Should it really be Telegram?

Telegram has done a remarkable job convincing people that it is the privacy-friendly alternative to WhatsApp. Open source. Encrypted. Founded by people with a story about defying state surveillance. The branding writes itself. But take it apart for a minute and most of it doesn’t really hold up.

I should say up front: I’m not a security researcher. I’m a CS student who reads about this stuff because privacy is a thing I care about. The points below are not insider knowledge; they’re a reading-comprehension problem on Telegram’s own marketing copy. Anyone can verify them by clicking through their FAQ.

It’s open source. Right?

Telegram states the following on their website:

“Telegram apps are open source and support reproducible builds. Anyone can independently verify that Telegram apps you download from App Store or Google Play were built using the exact same code that we publish.”

This is technically true. It is also possibly the most carefully phrased two sentences in their entire FAQ. The clients are open source. The server code is not. So the part that handles your messages, your metadata, your contact graph, your group memberships, all of it runs on closed code that nobody outside Telegram can audit. Calling this “open source” without that asterisk is, charitably, misleading.

No encryption, no peace of mind

This is where it gets worse. People hear “Telegram is encrypted” and assume that means encrypted by default, the way Signal and WhatsApp are. It isn’t. Telegram only end-to-end encrypts so-called “Secret Chats”, which you have to opt into per conversation, and which aren’t available in group chats at all. Regular chats are encrypted between your client and Telegram’s server, but the server holds the keys. Which means Telegram has technical access to the contents.

It also matters that Telegram designed its own encryption protocol (MTProto) instead of using something well-vetted. Signal’s protocol has been hammered on by the wider crypto research community for over a decade. MTProto hasn’t, and what scrutiny it has gotten has not been kind. Without that level of scrutiny, “encrypted” is more of a marketing word than a technical claim.

The thing that actually frustrates me about all this isn’t that Telegram is bad on privacy. It’s that Telegram positions itself as the privacy-friendly option while quietly being one of the worst of the popular messengers on exactly that axis. WhatsApp at least uses the Signal protocol for actual content. Telegram just markets like it does.

So what should we use instead

Plenty of options that don’t require this much hedging.

Signal: the obvious one. End-to-end encryption by default for everything. Protocol has been independently audited multiple times. The only friction is convincing other people to use it.

Threema: the OG, oldest of the bunch. The interesting part is that it doesn’t require a phone number to sign up, which solves a privacy issue Signal still hasn’t really fixed.

Element (Matrix): an open-source, decentralized network running on the Matrix protocol. More setup work, but you don’t have to trust a single company.

None of these are perfect. Signal is centralized. Threema costs money. Matrix has a learning curve. But all three are honest about what they are, and the honesty is the part Telegram skips.