Comment by wkat4242

1 year ago

> If the answer is yes then law enforcement can too.

Is it technically possible for them to see it: yes

Does Telegram let them see it: I don't think so. That seems to be the core issue around Durov being arrested.

They probably should implement E2EE for everything. Then they will have a good excuse not to cooperate, because they simply don't have the data.

71 comments

wkat4242

Reply
schmichael  1 year ago

> Does Telegram let them see it: I don't think so.

This is exceptionally naive. Even if he was arrested for not sharing with the French, what about for other countries? Was he arrested for not ever sharing or not sharing enough? Even if he, personally, has never shared, that doesn’t say anything about his employees who have the same access to these systems.

Your data is not private with Telegram. You are trusting Telegram. It is a trust-based app, not a cryptographically secure app.

If you trust telegram, that’s your choice, but just because a person says the right words in interviews doesn’t mean your data is safe.

  • raxxorraxor  1 year ago

    You cannot be sure and yet Telegram often gets mentioned for being the only platform where states do not have easy access to user information or the ability to censor certain messages/content.

    So from a broad perspective, they probably behave better than comparable services.

    I think Telegram should not be trusted, but I also do not trust the alternatives, that readily share information with states. A special focus for me is that my own jurisdiction does not have access to my social media content. Other countries are secondary at first.

    • ParetoOptimal  1 year ago

      > Telegram often gets mentioned for being the only platform where states do not have easy access to user information or the ability to censor certain messages/content.

      By who?

      Simplex especially or even Signal are far better.

      1 reply →

  • po  1 year ago

    Following the St. Petersburg attack, the Federal Security Service (FSB), in an event that may ring somewhat familiar to many in the United States and Europe, asked Telegram for encryption keys to decode the dead attacker’s messages. Telegram said it couldn’t give the keys over because it didn’t have them. In response, Russia’s internet and media regulator said the company wasn’t complying with legal requirements. The court-ordered ban on accessing Telegram from within Russia followed shortly thereafter. Telegram did, though, enact a privacy policy in August 2018 where it could hand over terror suspects’ user information (though not encryption keys to their messages) if given a court order.

    ...

    ... Pavel Durov, Telegram’s founder, called on Russian authorities on June 4 to lift the ban. He cited ongoing Telegram efforts to significantly improve the removal of extremist propaganda from the platform in ways that don’t violate privacy, such as setting a precedent of handing encryption keys to the FSB.

    https://www.atlanticcouncil.org/blogs/new-atlanticist/whats-...

    • Canada  1 year ago

      This doesn't make any sense. Either the author of the article is confused, lying, or is drawing conclusions from source material that is untrue.

      In the US case, there was a phone where data was encrypted at rest. Though Apple was capable of creating and signing a firmware update that would have made it easier for the FBI to brute force the password, Apple refused to do so.

      In the Russian case, the FSB must have already had access to the suspect's phone because if it did not then Telegram would not be in any position to help at all.

      So, the FSB must have already had access. And therefore, by having access to the phone they also had complete access to the suspect's chats in plaintext, regardless of whether or not the suspect used Telegram's private chat. There would have been no keys to ask Telegram for copies of.

      Alternatively, the FSB might have had access to some other user's chats with the suspect, and wanted Telegram to turn over the suspect's full data. Telegram is 100% able to do that if they want to.

      As the specific part of the article you have quoted is definitely bullshit, I suspect the rest of it is bullshit too and that despite what Roskomnadzor states in public, the real fight with Durov was over censorship.

sroerick  1 year ago

Telegram is the only messaging app that I know of which brought attention to the fact that your messages go through Google/Apple notification APIs, which seems like it would utterly defeat any privacy advantage offered by E2EE

  • qwertox  1 year ago

    Why? I think Google suggests that you send the payload encrypted through the notification. Google then only knows which app to send the message to, they don't know from whom the message originates (only "a Telegram server") nor what the content is.

    Also, you could just send a notification instructing the app to fetch a new message from your server.

    From the docs:

    Encryption for data messages

    The Android Transport Layer (see FCM architecture) uses point-to-point encryption. Depending on your needs, you may decide to add end-to-end encryption to data messages. FCM does not provide an end-to-end solution. However, there are external solutions available such as Capillary or DTLS.

    https://firebase.google.com/docs/cloud-messaging/concept-opt...

    • sroerick  1 year ago

      Assuming an adversarial relationship, what sort of metadata could Google capture simply knowing which app was sending the notifications and who was receiving them?

      4 replies →

  • bonoboTP  1 year ago

    If the text appears on your screen I'm pretty sure there are ways for Google to capture it. I don't need to know how android's API works, knowing it probably just makes one blind to the big picture. You have to trust your OS/phone maker not to do a MITM.

