Telegram Messenger is spyware; stop using it

Pavel Durov, CEO of Telegram Messenger, was kidnapped on August 24th 2024 by the French robberment and put under pressure to give them more access to communications happening on Telegram and to assist with spying on users. Not too long after Durov was kidnapped, he was ‘released’ again on a €5 million bail (he’s still being held hostage and is not allowed to leave France). Apparently, some kind of deal was made with the French robberment, because shortly after Durov’s ‘release’, Telegram changed their privacy policy to now mention that they’ll give certain user data to robberments that ask for it.

The updated privacy policy on Telegram’s website now mentions:

8.3. Law Enforcement Authorities

If Telegram receives a valid order from the relevant judicial authorities that confirms you’re a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities. If any data is shared, we will include such occurrences in a quarterly transparency report published at: https://t.me/transparency.

Previously, Telegram used to boast about the fact that they did not share any user data with robberments, but that was a lie, as I’ll discuss below. It’s important to keep in mind that they also collect and store a lot of metadata from users:

3.4. Phone Number and Contacts

Telegram uses phone numbers as unique identifiers so that it is easy for you to switch from SMS and other messaging apps and retain your social graph. We ask your permission before syncing your contacts.

We store your up-to-date contacts in order to notify you as soon as one of your contacts signs up for Telegram and to properly display names in notifications. We only need the number and name (first and last) for this to work and store no other data about your contacts.

5.2. Safety and Security

Telegram supports massive communities which we have to police against abuse and Terms of Service violations. Telegram also has more than 900 million users which makes it a lucrative target for spammers. To improve the security of your account, as well as to prevent spam, abuse, and other violations of our Terms of Service, we may collect metadata such as your IP address, devices and Telegram apps you’ve used, history of username changes, etc. If collected, this metadata can be kept for 12 months maximum.

User chat history is also stored online in their cloud on multiple servers in different countries, so they also have all that data to give away to the robberment, even if you have deleted it. For example, apparently Russia has full access to all of this information:

Opening the meeting, Secretary of the National Security and Defence Council of Ukraine Oleksandr Lytvynenko stressed the importance of joining forces to strengthen national security and effectively counter threats in cyberspace.

The key topic of the meeting was the discussion of threats to national security posed by the use of the Telegram messenger, especially during a full-scale war between Russia and Ukraine.

The Chief of the Defence Intelligence of Ukraine Kyrylo Budanov provided substantiated evidence that Russian special services have access to personal correspondence of Telegram users, even deleted messages, as well as their personal data. The NCCC has decided to restrict the use of Telegram in government agencies, military formations, and critical infrastructure facilities.

National Security and Defense Council of Ukraine (September 20th 2024)

This is very interesting because back in 2017–2018 Telegram was blocked in Russia, and it wasn’t until Durov made a deal with the Russian robberment two years later that the ban was lifted.

Russia has unblocked Telegram, ending a largely ineffective two-year ban aimed at forcing the messaging app to comply with Moscow’s secret services. Roskomnadzor, the country’s internet censor, announced on Thursday that it would lift the ban after Telegram’s Russia-born founder Pavel Durov said it had improved its efforts to moderate and remove “extremist propaganda”.

Russian news agency Interfax cited an anonymous “source in Russia’s power structures” who said that Telegram had not given the intelligence services decryption codes to its secret chats but had co-operated on specific terrorism and extremism-related requests. The source also claimed that Russia now had additional antiterrorism powers thanks to a plan for a “sovereign internet”, approved last year, that centralises filtration and blocking powers in the hands of Russian censors.

Russia lifts two-year ban on Telegram messaging platform, Financial Times (June 18th 2020)

The robberments own Telegram now

Apart from participating in censorship, I strongly suspect that some kind of deal was made between Telegram and the Russian robberment to give them special access to user data as mentioned by the Chief of the Defence Intelligence of Ukraine. That’s also probably why when Durov was kidnapped by France recently, Russia quickly jumped to defend him, pressuring the French robberment to provide strong evidence to justify the charges against him.

It has long been possible for robberments to obtain user data from Telegram, even while Telegram was claiming on their website that they had never shared any user data with robberments. For example, the Dutch police could obtain personal information from anonymous users, such as IP addresses and phone numbers, from Telegram according to BNR.

The Dutch police claim they can request phone numbers via the Telegram chat app that users specifically want to keep private. This is evident from documents released by the police leadership following an appeal to the Open Government Act.

The documents include instructions for police officers to urgently obtain IP addresses and phone numbers from Telegram. “Requests are eligible if there is an immediate threat to life,” writes a police officer. The instructions were distributed in December of last year and include a form bearing the logo of the messaging service.

This capability contrasts with Telegram’s promises to its users. The messaging app claims to prioritize the privacy of its users and even asserts in its privacy policy that it has “never” shared personal data with law enforcement. However, it was already known that this promise should be taken with a grain of salt. In 2022, the German Federal Criminal Police Office (Bundeskriminalamt) reported having successfully requested personal data from the chat service.

A few months ago, the Germans did release figures. The federal police in their country have so far submitted around 230 requests for personal data to Telegram. In 25 cases, Telegram provided identifying information: IP addresses and phone numbers.

The fact that Telegram is not keeping its promises is sensitive because the demand for privacy was a driving force behind the explosive growth of the chat app.

Politie zegt telefoonnummers anonieme Telegramgebruikers op te kunnen eisen, BNR (September 18th 2024)

I’ve been telling everyone for a few years now not to use Telegram because it lacks end-to-end (E2E) encryption by default and cannot be trusted. Without E2E encryption enabled by default, Telegram is able to read and monitor most one-on-one communications on their servers. On top of that, group chats are never E2E encrypted so Telegram can monitor and read all communications in group chats. This means that Telegram can easily scan communications in group chats and censor certain information.

Cryptographer Matthew Green from Johns Hopkins University wrote an article discussing whether or not Telegram is really an encrypted messaging app. In that article, he mentions that:

  • Unlike other messaging apps like Signal, Telegram does not enable end-to-end (E2E) encryption by default. This means that private messages can be accessed and read on Telegram’s servers. Users must manually activate E2EE via the “Secret Chats” feature, but this is not available for group chats and requires several complex steps to initiate, making it less accessible and practical for most users. Starting a “Secret Chat” in Telegram is a hassle and can only be done when both parties are online. This makes it difficult for casual users to consistently utilize encrypted conversations, leading to widespread underuse of the encryption features.
  • While Telegram positions itself as a secure platform, the lack of default encryption means the majority of communications could be exposed to surveillance or stored by Telegram servers. This is especially concerning for users who believe their messages are automatically secure.
  • Telegram is popular for public broadcasting through ‘channels’ and large group chats that do not support E2E encryption. However, many users mistakenly believe their private one-on-one chats are secure when, in reality, most are not protected by E2E encryption.
  • Like many platforms, Telegram still collects metadata (who is communicating with whom and when), which can be valuable for tracking user behavior, even if the content of the messages is encrypted.

After all of this information, I think you’d have to be pretty fucking stupid to use Telegram for anything.
