this post was submitted on 26 May 2026

216 points (98.6% liked)

Technology

84938 readers

3453 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

216

Telegram is lying to you about privacy (donald.cat)

submitted 20 hours ago by columbus@lemmy.world to c/technology@lemmy.world

43 comments fedilink hide all child comments

top 43 comments

sorted by: hot top controversial new old

[–] SethTaylor@lemmy.world 6 points 7 hours ago (1 children)

So it's not selling all my information to the Kremlin?

[–] columbus@lemmy.world 1 points 7 hours ago

Russia is a toothless tiger.

[–] Treczoks@lemmy.world 11 points 10 hours ago (1 children)

As long as the keys are handled via a closed source app and server system, e2ee is potentially broken.

Even if you generated the key, keep the private part locally and submitted only the public part to your communication partner, you can never be sure that the intransparent app does keep your private key private.

With WhatsApp I'm quite sure that they somehow can retrieve the private key. Certain events point to that. But I see no reason to consider signal or telegram any more trustworthy - they are all prone to governmental influence.

And as open source and closed app infrastructure are incompatible, I would not handle anything important on an Android or Apple device.

[–] punkisundead@slrpnk.net 3 points 9 hours ago (2 children)

With WhatsApp I’m quite sure that they somehow can retrieve the private key. Certain events point to that.

What events point there?

[–] adhdsergio@lemmy.world 1 points 3 hours ago

I've no proof of this, but technically the whatsapp app is closed source so they could push an update that collects the private keys, if they don't do this already

[–] Scrollone@feddit.it 3 points 9 hours ago

I don't know about WhatsApp, but macOS backups your keys on iCloud by default, so...

[–] esc@piefed.social 6 points 10 hours ago

It was made by m*scovites in m*scovia with fsb money, by the same guys that tried to copy facebook.

[–] morto@piefed.social 23 points 14 hours ago

I try not to be repetitive with the astronaut meme, but they don't help. Here we go:

[–] magnue@lemmy.world 7 points 11 hours ago (1 children)

Better than WhatsApp at least

[–] Treczoks@lemmy.world 3 points 10 hours ago (1 children)

As in "with WhatsApp we know, with others we cannot exclude the possibility"?

[–] magnue@lemmy.world 8 points 10 hours ago

As in "fuck the zucc"

[–] SnotFlickerman@lemmy.blahaj.zone 86 points 19 hours ago (2 children)

More people need to understand this, Telegram was never trustworthy to begin with.

[–] Natanael@slrpnk.net 44 points 19 hours ago (1 children)

They spent years lying about their encryption algorithms too acting like they're more secure than Signal when they never were

[+] timewarp@lemmy.world -23 points 18 hours ago (2 children)

Signal cares so much about your privacy that they need your phone number.

[–] KingKong33@lemmy.ml 12 points 12 hours ago

Privacy ≠ anonominity.

[–] atrielienz@lemmy.world 13 points 18 hours ago (1 children)

Supposedly to combat spam (which makes sense) and some BS about bringing your social network.

But let's think about this logically. What can they do with your phone number when they don't know who you are?

Let's say they receive a subpoena from a government law enforcement entity. That would have to include your phone number and even then what can they give that entity? The date you registered the number and the last time your account was active?

At best my guess is that you and others who bring this up are worried about the information that you can buy from data brokers that would include a phone number and allow someone with the phone number to link it to a person.

But at that point law enforcement already knows the number, already has likely used to same services to link that number to a human, and since most people haven't de-googled or use an iPhone they likely know what apps are installed. Including signal.

What is the threat profile that should be worried about this?

Please note that I don't think they should need to require a phone number and if you don't want that you can use a different service.

But I'd like someone to elaborate on their reasons for objecting to this.

[–] chameleon@fedia.io 3 points 13 hours ago

I ended up wanting an online pseudonymous identity as well as an offline real-life identity, which leads to needing multiple phone numbers when things are tied to said number. That's extremely annoying to manage, especially with Signal's current activity and update policies that essentially require you to keep a phone in a drawer, charge it and log into it every so often or risk losing your entire account due to inactivity, as only the mobile device counts for that purpose (this might supposedly be changing).

In that particular scenario, I don't really care if my least-favorite three-letter-agency or law enforcement can link my identities. It's a nice bonus if they can't, but not an absolutely required feature. The main worry is the person on the other end trivially learning it. But the person on the other end might have a different set of worries that makes Signal one of the few available options for them.

That said, Telegram also requires a phone number and has exactly the same issue, so this is a rather weird thread to bring that up.

[–] Treczoks@lemmy.world 1 points 10 hours ago (1 children)

In the same class as any app store based communication software.

[–] Natanael@slrpnk.net 2 points 6 hours ago

Signal can be installed from an apk from their site

https://signal.org/android/apk/

[–] wuffah@lemmy.world 42 points 18 hours ago (1 children)

Every since the CEO of Telegram was basically lured to Paris, arrested, then read the riot act for Telegram’s non-cooperation with French authorities, the company has been responding to warrants and downplaying its “E2EE” features. Expect them to have a fully accessible backdoor for LE.

