War has come for the popular encrypted messaging app Telegram, not for the first time and likely not the last. This week, Thailand banned the app in an effort to slow down protesters. Last week, Belarus banned it. When I shared that article, my replies were flooded with variations of “f*ck Apple.” Surprisingly though – even more so since I was posting on a decentralized platform – nobody had anything to say about Telegram.
Telegram is notorious in the privacy community for not being the best choice. While the app itself is open source, the servers that run it are proprietary, meaning that we have absolutely no idea what’s going on behind the scenes. Furthermore, rather than a more robust, pre-existing encryption algorithm, Telegram uses its own encryption, which experts have notoriously criticized as being weak and easily broken.
I don’t want to victim blame, but I think the war on Telegram highlights a very important issue: decentralization. There are many ways to censor an app, but the one I want to focus on in this article is censoring the traffic. I use many encrypted messengers for different purposes. One of them is Signal (spare me your hate mail, I would rather my mom use Signal than SMS cause there’s no way I can convince her to set up XMPP. She’s not stupid but she’s not that tech savvy either). When setting up Signal on my laptop, the instructions on their website say to allowlist "*.whispersystems.org" and "*.signal.org" along with other common ports that one would expect. This means that if ever my country bans Signal for whatever reason, it would be a trivial affair: block those two domains and you’ve now hamstrung my connection.
On the other hand, I use other decentralized messengers like Session, XMPP, and Element. Good luck censoring those. There’s a lot more that goes into making an app hard to centralize, but I think that’s one of the most critical. With XMPP or Riot, we can make a new app that isn’t banned in the app store (or simply spread the binary file around outside the store). With Tor, we can hide the traffic on Port 443, making it indistinguishable from other TLS (HTTPS) traffic. But if they’re all using the same centralized servers, there’s virtually no way to counter that.
That’s why decentralization is so important. Sure, you can shut down Matrix.org and hamper a huge section of the Riot community, but what about PrivacyTools.io’s server? What about the dozens of other self-hosted servers? Same thing with XMPP. I can’t even count all of those. And many of these servers even reside in other countries. That’s why cybercrime flourishes so much. If someone in Sudan phishes the bank account of someone in France, what are you really gonna do? There are no existing extradition agreements. There are really no repercussions for the criminal or incentive not to do it again. So even if the Five Eyes (USA, UK, Australia, Canada, New Zealand) all get together to ban Riot, they can’t shut down the servers that are hosted outside of those countries, which means they’ll forever be playing whack-a-mole with the various servers that pop up and adding them to a blocklist.
So let’s take this opportunity as a learning moment. Telegram probably isn’t going away, which means that in the future it will be banned by someone else. Furthermore, as we speak, the Five Eyes plus India and Japan are calling for an outright ban on end-to-end encryption. Now is the time to arm yourselves against censorship. I’m a big believer in personal responsibility, and that means learning how to defend yourself and take care of yourself. This is the time to be personally responsible for your privacy and security.
Blog piece for decentralize.today submitted by contributing writer TheNewOil.