deeply unwise by cryptographers who have long held that it’s far safer to implement standard, well-tested protocols. After all, sussing out the vulnerabilities in any new protocol takes years of work and careful auditing, no matter how clever a company’s in-house cryptographers may be.
Telegram’s MTProto protocol isn’t obviously broken in a practical way, concedes Matt Green, a cryptographer at Johns Hopkins University who has consulted for Facebook on encrypted messaging systems. But it’s uniquely “weird,” he says, in a way that suggests its inventors don’t understand tried-and-true cryptography practices and raises his suspicions that it may yet have undiscovered vulnerabilities. “It’s like if everyone else in the world has agreed that we’re going to use drywall to do the walls in a house, and then you’ve got somebody who’s using toothpaste,” says Green. “Even if the toothpaste works and makes a nice wall, that’s weird. How do you know they’re not doing other weird, nonstandard things when they put the electrical wiring into the house? And that’s what scares me.”
Telegram’s Ravdonikas argues that “Telegram encryption relies on classical algorithms, because we consider some approaches promoted by US-based cryptographers after 9-11/the Patriot Act (which your sources refer to as ‘state of the art cryptography’) questionable.”
That rebuttal elicited an eye-roll emoji from Johns Hopkins’ Green. “We use these standard approaches because they have public and verifiable mathematical proofs of security,” Green says. The standard protocols that Telegram avoids have had plenty of scrutiny outside of the US, he adds in response to the allegation that the Patriot Act biases US cryptographers who have examined them. And Telegram itself uses standard crypto algorithms developed and certified by US government agencies, just in nonstandard ways.
But Green emphasizes that any criticism of Telegram’s encryption protocol is almost academic. The real, overarching problem with Telegram’s security protections is that it doesn’t actually offer end-to-end encryption by default. “If you’re not using secret chats, then Telegram and anyone who hacks into Telegram’s servers sees all of your communications. And that’s really the biggest problem,” Green says. “Signal has default end-to-end encryption. WhatsApp has default end-to-end encryption. Telegram does not.”
Raphael Mimoun, the digital security trainer, says he has resorted to sending every friend, relative, or even journalist or activist acquaintance who appears in his Telegram contacts a warning message. “Welcome to Telegram,” it reads. “Telegram isn’t particularly secure or private (or trustworthy).” Lately, as more WhatsApp refugees join the service than ever, he’s having a hard time keeping up.
All Rights Reserved for Andy Greenberg