Why Telegram isn’t as secure as you think
Telegram is marketed as a secure messaging app and used by Hong Kong protesters, but experts say it has flaws
Hang on a second, what exactly is Telegram?
Telegram is a free messaging app. Just like other similar services, you can send texts, videos and other files.
The platform was founded in 2013 by Pavel Durov, a Russian entrepreneur currently in exile after a spat with the administration of President Vladimir Putin. The company is registered both in the US and the UK, and it runs mostly on funds from Durov himself.
Why is Telegram in the spotlight in Hong Kong?
Demonstrators occupied a key road near the government headquarters on Wednesday, calling for the city’s leader to shelve a bill that would enable Beijing to extradite fugitives to mainland China. Authorities say the law is designed to plug loopholes, but critics fear it would be used to target political dissidents.
Protesters used Telegram to share news and exchange logistic details. Some of these groups or channels have tens of thousands of members and subscribers. On the same day, though, Telegram reported that it suffered a distributed denial of service (DDoS) attack, as its servers became overloaded with an extraordinarily large number of requests.
Telegram’s Durov said the IP addresses executing the attacks came “mostly from China.”
Why would protesters use Telegram?
For one, Telegram lets you communicate with a massive number of people all at once.
Group chats on Telegram can accommodate up to 200,000 members, far more than on WhatsApp or iMessage. Another feature, Channel, allows messages to be broadcast to an unlimited number of subscribers. Anyone can join a public channel, while private channels require an invitation.
How about security? Are Telegram messages safe from snoopers?
Telegram has marketed itself as a secure messaging app. There are indeed ways to keep chats private on Telegram, but only if you know how.
Unlike WhatsApp and iMessage, Telegram conversations aren’t encrypted end-to-end by default. Instead, users have to select the Secret Chat feature to ensure only they and the intended recipient can read the message.
But even with this feature, some experts argue that Telegram’s encryption is fundamentally flawed. The service uses its own proprietary protocol called MTProto, which is difficult for outside cryptographers to audit.
And just like with all messaging apps, there’s no way of stopping any chat participant from taking screenshots of your conversation and sharing it with others.
The problem is that some users don’t seem to be aware of the risks of using Telegram. On Tuesday, police in Hong Kong arrested the administrator of a Telegram group involving some 30,000 participants. He was accused of plotting with others to charge the government complex and adjacent roads.
Are there any safe alternatives out there?
WhatsApp, iMessage and Signal all use end-to-end encryption. Their protocols have been checked and praised by many professional cryptographers. Users can safely assume that their messages are private, unless their phones or computers have been compromised.
Still, while attackers are unable to access the content of your chats, each message actually leaves behind certain metadata. It’s possible for attackers to see whom a user has been contacting, at what time and for how long.
Signal has been exploring ways to minimize metadata exposure to keep a sender’s identity protected even if the communication is intercepted.