SIGNAL WARNS USERS TO BEWARE OF “DANGEROUS DISINFORMATION” FROM TELEGRAM

On 10 May, Signal president Meredith Whittaker criticised Telegram. In her post on the X platform (formerly Twitter), she stated:

“Telegram is notoriously insecure and regularly collaborates with governments behind the scenes, despite its big claims of free speech and privacy. Even their limited encryption, which must be configured by the user, raises suspicions….”

Telegram founder Pavel Durov has claimed that messages on Signal are not as private as they are presented, and that the company’s security claims cannot be verified. This claim has been strongly refuted by Signal and the wider crypto community.

Signal representatives said that Telegram’s statements are “another example of a familiar pattern of dangerous misinformation designed to confuse people about the level of security and privacy that Signal provides in order to steer them towards more controlled and vulnerable platforms.”

Why is this important at all?

Some allegations seem so far-fetched and outlandish that most people would probably immediately dismiss them as conspiracy theories or FUD tactics. And while it is certainly reasonable to remain sceptical of implausible claims, it is still worth remembering that there are many cases where supposedly secure communication services have been tapped or controlled by government agencies without users noticing.

Safety is out of sight

Anyone familiar with secure communications should know that Telegram cannot be considered safe by modern industry standards. This is primarily a cloud-based messenger that means that messages are permanently stored on the server without end-to-end encryption and can therefore be read at any time. End-to-end encryption can only be enabled in individual chats.

Instead, Signal is highly respected for its cryptography (and was the second cross-platform messaging app to offer strong end-to-end encryption after Threema). However. Durov claimsthat Signal’s communications of “important people” with whom it communicated were used in US courts or media (probably referring to Tucker Carlson, who recently interviewed Durov and previously claimed that the US National Security Agency had hacked his Signal account).

However, you can read similar stories on the Internet about almost any secure chat application. In those cases where this is the case, the authorities were most likely able to gain physical access to the mobile device, which may also have been the device of one of the suspect’s chat partners. In high-profile cases, of course, it is also possible that the suspect’s device was infected with spyware at the operating system level, in which case the entire device is compromised and the security of any application running on it (including Signal, Telegram and Threema) is compromised. Therefore Durov’s statements about Signal’s security should not be taken seriously. However, he draws attention to two other points that deserve attention.

First, he argues that “the same encryption [as in Signal] is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype“. The assumption that this may be because “large tech companies in the US are not allowed to create their own encryption protocols that are independent of government interference” is an obvious FUD tactic. However, it is worth noting that iMessagewhich Durov forgot to mention, is the only mainstream messaging app developed in the US that does not rely on Signal encryption. While it is not recommended to “implement your own encryption”, a monoculture is probably not ideal either.

Second, Durov mentions that unlike Signal, Telegram offers playable builds on both Android and iOS platforms. This is true. Signal (like Threema) currently only offers playable builds on Android. Due to Apple’s restrictions, it’s not possible to support playable builds on iOS in a simple and fully satisfactory way. To their credit, Telegram has stepped up to the plate and provided at least the best solution available.

Comparison of messaging services

Of course, playable Telegram builds for iOS is a slight advantage over full end-to-end Signal encryptionand switching from Signal to Telegram for security reasons (as some people apparently do) is is a clear mistake.

However, when it comes to comparing messaging services, things are rarely as clear-cut as they are in this case. As any messenger comparison shows, there are a wide range of aspects that affect the overall security and privacy of a communication service. And even the most comprehensive comparison can only cover a relatively small list of important aspects.

Moreover, the combination of certain factors is is what really matters in practice. For example, reproducible builds suddenly play a very important role if the service is based in a country where the government can force developers to implement backdoors into their software without disclosure.

Government relations and transparency reports

Durov’s claim of a $3 million grant received by Signal from the Open Technology Fund is easy to verify. However, it is unclear how this partial seed funding should be relevant today. (For comparison, Brian Acton, co-founder of WhatsApp and current CEO of Signal, has invested over $100 million in Signal).

However, it is not entirely clear what exactly Whittaker means when she says that Telegram “regularly works with governments behind the scenes”. If she is simply referring to cases where Telegram has been forced to comply with existing legislation, then it is hardly worth mentioning. On the other hand, if she has some inside information, it would be important to let Telegram users know.

Most interestingly, despite accusations of covert ties to the government, none of these companies has produced a transparency report that lives up to the name. The Telegram transparency report could just as easily be called a “non-transparency report”. It is regional, available only through the Telegram app and does not produce any results , for example, for Switzerland, which is highly questionable given the size of Telegram’s user base. Attempts to obtain reports for other countries, such as Germany or the United States, have not yielded any results.

Signal has a publicly available transparency report, but it seems to be extremely incomplete and outdated. It contains only five entries, the last of which dates back to 2021. Compare this to Threema (170 official requests in 2023 alone) or, for example, the Proton report (6,378 requests in 2023). There is simply no way that a service of Signal’s size could have received only five official requests in almost a decade. (As Signal is based in the US, it is possible that they have received a court injunction preventing them from disclosing or publishing certain information.)

Solutions for business

If you’re looking for a reliable and secure solution for your company, consider Threema Work or Threema OnPrem.

Threema is a Swiss developer and leading provider of secure and confidential instant messaging solutions.

The enterprise-class solution Threema Work is a reliable business messenger that meets the requirements of the GDPR. The platform offers companies and organisations secure communications in the form of a messaging application that meets the highest security standards thanks to end-to-end communication encryption. Today, two million users from 7,000 companies, government agencies, schools and organisations around the world use the company’s solutions for internal and external communication.