Philippines, we need to talk about Telegram
If you are using Telegram because anything to do with “security” then please stop what you are doing, you are at risk and all the previous data you have exchanged on Telegram is at risk.
I’ve been wanting to write something about Telegram for months and in the past few weeks several things have occurred that really highlights what Telegram is and is not.
Short story -
If you are using Telegram because it’s an delightful communications tool with friends and communities you interact with then great.
If you are using Telegram because anything to do with “security” then please stop what you are doing, you are at risk and all the previous data you have exchanged on Telegram is at risk. Telegram is not an end-to-end encrypted communications platform and the Telegram app ability to establish end-to-end encrypted channels is difficult to access through user-interface and technically limited in implementation.
Period.
If you are using Telegram in a business setting, your customers would not expect you to exchange their personal data on a platform that you have no contract or legal recourse with, that has full observably of your data and communications, and is operated by a company domiciled in a country under heavy international trade control.
If you are a security practitioner and you are using Telegram in an operational context you might feel upset by this. Don’t take my word for it, read the assessment by well-known and well-respected cryptographer professor Matthew Green from Johns Hopkins University on what Telegram is and is not.
Telegram does have many excellent threat/data intelligence sources that are important in a cybersecurity context. That these OSINT sources exist on Telegram does not impart some kind of security onto the platform, Telegram is merely a fantastic in-the-open public broadcast platform.
The posts on Telegram are not secure from observation by the platform or from actors that influence the operations of the platform because it is not end-to-end encrypted by default.
Last week Telegram declared that they will cooperate with law-enforcement on user data-requests, undoubtedly this is a result of the Telegram Founder/CEO being arrested in France recently - the thing to learn here is not that Telegram will share data with law-enforcement, it’s that they have observably of the communications data - let that sink in.
Telegram is a lovely tool to use, however their claims of “encryption” have been fast and loose about where the encryption is actually applied.
Further reading - Matthew Green Blog, Bleeping Computer, The Record, Reuters