How journalists should talk about Telegram

crtl-c / crtl-v

This post is migrated from the old Wordpress blog. Some things may be broken.

Whenever Telegram is back in the news, I tend to wince a little. There are going to be the usual series of bad takes, poor descriptions and just inaccurate descriptions. There’s a mix of over-playing Telegram’s security and also writing about a common security tool we all use without thinking on a daily basis — end-to-end encryption — as somehow a suspicious or dark magic ingredient that no one with “nothing to hide” should have any truck with. And with this weekend’s news of Telegram’s founder and CEO, Pavel Durov, being arrested in France, I knew the Bank Holiday weekend’s coverage was going to just be annoying. And sure enough, a little casual scroll of Google News results shows it’s still very common for mainstream press to refer to Telegram as an “encrypted app” and occasionally go so far as to suggest it has a focus on privacy and that messages can’t be intercepted or read by other parties. Gentle people of the press, we must stop this lazy madness. You don’t need to pass on the snake oil salesman pitch as if it was your own.

As of this posting on Monday night, people can only speculate as to why Durov has been arrested. It could be anything. He’s a tech billionaire and runs a dodgy company that makes dubious claims. His company has no clear business model. There could be all kinds of reasons from the mundane to the exotic. What I’m here to do is to encourage any journalists coming across these words to stop both the hype around Signal and the fear mongering over encryption.

Also, read these…

Telegram is neither especially encrypted nor secure

Most of Telegram has no end-to-end (e2e) encryption function at all. There is an option in one-to-one user chats to activate something called “Secret Chat,” but users need to activate this on an individual chat basis each time… and most people don’t think to do it. If used, that encryption is based on an unknown and unreviewed protocol called MTProto which isn’t open and can’t be comprehensively researched or independently tested by cryptography experts. There is no way to determine whether Telegram’s Secret Chats aren’t exploitable, and some clues that at least in the past they have been.

So, Telegram has full access to group chats and all those unencrypted one-to-one chats and maybe or maybe not access to those allegedly securely encrypted chats; we just don’t know. And to use Telegram’s weird, secret recipe homebrew encryption with another user, they both need to be online at the same time. Truly e2e encrypted apps such as Signal, WhatsApp, Threema, Wire and a few others don’t require these kinds of things.

Telegram is more similar to x.com (rip, Twitter) or Discord or many other popular social platforms that also have a lot of engagement and little in terms of privacy features. It’s certainly popular and widely used, with something like a billion downloads and an endless number of news channels around the world in various languages. It has been widely adopted in many countries where other social network sites are less accessible, blocked or seem to have moderation policies that are (or are at least perceived to be) censoring local information.

So, by all means, feel free to call it a social platform and a popular, or widely used app. It’s also one with both limited and opaque moderation policies, and no disclosure policies when it does cooperate with governments or hands over user data. But there is nothing especially secure or encrypted about it. And that’s the real problem. The encryption isn’t the bogeyman, the broken promise of it is. People should be using strong, open and provable encryption that’s well implemented in the software they talk to one another with if their expectation is security or privacy. Encourage people to do that, and let them know it’s not happening on Telegram.