this post was submitted on 09 Dec 2023
32 points (92.1% liked)

Privacy

31886 readers
496 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
32
submitted 11 months ago* (last edited 11 months ago) by FarLine99@lemmy.world to c/privacy@lemmy.ml
 

How do notifications work in the official Telegram Android app (Play Store vs Site version maybe)? Does it have the same mechanism as Signal, which only recognizes the presence of notifications via Google services, but sends them via its web socket service?

top 48 comments
sorted by: hot top controversial new old
[–] LWD@lemm.ee 15 points 11 months ago* (last edited 10 months ago) (3 children)
[–] FarLine99@lemmy.world 6 points 11 months ago (1 children)

I know and use Signal to communicate with family/friend. but everyone at work uses telegram, I can't give them all an ultimatum to switch to Signal

[–] Gooey0210@sh.itjust.works 1 points 11 months ago (3 children)

If you're ready to put on tinfoil, signal is not the way to go too

Phone number requirement is a big no-no in privacy community, plus signal wants to centralize more and more, when they could actually make it possible to selfhost signal

[–] FarLine99@lemmy.world 4 points 11 months ago

I don't agree with you. so far Signal is the most mature and feature-rich messenger of the rest. yes, it provides privacy, not anonymity. but all new people are used to the algorithm of adding people, unlike SimpleX, Matrix, etc.

[–] LWD@lemm.ee 2 points 11 months ago* (last edited 10 months ago)
[–] miss_brainfart@lemmy.ml 1 points 11 months ago

Phone numbers harm anonymity, not privacy.

[–] rdri@lemmy.world 3 points 11 months ago* (last edited 11 months ago) (2 children)

I've been using Telegram enough to understand that such allegations are useless. The first link is literally not about Telegram but about its 3rd party fork that original developers can't do anything about. The second link is about piracy, and any app owner would handle any data they could in similar situations.

Telegram is not just a messaging app but a public platform with channels and public chats. Any app with these properties will eventually have the same issues. If you don't want to risk, you just use it as a personal messaging app and that's it - in this way it's not much different from other "secure" messaging apps.

The way for apps like Signal to remain "truly secure" in "careful" users' eyes is avoiding the introduction of the public communication part, which could lead to all the same problems some people don't like Telegram for.

That said, Telegram actually has a history of being a "bad actor" if you want to call it so. Namely:

  • At first it was possible to steal someone's account by faking a SIM card (any government can do this). Later Telegram introduced cloud password that helped to prevent such cases.

  • At various points Telegram wrongfully banned and marked as "fake" various channels and bots used by opposition in Russia.

But I can't agree that either of that makes Telegram an insecure messaging platform. It's either about bad management decisions in specific situations (e.g. Durov being worried about Telegram getting banned) or technical aspects of how user reports are handled (basically any channel can get marked "fake" if enough user reports are received).

[–] LWD@lemm.ee 1 points 11 months ago* (last edited 10 months ago) (1 children)
[–] rdri@lemmy.world 2 points 11 months ago (1 children)

third incident

Not third but another one out of many. Incidents that don't really mean the app is not secure.

You can see from the article that Telegram would have to give up on a basic feature expected from similar apps in order to fix that "issue" with public groups.

Again, it's the public communication features that lead to such issues, and I expect any other app to have very same "issues" if they introduce similar features and make them useful enough for protesters to try to rely on them when fighting against oppressive governments.

You can't expect messengers like these to be a proper instrument for protesters that makes them safe. These public groups need to grow to become effective, and apps specifically aimed for protesters would not have enough user base. Still, Telegram is the most used app by protesters from what I see, and it does provide adequate level of protection if you use it correctly (if you understand how it works).

Signal pushes back against third party apps

So it doesn't like to be open enough for others to do what they want with it. Still, one shouldn't expect it to work anyway. If you make your client open source, there will be forks that allow communicating with your servers. You'd have to introduce a black box, and open source community won't like that.