    • XorNot  1 year ago

      Yes, but Google cannot be compelled to turn over data they don't actually have on their servers because the users encrypted it before it arrived with keys Google don't control.

      Signal could modify the application so a remote flag in the Play store binaries could be triggered to exfiltrate data as well. But the key distinction is the normal path of Signal gives them absolutely nothing they can tell anyone other then the bits they've put in the disclosure reports (namely: date and time an account ID used Signal I believe).

      3 replies →

    • xorcist  1 year ago

      Google (and Apple) has remote root over their message bus. This is reflected in the fact that they can remove spyware from people's phones remotely at any time.

      Should they have to comply with law enforcement they have much more straightforward ways of doing so than capturing messages off screen.

  • fsflover  1 year ago

    And yet Telegram doesn't allow to have e2ee chats on a Linux desktop or phone. You must rely on Google/Apple.

    • SXX  1 year ago

      Most of Telegram clients except initial mobile apps was actually open source projects that was choosen by company to become "offcial" ones.

      They just dont implement E2EE since almost no one uses it on Telegram.

  • pcl  1 year ago

    This claim is what really makes me skeptical of Telegram's privacy story. Their assertion is completely incorrect. (Source: have implemented end to end encrypted payload delivery over APNs / GCM.)

    And if they are so off base on this, they must either be incompetent or liars. Neither of which builds trust.

    • sroerick  1 year ago

      I’m old enough to remember when Signal first implemented cross-device sync using a Chrome plugin.

      I’d rather developers issue cautionary warnings than give a false sense of perfect security

alephnerd  1 year ago

> Does Telegram let them see it: I don't think so. That seems to be the core issue style Durov being arrested

The UAE requires decryption keys as part of their Telco regulations.

If Telegram can operate in the UAE without VPN (and it can), then at the very least the UAE MoI has access.

They (and their shadow firms like G42 and G42's shadow firms) were always a major buyer for offensive capabilities at GITEX.

On that note, NEVER bring your personal phone to DEFCON/Blackhat or GITEX.

Edit: cannot reply below so answering here

Cybersecurity conferences.

DEFCON/Blackhat happen during the same week, so you have a lot of script kiddies who lack common sense trying to pwn random workloads. They almost always get caught (and charged - happens every year), but it's a headache.

GITEX is MENA and Asia's largest cybersecurity conference. You have intelligence agencies from most of the Middle East, Africa, Europe, and Asia attending, plus a lot of corporate espionage because of polticially connected MSSPs as well as massive defense tenders.

  • mubu  1 year ago

    Sorry, but as someone who's completely out of the loop with these things. What's DEFCON/Blackhat or GITEX about and why shouldn't you bring your personal phone?

    I'm genuinely interested.

    • jijji  1 year ago

      defcon and blackhat are hacker/computer security conferences started by Jeff Moss (aka DT or Dark Tangent) in 1993 and held at the end of July or early August every year in Las Vegas.... The reason you don't bring your phone is it might get hacked

      6 replies →

kaba0  1 year ago

AFAIK this current case has absolutely nothing to do with any form of chat features, it’s about telegram’s public channels that more or less work like reddit/twitter/any other news channels, except it refuses to censor content.

highcountess  1 year ago

All the encryption stuff is just a red herring to a larger degree. It’s not the technical access to the information that is the issue, it is that people can share and exchange information that the various regimes do not want shared that is the primary issue. They want censorship, i.e., control of thought and speech, arresting the information flow.

They know what is being said and that’s what they want to arrest, that information can be sent and received. And by “they” I mean more than just the French. That was just coincidental and pragmatic.

The French state does not operate that quickly on its own, to get an arrest warrant five minutes after he landed and execute on it immediately. That has other fingerprints all over it in my view.

medo-bear  1 year ago

> They probably should implement E2EE for everything

Certainly not because then Telegram would lose alot of its functionality that makes it great. One thing that I really enjoy about Telegram is that I can have it open and synched across many independent devices. Telegram also has e2e as an option on some clients which cant be synched

immibis  1 year ago

Either Telegram will let them see it, or Telegram's CEO will go to jail. Telegram's CEO doesn't want to go to jail, so Telegram will let them see it.

victorbjorklund  1 year ago

they probably share it with russian authorities. Just look now. russia is allowing protests in favour of him (they only allow protest they support) and they arrested a french citizen on fake drug charges right after

empath75  1 year ago

Will they let _US_ law enforcement see it? No. Will they let Russian? Of course.

seanhunter  1 year ago

Do you have some info about Durov being arrested for not letting law enforcement see encrypted messages? The public info says he was arrested for "...lack of moderation, ...[and] failing to take steps to curb criminal uses of Telegram."

I don't see anywhere saying he's been arrested for anything to do with encryption or cooperating with investigations.

eg https://www.bbc.co.uk/news/articles/ckg2kz9kn93o but pretty much all the sources I have read say the same