
Facebook Users: Use Telegram.

WhatsApp and Apple can read your messages if they really want to.

This article is not sponsored. Telegram does not pay for sponsorship. These words are my personal opinions alone.

2013 was the year that my messaging crisis began.

I move around. A lot. New York, Tennessee, cities. My friends and family don’t move with me. I rely heavily on messaging and calling to keep in contact with those I care about. I thought that my messages and calls were private conversations.

Then Snowden happened. (TL;DR: The government reads all of your stuff to “protect” you.)

2013 was a time when pretty much every messaging solution sucked except for iMessage, and even iMessage sucked because it was often disorganized across multiple devices and only works within iOS and macOS devices (Read: You can only read your messages on Apple devices, and you can only message your friends if they’re on Apple devices.)

Luckily messaging has come quite a ways since then. Except for iMessage, which is disorganized across multiple devices and only works within iOS and macOS devices. Oh well. At least it has stickers now.

At the time, which now seems like a laughably terrible idea, I was using Google’s Hangouts solution to message my friends. They created it from scratch, so Google had every opportunity to revolutionize messaging using privacy, encryption, beauty, and AI smarts. Instead, we got a laggy, crashy, sort of green funnel into the NSA’s servers.

It was late 2014 that I discovered a nifty little gem: Telegram.

neeeeooooowwwwwmmmmmm, swoowsh!

Classy, speedy, and named after the original electronic messaging service, actual telegrams, ahem, Telegram is almost everything that a good messenger should be. It’s also one thing that Hangouts, Facebook Messenger, and iMessage can never be: Not operated by a gigantic multinational corporation with ties to numerous governments around the globe.

Perhaps the biggest endorsement for Telegram came, ironically, from Apple itself when its chief lawyer attempted to criticize the service but ended up just confirming the service’s value and security:

“One of the most pernicious apps that we see in the terrorist space is Telegraph [sic]. It has nothing to do with Apple.”

The disconnection of powerful people from the needs and desires of ordinary people is unreal. Apple also apparently mishandles Telegram updates, according to Telegram co-founder Pavel Durov.

Did you know that the only way to get apps on your iOS device without “jailbreaking” (a lengthy and dangerous process) is Apple’s App Store? All apps on iPhone and iPad have to follow Apple’s rules, and they can reject apps for any reason at all, including if they just feel like it. While the Cupertino company’s steps towards user privacy are admirable, their steps towards user freedom are nearly non-existent.

If you hardly care about the context of security, privacy, encryption, and ethics, worry not: Telegram is feature-packed even for those who would be happy to stream their every move to Trump himself.

  • Way faster than any other messaging app I’ve tested, significantly so
  • Group chats (of up to 5000 members)
  • Crystal-clear voice calls (that sound way better than WhatsApp calls)
  • Voice messages
  • Sending gigantic files of any type
  • Automatically compressing photos and videos to save data
  • Optionally not compressing photos and videos to save quality
  • Channels (which are public group chats where only some people are allowed to post, sort of like a.. channel.)
  • Sticker packs, made by anybody
  • Bots, made by anybody and addable to any group chat
  • Link previews with the ability to play YouTube videos directly in the app
  • Optional “Last Seen” badge for your contacts
  • See when your messages were read by the recipient
  • The ability to let someone message you by giving them your username but not your phone number (ladies?)
  • Optional profile photos
  • Customizable notification settings on a per-chat basis
  • Mute certain chats indefinitely, or just for a few hours
  • The ability to automatically delete your account if you don’t sign in for a few months
  • Custom chat backgrounds and themes on Android
  • Native phone, tablet, desktop, and web apps – there’s even an Xbox app.
  • Open-source client code and encryption protocol for easy audit by third parties
  • APIs for developers to create their own bots and even Telegram apps (for example, on Xbox where Telegram itself has not yet created an official app)
  • Secret chats, which can self-destruct and are not stored on Telegram’s servers and cannot be backed up
  • Non-secret chats are stored encrypted on Telegram’s servers, and the keys to these chats are stored in a different geographical location such that physical intruders or local engineers couldn’t ever decipher a non-secret chat (more on this later)
  • A much nicer and classier name than WhatsApp, which sounds like a child trying to make a pun
  • A comprehensive FAQ

For the privacy-minded: A completely secure Telegram.

There are some things you have to know if you want to maximize your security when using Telegram. Firstly, by default, all you or an attacker (your wireless carrier, for example) need to log in to your Telegram account and access all of your non-secret chats is access to a code that Telegram will text to your phone.

To prevent this, Telegram allows you to set an additional password that is needed on top of the verification code. That way, to log in to Telegram, you or the attacker will need to receive the text message, enter it into Telegram, and then also enter your password. Keep in mind that Telegram will always notify all other devices with your account any time a new device is added.

Remember that secret chats, which are not stored on Telegram’s servers, could not be compromised in this way because they’re only available on the two devices they were originally sent to and from. If you’re discussing something highly sensitive, always use secret chats, just in case. If you’re just sending embarrassing photos from the Christmas party, regular chats are absolutely fine, especially if you’ve taken the steps above.

By the way, you may wonder, why not just do all secret chats? Well, you can, but Telegram notes why they don’t make all chats secret by default:

All Telegram messages are always securely encrypted. Messages in Secret Chats use client-client encryption, while Cloud Chats use client-server/server-client encryption and are stored encrypted in the Telegram Cloud (more here). This enables your cloud messages to be both secure and immediately accessible from any of your devices – even if you lose your device altogether.

In regards to why even “cloud chats” are very secure, Telegram offers this:

To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.

Thanks to this structure, we can ensure that no single government or block of like-minded countries can intrude on people’s privacy and freedom of expression. Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.

To this day, we have disclosed 0 bytes of user data to third parties, including governments.

Facebook Messenger and other cloud-chat services do not use this method, making them vulnerable to warrants from just one government. Unlike Telegram, Facebook is an advertising corporation and wants to increase profits by keeping governments happy and selling your information to advertisers (including 100% of your metadata on WhatsApp). Telegram doesn’t sell ads, charge fees, or care about getting blocked in a specific country. In fact, the only precautions I see Telegram take are ones to remain on Apple’s draconic App Store and Google’s much friendlier Play Store. This makes sense to me, as the best push against Apple’s monopoly on iOS apps would be to fight them with pro-freedom legislation. Otherwise, Telegram will just get banned and lose all its traction.

In order to grow Telegram into the gigantic network that it needs to be to defeat the corporate messengers of our world, Telegram needs secure backups. That’s what people want, and that’s what the Telegram team gave them, along with secret chats for those who don’t.

For the sake of speed in poor connection areas and on old phones, Telegram also rolled their own encryption method called “MTProto,” which has yet to be cracked in any contest (even when Telegram offered $300,000 to do so). It has drawn criticism from both good guys and bad guys who claim that less tested encryption methods shouldn’t be used by those seeking absolute privacy. However, these dogmatic idealists fail to rank the probability of MTProto being broken way below someone simply stealing your phone’s passcode and reading your messages that way. There are many methods a hacker or government would want to deal with before attempting to crack MTProto, as this would likely involve spending billions of dollars (try covering that up) on computing power to run algorithms. Even then, Telegram would patch it immediately, or way more than likely (>99% chance) the invading force would fail altogether.

MTProto relies on stronger versions of classic and simple encryption methods, which is why Telegram is the fastest encrypted messaging app in the world. Plus, it’s open-source and doesn’t require licensing, unlike Signal’s encryption, which is slower and much more corporate. Reportedly much of the criticism of MTProto comes from a media push from Open Whisper Systems to bully everyone into using their own method, thus needing to pay them fees. Funny. More on “Signal” later.

Telegram Voice Calls

They’re great. Lance Lettieri and I have tested these from across the country, comparing them to FaceTime Audio, WhatsApp calls, and actual phone calls. Telegram has the best voice quality by far (about equal to Discord, though), and uses AI to automatically adjust settings to improve call quality as your network connection varies while driving or walking around. These calls are also end-to-end encrypted just like secret chats are, meaning that there is a 0% chance of Obama tapping your Telegram calls. Or anyone else, all jokes aside. Telegram never stores these calls on a server and attempts to connect your devices directly when possible, circumventing the need to bounce off of a server altogether. You can finally talk about your otter-this-world otter porn collection, privately.

Why WhatsApp is 100% encrypted, yet completely insecure

WhatsApp was the original Telegram. When both launched, their themes were nearly identical and they both served nearly the same function and purpose: messaging. However, WhatsApp was eventually acquired by Facebook (startling on its own) and fails to open-source its client code.

WhatsApp, while encrypting all messages by default (via the Signal protocol), negates the value of encryption entirely by giving itself the ability to secretly change the keys on your device and resend messages with new keys. What this means is that Bob from the NSA could tell Facebook (who is very good friends with the NSA) to fork over absolutely any WhatsApp messages that are still on at least one person’s phone.

This article, by Telegram’s co-founder Pavel Durov, is filled with useful information on the weaknesses of Facebook-owned WhatsApp.

WhatsApp can remotely trigger key changes and resend messages using a new key, even when the users didn’t request it. As a result, WhatsApp is able to get transcripts of entire conversations without sending any notifications to the participants.

This completely negates the purpose of encryption in the first place if you’re worried about spying. Yes, the hacker next to you in the coffee shop can’t steal your messages on public WiFi, but the orange baby with nuclear codes watching Fox News in the White House can. I’ll take the hacker anyways.

WhatsApp also chooses to ask users to back their messages up to iCloud or Google Drive, unencrypted beyond the cloud’s own encryption. This means that if either you or the person you’re chatting with has chosen this method, your messages are stored on a government-accessible hard disk somewhere. Since Apple’s iCloud, Google’s Drive, and other major cloud services hand over their users’ information when legally required to or where financially motivated to, Uncle Sam (or whoever your country’s uncle is) has nearly complete control over when he gets to snoop on your private life.

EFF.org has this to say about WhatsApp’s push for users to use unencrypted cloud backups:

Unencrypted backups

WhatsApp provides a mechanism to back messages up to the cloud. In order to back messages up in a way that makes them restorable without a passphrase in the future, these backups need to be stored unencrypted at rest. Upon first install, WhatsApp prompts you to choose how often you wish to backup your messages: daily, weekly, monthly, or never.  In SSD, we have advised users to never back up their messages to the cloud, since that would deliver unencrypted copies of your message log to the cloud provider. In order for your communications to be truly secure, any contact you chat with must do the same.

As mentioned earlier, Telegram also stores your chats in the cloud, but using the secure multi-jurisdiction method detailed above and without a profit motive, unlike WhatsApp and Facebook. Telegram is also blocked in several countries where WhatsApp is not, leading me to believe (because governments throw temper tantrums when they can’t thought police their citizens) that said nations can actually access WhatsApp messages, even if it’s a lengthy process involving collaboration with Facebook. They therefore block Telegram completely since they cannot read those messages, even with a warrant.

Speaking of profit motive, WhatsApp was fined $3 million for forcing all its users to give their personal information to Facebook, including those without a Facebook account. Even without scanning each WhatsApp message in order to target interests for advertisers, Facebook can see all of your unencrypted metadata. This is who you talk to, when you talk to them, how often, and what your phone numbers are. Trust me when I tell you that advertisers and governments alike cherish knowing this stalky information about you. They’re building gigantic sociograms that will eventually be combined with AI to predict your every move for advertisers, or any other reason.

Facebook knows that they make a ton of money off of selling this data about you, which is why they also block all links to Telegram inside of WhatsApp. This means that WhatsApp could be sending unencrypted versions of links you share within the app to their servers in order to process whether or not they’re Telegram links (since it’s unlikely that the actual app is doing this offline). They even know when you’re discussing switching away from using their service.

Besides privacy concerns, WhatsApp is just dry as compared to Telegram’s extensive feature list.


Just kidding, by the way. Telegram doesn’t support groups up to 1,000 members. They bumped it up to 5,000.

What’s wrong with iMessage and texting?

A lot, or very little, depending on yourself, your friends, and your paranoia.

Practical inconveniences

  1. Firstly, iMessage can only work between Apple devices. The Messages app on iOS will default to hilariously insecure SMS messages if the number you’re texting isn’t activated with an iPhone. SMS messages are so insecure that they are often provided to law enforcement without a warrant. Deleting text messages off of your phone has no effect; they are stored for however long your carrier wants, unencrypted, for anyone inside the company to see. Hope your ex doesn’t work there. By the way, telecoms usually charge police a fee to do this, meaning that law enforcement is using your tax dollars to pay a multinational corporation to spy on you. Great!
  2. Apple devices, iMessage encryption, and iMessage clients are all closed-source and therefore cannot be audited by anyone except for Apple. This always leads open-source advocates like me to wonder: What are they hiding? Just a question. ¯\_(ツ)_/¯

Technical vulnerabilities

  1. Apple servers distribute encryption keys, meaning that they have the encryption keys. This means that an Apple spy (someone within Apple working with the FBI or China) could at the very least instruct its server to send your device their own key instead of your friend’s key. In other words, you’d be chatting with the Apple spy instead of your friend. The spy could even then do the same to your friend, and then copy and paste your messages between the two and read the entire conversation after the point that they began spying. Keep in mind, this spy could be human or robot, and robots know no limits. I’m not accusing Apple of doing all of this, I’m just saying that they can, which DEFEATS THE PURPOSE OF ENCRYPTION™.
  2. The second vulnerability is the same one that WhatsApp faces: iMessages are backed up to iCloud if either you or your friend has this feature enabled. This allows Apple to read all of your past messages by simply restoring your iCloud backup to one of their own iPhones. By the way, if you’re on an iPhone or iPad reading this, go turn off iCloud backup (assuming you care since you’ve read this far).
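
The key substitution described for iMessage above and the silent key change and resend described for WhatsApp earlier both depend on the client trusting whatever key the server hands it. The sketch below is an added example, not code from Telegram, WhatsApp, Apple, or this article's author: a client that pins the first key it sees for a contact and holds messages back when the server-supplied key changes, until the user confirms the new fingerprint over a separate channel. The class, method names, and key bytes are constructed for illustration, and no real encryption is performed.

```python
import hashlib


def fingerprint(public_key: bytes) -> str:
    """Short fingerprint two people can read to each other to compare keys."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class PinnedKeyClient:
    """Hypothetical client: trust on first use, block on unverified key change."""

    def __init__(self, directory):
        self.directory = directory  # callable: contact -> key bytes (untrusted server)
        self.pinned = {}            # contact -> fingerprint the user trusts
        self.outbox = []            # (contact, message) held until verification
        self.sent = []              # (contact, fingerprint used, message)

    def send(self, contact, message):
        fp = fingerprint(self.directory(contact))
        pinned = self.pinned.setdefault(contact, fp)  # pin on first contact
        if pinned != fp:
            # Key changed: do not encrypt to it (and do not resend) silently.
            self.outbox.append((contact, message))
            return "BLOCKED"
        self.sent.append((contact, fp, message))
        return "SENT"

    def verify_and_release(self, contact, fp_from_contact):
        """Accept a new key only if it matches what the contact read out over
        a separate channel (in person, on a call). Returns messages released."""
        if fingerprint(self.directory(contact)) != fp_from_contact:
            return 0  # server is offering a key the contact does not hold
        self.pinned[contact] = fp_from_contact
        held = [m for c, m in self.outbox if c == contact]
        self.outbox = [(c, m) for c, m in self.outbox if c != contact]
        self.sent.extend((contact, fp_from_contact, m) for m in held)
        return len(held)


def demo():
    # Constructed key material; real keys would be public-key bytes.
    friend_old, friend_new, injected = b"friend-key-1", b"friend-key-2", b"injected-key"
    server = {"friend": friend_old}
    client = PinnedKeyClient(server.get)
    results = [client.send("friend", "hello")]         # first use: key is pinned
    server["friend"] = injected                        # server swaps the key
    results.append(client.send("friend", "private"))   # held back, not sent
    # Friend reads out their real new fingerprint; the server's key does not match.
    results.append(client.verify_and_release("friend", fingerprint(friend_new)))
    server["friend"] = friend_new                      # honest key now served
    results.append(client.verify_and_release("friend", fingerprint(friend_new)))
    return results, client.sent


if __name__ == "__main__":
    print(demo())
```

The held message is released only once the key the server serves matches the fingerprint the contact confirmed, which is the check that "users who verify keys" are performing by hand.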

Please keep in mind that if you and your contact are using iPhones, both of you have iCloud backups disabled, and neither of you is suspected of terrorism, there is only a very small chance that you’re being monitored. Apple isn’t an advertising company; they just don’t want to get in trouble with the law. They intentionally leave vulnerabilities like iCloud backup lying around simply to appease governments, but also allow knowledgeable users (such as you) to disable these features. I generally like Apple, even if their lawyers start to sweat when big bad Telegram comes around.

All the other chat services

This is where debate can happen. Plenty of other encrypted chat services exist besides Telegram, all plenty safe and usable. So why Telegram? It’s the most usable. Your friends are highly unlikely to be disappointed once they download it, given it averages 4.5 stars in the App Store. You probably already have one or more friends sending off Telegrams on the daily, unbeknown to Facebook. Since it’s based off of your phone number rather than an obnoxious username and email signup, your contacts who use Telegram will show up immediately without having to search for them. It has the most features, the most usability, and the most practical security, period.

Signal

Another praised service is Signal, which is basically Telegram’s “secret chats” but with way fewer users and no desktop or tablet apps. The developer, Open Whisper Systems, also startles me with their passionate and blunt lies regarding the WhatsApp backdoor engineered by Facebook.

WhatsApp could try to “man in the middle” a conversation, just like with any encrypted communication system, but they would risk getting caught by users who verify keys.

This is Open Whisper Systems literally admitting that WhatsApp is capable of inserting a “man in the middle,” but arguing that they wouldn’t because they could get caught. News flash to OWS: They already got caught. Hence this entire freaking article. Also, as I keep hammering in: If they are even capable of inserting a MITM, then there is no. freaking. point. to. encryption. I hate these people.

Texting

If you’re on Android, you probably know that the built-in messaging app is simply your carrier’s texting service. On iPhone, it’s the green bubbles. As mentioned in my iMessage section above, carrier texts are 0% secure and can be read by anyone at your carrier or in law enforcement. Send only things in text messages that you want the world to know. Carriers make using secure services like Telegram difficult sometimes, since SMS texts are the only messages that can be sent when you have service, but don’t have a data connection. For most folks, this isn’t an issue with the gigantic data plans being used nowadays. But for customers who are constrained on data usage, this means that SMS is the only option between Wi-Fi areas.

Facebook Messenger

I assume I don’t have to mention Facebook Messenger in this article. But just in case it isn’t obvious: It’s also owned by Facebook and possesses all of the intentional vulnerabilities that WhatsApp does. But unlike WhatsApp, Facebook openly scans all its conversations with AI to “report criminal activity to the police.” Even if that was the only reason, that’s extremely creepy. But don’t forget that they’re actually doing this to target you for advertisers, and god knows what other future reasons.

So… what’s my favorite solution to mass-surveillance?

It’s Telegram. Go get it. And then send me a message.

Extra credit: Join our public Mad Indies channel on Telegram.