Signal seems to do quite enough of useless stuff. People rate it more secure than Telegram. One of reasons for that is that it supports e2e encryption in group chats. But it's useless when comparing to all the issues with Telegram, already because it's always about public groups. Let me see how Signal would protect people in such groups while staying in scope of private communication app.

can pressure a CEO into simply handing over previously accrued user data, then the app was never secure to begin with

Nah, actually: "if a public service uses servers, then it is never secure". Any service will handle all the data they have if pressured. Servers have to know your IP address (though you can always use proxies) and phone number at least to provide service at all. You can't really blame owners of public service. You could blame them if their service was serverless though, because that would mean they store something they shouldn't need to operate.

[–] LWD@lemm.ee 1 points 11 months ago* (last edited 10 months ago) (1 children)
[–] rdri@lemmy.world 1 points 11 months ago (1 children)

What basic feature?

Contacts sync.

Telegram has told people to make third-party clients

What? No. It just didn't tell them they have to use their own servers to use their forks.

the fact people found it easier to find and download a third party client really speaks to how little they cared about that particular area.

No, it speaks to how no big developer can do anything to prevent their apps from being banned by oppressive governments. Hence why opposition resorted to 3rd party forks.

And Telegram now has an increasing history of supporting state governments over the people.

Telegram has experience of trying to protect people when they oppose governments. Signal is not interested in getting any similar experience. It will remain useless to opposition it seems.

Telegram stores far more data than Signal, including the memberships of groups

Signal would have to store the same data to allow users participate in public groups.

and the contents of every message in every group.

I don't think Telegram ever disclosed anything like that. Public groups are open for everyone including governments. Any service that is not serverless will store the same amount of metadata, otherwise it won't work.

[–] LWD@lemm.ee 1 points 11 months ago* (last edited 10 months ago) (1 children)
[–] rdri@lemmy.world 1 points 11 months ago (1 children)

This is useless when groups are public.

And when groups are not public, there is no ground for any action from the service.

[–] LWD@lemm.ee 1 points 11 months ago* (last edited 9 months ago) (1 children)
[–] rdri@lemmy.world 1 points 11 months ago (1 children)

This argument will have some weight if you can provide examples where telegram shared some information about private groups with someone unauthorized.

I'm not shilling. Just pointing out obvious differences in products' features that one has to take into account when judging about app developer's "wrongdoings".

[–] LWD@lemm.ee 1 points 11 months ago* (last edited 9 months ago) (1 children)
[–] rdri@lemmy.world 1 points 11 months ago* (last edited 11 months ago) (1 children)

It is you who refuses to take logical steps to agree that every single app with the same feature set will be vulnerable to governments' decisions. Signal is not a subject of that only because it does not provide such features and therefore is not used by protesters.

Yes, telegram knows all your private groups. But you are missing everything by assuming it is bad for you. You will be arrested not because telegram will disclose your private groups. You will be arrested because some person will join your private group and leak your presence there. That person will not need to get any information from Telegram for that. This is not an issue a service could solve by any encryption.

[–] LWD@lemm.ee 1 points 11 months ago* (last edited 9 months ago) (1 children)
[–] rdri@lemmy.world 1 points 11 months ago (1 children)

Yes it is. Wtf

Could you prove that? More specifically, I need proof that it allows public groups for protesters to gain mass and protect their identifies adequately at all times.

It doesn't need to do that

It does need that. Signal stores this information too. Just because it's encrypted doesn't mean it will not be handled to someone against your will.

Why would it not disclose groups?

I don't know, maybe because I can't imagine why even the most insane government would come up with laws that would allow it to ask internet services something like "hey there is this person, please provide some data of their activity on your service" instead of just capturing that person and making them spill out everything themselves. If you are at the point where your groups are disclosed this won't be the result of government's requests to some service. It'll be the starting point for those.

A year ago, you would have said Telegram doesn't disclose people's identities.

I wouldn't.

ignoring every other problem Telegram has but Signal does not

Signal's way to "not have problems" is to avoid users who could bring them.

