Following the arrest of Telegram CEO Pavel Durov in Paris last week, privacy advocates quickly rallied to his defense, with the likes of Proton CEO Andy Yen calling Durov’s arrest “insane.”
But in the days since, a rift has opened up among the developers of privacy-focused apps and cryptocurrencies, with some questioning Telegram’s tools for “protecting user privacy.”
In a recent interview with WIRED, Meredith Whittaker, president of the secure messaging app Signal, argued that Telegram “doesn't provide meaningful privacy or end-to-end encryption.” She drew a distinction between Signal as a “private and secure communications app” and Telegram as a “social media app that allows an individual to communicate with millions at once.”
Signal co-founder Moxie Marlinspike doubled down on Whittaker’s claims in a tweet, pointing out that “Telegram messages aren't [end-to-end] encrypted. It is also a ‘cloud messenger,’ meaning that all messages live on Telegram's servers rather than the user's device.”
Zooko Wilcox-O'Hearn, former CEO of the Electric Coin Company, the company behind privacy coin Zcash, also took to Twitter to criticize Telegram’s “decision to falsely advertise itself as an encrypted, secure service.”
Other experts are similarly skeptical.
“Telegram branded itself as an encrypted messenger, it really isn't, it's centralized, and those keys are not private,” Christien Rioux, president and chief architect of the Veilid Foundation, told Decrypt. “The fact is if you can compel a company to hand over information, then it really wasn't private to begin with.”
Veilid is a peer-to-peer, open-source framework for building private apps. Veilid Foundation vice president Katelyn Bowden went further.
“Telegram isn't private, it's not encrypted, and considering the most recent events with Pavel Durov getting arrested and then being released, there's a very good chance that the French government already has all the data they need, and I think that really should be concerning,” Bowden said.
Kim Crawley, cybersecurity expert, author, and instructor at the Open Institute of Technology, told Decrypt that the sense that Telegram is secure is widespread.
“It's interesting because I have personally seen a lot of Dark Web drug dealers also set up shop through Telegram,” she said, noting that the technical debate can also get lost in the weeds.
“It would be nice if all these platforms were as secure as advertised, so your average layperson doesn't have to be a paranoid hacker,” Crawley said.
Telegram and encryption
While Telegram does offer end-to-end encryption, that level of security is not the default and is only available on its Secret Chat messaging feature. The majority of chats on the platform using cloud-based encryption, making messages in Cloud Chats “theoretically” accessible by third parties.
Telegram claims that decryption keys for Cloud Chats are “split into parts and are never kept in the same place as the data they protect,” and it would require “several court orders from different jurisdictions” to force the firm to surrender those keys. “We have disclosed 0 bytes of user data to third parties, including governments, to this day,” the firm notes.
Decrypt has reached out to Telegram for comment and will update this story should they respond. In a pre-written statement, the firm said that it is “committed to protecting user privacy and human rights such as freedom of speech and assembly.”
Durov was arrested by France’s National Anti-Fraud Office on Saturday, and taken to court on Wednesday, where he was formally indicted on multiple charges including enabling the use of his platform for drug trafficking, organized fraud, and the dissemination of child sexual abuse material (CSAM).
As well as paying a €5 million bond (about $5.5 million), the Telegram CEO has been prohibited from leaving French territory and must report to a police station twice a week.