Today we continue our journey through the world of messaging applications, ‘Secure or not so secure?’. Having covered Threema, Signal and Riot so far, let’s continue our quest with Telegram.
So what is Telegram?
Telegram is a cloud-based messaging app developed by Russian entrepreneurs and brothers Nikolai and Pavel Durov. Although its founders are Russian, the company is registered in both the US and the UK.
The messaging app has reached over 200 million monthly active users, offering secret (encrypted) chats that are augmented by numerous other popular features such as stickers (I hear you, others have stickers too... but Telegram has by far the best!), bots and the ability to store messages in the cloud so that they can be accessed on any of a user’s devices.
When thousands of protesters took to the streets in Hong Kong during this month’s protests against the proposed and controversial new extradition law, many turned to Telegram to help get organized. Pitched as a secure communication tool, Telegram has been used by both activists and others to avoid government scrutiny.
Telegram is also very popular in the crypto world and many projects, even decentralize.today, have groups and chats facilitated by Telegram.
First things first: just as on Riot, encryption is not enforced. Messages are only encrypted when you set up a secret chat! Other messages are stored in plain text!
Telegram can see (and hand over) your IP address and all of your metadata, including your telephone number and the recipient’s, plus your location!
Telegram’s mobile app has also been accused of exposing crucial digital footprint information and researchers at MIT have shown how a hacker can pinpoint to the second when a user goes on and offline.
And whilst Telegram has been known to deny requests to hand over this data, it is possible! You have been warned!
Unlike regular messages, secret chats are not cloud-based and can only be accessed on the device used. Encryption keys are exchanged when a secret chat is initiated, therefore securing the messages sent.
Messages in these secret chats can be deleted at any time and even set to “self-destruct” after a set time. Yet, even with this feature, some experts argue that Telegram’s encryption is fundamentally flawed. The service uses its own proprietary protocol called MTProto, which is difficult for outside cryptographers to audit.
And just like with most messaging apps, there’s no way of stopping any chat participant from taking screenshots of your conversation and sharing or storing it.
During the protests in Hong Kong, Telegram was Hong Kong's most downloaded app on Android and iOS!
However, on the day of the protests, Telegram told its users that it suffered a distributed denial of service (DDoS) attack, where its servers were overloaded with “garbage requests”, causing connection issues for many users.
Telegram CEO Pavel Durov wrote on Twitter:
“IP addresses coming mostly from China. Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception.”
The issue is that some users don’t seem to be aware of the risks of using Telegram. During the recent protests, police in Hong Kong arrested the administrator of a Telegram group with some 30,000 participants. He was accused of plotting with others to storm a government complex and block adjacent roads.
Group chats on Telegram can accommodate up to 200,000 members, far more than on WhatsApp, iMessage, Riot, Signal or Threema, in fact pretty much more than any other messaging app.
One other feature, Channel, allows messages to be broadcast to an unlimited number of subscribers. Anyone can join a public channel, while private channels require an invitation.
Telegram forces you to sign up with your telephone number; however, unlike in former versions, you are no longer forced to share your number with others. Formerly, the other side needed to know your telephone number, or you needed to share it with them. Telegram addressed this issue by allowing you to add a new contact from a fresh chat even without their number.
Additionally, this upgrade adds location-based updates to Telegram including the ability to scan other users nearby to add them as contacts as well as create location-based groups. There are other handy options including a feature to transfer ownership of groups and to manage notifications in a more appropriate fashion.
So, a couple of comments to add on these upgrade features...
First off, the ability to add new contacts even without having them reveal their number upholds Telegram’s stance on privacy. Now, when you receive a message from a new contact, you will see a button at the top to add them to your list of contacts. This button will be visible even if they have chosen to hide their mobile number. Alternatively, if you wish to stay away from the contact, a Block User button is now also available at the top. Unfortunately, the feature is not available for chats from new contacts that predate the upgrade.
Secondly, this update for Telegram brings a feature to scan nearby users and groups based on your GPS location. This is ideal if you wish to add someone as a contact that you’ve just met as it removes the hassle of calling the other phone or manually exchanging numbers. Besides messaging others and joining groups, you can also create location-based groups which other users can find and join.
And you can still use your telephone number to sign up with Telegram, if you so choose.
Telegram has one of the best ecosystems around, meaning not only iOS and Android (and also an F-Droid download option), but also an excellent desktop app for Linux, Mac and Windows.
If you weren’t forced to register for the service with your telephone number, and if Telegram implemented a way to remove metadata and made chats end-to-end encrypted (with open-source, proven encryption), there would not be much to beat Telegram. Unfortunately, this is not the case, and we have seen hacks and leaks over the years involving the service.
In conclusion, whilst Telegram wouldn’t be my first choice when it comes to privacy, it’s still a sleek and handy messaging application.