The Arrest of Pavel Durov Is a Reminder That Telegram Is Not Encrypted

Scope of Telegram’s Encryption

  • Core dispute: the thread agrees that Telegram encrypts traffic to its servers, but most messages are not end‑to‑end encrypted (E2EE) by default.
  • “Secret chats” are E2EE but:
    • Only 1:1, not groups.
    • Tied to specific devices, no cloud history, both users must be online to start.
    • Not available on some desktop/Linux clients.
  • Several commenters call the headline “Telegram is not encrypted” misleading; they prefer “Telegram can read your messages (unless you use secret chats).”
  • Others argue that marketing and UI nudge users into non‑E2EE chats, so portraying Telegram as “secure” is itself misleading.

Security vs. Practical Threat Models

  • Multiple participants stress that app‑level encryption is only one layer:
    • OSes, keyboards, cloud backups, and auto‑updates can exfiltrate data.
    • Commercial spyware (e.g., Pegasus) and 0‑click exploits bypass messaging encryption entirely.
    • Closed firmware and drivers could exfiltrate data before it is encrypted.
  • Others counter that this line of argument quickly leads to nihilism; for most people, strong E2EE (e.g., Signal) is still much better than broken or legacy systems (like some radio protocols).
  • Operational security (device hygiene, compartmentalization, dedicated devices) is repeatedly highlighted as more important than any single app.

Trust, Russia, and Politics

  • Debate over whether Telegram is effectively under Russian state influence:
    • Cited points: past operations from Russia, reported state investment, continued heavy use by Russian military bloggers.
    • Counterpoints: past attempts by Russian authorities to block Telegram; presence of opposition and minority communities on the platform.
  • Some see pro‑Ukrainian use of Telegram as naive; others view it as pragmatic PR on a channel widely used by the adversary.

Usability, Features, and Alternatives

  • Telegram praised for UX: fast, full‑text search across huge histories, multi‑device support, strong web/desktop clients.
  • E2EE everywhere would complicate these features; suggestions include local search indexes or searchable encryption, but practicality and UX at Telegram’s scale are questioned.
  • Comparisons:
    • Signal and Matrix seen as more E2EE‑centric but less convenient (backups, web client, history migration).
    • WhatsApp/iMessage: E2EE by default, but concerns around server‑mediated device management and potential MITM.

Legal and Regulatory Context

  • Discussion of French charges related to providing cryptographic services without proper declarations.
  • Some note similar (mostly formal) export/import crypto controls in other countries and question selective enforcement.