[–] LWD@lemm.ee 1 points 11 months ago* (last edited 9 months ago) (1 children)
[–] rdri@lemmy.world 1 points 11 months ago (1 children)

And why should I accept your reframing when you try to compare signal to telegram?

I see, signal wants to keep its servers free from content. Cool. This automatically means groups can't accept new members and allow them seeing all the previously posted content. This is what protests use to grow. So signal can't be used to grow protest groups. Only fixed groups would use it to do stuff they want, and "making more people join the protest" would not be on list. They will need to resort to other methods to spread infornation if they wanted to grow. Protesters groups that don't want to grow are not what I could consider a real protest.

Protest is a public movement. It will not be effective when it's private or wants to keep its members anonymous. This is basically what oppressive governments are fine with, so signal helps them in a way.

What led to telegram's "wrongdoings" would not be possible if it did not provide public communication. Signal doesn't provide it either so they'd have to use a different platform. That would lead to the same consequences.

Affected people could use private groups in telegram to avoid issues. But then it would not be what they wanted, and their actions would not be impactful enough (without other platform capable of public communication) for government to get interested in them.

[–] LWD@lemm.ee 1 points 11 months ago* (last edited 9 months ago) (1 children)
[–] rdri@lemmy.world 1 points 10 months ago

Sure you can grow groups in Signal.

Up until you allow to join that one member that will leak every single thing you wanted to keep private.

But giving law enforcement first-class access to groups helps them avoid law enforcement how?

Not sure my English skill is enough to understand this sentence.

Who exactly gave anyone first class access to anything?

And no, private groups in Telegram are still fully visible to the state-supporting Telegram corporate employees.

This is like saying that an email provider has access to your emails. Not even trying to argue with the rest of implications. So what? You're still avoiding the point. No service can protect you from the real world. You must avoid real world issues yourself. By either using private features of apps, or by not participating in public communication, or by using apps that prevent you from participating in public communication etc.

Someone cut a hand with a saw when cutting a board. You saw that and thought "that saw manufacturer is at fault, I'd better use a saw from another manufacturer". What's happening really is you choosing a knife over a saw. Also it's very probable that people like you are not ever going to try to cut a board. That's what choosing signal looks like to me. I'm not judging you for choosing a knife or for avoiding boards, but it's worth it to understand the differences.

[–] wincing_nucleus073@lemm.ee 1 points 11 months ago* (last edited 11 months ago) (2 children)

yeah funny how the oh-so-private and amazing signal allows bad actors to take over your account with sim access, and telegram does not.

[–] toastal@lemmy.ml 2 points 11 months ago

Criticism of Telegram isn’t endorsement for Signal. They are both garbage in different ways.

[–] rdri@lemmy.world 1 points 11 months ago (1 children)

Well it still does by default. You must enable the cloud password by yourself.

[–] wincing_nucleus073@lemm.ee 1 points 11 months ago

ik but signal doesnt give you the option even

[–] Kissaki@feddit.de 1 points 11 months ago

Your first link:

42 million user IDs and phone numbers for a third-party version of Telegram were exposed online without a password. The accounts belong to users in Iran, where the official Telegram app is blocked.

How is that a state exploit of Telegram? It's not even about Telegram. It's a third party app.

[–] AnEilifintChorcra@sopuli.xyz 5 points 11 months ago (2 children)

Telegram uses Google services like Signal for notifications - https://telegra.ph/Notifications-FIX its the first point under the Android section

https://core.telegram.org/api/push-updates these are the docs for building your own Telegram app, specifically the push notifications section and again it mentions using APNS for iOS or FCM for Android but they also offer Simple push which would work with Unifiedpush and would be one way to bypass FCM but I don't know if they offer that in their official app or if there are any other Telegram apps that have implemented it

[–] FarLine99@lemmy.world 6 points 11 months ago* (last edited 11 months ago) (1 children)

"Signal only uses FCM to wake up the Android app if there are new messages waiting on the Signal server and the app isn't connected to it. Signal does not include any information in these notifications, encrypted or otherwise, so Google can only infer that your device has something queued on Signal's servers." I was wondering if a similar system has been implemented in telegram?

