Wire Blog - Europe's Secure Collaboration Platform

Is Telegram a Security or Surveillance Tool?

Written by Alex Henthorn-Iwane | 16.06.2025

Telegram is one of the most widely used messaging apps in the world today, claiming a billion monthly active users. The reason for its rise has to do with its brand reputation for valuing and enforcing privacy. However, there are substantial reasons to be suspicious of the service's true security and integrity, according to recent reporting by the Organized Crime and Corruption Reporting Project (OCCRP), which reveals troubling ties to Russian state intelligence services through shadowy organizations that run significant aspects of its network infrastructure.

While this new reporting is alarming, it is also a good reminder that in our current digital landscape, organizations cannot take sovereignty, privacy, protection, and app security for granted. Beyond the scandalous assertions of the OCCRP’s research are more fundamental issues with how many so-called secure communications apps market themselves versus how they function, and how they are managed.

When considering secure communications for your organization, there are clear markers of trustworthiness that you can look for. This blog not only gives you the juice on Telegram, but also gives you four key trust signals to look out for in choosing a secure communications platform.

First, the Juicy Bits

Despite its security brand and assumed privacy credentials, OCCRP reporting shows that Telegram retains deep connections to individuals and organizations with close ties to the Russian state apparatuses that perform mass signal intelligence.

“When reporters investigated who controls the infrastructure that keeps Telegram’s billions of messages flowing, they found a man with no public profile but unparalleled access: Vladimir Vedeneev, a 45-year-old network engineer.

Vedeneev owns the company that maintains Telegram’s networking equipment and assigns thousands of its IP addresses. Court documents show that he was granted exclusive access to some of Telegram’s servers and was even empowered to sign contracts on Telegram’s behalf.”

According to the reporting, two of Vedeneev’s companies, which have operational involvement with Telegram infrastructure, have had multiple clients tied to Russian security services, including the FSB intelligence agency and a secretive agency that helped plan the invasion of Ukraine and developed tools to de-anonymize Internet users.

These relationships are one piece of a troubling picture of potential mass metadata mining. The other puzzle piece is the fact that, contrary to the perception of secure, encrypted communications, for most users Telegram is anything but. In fact, the way that both the core MTProto encryption protocol and the app are designed means that Telegram generates huge amounts of both plain-text user content and signaling metadata that is ripe for mass surveillance.

Telegram is Social Media, Not Secure Communications

A secure communications app or platform is fundamentally defined by the default use of end-to-end encryption (E2EE). Despite its reputation, Telegram doesn’t meet this minimum bar. According to OCCRP reporting, the default for all communications is with encryption off. You have to turn on a “secret chat” function, which is only for 1:1 chats. All group messaging is in the clear. The article highlights that “Durov’s former colleague Anton Rosenberg pointed out as far back as 2018, the vast majority do not do so, instead corresponding through regular “cloud” chats, which are stored on the company's servers.”

So much for secure communications. In essence, if Rosenberg is to be believed, Telegram is 99% social media and 1% secure communications.

Telegram is Subject to a Surveillance State

While Telegram claims all user data is secure, you don’t have to dig into salacious reporting about Kremlin connections to know that any infrastructure hosted in or by a Russian entity is subject to surveillance laws. The same goes for Chinese apps. Or, due to the Cloud Act and other measures, the United States.

When it comes to sovereignty, the safe assumption is to count on surveillance states acting precisely how their laws define. In the case of Telegram, that huge sucking sound you hear just might be your data being collected and surveilled by Russian intelligence.

Telegram is a Metadata Machine

The article uncovers one other fascinating or, depending on your perspective, scary fact, which is that the transport encryption protocol that Telegram utilizes has built-in metadata collection. According to the article, the MTProto protocol specifies that an unencrypted element, called ‘auth_key_id’, is attached to the beginning of each encrypted message.

According to Michał “rysiek” Woźniak, a security specialist who used to work for OCCRP as head of infrastructure and information security, “This makes it possible to identify a specific user device. If I know your device’s ‘auth_key_id,’ and I can listen in on the network that handles the data … I know it is your specific device communicating with Telegram servers,” he explains. “By looking at the network packets … I also get your IP address at a given time, which tells me your rough geographic location.”

Combine this metadata collection with the reporting on Russian intelligence connections to the folks who run the network infrastructure, and you start to get the picture of a massive metadata machine.
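To make the exposure concrete, here is an added example (not code from OCCRP, Telegram, or Wire) showing why a cleartext `auth_key_id` prefix links traffic to one device even though the payload is encrypted. It assumes the layout in the public MTProto description (8-byte `auth_key_id`, 16-byte `msg_key`, then ciphertext), ignores transport framing, and uses constructed keys, IP addresses, and timestamps; all function names are hypothetical.

```python
import hashlib
import os
import struct
from collections import defaultdict

def auth_key_id(auth_key: bytes) -> int:
    """64 low-order bits of SHA-1(auth_key), per the public MTProto description."""
    return struct.unpack("<Q", hashlib.sha1(auth_key).digest()[-8:])[0]

def build_message(auth_key: bytes, payload_len: int = 64) -> bytes:
    """Constructed stand-in for one encrypted message on the wire:
    auth_key_id (8 bytes, cleartext) | msg_key (16 bytes) | ciphertext.
    Random bytes stand in for msg_key and the encrypted payload."""
    prefix = struct.pack("<Q", auth_key_id(auth_key))
    return prefix + os.urandom(16) + os.urandom(payload_len)

def observed_key_id(wire_bytes: bytes) -> int:
    """What an on-path observer reads without holding any key: the first 8 bytes."""
    if len(wire_bytes) < 24:
        raise ValueError("too short for auth_key_id + msg_key")
    return struct.unpack_from("<Q", wire_bytes)[0]

def correlate(observations):
    """Group (timestamp, src_ip, wire_bytes) sightings by cleartext auth_key_id."""
    sightings = defaultdict(list)
    for ts, src_ip, wire in observations:
        sightings[observed_key_id(wire)].append((ts, src_ip))
    return dict(sightings)

# Constructed sample: two devices with 2048-bit keys; device A changes networks.
DEVICE_A = hashlib.sha256(b"constructed-device-a").digest() * 8
DEVICE_B = hashlib.sha256(b"constructed-device-b").digest() * 8
SAMPLE = [
    ("2025-06-01T08:00Z", "198.51.100.7", build_message(DEVICE_A)),
    ("2025-06-01T08:05Z", "203.0.113.20", build_message(DEVICE_B)),
    ("2025-06-01T19:30Z", "192.0.2.44", build_message(DEVICE_A)),
]

if __name__ == "__main__":
    for key_id, seen in correlate(SAMPLE).items():
        print(f"{key_id:016x}: {seen}")
```

The ciphertext differs on every message, yet the first eight bytes stay constant per device, so the two sightings of device A on different networks collapse into one record with no decryption involved.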

Four Trust Signals for Secure Communications

If your organization is handling high value IP, regulated data, or classified communications, it is high time to ensure that you can in fact conduct secure communications, rather than relying on potentially misleading claims or assumptions. Here are four trust signals you should be looking for:

1. Everything End-to-End-Encrypted, Everywhere, All the Time.

“We have encryption” isn’t enough. “We are end-to-end encrypted” isn’t enough. Telegram isn’t the only “secure messaging” app that turns off E2EE by default. Even the venerable and generally well-regarded Element/Matrix defaults to non-encrypted in certain group chats. This is dangerous. Why? The reason is that anything that you reveal can and will be used against you. And every app designer knows that users will always choose the path of least resistance, especially when it comes to turning on security features.

So every chat, call, video-conference, emoji, and file shared, should be E2EE by default, with no exceptions and no excuses. When apps are designed to default to non-encrypted, this is a clear sign that they are not serious about protection and that the app will introduce significant risk in practical use.

Wire defaults E2EE on for every single feature and always strives to make the highest degree of security delightfully invisible to end users.

2. Crystal Clear Access Control

If you want to avoid getting snared by a SignalGate-level fiasco, make sure your secure communications app makes it very clear who is part of any group–internal, external, or guest. This is a major downfall of consumer social-media oriented apps like WhatsApp, Signal, and Telegram. They aren’t made for keeping organizational boundaries secure. They’re built for planning vacation with granny or NSFW conversations. Make sure that your secure communications platform makes it easy to control and to clearly display who is in a group. You shouldn’t have to be an expert; it should be obvious. This is another design principle that Wire holds to strictly. In the Wire app, it’s easy to manage access and to see visual cues about internal, external, and guest members.

3. Zero Trust and Zero Knowledge Architecture

While the above points on E2EE and clear access control are important enough to single out, in general secure communications requires both zero trust and zero knowledge design.

Zero trust means no implicit trust. All users, devices, and systems must continuously prove identity and authorization. For example, when dealing with a large base of users and devices, this means that you need automated, cryptographic device fleet verification.

Zero knowledge means that the app provider and admins have no access to user data, keys, or metadata that can be used to decrypt content. Only the user holds the cryptographic material required to access their data. If your secure messaging app stores keys centrally with any possibility of admin access, this is a clear violation of zero knowledge principles.

Wire strictly adheres to both zero trust and zero knowledge principles, to ensure the highest possible security.

4. Data and App Sovereignty

One of the key lessons from the Telegram reporting is that data sovereignty is foundational to secure communications. If your app is subject to a surveillance state’s intrusion, your communications aren’t secure. Remember that it’s not just about the location of servers. Tech companies can make all the promises they want about data sovereignty, but at the end of the day they will still be subject to the laws of their headquarters country. For example, the U.S. Cloud Act specifies any data *managed* by a U.S. cloud provider must be made available to the U.S. government. FISA 702 allows NSA bulk collection of anything that flows through U.S. infrastructure or providers.

The EU currently has the strongest rights-based, privacy-centered data sovereignty laws. Wire is headquartered and operates in Germany, which upholds some of the strictest privacy-oriented data sovereignty laws, and Wire Cloud servers are hosted within the EU to ensure the strongest adherence to these laws and principles.

Sadly, data is not the only sovereignty matter to be concerned about. The recent news of Microsoft blocking the International Court of Justice’s chief prosecutor’s access to its services due to geopolitical aims of the U.S. administration is a sign that we have also entered a new risk landscape related to app sovereignty. If your organization runs afoul of the political opinions of an app’s home country, you might suddenly suffer a political denial of service attack. This is a further reason why privacy-oriented laws are so important. For example, GDPR (Articles 9, 21, 22, etc.) provides strong protections against arbitrary denial of service due to political views. Wire strictly complies with GDPR and other such EU data privacy laws.

Re-Evaluate Your “Secure Communications”

If there is a single lesson to be learned from the reporting on Telegram, it is that if your data and communications are valuable enough to protect, then you should seriously evaluate whether your “secure communications” are delivering that in more than name or marketing. The risk of data breaches in today’s highly threatening digital environment is too high to be complacent. Apply the trust signals outlined in this blog. And if you haven’t yet, learn about Wire–the industry’s gold standard for secure communications. If you’re ready to start, you can get hands-on yourself by signing up for a free account, or contact us for a more in-depth discussion of your needs and goals.