With the news that Pavel Durov, CEO of the Telegram messaging app, was arrested in France I have again seen some pretty uncritical reporting from big news media. Of course, the security of Telegram was not the main point of the reporting on Durov’s arrest, but nevertheless, media should correctly report that Telegram is not a secure messaging app.
Telegram is an encrypted messaging app
The media will often report that Telegram is an encrypted messaging app. While this might be technically true, it is in my opinion an oversimplification and largely misleading.
While, yes, there is encryption in Telegram, the statement is a massive oversimplification. For a few years now, almost all digital communications have been encrypted in transit, and rightly so. By that definition this is an “encrypted” blog, because it is served over HTTPS. Encryption is everywhere now, but when it comes to messaging and communication, I think the only relevant property is end-to-end encryption, where only the sender and the recipient can read the messages. That is not the case for Telegram unless you explicitly use Secret Chats. Telegram can therefore read messages sent through normal chats or group chats on its servers, and arguably so could anyone else with access to those servers [1].
Again, I’m not entirely sure what those “desirable encryption features” are. Encryption in transit is required for any iOS app, and it is the default for most websites. So I’m not entirely sure these encryption features count as “desirable” when they appear to be pretty standard.
Telegram is not an end-to-end-encrypted messaging app
The thing is, for messages end-to-end encryption should be the standard. Only the person writing a message and the person reading it should get the message. No one in between should be able to read the message. And this is done by end-to-end encryption. Simple as that!
As the Guardian reports here, Telegram does offer end-to-end encrypted messages. So the statement is technically true. But again it’s a strong oversimplification. The vast majority of the messages sent through Telegram are not end-to-end encrypted. Most messages are protected about as well as a letter sent by mail. Unless people specifically use the Secret Chats feature, Telegram is not end-to-end encrypted.
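To make the distinction between “encrypted in transit” and “end-to-end encrypted” concrete, here is a small Python model. It is an added illustration, not code from the original post and not anything from Telegram. It uses a constructed toy cipher (a SHA-256 keystream, for illustration only and not a real cipher) and made-up parties named alice and bob. In the normal-chat mode the server terminates each client’s transport link, so it can log the plaintext; in the secret-chat mode the same server only ever sees an opaque blob inside that link.

```python
"""Added illustration: hop-by-hop transport encryption versus end-to-end encryption.

The cipher here is a toy keystream built from SHA-256. It only exists to make
the key-ownership argument concrete; it is NOT a real cipher. All parties,
keys and messages are constructed for the example.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||nonce||counter. Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; a fresh random nonce is prepended."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


@dataclass
class Server:
    """The provider. Every client's transport link terminates here, so the
    server holds one link key per client (the role TLS plays in practice)."""
    link_keys: dict = field(default_factory=dict)
    observed: list = field(default_factory=list)  # everything the server could log

    def relay(self, sender: str, recipient: str, on_the_wire: bytes) -> bytes:
        # Transport encryption ends at the server: strip the sender's link layer...
        payload = toy_decrypt(self.link_keys[sender], on_the_wire)
        self.observed.append(payload)  # ...look at (or store) what is inside...
        # ...and wrap it again for the recipient's link.
        return toy_encrypt(self.link_keys[recipient], payload)


@dataclass
class Client:
    name: str
    link_key: bytes                                # shared with the server only
    chat_keys: dict = field(default_factory=dict)  # shared with a peer, never the server

    def send(self, server: Server, recipient: str, text: str, end_to_end: bool) -> bytes:
        payload = text.encode()
        if end_to_end:
            # "Secret chat": encrypt for the peer first, so the server only ever
            # sees an opaque blob inside the transport layer.
            payload = toy_encrypt(self.chat_keys[recipient], payload)
        return server.relay(self.name, recipient, toy_encrypt(self.link_key, payload))

    def receive(self, blob: bytes, sender: str, end_to_end: bool) -> str:
        payload = toy_decrypt(self.link_key, blob)
        if end_to_end:
            payload = toy_decrypt(self.chat_keys[sender], payload)
        return payload.decode()


def run_exchange(text: str, end_to_end: bool) -> tuple[str, bool]:
    """Send one message from alice to bob via the server (constructed parties).

    Returns (what bob read, whether the server's log contains the plaintext).
    """
    alice = Client("alice", link_key=secrets.token_bytes(32))
    bob = Client("bob", link_key=secrets.token_bytes(32))
    server = Server(link_keys={"alice": alice.link_key, "bob": bob.link_key})

    # Secret-chat key agreed between the two peers; the server never holds it.
    chat_key = secrets.token_bytes(32)
    alice.chat_keys["bob"] = chat_key
    bob.chat_keys["alice"] = chat_key

    blob = alice.send(server, "bob", text, end_to_end)
    received = bob.receive(blob, "alice", end_to_end)
    server_can_read = text.encode() in server.observed
    return received, server_can_read


if __name__ == "__main__":
    for mode in (False, True):
        got, leaked = run_exchange("meet at noon", end_to_end=mode)
        print(f"end_to_end={mode}: bob read {got!r}, server saw plaintext: {leaked}")
```

Bob reads the message correctly in both modes; the only thing that changes is who holds the key that protects the content. With transport encryption alone the server is a legitimate endpoint of every link, so anyone who controls or compromises it sees what users send. With an end-to-end key that the peers agreed on between themselves, the server relays bytes it cannot interpret.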
Why message encryption is important
This really grinds my gears because I think that messages should be completely private and encrypted. For messaging apps, end-to-end encryption should be the standard, and any messaging app that is not end-to-end encrypted should be considered insecure and, if possible, avoided. We expect banks to secure their online systems [2]; just as a bank is not secure if someone can withdraw money without passing your security checks, a messaging app is not secure if it doesn’t use end-to-end encryption.
And especially with Telegram, which is quite popular in Russia and Ukraine, this is extra important. In Russia, good encryption of your messages might be necessary to protect your freedom or safety. People fighting against the current Russian regime should be protected as well as possible, and that is only possible by using secure messaging, and not Telegram — which is not end-to-end encrypted.
Update at 08:12: The Verge has good reporting
I just read another article, this time from the Verge:
See, it’s not that hard, and some media can properly report on Telegram’s encryption features.
[1] In this case, it’s probably not the operators of the servers, but rather a state actor with surveillance aspirations.
[2] Banks largely follow best practices when it comes to security. There are, of course, some notable exceptions to that. But then a bank will probably also have some insurance in case something goes horribly wrong.