By the way, don’t forget about that Bitlocker backdoor that “mysteriously” doesn’t affect Windows 10.

The EU and US digital surveillance states have been tightening their grip on encryption and online anonymity for years now. “Age verification” is just the latest push.

[–] wizardbeard@lemmy.dbzer0.com 15 points 18 hours ago

I can only assume there's a different backdoor for 10 that just hasn't been published. Even if there isn't, Windows defaults to backing the key up to the attached Microsoft account. You think they'd ever tell intelligence agencies to come back with a warrant for that?

Just use Veracrypt folks.

[–] OhVenus_Baby@lemmy.ml 5 points 12 hours ago

Security doesn't equal private.

[–] redsand@infosec.pub 3 points 13 hours ago

https://simplex.chat/

[–] kungen@feddit.nu 15 points 18 hours ago (1 children)

Why not mention that "Secret Chats" aren't that safe either?

[–] Treczoks@lemmy.world -2 points 10 hours ago

Just like any app-store based software.

[–] aeronmelon@lemmy.world 16 points 19 hours ago (4 children)

Signal (assuming you live in a country that hasn’t blacklisted them for refusing to install backdoors).

[–] lepinkainen@lemmy.world 4 points 11 hours ago (1 children)

Signal still doesn’t support bots and is shit for bigger groups

Good for 1-10 friends and 1on1 chats tho

[–] Coldcell@sh.itjust.works 2 points 8 hours ago (1 children)

Are these negatives?

[–] graynk@discuss.tchncs.de 4 points 7 hours ago

yes

[–] Treczoks@lemmy.world 1 points 10 hours ago

Same. Any non-verifyable app in an app store is at least suspect.

[–] SnotFlickerman@lemmy.blahaj.zone 10 points 19 hours ago (2 children)

Matrix, Session, SimpleX chat, Tox chat, Jami... and so on.

[–] REDACTED@infosec.pub 6 points 18 hours ago

Clash of Clans

[–] unitedwithme@lemmy.today 6 points 18 hours ago

Session EoL this July.

[–] Ricaz@lemmy.dbzer0.com -3 points 8 hours ago

Signal is legitimately one of the worst messaging apps I've tried

[–] melfie@lemmy.zip 3 points 13 hours ago

Tried to sign up once, but it wanted my real phone number and a fake one from a temp SMS site wouldn’t work. Private messaging? Sure, Jan.

[+] flamingleg@lemmy.ml -15 points 19 hours ago (3 children)

it is not hosted in the US or a country affiliated with the US, which makes it infinitepy more secure from the point of view of sovereign risk

[–] Treczoks@lemmy.world 2 points 10 hours ago

No, it does not. There is a different primary actor, but that does not exclude anything.

[–] Zedstrian@sopuli.xyz 19 points 19 hours ago (2 children)

The Telegram servers are in Miami, Amsterdam, and Singapore, so some data is still stored in the U.S.

In any case, it wouldn't be any better to have data stored in a country like China or Russia.

[–] flamingleg@lemmy.ml 3 points 9 hours ago

this is very disturbing to learn, thanks for sharing

[–] OccasionallyFeralya@lemmy.ml -2 points 14 hours ago (1 children)

Chinese and Russian authorities can’t steal me from my home and imprison and torture me for the rest of my life

[–] Zedstrian@sopuli.xyz 2 points 14 hours ago

No, but they do that to plenty of their own citizens.

Better something from a non-authoritarian country that doesn't also happen to be in the Five Eyes intelligence network.

[–] SnotFlickerman@lemmy.blahaj.zone 10 points 19 hours ago* (last edited 19 hours ago) (1 children)

Oh, you mean the guys who were obviously such criminals they were run out of Russia and Europe and had to settle on being headquarted in Dubai?

Oh the guys who instead of doing something thoughtful like Mullvad and having RAM only servers with no logs, they just hide all their datacenters behind shell companies to avoid complying with legal subpoenas? That's not completely shady at all, nope.

I mean, it's not like Matrix or SimpleX chat or others that actually are secure (-ish, even Matrix leaks metadata!) and thoughtfully designed and open source that you can self host or don't need servers or are incorporated in Europe (like Telegram tried to incorporate initially before settling on Dubai).

Oh and don't forget France had very good reasons to arrest Pavel Durov, co-creator of Telegram. He went on Tucker Carlson to defend himself, which says it all, really.

[–] flamingleg@lemmy.ml 1 points 9 hours ago

pavel not complying with russian or french requests gives me some confidence that if some agency subpoena'd telegram for user records, they might actually have the spine to say no

Isn't signal basically just a honeypot for feds these days like TOR? i didn't know telegram was also hosted in the US, which is kinda heartbreaking but such is life in the imperial core i suppose