Should you stop reading Gizmodo right now?
Markus Ra
Some users asked me about a Gizmodo article that claims everybody should stop using Telegram because we don't encrypt chats. Unfortunately, this article is based on incorrect and misleading statements.
1. Always encrypted
The author confuses encryption and end-to-end encryption and claims that some data on Telegram is sent and stored unencrypted. This is not true.
All data is encrypted. Secret Chats use end-to-end encryption, Cloud Chats use server-client encryption in transit and are of course encrypted in storage as well. There's more:
To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure that is unique among messengers. Cloud Chat data is stored encrypted in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. Thanks to that, several court orders from different jurisdictions are required to force Telegram to give up any data.
This structure ensures that no single government or block of like-minded countries can intrude on people's privacy and freedom of expression. Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.
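To make the "keys split into parts, never kept with the data" idea concrete, here is an added example (written for this page, not Telegram's code, and not a description of how Telegram actually splits its keys). It models each part of a data-encryption key as a share held by a custodian in a different jurisdiction that releases its share only on an order from its own courts. The split is a plain XOR n-of-n split: every share is needed, and any smaller set of shares is statistically independent of the key. The custodian and jurisdiction names are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

KEY_LEN = 32  # a 256-bit data-encryption key (constructed for this example)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_parts: int) -> List[bytes]:
    """Split `key` into n_parts shares that are ALL required to rebuild it.

    The first n_parts-1 shares are uniformly random; the last is the key XORed
    with all of them. Any strict subset of shares is therefore independent of
    the key, so holding fewer than all parts reveals nothing about it.
    """
    if n_parts < 2:
        raise ValueError("splitting needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(n_parts - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """XOR every share together; only the complete set yields the original key."""
    acc = bytes(len(shares[0]))
    for share in shares:
        acc = xor_bytes(acc, share)
    return acc


@dataclass
class Custodian:
    """Hypothetical legal entity in one jurisdiction holding exactly one share."""
    jurisdiction: str
    share: bytes

    def release(self, orders: set) -> Optional[bytes]:
        # A custodian hands over its share only on an order from its own courts.
        return self.share if self.jurisdiction in orders else None


def deploy(key: bytes, jurisdictions: List[str]) -> List[Custodian]:
    shares = split_key(key, len(jurisdictions))
    return [Custodian(j, s) for j, s in zip(jurisdictions, shares)]


def reconstruct_with_orders(custodians: List[Custodian], orders: set) -> Optional[bytes]:
    """Key recovery succeeds only when every custodian has been compelled."""
    released = [c.release(orders) for c in custodians]
    if any(part is None for part in released):
        return None
    return combine_shares(released)


def demo() -> Dict[str, bool]:
    key = secrets.token_bytes(KEY_LEN)
    places = ["Jurisdiction A", "Jurisdiction B", "Jurisdiction C"]  # constructed names
    custodians = deploy(key, places)
    return {
        "one_order_recovers_key": reconstruct_with_orders(custodians, {places[0]}) == key,
        "two_orders_recover_key": reconstruct_with_orders(custodians, set(places[:2])) == key,
        "all_orders_recover_key": reconstruct_with_orders(custodians, set(places)) == key,
        # XORing only two of the three shares is just another random string
        "partial_combination_is_key": combine_shares([c.share for c in custodians[:2]]) == key,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point a practitioner should take from this: an XOR split gives an all-or-nothing property, so the defender's question is not "is the key encrypted" but "how many independent parties must cooperate before the key exists in one place." A threshold scheme (k of n) would trade some of that strictness for availability; the all-of-n split shown here is the simplest form of the property the text describes.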
2. Open and documented
Further in the article, a professor mentions "security by obscurity" and claims it's "not possible to analyze Telegram's encryption scheme." Security by obscurity is a term used to describe systems that rely on the secrecy of the design or implementation as the main method of providing security. This has nothing to do with Telegram:
- Telegram's protocol specification is open.
- Our app code is also open, which together with the docs allows a full evaluation of the end-to-end encryption implementation.
Many security researchers have looked at our code, and we offer bounties and periodic contests to attract scrutiny and attention to what we do. It appears that the professor whom the author quotes was either misled about Telegram's encryption or didn't bother to study it at all.
See also:
- Detailed specification of the MTProto protocol
- MTProto overview and FAQ
- Links to repositories with open source code for Telegram apps
3. Control over metadata
The part about metadata and seeing other users online is also not true. Unlike in WhatsApp, you actually have control over who exactly sees you online/offline in Telegram. It doesn't matter which app is used since the setting is on the server side.
Seriously?
As you can see, the Gizmodo article is full of erroneous statements, some of them based on comments by people who seemingly didn't know what they were talking about.
But the worst part of the piece is its conclusion where the author recommends switching to closed-source proprietary messengers like WhatsApp and iMessage. These messengers claim to enable end-to-end encryption by default – but immediately invalidate this encryption due to the way they handle backups and key changes.
Let me tell you about 'unencrypted'
If you want an example of a messenger that didn't use any encryption at all, you need look no further than WhatsApp. As late as 2012, all WhatsApp messages were still being sent unencrypted, in clear text, so that any network administrator or even any user on the same WiFi network could read your messages. [1] Yep, "privacy is coded into our DNA" alright. But you would think this is ancient history now that every chat in their app has a box saying "neither WhatsApp, nor other third parties can read your chats." Well, think again.
At the time when the Gizmodo piece was published, WhatsApp didn't encrypt any of your backups and sent the plaintext of all your messages to Google's and Apple's servers [2]. They seem to have silently added encryption for the iOS backups early this year – but WhatsApp still holds the keys for those backups! [3] (Apple's iMessage backups to iCloud operate on the same principle.)
So WhatsApp generates a backup from your messages, encrypts it with a key that is known to WhatsApp – and has the audacity to claim that they can't read those chats. What is more, WhatsApp aggressively pushes users to enable backups. Even if you don't back up your messages, it is extremely likely that your chat partners are doing this. WhatsApp is actively working on convincing more people to turn the feature on. [4]
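The distinction this section draws, "encrypted" versus "encrypted with a key the service holds", is easy to show in code. The following is an added example written for this page; it is not WhatsApp's, Apple's or Telegram's backup code, and the cipher is a standard-library stand-in (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag), chosen only so the example runs with no dependencies. It builds two backups of the same constructed chat log: one where the service generates the key and stores a copy beside the backup, one where the key is derived on the client from a passphrase the service never sees. A `what_the_provider_can_read` check then shows what each storage layout yields to someone holding only the server-side data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32
KDF_ROUNDS = 200_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a demonstration keystream, not any messenger's cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one backup key.
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup is corrupt or the key is wrong")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def provider_keyed_backup(chat_log: bytes) -> Dict[str, bytes]:
    """The arrangement the article describes: the service generates the backup key
    and keeps a copy next to the backup. Encrypted at rest, readable by the service."""
    key = secrets.token_bytes(32)
    return {"backup": encrypt(key, chat_log), "key_escrow": key}


def user_keyed_backup(chat_log: bytes, passphrase: str) -> Dict[str, bytes]:
    """Key derived on the client from a secret the service never sees; only the salt is stored."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS)
    return {"backup": encrypt(key, chat_log), "kdf_salt": salt}


def what_the_provider_can_read(store: Dict[str, bytes]) -> Optional[bytes]:
    """Everything recoverable from the provider's own storage alone (e.g. under a legal demand)."""
    if "key_escrow" in store:
        return decrypt(store["key_escrow"], store["backup"])
    return None  # no key material on the server: ciphertext only


def restore_user_backup(store: Dict[str, bytes], passphrase: str) -> bytes:
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), store["kdf_salt"], KDF_ROUNDS)
    return decrypt(key, store["backup"])


def wrong_passphrase_fails(store: Dict[str, bytes], passphrase: str) -> bool:
    """True if the MAC check rejects a restore attempted with the wrong passphrase."""
    try:
        restore_user_backup(store, passphrase)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    log = b"constructed sample chat log: alice -> bob: lunch at noon?"
    print("provider-keyed, readable by provider:", what_the_provider_can_read(provider_keyed_backup(log)))
    print("user-keyed, readable by provider:", what_the_provider_can_read(user_keyed_backup(log, "pass")))
```

Note the trade-off the user-keyed variant carries, which the "Why backups?" section below discusses: a forgotten passphrase means an unrecoverable backup, which is exactly the usability pressure that pushes services toward holding the key themselves.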
A key to end all encryption
This question of keys brings us to another problem that is relevant even if your messages are technically encrypted end-to-end: who has control over your keys? By default, WhatsApp can change your encryption keys without as much as notifying you. I covered this in detail in Why the WhatsApp Backdoor is Bad News.
Key management is also the area where iMessage fails to deliver on their end-to-end encryption promise. Apple controls the central server that is used to distribute public keys and connect new devices, which may be convenient but is also very vulnerable. [5] Apple doesn’t have your private keys, but they can “connect” another “device” to your account so they can read your messages without your knowledge and send copies of messages that were meant for you to anyone who has the power to make them do this (e.g., a US government agency).
By definition, end-to-end encryption allows you to communicate over a potentially monitored channel and be sure that only your recipient can read the messages. Both WhatsApp and iMessage violate their end-to-end encryption promises because of their handling of backups and key changes.
On true end-to-end encryption
The following four conditions must be true if you're looking for actual end-to-end encryption without reservations and fine print:
- You can verify keys to make sure you're talking to the people you think you're talking to and not to an eavesdropper. In iMessage you can't, so you might as well be sending your messages directly to the FBI. [5] Telegram secret chats and calls allow you to verify keys.
- You know when the keys change for some reason. By default, your WhatsApp key that you previously verified can be changed without your consent or knowledge – you need to turn on a special setting to prevent this, despite claims to the contrary in the WhatsApp FAQ. [6] In contrast, Telegram secret chats are session-specific. When you log in on a new device, starting a secret chat creates an entirely new chat, visibly separated from the old one in the recipient's chat list. This serves as a much more prominent indicator that a key change has taken place, and more importantly, this is the default behavior. There's no need to turn on any extra settings.
- You can check the code of the apps. Both iMessage and WhatsApp are closed-source proprietary apps, so we have to take their word on everything they say they do. Independent researchers can't verify their end-to-end encryption implementation or point out errors in their apps. As already discussed above, Telegram's app code is open source, which allows a full evaluation of the end-to-end encryption implementation.
- You lose your data if you didn't prepare in advance. If you can log in on a fresh device, connect to the service and get your chats back by simply confirming your phone number, your data was not encrypted end-to-end. Both iMessage and WhatsApp backups violate this principle. By contrast, if you log out of Telegram, all your secret chats are lost and can no longer be recovered.
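The first two conditions above (being able to verify keys, and knowing when they change) and the "connect another device" problem from the iMessage discussion all come down to one client-side check: pin what you verified, and compare every fresh key bundle against it. Here is an added example of that check, written for this page; it is not the code of Telegram, WhatsApp or iMessage, and the public keys are random stand-ins rather than real key material. The `notify_on_key_change` flag models the difference between a client that surfaces the event to the user by default and one that silently re-pins the new key set; the contact and device names are constructed.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


def fingerprint(public_key: bytes) -> str:
    """Human-comparable digest of a public key, grouped like a 'verify key' screen."""
    h = hashlib.sha256(public_key).hexdigest()[:40]
    return " ".join(h[i:i + 5] for i in range(0, 40, 5))


@dataclass
class ContactRecord:
    devices: Dict[str, str]     # device id -> pinned fingerprint
    verified: bool = False      # True once the user compared fingerprints out of band


@dataclass
class Client:
    notify_on_key_change: bool
    contacts: Dict[str, ContactRecord] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)   # what the user is actually shown

    def receive_key_bundle(self, contact: str, bundle: Dict[str, bytes]) -> List[str]:
        """Compare a key bundle fetched from the key server with the pinned set.

        Returns the list of detected changes; whether the user sees them depends on policy.
        """
        fresh = {dev: fingerprint(pk) for dev, pk in bundle.items()}
        rec = self.contacts.get(contact)
        if rec is None:   # trust on first use: nothing to compare against yet
            self.contacts[contact] = ContactRecord(devices=fresh)
            return []
        events: List[str] = []
        for dev, fp in fresh.items():
            if dev not in rec.devices:
                events.append(f"{contact}: server added device '{dev}'")
            elif rec.devices[dev] != fp:
                events.append(f"{contact}: key changed for device '{dev}'")
        for dev in rec.devices:
            if dev not in fresh:
                events.append(f"{contact}: device '{dev}' removed")
        if events:
            rec.verified = False     # the earlier out-of-band check no longer covers this set
            rec.devices = fresh
            if self.notify_on_key_change:
                self.alerts.extend(events)   # silent policy: re-pin and say nothing
        return events

    def verify_out_of_band(self, contact: str, fingerprints_read_aloud: Dict[str, str]) -> bool:
        """Mark a contact verified only if every pinned fingerprint matches what they read out."""
        rec = self.contacts[contact]
        rec.verified = rec.devices == fingerprints_read_aloud
        return rec.verified


def scenario(notify_on_key_change: bool) -> Dict[str, object]:
    """Constructed walk-through: Alice verifies Bob, then the key server serves an extra device."""
    alice = Client(notify_on_key_change)
    bob_phone = secrets.token_bytes(32)      # stand-in public keys, not real key material
    extra_device = secrets.token_bytes(32)

    alice.receive_key_bundle("bob", {"phone": bob_phone})
    verified = alice.verify_out_of_band("bob", {"phone": fingerprint(bob_phone)})

    # Later the key server returns Bob's bundle with one more device in it.
    events = alice.receive_key_bundle("bob", {"phone": bob_phone, "unknown-device": extra_device})
    return {
        "verified_before": verified,
        "events": events,
        "user_was_alerted": len(alice.alerts) > 0,
        "still_verified": alice.contacts["bob"].verified,
    }


if __name__ == "__main__":
    print("notifying client:", scenario(True))
    print("silent client:   ", scenario(False))
```

Both policies detect the same change; the difference is only whether the user learns about it, which is why the condition is stated as "you know when the keys change" rather than "the client knows". A client that also refuses to send to a contact whose record has dropped back to unverified turns the alert into an enforcement point rather than a notice.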
Why backups?
The problem of losing data and connecting new devices when you no longer have access to your previous phone is central to the user experience in messaging. As you can see, this problem is acute enough to make big companies like Apple (iMessage) and Facebook (WhatsApp) completely compromise their end-to-end encryption solutions.[7]
It is impossible for a mass market messaging app to ignore the question of backups. At the same time, the end-to-end encryption paradigm doesn't offer any backup solutions that can "just work" for a user who lost their device together with their old keys – the keys that nobody else is supposed to have.
The Telegram way
To satisfy people's need for backups and syncing in a safe manner, Telegram's Cloud Chats offer server-client encryption and secure in-house backups. The data centers and the relevant encryption keys are spread across different jurisdictions to protect them from government requests.
For the most sensitive data, Secret Chats guarantee end-to-end encryption. Unlike on iMessage or WhatsApp, when you send a message into a secret chat, you can be 100% sure that nobody, including the Telegram server, knows the contents of that message.
This hybrid solution was pioneered by Telegram in 2013 and has since been emulated by Kakao (2014), Line (2015), Google Allo (2016), and Facebook Messenger (2016). All these services introduced their own versions of end-to-end encrypted chats in addition to basic cloud-based messaging. Unlike the services that followed in its wake, Telegram protects its cloud data in a way that no US company (or any country-dependent company) can.
As a result, Telegram users enjoy seamless syncing on phones, tablets, and computers, immediate availability on newly connected devices, and the option to pick up where they left off (cloud drafts) in their secure Cloud Chats. At the same time, the separate entity of end-to-end encrypted Secret Chats is specifically excluded from backups, which allows users full control over the data they deem sensitive.
Notes
[1] Sniffer tool displays other people's WhatsApp messages (Heise Online):
"WhatsApp messages are transmitted in plain text, meaning that curious eavesdroppers, along with the intended recipient, can read them."
[2] Where WhatsApp went wrong (Electronic Frontier Foundation):
"...We have advised users to never back up their messages to the cloud, since that would deliver unencrypted copies of your message log to the cloud provider. In order for your communications to be truly secure, any contact you chat with must do the same."
[3] "WhatsApp currently seems to both generate and backup the key data. This means they have key access and subsequently can access user data." (The Telegraph)
[4] WhatsApp and Google Drive: The story of our integration, (Google I/O 2016)
“About 75% of WhatsApp users are on Android, and of our Android users, we have about 40% of them opted into Google Drive backups today. That will likely continue to increase over time, as people get prompted.” Product Manager Randall Sarafa, one month after Google Drive backups were introduced to WhatsApp.
[5] Apple explains exactly how secure iMessage really is (TechCrunch)
"...Because Apple is encrypting messages/data once for each device and has control over the key infrastructure, they may (if, say, by court order) be able to throw another public key into the mix— thereby allowing messages sent to you after that point to be read by whoever has the corresponding private key."
[6] WhatsApp FAQ:
"Only you and the person you're communicating with can read what is sent, and nobody in between, not even WhatsApp. [...] All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages."
[7] Signal, another alternative mentioned by the Gizmodo author, does not offer any automated backups at all. This may be acceptable for tech savvy users who know what they are doing, but is clearly not enough for mass market users who are not prepared to lose their entire chat history together with a stolen phone. These mass market users also need privacy and protection from advertisers and snoops. Signal fails to address their needs and enjoys a marginal existence as a result: used by privacy geeks but ignored by the hundreds of millions of mass market users despite heavy marketing.
Addendum: on iCloud backups
Apple pushes everyone to use iCloud for the sake of usability since this allows “enable and forget” backups.[8],[9] There is no way of knowing whether your chat partners are backing up your data even if you aren't.
While automated iCloud backups may sound convenient, you should never forget that Apple has full access to any data in these backups. They encrypt your iCloud data in storage, but they encrypt it with their own key, not with your passcode key, which means that they can decrypt anything to comply with government requests – despite end-to-end encryption claims. [10]
Apple actively encourages all users to use iCloud, making it rather difficult to opt out. [9] In 2015, Apple complied with ~80% of government data requests covering more than 16,000 devices. [11]