[–] Gooey0210@sh.itjust.works 2 points 11 months ago (1 children)

It's still metadata, ditch google play services all at once

[–] FarLine99@lemmy.world 1 points 11 months ago (1 children)

Too radical a solution for me, I used microG for a long time, but the notification problems made me go back to Google services. i've banned them from accessing camera/microphone/geolocation via App Ops (put them on ignore mode), so I'm pretty calm. but notifications are still a problem).

[–] Gooey0210@sh.itjust.works 1 points 11 months ago (1 children)

They are priv apps, I believe it's the same as root

Most of the privacy apps don't require you to have gapps and their notifications

[–] FarLine99@lemmy.world 2 points 11 months ago (1 children)

No, they don't have the same privileges as root permissions. this is easily demonstrated by the camera app built into LineageOS when you enable ignore mode for camera in App Ops and it crashes. and google services also start making very untypical requests for access to stuff.

Yes, but there aren't many apps that respect privacy on my phone compared to the usual ones).

[–] Gooey0210@sh.itjust.works 1 points 11 months ago (1 children)

Ok, I didn't know, it's just usually I see some notifications like "priv app is the same as root, be careful". Thank you

About the apps, I recommend switching, it's not as scary as I sounds, most of the apps have an alternative or sth like that

[–] FarLine99@lemmy.world 2 points 11 months ago
[–] poVoq@slrpnk.net 1 points 11 months ago

The Telegram client available on F-droid does not use FCM for push notifications.

[–] potemkinhr@lemmy.ml 2 points 11 months ago (1 children)

I've noticed notifications are working sporadically now for quite some time (at least half a year now) for both Android (both Play store version and APK) and iOS from my experience. Only on the deskptop version of it are notifications instant, hope they will fix it at some point

[–] FarLine99@lemmy.world 1 points 11 months ago (1 children)

I had this when I used microG, it started in the last month, official google services are fine so far)

[–] potemkinhr@lemmy.ml 1 points 11 months ago (1 children)

Damn, didn't occur to me at all, I do use MicroG, but that still doesn't explain late notifications on the iPhone. This is going on for quite some time, friends also report the same issues regardless of plaform

[–] FarLine99@lemmy.world 1 points 11 months ago

definetly bruh situation

[–] Undertaker@feddit.de 1 points 11 months ago (1 children)

Signal does not use google if it is not available, so no. If you think about privacy, stop using apps like Telegram and please stop using google services

[–] FarLine99@lemmy.world 0 points 11 months ago (2 children)

I still want to communicate with normal, normal people, play normal games. i don't want to put myself in complete isolation from the world, so i can't throw away google services yet).

[–] toastal@lemmy.ml 1 points 11 months ago

Normal people do care about their privacy, they just don’t know enough about tech to understand what services to use—which is why they trust the surface level privacy marketing from Apple. But if you are someone that does understand the tech, then you should feel empowered to help these folks out on their messaging front. If you host it & give them accounts, many come. You could set up an XMPP server for messaging & a Mumble server for voice coms & folks will be happy to chat with you regardless. My longer-term experience is folks are happy wdth how much lighter weight these 10+-year-old technologies are that they start to prefer it.

[–] gravitywell@sh.itjust.works 1 points 11 months ago (1 children)

Youd be surprised how little its actually needed. I've been free for about a year now, some games complain about not having it but then work anyway.

[–] FarLine99@lemmy.world 1 points 11 months ago

I've been using microG for about a year, but there have been problems here and there with games and apps. and accordingly, I realize how many apps need Google services (especially notifications). so for now, through Root rights and App Ops, I've just restricted Google services access to the camera/microphone etc. this is an acceptable compromise for me.

[–] wincing_nucleus073@lemm.ee 1 points 11 months ago (1 children)

i assume that the official telegram client uses FCM. but the Telegram FOSS client on Fdroid and its forks use a background service.

[–] FarLine99@lemmy.world 1 points 11 months ago

I'm thinking the same way for now, hopefully I'll be reassured)