Moxie Marlinspike was one of the creators of the Signal messaging service, which is considered to be the 'gold standard' for encryption.

Moxie Marlinspike (@moxie), 23 Dec 2021

It's amazing to me that after all this time, almost all media coverage of Telegram still refers to it as an "encrypted messenger." Telegram has a lot of compelling features, but in terms of privacy and data collection, there is no worse choice. Here's how it actually works: 1/

Moxie Marlinspike (@moxie), 23 Dec 2021

Telegram stores all your contacts, groups, media, and every message you've ever sent or received in plaintext on their servers. The app on your phone is just a "view" onto their servers, where the data actually lives. Almost everything you see in the app, Telegram also sees 2/

Moxie Marlinspike (@moxie), 23 Dec 2021

Here's a simple test: delete Telegram, install it on a brand new phone, and register with your number. You will immediately see all your conversation history, all of your contacts, all the media you've shared, all of your groups. How? It was all on their servers, in plaintext 3/

Moxie Marlinspike (@moxie), 23 Dec 2021

The confusion is that Telegram does allow you to create very limited "secret chats" (no groups, synchronous, no sync) that nominally do use e2ee, even if the security of the e2ee protocol they use is dubious. There's no e2ee by default, but they talk about it like there is 4/

Moxie Marlinspike (@moxie), 23 Dec 2021

FB Messenger also has an e2ee "secret chat" mode that is actually much less limited than Telegram's (and also uses a better e2ee protocol), but nobody would consider Messenger to be an "encrypted messenger." FB Messenger and Telegram are built almost exactly the same way. 5/

Moxie Marlinspike (@moxie), 23 Dec 2021

Some may feel okay letting Telegram have access to all of their data, msgs, images, contacts, groups, etc. because they "trust Telegram." However, the point of an "encrypted messenger" should be that you don't have to trust anyone other than the ppl you're communicating with 6/

Moxie Marlinspike (@moxie), 23 Dec 2021

Actual privacy tech is not about trusting someone else w/ your data. It's about not having to. A msg you send should only be visible to you & recipient. A group's details should only be vis to the other members. Looking up your contacts should not reveal them to anyone else. 7/

Moxie Marlinspike (@moxie), 23 Dec 2021

Privacy tech is really about making the tech consistent with the UI. But if Telegram's UI were consistent with the way the tech worked, every chat would be a group chat with everyone that works at Telegram + everyone that hacks Telegram + every gov that accesses Telegram, etc 8/

Moxie Marlinspike (@moxie), 23 Dec 2021

For the folks writing about this space, my request is that when you write "encrypted messenger," it should at *minimum* mean an app where all messages are e2ee by default. Telegram and FB Messenger are built exactly the same way. Neither are "encrypted messengers." 9/

Tweetstorm is an occasional series bringing you the best threads that we see, sometimes informative, educational, amusing and/or controversial...
