Telegram has full access to all of the content of group chats and regular one-to-one chats due to lack of end-to-end encryption. Their opt-in secret chats use homegrown end-to-end encryption with weaknesses. Deleting the content from the app likely won’t remove all copies of it.

Telegram has heavily participated in misinformation campaigns targeting actual private messaging apps with always-enabled, properly implemented end-to-end encryption such as Signal. You should stop getting any advice from anyone who told you to use Telegram as a private messenger.

Telegram is capable of handing over all messages in every group and regular one-to-one chat to authorities in France or any other country. A real private messaging app like Signal isn’t capable of turning over your messages and media. Telegram/Discord aren’t private platforms.

A major example of how Telegram’s opt-in secret chat encryption has gone seriously wrong before: https://words.filippo.io/dispatches/telegram-ecdh/.

The practical near term threat is for the vast majority of chats without end-to-end encryption: 100% of Telegram group chats and the regular 1-to-1 chats.

Companies should treat user data as toxic waste rather than as something they want to gather and hoard for business models like targeted advertising. It’s not a good thing to have a bunch of sensitive data which could be obtained by adversaries or requested by a government.

Not using E2EE creates a lot more legal risk than using E2EE, at least while E2EE is still legal in most of the world. Not using E2EE gives the technical capability to moderate, provide data, etc., and therefore governments expect that to be done. That’s why they hate E2EE.

Apps like Signal and SimpleX can’t access messages, media and profiles. Telegram has access to all content in private group chats and regular private messages unless people used a secret chat. They can automatically scan it, moderate and provide data to authorities based on it.

Telegram chose to have the technical capability to see all private group chats and regular direct messages. In doing so, they put private user data at risk of seizure by governments. The scramble to try to delete data shows lack of basic threat modelling:

https://x.com/sambendett/status/1827712700299821277

Even Facebook’s WhatsApp uses end-to-end encrypted direct messages and group chats and WhatsApp is clearly not a private messaging app. It’s not a niche feature. Telegram shouldn’t have been heavily marketed as private/encrypted when most user data can be handed to governments.

  • MajorHavoc@programming.dev · 1 point · edited · 20 days ago

    Sorry to stray from the topic, but not sorry enough not to ask:

    Anyone around here have evidence that WhatsApp actually does E2E?

    I’m unwilling to accept Meta’s public claims, which could easily result in a tiny slap-on-wrist fine someday if Meta is lying. I consider Meta’s history of honesty about their security to be dubious.

    With a closed source app, I figure we can see it’s encrypted as it leaves the device…

    But I, personally, wouldn’t bet $25.00 that Meta doesn’t decrypt, sniff, data mine and then re-encrypt, at the server side.

    I’ll admit, I am known to be a bit on the paranoid side.

    Are we just repeating Meta’s claim? Or is there a reason I should be giving Meta more credit?

    This is a sincere question - Meta produces some fantastic open source products, so I do try to only dunk on them the correct amount…

    • KindnessInfinity (OP, M) · 2 points · 18 days ago

      General thought is that if Meta was lying about E2EE, due to their massive size, it would likely be leaked to the general public that they were lying. The app also has such a large userbase of skilled security researchers that can and do reverse engineer it, so they’d also find out if Meta lied.

      • Boomkop3@reddthat.com · 1 point · 17 days ago

        They had a flat text file with millions of users’ names/passwords in the office for almost a decade. I’m not so sure whether internal implementation details leak quicker than that or not.