The company has updated its FAQ page to say that private chats are no longer shielded from moderation.
Telegram has quietly removed language from its FAQ page that said private chats were protected from moderation requests. The change comes nearly two weeks after its CEO, Pavel Durov, was arrested in France for allegedly allowing “criminal activity to go on undeterred on the messaging app.”
Earlier today, Durov issued his first public statement since his arrest, promising to moderate content more on the platform, a noticeable change in tone after the company initially said he had “nothing to hide.”
“Telegram’s abrupt increase in user count to 950M caused growing pains that made it easier for criminals to abuse our platform,” he wrote in the statement shared on Thursday. “That’s why I made it my personal goal to ensure we significantly improve things in this regard. We’ve already started that process internally, and I will share more details on our progress with you very soon.”
Translation: Durov is completely compromised and will do whatever NATO tells him to do. Do not trust in the security of Telegram, which frankly was never that good to begin with. And do not trust anything else even remotely connected to the company or Durov personally.
Telegram has a few different chat type options:
Public, which is what it sounds like, available for groups. Server-side encryption, so Telegram (the company) can see everything.
Private, which is like an unlisted/unsearchable public group chat, same encryption limitations.
Secret, which are strictly one-on-one, and default to server-side encryption. The user can select end-to-end encryption for these on a per-chat basis. It can't be made the default.
Oh it always has been from a security perspective. They use a homegrown E2EE known-to-be-flawed protocol called MTProto instead of using a professionally-audited one like in Matrix.
If I were to choose one app, it would probably be Matrix due to the fact that it supports E2EE not only in private messages, but in chatrooms, and due to the fact that you can self-host it (this is a simple requirement which all these other "apps" fail). But Matrix isn't a panacea either. From my understanding, while the cryptography is considered to be sound, the protocol itself reveals a lot of metadata. If I were going to use Matrix for ninja shit, it would absolutely not be on a publicly federated server. It would be a private, unadvertised server which only the cool kids get told about.
If it were a matter of life or death, the only thing I'd really trust is GPG and dead drops.
I agree on Matrix. It's not ideal right now but it's easily better than the alternatives. I don't trust systems that can't be self-hosted.
I like the cut of your jib.
For reference, the metadata leaked is: Sender id, recipient id, if the recipient saw the message, when the message was delivered, all reactions and the length of the message.
For example, this is what the server sees in an encrypted message:
And after decryption, you get this:
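The metadata list above, as an added illustration that is not part of the original thread: constructed Matrix events (field names follow the m.room.encrypted, m.relates_to and m.receipt event types; all user ids, room ids, timestamps and the ciphertext blobs are made up) and a function that pulls out what a homeserver can read without any key, next to the decrypted payload only the client sees.

```python
import base64

# Constructed Matrix events as a homeserver stores them. Field names follow the spec;
# every value (ids, timestamps, ciphertext) is made up for this example.
ENCRYPTED_MSG = {
    "type": "m.room.encrypted", "event_id": "$msg1", "sender": "@alice:example.org",
    "room_id": "!dm:example.org", "origin_server_ts": 1725555555000,
    "content": {"algorithm": "m.megolm.v1.aes-sha2", "session_id": "SESSION-placeholder",
                "ciphertext": base64.b64encode(bytes(137)).decode()},  # opaque to the server
}
ENCRYPTED_REACTION = {
    "type": "m.room.encrypted", "event_id": "$react1", "sender": "@bob:example.org",
    "room_id": "!dm:example.org", "origin_server_ts": 1725555561000,
    "content": {"algorithm": "m.megolm.v1.aes-sha2", "session_id": "SESSION-placeholder",
                "ciphertext": base64.b64encode(bytes(97)).decode(),
                # the spec keeps m.relates_to in cleartext so servers can aggregate relations
                "m.relates_to": {"rel_type": "m.annotation", "event_id": "$msg1", "key": "👍"}},
}
READ_RECEIPT = {"type": "m.receipt", "room_id": "!dm:example.org",
                "content": {"$msg1": {"m.read": {"@bob:example.org": {"ts": 1725555560000}}}}}
# What Alice's or Bob's client holds after decrypting ENCRYPTED_MSG (constructed).
DECRYPTED_MSG = {"type": "m.room.message", "room_id": "!dm:example.org",
                 "content": {"msgtype": "m.text", "body": "meet at the usual place at 9"}}


def server_view(event, receipts=()):
    """Everything the homeserver learns from one encrypted event without a key."""
    content = event["content"]
    relation = content.get("m.relates_to", {})
    readers = set()
    for receipt in receipts:
        if receipt["room_id"] == event["room_id"]:
            readers.update(receipt["content"].get(event["event_id"], {}).get("m.read", {}))
    return {
        "sender": event["sender"],
        "room": event["room_id"],
        "sent_at_ms": event["origin_server_ts"],
        # Megolm is AES-CBC with PKCS#7 padding, so ciphertext length tracks plaintext length
        "ciphertext_bytes": len(base64.b64decode(content["ciphertext"])),
        "reaction": relation.get("key"),
        "reacts_to": relation.get("event_id"),
        "read_by": sorted(readers),
    }


def visible_vs_protected(encrypted, decrypted):
    """Keys the server can read vs. keys that only exist after decryption."""
    visible = set(encrypted) | {"content." + k for k in encrypted["content"]}
    protected = {"content." + k for k in decrypted["content"]} | {"inner type"}
    return sorted(visible), sorted(protected)
```

Running `server_view(ENCRYPTED_MSG, [READ_RECEIPT])` shows that the sender, room, timestamp, ciphertext length and reader are all known to the server, while the message body only appears in `DECRYPTED_MSG`.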