Telegram was never 'privacy-focused,' but it had a lot of people fooled

by · Android Police

Given unlimited electricity, the world's most powerful supercomputer could crack 128-bit encryption — like secure banking apps use — in somewhere between 1,000 and 13 billion years. Entire governments would rise and fall while the supercomputer tests key after encryption key. That kind of security can definitely keep your messages private.

Telegram frequently comes up as an alternative to WhatsApp, and many assume it's private. But Telegram, unlike WhatsApp, has never been end-to-end encrypted by default, meaning admins, authorities, and hackers can, theoretically, read its messages. Fortunately, users are more aware of the app's lack of encryption; the investigation and arrest of Pavel Durov, Telegram CEO and founder, have surprised many, as the company's disclosure of phone numbers and IP addresses has come to light.

Why people recommend Telegram over others

Messaging platform, or social media app?

Telegram's strength lies in its features; chat organization, community management, sent message tweaks, and other quality-of-life functions have long led the market in both variety and effectiveness. The interface gets the job done on any size screen, with agreeable layouts and logical menus and settings.

Features like pinned chats, animated emoji, and group anonymity are so popular that WhatsApp regularly copies them. Its versatility pushes Telegram closer to social media than other messaging apps, with communities sharing bleeding-edge tech leaks and to-the-minute international news updates.

Founder Durov has always emphatically insisted that competitors Signal and WhatsApp are inherently compromised due to their owners' identities or long-past government grants. He's also previously explained that Telegram's purpose is to enable free expression, repeatedly implying and outright stating that his is the most secure messaging app.

But it's simply not true.

Are Telegram messages encrypted?

"Secure" and "strong encryption" may be exaggerations.

Telegram encrypts typical messages in transit, so even if they're intercepted, they can't be read. However, the vast majority of content you send on the app isn't end-to-end encrypted, which is the sense of "encryption" that matters for messaging apps. In theory, Telegram administrators can access nearly all your chats and provide the content to, for example, law enforcement officials.

Telegram does support optional encryption, but you need to jump through hoops to enable it, and it's not very convenient. To start what's called a Secret Chat, you need to open a contact's profile, access the underlying options, open the Secret Chat menu, confirm the Secret Chat, and then you can begin. Oh, and the other party has to be online.

Telegram can't even set up a fully encrypted chat if the recipient's offline or either of you is using the desktop client. And you can't encrypt group chats at all.

What's more, even Secret Chats' encryption worries leading cryptography professionals. Its proprietary, complex, and generally obfuscated implementation is impossible to thoroughly vet. In other words, even if users deal with activating a Secret Chat, there's no guarantee of fundamentally sound encryption free from common backdoors.

Altogether, cumbersome Secret Chats and unverifiable encryption make Telegram a poor choice for sensitive topics, if that really matters to you.

The cold, hard truth about encrypted messaging

How do we know any encryption is secure?

You can only be 100% certain of an app's message security if it uses an open-source encryption algorithm like the original Signal Protocol. Some do, but the most popular, like WhatsApp, add proprietary code on top, so they're not open-source and can't be audited.

An app's owner needs to make the up-to-date code available on a regular basis if it wants the security community to respect its open-source claims. Not just for the end-user client, either, but also the server: Signal once went a year without publishing its server encryption code, only bowing to public backlash in the end.

With no auditing, it's possible (some say likely) that proprietary encryption includes backdoors for law enforcement to access messages upon request. The only way for third parties to beat properly audited encryption is to access your device or the recipient's, and employ malware that, for example, takes screenshots or intercepts notifications.

Thus, the difficulty of proving encryption comes from top messaging apps' failure to allow for verification. For truly secure transmission, consider lesser-used messaging apps that aren't tied to phone numbers (Teleguard or Threema, for example), but only if you absolutely trust the people you're chatting with.

Encryption almost doesn't matter — until it does

Most people aren't very important. Occasional speeding notwithstanding, Android Police readers almost never break the law, let alone frequently encounter sensitive information that could pose a danger if leaked. Upstanding citizens rarely need to worry about government agencies watching their every move.

Regardless, it's still worth keeping personal conversations out of bad actors' hands. That's especially true today, with online tools managing the most sensitive parts of our digital existence. At the very least, consumers deserve to make informed decisions on which platforms deserve our trust.

People who regularly engage with sensitive information, including investigative journalists, political activists, and government contractors, have even more at stake. Less safety-oriented information, like industry trade secrets, can also fall prey to hackers without proper encryption. And while some of the best messaging platforms use E2EE by default, it's by no means the only step toward locking down your info and communications.

Worthwhile security practices for everyday people

Your info is your responsibility

Don't rely on corporations or other organizations to keep you secure; an open-source encryption algorithm doesn't mean much if, for example, someone clicks on questionable links within spam emails. Some relatively simple tools can keep your money, identity, and other digitally accessible property out of the wrong hands, including:

  • Password managers: Memorizing one primary password, and letting a trusted tool create and organize the rest, makes online life easier and safer.
  • Two-factor authentication: Requiring a separate confirmation other than a login screen, like a code delivered via SMS or email, greatly reduces vulnerability. It's far less likely a hacker will compromise multiple critical accounts at once.
  • Tap-to-pay services: Contactless payment, like with Google Wallet, adds another security layer that makes real-world theft essentially impossible.
  • Conscientious information sharing: Don't give away too many personal details on social media. Seemingly innocuous details like addresses, employers, and schools can allow bad actors to impersonate you, or steal account details via social engineering.
  • Scam awareness: Don't. Click. Unfamiliar. Links. If a message gives you a link to "fix your account," you should, instead, navigate to the site and log in manually — there's a decent chance the link is phishing you. Beware of strangers who message you first, especially if they insist on starting a long-distance business or personal relationship.
  • VPNs: Virtual private networks encrypt all data transmitted via your internet connection, hiding your activity from your provider. But they don't affect what happens to it on the server in any way.

Most people don't need to worry much about full end-to-end message encryption, but it's important to have the right information, for physical security, fraud protection, and simple peace of mind. Luckily, a little attention to detail can preemptively thwart the most common scams. Of course, it also helps to avoid engaging in nefarious activities that the authorities might care about, but our readers would never do such things.