Another thing that wasn't pointed out: Du Rove said "Signal messages have been exploited against them in US courts or media."
This would be the same case for Telegram as well, if someone has your phone. I believe that Signal can have a lock on the client, and the database is encrypted.
The other part that Du Rove conveniently left out: Signal went against the US courts and won [0]. When subpoenaed to give all user information they gave them all they had: the unix timestamp of when the account was created, and the last date you connected to the Signal service. That was in late 2021. I'm really curious as to what Telegram has told the FSB.
[0]: https://signal.org/bigbrother/cd-california-grand-jury/
Telegram iirc moved its lead developers to Dubai specifically because the FSB was demanding info from them, so you could argue that's an unfounded concern.
The bigger problem with Telegram is that it by default has insecure encryption settings (as opposed to Signal, where encrypted is the default; you need to manually activate it with Telegram + I think it's not possible to enable for all chats and clients) and to my knowledge, Telegram will outright co-operate with law enforcement agencies to just hand over unencrypted communications. I'd personally argue that's a security dark pattern - make privacy a big selling point, but then don't activate the security by default.
pretty similar to whatsapp. they boast end to end encryption, but business account (all of them now) uses the facebook server's key, so that the business can give access to several other clients to answer customers. they still call it end to end encryption, and this was actually the last crap the original founder accepted before leaving with lots of money on the table.
“All of them” in what sense?
I use WhatsApp dozens of times a day, and interact with business accounts every couple months at most.
Good for you, you probably do not live in a country under digital colonialism where the gov allowed facebook et al to force internet providers to tax the pop with absurdly low and expensive data limits and then "not count" things like facebook and whatsapp and one music app.
In most of the global south, 100% of businesses have a whatsapp. In those places it pretty much replaced telephone and the green whatsapp icon is now what the current young generation recognizes the way we did the black telephone outline on a business front next to a number.
and if you own a business, or are self-employed, it is even worse: you live by that app.
Are you saying this is a worse alternative to other communication methods with businesses? What would you use with them that has better encryption?
The lack of encryption between myself and a business is less offensive than replacing an open standard (plain old telephone systems, eMail) with a proprietary and closed one, backed by a single, private corporation
I don't think they've been replaced, though?
De jure or de facto?
Neither.
i completely agree with your sentiment, but i will also say this.
As an expat, this feature has enabled me to transact with locals from the convenience of my phone, even though i don't have any local line and i will not bother to get a local SIM card, nor do i want to have a US SIM and a local one interchangeably.
It also enables me to be very effective when requesting services on demand, and cutting thru the on-hold time, disconnected calls, or the needless chitchat.
I have many bad things to say about WA, but making living more difficult in a foreign country is not one of them.
But they gave the FSB info they asked for -- the vk.com website (facebook clone, at that time it had way more massive amounts of user data than telegram). They could have deleted the data, but no, they handed it over to FSB.
vk.com and telegram have nothing in common, except the founder. Durov was forced to sell his part in the vk.com and telegram development started after that as a response.
This is a deeply funny sentence.
"Other than that, Mrs. Lincoln, how was the play?"
You conveniently forgot about the second part of that comment. Durov was forced out of the country and had to sell vk.com for peanuts because of his refusal to cooperate with the government. He is still pissed off at the country at large (not just the government) and refused to add the Russian translation for years, for example, despite it having absolutely nothing to do with Putin.
Since he is Russian in origin, it's okay to throw baseless accusations at him and spout nonsense like "maybe they're FSB agents" or "maybe they hired an FSB agent without knowing it". You see it here everywhere, and HN is one of the better sites in that regard. Well, maybe Signal has hired an NSA agent and doesn't know about it either? How does that sound?
It wouldn't be the first time a cover story was ever used.
You should presume they're trying. I, frankly, presume they've succeeded, either in placing an agent or by compromising something, in virtually every prominent messaging platform.
I will point out, in their defence, they handed it over to an organisation that has a habit of assisting people in learning how to fly from windows. This isn't to say Telegram is secure but that it's unlikely they "could have deleted the data" and remained alive.
FSB mostly wanted to prevent people organizing, and that would serve it well. They already had another popular service (odnoklassniki.ru) where to direct people.
I think it's a great approach instead: the secure, end to end encryption is there and it's ready to be used.
You can easily activate it but you aren't burdened by it for 99% of the time when e2e encryption is not needed.
So, in those 1% of the cases when you actually need it, you're instantly flagging yourself as doing something fishy? Because if it ever comes down to it, good luck proving otherwise in a court.
That's like the whole point of why it should be on by default. Not because me making dinner plans is something super-secret that needs to be e2e-encrypted, but because those two scenarios need to be indistinguishable from each other for e2e to be effective.
Yes. Additionally you are at bare minimum signalling that the metadata of the encrypted comms is worth further analysis.
For exactly the same reason if you have a paper shredder, you don't only shred confidential material, you shred a bunch of junk as well to make it harder to find which pieces to reconstruct.
I'd argue it's not giving us any certainty. They could've moved away to escape. They could've moved away to a nice FSB-sponsored location while making good publicity. Ideally the tech should be good enough for this issue to not matter.
To add to this: and they may have hired an FSB agent without knowing it.
EDIT: Disregard below. I'm an idiot when it comes to maps. The statement regarding if the developers are still Russian I believe is still relevant.
Considering the state of Saudi Arabia, having it there is marginally better, but still problematic.
And if the developers are still Russian, there's nothing saying they aren't being squeezed unless their families came with them to Dubai.
Dubai is in the UAE, not Saudi Arabia
Telegram has moved to Dubai long ago so no idea where you get the idea that FSB can strong-arm them from.
As I stated in a sister comment, Dubai is marginally better, but not significantly better. If it's the same original developers, they could be squeezed through their family.
Same goes for Signal devs, or any devs really. You're only stating the obvious: humans can be forced and coerced given enough motivation and resources.
Singling out Telegram, or Signal, or any other service's devs is not advancing any argument forward.
There is more reason to be concerned about Telegram than most other similar services.
Partly because it’s insecure by default, which makes a large percentage of conversations vulnerable.
And also because the team behind it is very susceptible to pressure from the Russian government, which is especially bad when it comes to these things. Even if some of them are based out of Dubai now, it doesn’t mean that they aren’t still at risk of coercion, either directly or through for example threats against family members who remain in the country.
If you don’t trust Russia, which you shouldn’t, then don’t trust Telegram with anything sensitive.
Whom should we trust then? Have we already forgotten about Snowden?
Can we trust some more than others without trusting anyone completely?
I for one trust that there are more Americans who would say no to the NSA when they have a legal basis for doing so than there are Russians saying no to the FSB.
The state of the rule of law is certainly not great anywhere in the world right now. But it's far worse in some places than in others. The difference still matters to some degree.
Not to mention there's not much reason to trust UAE any more than there is to trust Russia.
No, telegram is especially concerning given how insecure it is by default.
Durov travels freely to and from Russia and several of their employees are still based in Russia. So yeah, the FSB have leverage if they need to use it.
You say it like it's a fact, so I assume you have proof? Durov is very vocal about being in exile so this looks doubtful.
That's the tune of every Russian oligarch that doesn't want to get caught up in a sanctions regime that makes their Paris/Milan shopping trips a pain.
This is incorrect. Check your facts. They're made up.
Ah yes, Dubai the bastion of integrity, equality and human rights.
True, they aren't. Whether they're friends with Russia is another thing though.
They don't have to be friends to turn a blind eye.
If Dubai had to pick between letting some nobody foreign national living on their soil get squeezed by a foreign secret police, or pissing off the Russians, what do you think they would do?
(This isn't a knock on Dubai specifically, substitute them for almost any non-NATO country in the world).
Hardy har har har. How quaint.
Guess you never heard of polonium either.
https://www.theguardian.com/world/2016/mar/06/alexander-litv...
I heard. Your point?
They have a long reach and like to be brutal for effect.
Did you hear about a russian pilot who defected to Ukraine and then was killed in Spain?
https://www.nytimes.com/2024/02/20/world/europe/russian-pilo...
If russia wants to find and kill you they will.
Okay, and your conclusion in relation to the topic is...?
If whatever State/Government wants to find and kill you they will.
"Winning" would mean not having to comply with the subpoena...
The winning in this case was they had to fight to be allowed to release what they provided.
As nice as it would be to not have to provide that information, Signal proved that the only information they have to give is largely useless to law enforcement.
The database is encrypted, and the password is right next to the database in a json file.
On desktop; on Android and iOS it uses the OS keystore. It really should do so on desktop as well; Windows, Mac and Linux (through the freedesktop standard) all have APIs for that, there really isn't much excuse. Desktop Signal has always had terrible security, unfortunately.
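An added example, not part of the thread and not Signal's code: a small audit for the pattern the last two comments describe, a database whose key sits as plaintext in a JSON file in the same profile directory instead of behind an OS keystore. The directory layout, file names and the `key` / `keyRef` fields are constructed for illustration.

```python
import json
import re
import stat
import tempfile
from pathlib import Path

HEX_KEY = re.compile(r"^[0-9a-fA-F]{32,}$")  # raw key material: 128 bits or more, hex-encoded
DB_SUFFIXES = {".db", ".sqlite"}


def find_plaintext_keys(app_dir):
    """Flag JSON files in app_dir that hold a raw hex key; the key value is never returned."""
    app_dir = Path(app_dir)
    has_db = any(p.is_file() and p.suffix in DB_SUFFIXES for p in app_dir.rglob("*"))
    findings = []
    for cfg in sorted(app_dir.glob("*.json")):
        try:
            data = json.loads(cfg.read_text())
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to report
        if not isinstance(data, dict):
            continue
        mode = stat.S_IMODE(cfg.stat().st_mode)
        for field, value in data.items():
            if isinstance(value, str) and HEX_KEY.match(value):
                findings.append({
                    "file": cfg.name,
                    "field": field,
                    "beside_database": has_db,
                    "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                })
    return findings


def build_sample(root, keystore_backed):
    """Create a constructed profile directory: sql/db.sqlite plus config.json."""
    root = Path(root)
    (root / "sql").mkdir()
    (root / "sql" / "db.sqlite").write_bytes(b"\x00" * 16)  # stand-in for an encrypted database
    # Constructed values: a dummy 256-bit hex key, or a reference to an OS keystore entry.
    cfg = {"keyRef": "os-keystore:app-db-key"} if keystore_backed else {"key": "ab" * 32}
    path = root / "config.json"
    path.write_text(json.dumps(cfg))
    path.chmod(0o644)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d, keystore_backed=False)
        print(find_plaintext_keys(d))
```

A finding with `beside_database` set means the encryption adds little against anyone who can read the profile directory, which is the gap an OS keystore closes.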