Following the arrest of Telegram CEO Pavel Durov in Paris last week, privacy advocates quickly rallied to his defense, with the likes of Proton CEO Andy Yen calling Durov’s arrest “insane.”
But in the days since, a rift has opened up among the developers of privacy-focused apps and cryptocurrencies, with some questioning Telegram’s tools for “protecting user privacy.”
In a recent interview with WIRED, Meredith Whittaker, president of the secure messaging app Signal, argued that Telegram “doesn't provide meaningful privacy or end-to-end encryption.” She drew a distinction between Signal as a “private and secure communications app” and Telegram as a “social media app that allows an individual to communicate with millions at once.”
Signal co-founder Moxie Marlinspike doubled down on Whittaker’s claims in a tweet, pointing out that “Telegram messages aren't [end-to-end] encrypted. It is also a ‘cloud messenger,’ meaning that all messages live on Telegram's servers rather than the user's device.”
Zooko Wilcox-O'Hearn, former CEO of the Electric Coin Company, the company behind privacy coin Zcash, also took to Twitter to criticize Telegram’s “decision to falsely advertise itself as an encrypted, secure service.”
Telegram Responds to Founder and CEO Pavel Durov's Arrest in France
Telegram has hit back against the stunning arrest of its CEO and founder, Pavel Durov, claiming he has "nothing to hide" in a statement posted to the messaging platform's official news channel. "Telegram abides by EU laws, including the Digital Services Act—its moderation is within industry standards and constantly improving," it said on Sunday. Durov was arrested in France late Saturday after arriving from Azerbaijan on his private jet at Le Bourget airport outside Paris. The detention of Durov...
Other experts are similarly skeptical.
“Telegram branded itself as an encrypted messenger, it really isn't, it's centralized, and those keys are not private,” Christien Rioux, president and chief architect of the Veilid Foundation, told Decrypt. “The fact is if you can compel a company to hand over information, then it really wasn't private to begin with.”
Veilid is a peer-to-peer, open-source framework for building private apps. Veilid Foundation vice president Katelyn Bowden went further.
“Telegram isn't private, it's not encrypted, and considering the most recent events with Pavel Durov getting arrested and then being released, there's a very good chance that the French government already has all the data they need, and I think that really should be concerning,” Bowden said.
Kim Crawley, cybersecurity expert, author, and instructor at the Open Institute of Technology, told Decrypt that the sense that Telegram is secure is widespread.
“It's interesting because I have personally seen a lot of Dark Web drug dealers also set up shop through Telegram,” she said, noting that the technical debate can also get lost in the weeds.
“It would be nice if all these platforms were as secure as advertised, so your average layperson doesn't have to be a paranoid hacker,” Crawley said.
Hong Kong Just Kicked Out Worldcoin Over Privacy Concerns
The Hong Kong government ordered Worldcoin to cease operations within its borders on Wednesday, accusing the identity project of skirting its privacy rules. The administration's Privacy Commissioner for Personal Data (PCPD) is demanding Worldcoin leave Hong Kong—and is asking citizens to report if they see further Worldcoin operations. “The privacy commissioner has served an enforcement notice on Worldcoin Foundation, directing it to cease all operations of the Worldcoin project in Hong Kong in...
Telegram and encryption
While Telegram does offer end-to-end encryption, that level of security is not the default and is only available on its Secret Chat messaging feature. The majority of chats on the platform using cloud-based encryption, making messages in Cloud Chats “theoretically” accessible by third parties.
Telegram claims that decryption keys for Cloud Chats are “split into parts and are never kept in the same place as the data they protect,” and it would require “several court orders from different jurisdictions” to force the firm to surrender those keys. “We have disclosed 0 bytes of user data to third parties, including governments, to this day,” the firm notes.
Decrypt has reached out to Telegram for comment and will update this story should they respond. In a pre-written statement, the firm said that it is “committed to protecting user privacy and human rights such as freedom of speech and assembly.”
Durov was arrested by France’s National Anti-Fraud Office on Saturday, and taken to court on Wednesday, where he was formally indicted on multiple charges including enabling the use of his platform for drug trafficking, organized fraud, and the dissemination of child sexual abuse material (CSAM).
As well as paying a €5 million bond (about $5.5 million), the Telegram CEO has been prohibited from leaving French territory and must report to a police station twice a week.
