Investigation by investigative journalism outlet IStories (EN version by OCCRP) shows that Telegram uses a single, FSB-linked company as their infrastructure provider globally.

Telegram’s MTProto protocol also requires a cleartext identifier to be prepended to all client-server messages.

Combined, these two choices by Telegram make it into a surveillance tool.

I am quoted in the IStories story. I also did packet captures, and I dive into the nitty-gritty technical details on my blog.

Packet captures and MTProto deobfuscation library I wrote linked therein so that others can retrace my steps and check my work.

  • rysiek@szmer.infoOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    5 months ago

    Do you think that Telegram can continue to be used for this purpose while taking additional security precautions?

    No. Their very existence on Telegram is drawing more people to Telegram, and helping keep on Telegram people who might already be thinking of leaving it. Publishing on Telegram helps the FSB spy on more people. In this case, people who are anti-Putin.

    In other words, by continuing to use Telegram and thus by drawing more people onto that platform and keeping them there through network effects these organizations are drawing people opposed to Putin’s regime directly into FSB’s dragnet.

    I cannot see this as anything but massively irresponsible.

    Or do you think the risk is too great, and no amount of precautions can justify using the service?

    In my opinion the only somewhat justifiable way to use their Telegram presence today would be to try and get people who are on Telegram out of Telegram. But that’s a very tall order, and would have to be done thoughtfully, carefully, and with a plan.

    • Five@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      What platforms do you approve of that could be viable alternatives?

      • rysiek@szmer.infoOP
        link
        fedilink
        English
        arrow-up
        3
        ·
        5 months ago

        Signal would be a good replacement for private messages and groups. I’m in groups of hundreds of people there, I’m sure larger groups exist.

        As to channels… seriously just set up a simple website with an RSS feed? That’s the simplest. A lot of providers have free DDoS protection now as well. If you’re worried about privacy and whatnot, choose a provider like 1984.is or FlokiNET.

        The broader point is: we really need to get people out of centralized platforms and onto less gate-kept spaces. Because with centralized platforms it is always possible they enshittify or turn out to be bad in some important way, and when that happens, the network effects hold us and our audience ransom. Moving back to web is one way of doing that. Joining the Fediverse (hullo!) is another.

        And yes, I am waiting for truly decentralized end-to-end encrypted internet messaging tools to become usable enough to replace Signal eventually. One thing I am looking at – and again, it is not ready yet! – is Cwtch. Another thing I am really hopeful for is the Veilid protocol. But these are still ways off from being ready for prime time and widespread non-techie use. One day though!