Why Telegram isn’t as secure as you think
Telegram is marketed as a secure messaging app and used by Hong Kong protesters, but experts say it has flaws
Update: Telegram responds to claims that its encryption is flawed.
When thousands of protesters took to the streets in Hong Kong Wednesday to protest a controversial extradition law, many turned to Telegram to get organized. Pitched as a secure communication tool, Telegram has been used by both activists and terrorists to avoid government scrutiny. But just how secure is it really?
Hang on a second, what exactly is Telegram?
Telegram is a free messaging app. Just like other similar services, you can send texts, videos and other files.
The platform was founded in 2013 by Pavel Durov, a Russian entrepreneur currently in exile after a spat with the administration of President Vladimir Putin. The company is registered both in the US and the UK, and it runs mostly on funds from Durov himself.
Telegram boasted 200 million monthly active users in March 2018, roughly 13% of WhatsApp’s user base at the time. In March this year, Telegram reported a sudden surge of 3 million new users within 24 hours when Facebook Messenger, Instagram and WhatsApp all suffered temporary outages.
Why is Telegram in the spotlight in Hong Kong?
The messaging app has become one of Hong Kong’s most downloaded apps this week, according to App Annie, as massive protests erupted in the city.
Demonstrators occupied a key road near the government headquarters on Wednesday, calling for the city’s leader to shelve a bill that would enable Beijing to extradite fugitives to mainland China. Authorities say the law is designed to plug loopholes, but critics fear it would be used to target political dissidents.
Protesters used Telegram to share news and exchange logistical details. Some of these groups or channels have tens of thousands of members and subscribers. On the same day, though, Telegram reported that it suffered a distributed denial of service (DDoS) attack, as its servers became overloaded with an extraordinarily large number of requests.
Telegram’s Durov said the IP addresses executing the attacks came “mostly from China.”
Why would protesters use Telegram?
For one, Telegram lets you communicate with a massive number of people all at once.
Group chats on Telegram can accommodate up to 200,000 members, far more than on WhatsApp or iMessage. Another feature, Channels, allows messages to be broadcast to an unlimited number of subscribers. Anyone can join a public channel, while private channels require an invitation.
How about security? Are Telegram messages safe from snoopers?
Telegram has marketed itself as a secure messaging app. There are indeed ways to keep chats private on Telegram, but only if you know how.
Unlike WhatsApp and iMessage, Telegram conversations aren’t encrypted end-to-end by default. Instead, users have to select the Secret Chat feature to ensure only they and the intended recipient can read the message.
But even with this feature, some experts argue that Telegram’s encryption is fundamentally flawed. The service uses its own proprietary protocol called MTProto, which lacks scrutiny from outside cryptographers.
Telegram’s mobile app has also been accused of exposing a crucial digital footprint called metadata. Researchers at MIT found that a hacker could pinpoint down to the second when a user goes online or offline.
A Telegram representative told us that MTProto's specifications are fully documented and that the app’s source code is open for evaluation. She also pointed out that a Telegram user can adjust their “last seen” settings to control who can see when they go online or offline.
Still, just like with all messaging apps, there’s no foolproof way of stopping any chat participant from taking screenshots of your conversation and sharing it with others.
The problem is that some users don’t seem to be aware of the risks of using Telegram. On Tuesday, police in Hong Kong arrested the administrator of a Telegram group involving some 30,000 participants. He was accused of plotting with others to charge the government complex and adjacent roads.
Are there any safe alternatives out there?
WhatsApp, iMessage and Signal all use end-to-end encryption. Their protocols have been checked and praised by many professional cryptographers. Users can safely assume that their messages are private, unless their phones or computers have been compromised.
Still, even when attackers cannot read the content of your chats, each message leaves behind certain metadata. It may be possible for attackers to see whom a user has been contacting, at what time and for how long.
Signal has been exploring ways to minimize metadata exposure to keep a sender’s identity protected even if the communication is intercepted.
WhatsApp says metadata is encrypted to remain hidden from “unauthorized network observers,” but it has reportedly cooperated with law enforcement by handing over metadata. Telegram says in its Terms of Service that it may collect metadata such as IP addresses and devices, and any collected data is kept for 12 months at most.
It’s also important to note that while your chats may be end-to-end encrypted, the backups may not be. Apple’s iCloud, for instance, only promises end-to-end encryption for “certain sensitive information” such as health and payment info. Apple has stressed, however, that for all other iCloud data the company itself holds the encryption key.