Telegram Isn't As Private As You Think
So a strange thing happened this week. Around the internet’s global town square I started to see all kinds of messages making vague accusations against the private messaging app, Signal, and encouraging people to switch to Telegram.
I’m not talking about the question as to whether or not Katherine Maher is an appropriate choice for the Signal Foundation board (I don’t think she is) — I’m talking about unsubstantiated anecdotes of vague Signal insecurities no one is able to find.
All this chatter would have seemed to a normal X (/Twitter) user like some "organic" movement. Let’s presume the people involved really don't want to use Signal for some reason, and maintain that their prime motivator is that they value privacy so much.
So why on EARTH would they recommend an app without any private group chats? Where private DMs aren't even available on desktop? Where privacy relies on trusting a person, instead of trusting encryption??
My spidey-senses went off big time.
As Matthew Green, cryptography professor at Johns Hopkins University, said:
“Seems like we’re getting a major push for activists to switch from Signal to Telegram, which has no encryption by default and a pretty shady history of refusing to add it. Seems like a great idea, hope folks jump all over that.”
(/s for last sentence, obvz.)
Renowned security expert and software engineer, Alec Muffett, added:
“Gosh, who would profit from getting activist communities to move from secure signal to insecure telegram?”
Good question, Alec :)
Here’s the thing: I’ve done a lot of digging into Telegram in the past, and we even did a video about some of the red flags in Telegram.
In recent weeks I’ve read a lot of posts from Telegram CEO Pavel Durov, and also watched his recent interview with Tucker. He’s very charismatic, and talks endlessly about how much he cares about privacy. But consider revealed preference: Pavel would rather keep a database filled with a record of everyone’s messages, vulnerable to any government or hacker getting access, instead of taking all this data out of his own reach.
I have come to the conclusion that Pavel is a master deflector when it comes to questions about Telegram's privacy. Telegram’s own website is incredibly dishonest when they talk about the privacy guarantees users actually get. They conflate E2EE with encryption in transit constantly, in what can only be viewed IMO as a deliberate attempt to mislead people.
TLDR: Red Flags abound! Stay vigilant, Privacy-goers!
Below I have reposted one of the pro-Telegram anti-Signal screenshots that’s been doing the rounds on social media, and a fantastic rebuttal that a friend of mine wrote.
Yours in privacy,
Naomi