As in all crises—especially geopolitical ones—affected persons often turn to messaging apps to keep in touch with loved ones and communicate with the wider world. One of the most popular messaging apps in the world—and one of the most popular in Ukraine—is Telegram. But now Ukrainians have been reminded about the app’s privacy limitations by the founder of the most secure messaging app in the world, Signal.
Moxie Marlinspike, the creator of Signal, has taken to Twitter to remind Ukrainians that Telegram isn’t truly an “encrypted” app in the way most people think about the term. When most people hear a messenger is “encrypted,” they think that means no one can read their messages, not even the company that owns the app. But that’s not true.
If an app is merely encrypted, the company that makes the app owns the keys and can unlock your messages at any time. Telegram is such an app: by default, it is only “encrypted.” That contrasts with truly secure apps like WhatsApp and Signal, which are “end-to-end encrypted,” meaning even the makers of those apps cannot access your messages because they do not hold the encryption keys (only the users do).
Telegram can still advertise that it offers end-to-end encryption because it has a feature called Secret Chat that end-to-end encrypts messages sent. But this feature must be manually enabled by users, and most Telegram users likely do not do this for every message sent.
So why should Telegram’s lack of true end-to-end encryption make Ukrainians wary?
As Marlinspike explained in a series of tweets, “[Telegram] is by default a cloud database w/ a plaintext copy of every msg everyone has ever sent/recvd…Every msg, photo, video, doc sent/received for the past 10 yrs; all contacts, group memberships, etc are all available to anyone w/ access to that DB.”
This is now a problem specifically for Ukrainians because “Many TG employees have family in Russia. If Russia doesn’t want to bother w/ hacking, they can leverage family safety for access,” Marlinspike wrote.
Every msg, photo, video, doc sent/received for the past 10 yrs; all contacts, group memberships, etc are all available to anyone w/ access to that DB
Many TG employees have family in Russia. If Russia doesn’t want to bother w/ hacking, they can leverage family safety for access.
— Moxie Marlinspike (@moxie) February 25, 2022
Marlinspike is far from the first to warn about Telegram and its encryption. Security researchers and privacy advocates often point out its privacy flaws and don’t recommend the app’s use by journalists, activists, and whistleblowers.
For those who want a deeper dive into why Telegram is less secure and private than most users think, Marlinspike’s Twitter thread from December 2021 is a nice explainer. Fast Company reached out to Telegram for comment.
It's amazing to me that after all this time, almost all media coverage of Telegram still refers to it as an "encrypted messenger."
Telegram has a lot of compelling features, but in terms of privacy and data collection, there is no worse choice. Here's how it actually works:
— Moxie Marlinspike (@moxie) December 23, 2021
Reached for comment, a spokesperson for Telegram disputed that data is stored in plain text on the company’s servers, saying “everything stored in Telegram’s cloud is securely encrypted.” The spokesperson also said, “This kind of FUD is not surprising, coming from a minor competitor (and typical for this one). That said, we can confirm that we have neither developers, nor [servers] in Russia and we don’t see any of the mentioned risks.”