Is Telegram safe for drug users?

Thursday, 26 September, 2024.

• Telegram is a messaging app 

• Recent changes to Telegram’s FAQs suggest the app may not be secure 

• Security experts have had concerns about Telegram’s “privacy” for years 

• Other apps may offer a higher level of security 

• No messaging app is 100% secure 

Last month, Telegram founder and CEO, Pavel Durov, was arrested in Paris for allegedly allowing criminal activity to run rife on the messaging app. 

Telegram’s promise of secure messaging undoubtedly made it attractive to those operating outside the law, including people who sell and buy drugs. 

However, since Durov’s arrest Telegram has been quietly making changes to how the company moderates content on the platform.  

A recent change to their FAQ language suggests Telegram can now view, and review, content shared in “private” chats, making them not-so “private” after all.  

So, should you be using Telegram? 

What is Telegram? 

Telegram was initially launched on iOS devices (think Apple products like iPhones and iPads) in August 2013. An Android version followed in October that same year. 

Prior to creating Telegram, Durov and his brother created a social media site called VKontakte (VK) which remains popular in Durov’s native Russia.  

Durov’s reputation as a defender of free speech emerged during his time at the helm of VK. 

In 2012, he ignored requests from Russian authorities to shut down groups using the platform to organise anti-Putin protests. Two years later he found himself again at loggerheads with the Kremlin when he refused to hand over the data of Ukrainian protestors.  

The idea for Telegram came about during this turbulence when Durov was looking for a way to communicate safely with his team. After its launch it became clear there was a much broader appetite for encrypted messaging services. 

In March 2014, Telegram announced it had 35 million monthly users. A decade later the company claimed it was on track to hit 1 billion monthly users – then Durov was arrested. 

On September 6, in his first public statement since his arrest, Durov blamed the exponential growth in users as the reason why the organisation couldn’t properly moderate content.  

“Telegram’s abrupt increase in user count to 950 [million] caused growing pains that made it easier for criminals to abuse our platform,” Durov wrote. 

“That’s why I made it my personal goal to ensure we significantly improve things in this regard. We’ve already started that process internally, and I will share more details on our progress with you very soon.” 

Some of these ‘improvements’ may have already taken place.  

According to tech publication, The Verge, the company has removed language from its FAQ page saying private chats were protected. 

Under a question asking “There’s illegal content on Telegram. How do I take it down?” the answer previously said, “All Telegram chats and group chats are private amongst their participants. We do not process any requests related to them.” 

That line has been removed and replaced with, “All Telegram apps have ‘Report’ buttons that let you flag illegal content for our moderators.” 

A Telegram spokesperson told The Verge the change was simply clarifying language as to how users could report content but didn’t address why the phrase “chats and group chats are private amongst their participants” was removed. 

Are chats private or not? Can Telegram see the content shared in private chats? And if so, is this new or has it always been able to see users’ conversations?  

While the recent wording change is alarming, it shouldn’t be all that surprising. According to experts Telegram’s promises of privacy have always been overblown. 

Telegram and the myth of security 

The biggest concern centres on Telegram’s lackadaisical approach to end-to-end encryption.  

End-to-end encryption ensures only the sender and intended recipients can see the contents of a message. If anyone intercepts it, the message should appear as meaningless characters.  

It’s a bit like sending a coded message. To anyone else it looks like gibberish, but if you have the key or cypher you can make sense of it.  

Telegram offers two types of chat functions: regular and secret.  

Regular chats are not encrypted, only secret chats are. Regular chats are the default function, meaning users need to select ‘secret chats’ on each of their conversations to ensure they’re encrypted. 

Even if a user has selected the ‘secret’ function on all their conversations, if someone outside your contact list writes to you and, say, asks about illicit substances, that chat is not automatically encrypted.  

This is a baffling design choice for a supposedly ‘secure’ platform. By contrast, conversations on messaging apps like Signal, WhatsApp and iMessage are encrypted by default.  

Additionally, Telegram’s ‘secret chat’ function doesn’t work on group chats.  

The argument could be made that this is due to the technical complexities of implementing end-to-end encryption when there are multiple recipients involved. But, again, Signal and WhatsApp already have this feature by default on group chats, so what’s stopping Telegram from doing the same? 

Telegram can’t keep a secret  

Users should be concerned about Telegram’s bizarre encryption procedure because investigations by journalists have shown that authorities can, and do, listen in to un-encrypted chats.  

In 2016 Motherboard revealed German police were intercepting un-encrypted Telegram messages to monitor terror suspects. In 2021, security researchers alleged hackers were using Telegram to spy on Iranian dissidents for Tehran authorities. 

This isn’t just an international issue. Since 2020, there have been several cases in Western Australia of police targeting suspected drug dealers using Telegram and other “encrypted messaging apps”. 

Even without authorities directly monitoring the platform your information still isn’t safe on Telegram.  

Back in 2016, experts discovered a flaw that meant hackers could easily access the app’s metadata to determine when a user was online. This information could then be used to determine who the users had been communicating with and when.  

It isn’t much of a leap to see how police could use this kind of information to track drug deals. 

The limitations of end-to-end encryption 

End-to-end encryption stops people from ‘listening in’ to your conversation. With good encryption even the messaging app itself can’t read your messages. 

End-to-end encryption can be used on messages, calls (video and voice), email, and file transfer.  

However, end-to-end encryption only protects the content of your communication, not information such as who you’re communicating with, when you’re communicating and where you are at the time. 

Even without knowing the content, piecing this information together can tell a story. For example, you received a call from a local hospital, you called a series of family members, then you called a funeral home.  

End-to-end encryption also cannot stop someone reading your messages if they have your phone or the phone of the person you’re communicating with. This is where self-destructing or disappearing messages can be useful. 

The Surveillance Self-Defense (sic) website has a detailed breakdown of end-to-end encryption if you want to learn more.

Alternatives to Telegram 

Thankfully there are several other options available if you’re looking to move away from Telegram.  

No app will be 100% secure so choosing which to use will come down to what level of security you’re willing to settle for. 

(Listed in alphabetical order, not by rank or rating) 

Briar  

Cost: Free 

Platform: Android  

Features: 

• Default end-to-end encryption 

• Anonymous sign up 

• Decentralised server 

Concerns: 

• Only on Android (iOS version unlikely) 

• Complex mailbox system that requires a second app 

Session 

Cost: Free 

Platforms: Android, iOS 

Features: 

• Default end-to-end encryption 

• Anonymous sign up 

• Self-destructing messages 

Concerns: 

• No perfect forward secrecy 

• Company based in Australia which could heighten risks for local users, however the organisation is taking steps to prevent this 

Signal 

Cost: Free 

Platforms: Android, iOS 

Features: 

• Default end-to-end encryption 

• Self-destructing messages 

• Funded by a non-profit  

Concerns: 

• Cannot sign up anonymously 

• Mandatory mobile number sent to third party 

Threema 

Cost: $10 

Platforms: Android, iOS 

Features:  

• Default end-to-end encryption 

• Optional anonymous sign up 

• Ability to connect with other users without sharing names or phone number  

Concerns: 

• No self-destructing messaging 

• Not fully open-source 

Wire 

Cost: Free 

Platforms: Android, iOS 

Features: 

• Default end-to-end encryption 

• Self-destructing messages 

Concerns: 

• Cannot sign up anonymously 

• Collects metadata 

Keep in mind, messaging apps only work if both parties are using them . You can’t send a Facebook message to someone who doesn’t have Facebook , so the choice may ultimately be out of your hands.  

But it’s worth knowing what the possible security liabilities are before agreeing to discuss anything compromising over the internet.