Last weekend, Raphael Mimoun hosted a digital security training workshop via videoconference with a dozen activists. They belonged to one Southeast Asian country’s pro-democracy coalition, a group at direct risk of surveillance and repression by their government. Mimoun, the founder of the digital security nonprofit Horizontal, asked the participants to list messaging platforms that they’d heard of or used, and they quickly rattled off Facebook Messenger, WhatsApp, Signal, and Telegram. When Mimoun then asked them to name the security advantages of each of those options, several pointed to Telegram’s encryption as a plus. It had been used by Islamic extremists, one noted, so it must be secure.
Mimoun explained that yes, Telegram encrypts messages. But by default it encrypts data only between your device and Telegram’s server; you have to turn on end-to-end encryption to prevent the server itself from seeing the messages. In fact, the group messaging feature that the Southeast Asian activists used most often offers no end-to-end encryption at all. They’d have to trust Telegram not to cooperate with any government that tries to compel it to cooperate in surveilling users. One of them asked where Telegram is located. The company, Mimoun explained, is based in the United Arab Emirates.
First laughter, then a more serious feeling of “awkward realization” spread through the call, says Mimoun. After a pause, one of the participants spoke: “We’re going to have to regroup and think about what we want to do about this.” In a follow-up session, another member of the group told Mimoun the moment was a “rude awakening.”
Earlier this month, Telegram announced that it had hit a milestone of 500 million active monthly users and pointed to a single 72-hour period when 25 million people had joined the service. That surge of adoption seems to have had two simultaneous sources: First, right-wing Americans have sought less-moderated communications platforms after many were banned from Twitter or Facebook for hate speech and disinformation, and after Amazon dropped hosting for their preferred social media service Parler, taking it offline.
But ask Raphael Mimoun—or other security professionals who have analyzed Telegram and who spoke to WIRED about its security and privacy shortcomings—and it’s clear that Telegram is far from the best-in-class privacy haven that Durov describes and that many at-risk users believe it to be. “People turn to Telegram because they think it’s going to keep them safe,” says Mimoun, who last week published a blog post about Telegram’s flaws that he says was based on “five years of bottled up frustration” about the misperceptions of its security. “There is just a really big gap between what people feel and believe and the reality of the privacy and security of the app.”
Telegram’s privacy protections aren’t necessarily faulty or broken on a fundamental level, says Nadim Kobeissi, a cryptographer and founder of the Paris-based cryptography consultancy Symbolic Software. But when it comes to encrypting users’ communications so that they can’t be surveilled, it simply doesn’t measure up to WhatsApp—not to mention the nonprofit secure messaging app Signal, which Kobeissi and most other security professionals recommend. That’s because WhatsApp and Signal end-to-end encrypt every message and call by default, so that their own servers never access the content of conversations. Telegram by default only uses “transport layer” encryption that protects the connection from the user to the server rather than from one user to another. “In terms of encryption, Telegram is just not as good as WhatsApp,” says Kobeissi. “The fact that encryption is not enabled by default already puts it way behind WhatsApp.”