“Telegram is not a private messenger. There’s nothing private about it. It’s the opposite. It’s a cloud messenger where every message you’ve ever sent or received is in plain text in a database that Telegram the organization controls and has access to it”
“It’s like a Russian oligarch starting an unencrypted version of WhatsApp, a pixel for pixel clone of WhatsApp. That should be kind of a difficult brand to operate. Somehow, they’ve done a really amazing job of convincing the whole world that this is an encrypted messaging app and that the founder is some kind of Russian dissident, even though he goes there once a month, the whole team lives in Russia, and their families are there.”
“What happened in France is they just chose not to respond to the subpoena. So that’s in violation of the law. And, he gets arrested in France, right? And everyone’s like, oh, France. But I think the key point is they have the data, like they can respond to the subpoenas whereas Signal, for instance, doesn’t have access to the data and couldn’t respond to that same request. To me it’s very obvious that Russia would’ve had a much less polite version of that conversation with Pavel Durov and the Telegram team before this moment.”
Why don’t we all just truly go FOSS and use matrix?
Matrix results in way more meta data and through federation those meta data could be stored in way more places.
Besides their main developer (element messenger) are cop / military boot lickers.
Those are some examples for why you might not use it, but depending on your use case you might still prefer it over Signal.
Because it’s not p2p.
I don’t understand his point about restoring your messages to a new phone. How does that prove it isn’t encrypted? Couldn’t Telegram store the encrypted data on their server, send the encrypted data back to you and then you automatically decrypt it because you have the key?
With my limited knowledge of cryptography, this is how I understand it:
The distinction to make is that the user’s password is not the encryption key - it only gives access to the key. So even if the user has the same password on a new device, there would be no way to decrypt the data without the original key.
In order to maintain full privacy, data has to be encrypted on device before sending it through any server (whether to another participant in a chat, or for backup). This means that the encryption key has to be on device.
If that key was copied over to a location not controlled by the user (e.g. Telegram server), then that location would have access to the key and can decrypt any data encrypted by that key. In the same vein, if a user loses their phone then that encryption key must be lost, so encrypted data cannot be decrypted on a new phone.
Which means that the only way that Telegram can provide the chats on a new phone (when the user has no access to the old phone) is if they have access to the encryption key and can provide it to the new phone.
From my experience with that: Telegram restored all unencrypted chats when I swapped phones without asking me for any password / key. I literally just confirmed my phone number and all my chats / groups / contacts appeared.
I assume you still had access to your old phone and could approve the transfer from it. If not, then your phone number is your password, which is even worse, in my opinion (it’s basically public information).
I got a one time password via SMS to confirm I am the one with access to this phone number.
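The key-custody argument in the replies above, as an added example that is not part of the thread and is not Telegram's or Signal's code: a simplified Python model of what a new phone can recover under three designs. The cipher is a toy standard-library stand-in for a real AEAD, and the function names, passphrase and message are constructed for illustration.

```python
import hashlib, hmac, secrets

MSG = b"meet at 6"  # constructed sample chat message

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy HMAC-SHA256 counter-mode keystream, a stdlib stand-in for a real AEAD cipher.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def restore_server_held_key():
    # Cloud chat model: the service keeps the key, so a login code is all a new phone needs.
    server_key = secrets.token_bytes(32)
    stored = seal(server_key, MSG)
    return unseal(server_key, stored)          # server decrypts and hands back history

def restore_device_only_key():
    # End-to-end model: the key was only on the lost phone; the server has ciphertext.
    stored = seal(secrets.token_bytes(32), MSG)
    new_phone_key = secrets.token_bytes(32)    # new phone cannot recreate the old key
    try:
        return unseal(new_phone_key, stored)
    except ValueError:
        return None                            # history is gone without the old key

def restore_passphrase_backup(passphrase_typed, passphrase_set=b"correct horse"):
    # Encrypted backup: device key wrapped under a passphrase the server never sees.
    device_key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase_set, salt, 200_000)
    on_server = (salt, seal(kek, device_key), seal(device_key, MSG))
    kek2 = hashlib.pbkdf2_hmac("sha256", passphrase_typed, on_server[0], 200_000)
    try:
        return unseal(unseal(kek2, on_server[1]), on_server[2])
    except ValueError:
        return None
```

Only the first design returns history to a device that has proved nothing beyond control of the account. The third shows that a server-side encrypted backup can be restored, but only when the user supplies a secret the server never held.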
That’s absurd coming from the founder of a FOSS messaging app who actively decided not to let Signal federate and rejected any other open source Signal client. Not only that, even now you can’t truly use Signal’s new “username” feature. If any of the recipients have your number stored in their phonebook, irrespective of whether you know them or not, the username goes for a toss. This was/is the problem with Telegram’s username feature. Signal knew this and still decided to go ahead with it. Not to mention never doing anything about completely removing the phone number from the account after its creation. This has been, by design, a privacy and hence safety threat, and even after the username feature was implemented, this not getting implemented is very concerning.
I’m sorry your free messaging app isn’t perfect. /s
And I always assumed that nicknames was just as much to prevent screenshots from becoming a liability.
you can’t truly use Signal’s new “username” feature. If any of the recipients have your number stored in their phonebook, irrespective of whether you know them or not, the username goes for a toss.
Hm. I haven’t interacted with a new Signal user in a while… but I do see in settings two knobs: “who can see my phone number” and “who can find me with my phone number”. Both of these settings can be set to “nobody”.
I’m guessing if I set “who can find me with my phone number” to “nobody”, then even if someone has my phone number in their contacts, they wouldn’t know I’m a Signal user?
Don’t forget not allowing you to sync historical messages between your phone and PC. Apparently somehow that’s just too complicated.
What are you talking about?
I literally installed Signal on my Linux laptop yesterday and it automatically downloaded all my messages from my phone.
Last time I did that, it would only sync new messages
You mean the messenger that requires you give them your phone number to make an account? Yeah, fuck that.
What is a Moxie Marlinspike?
She’s pretty hot for a programmer.
And with a name like that she was destined for greatness.
Moxie is the guy
Hmm. Looks more like a Bill
deleted by creator
I’m not sure what you mean? I’m pretty sure moxie identifies as a guy. I think the person i was replying to was trying to talk about the interviewer, Sabrina Halper.
Unlike Signal, Telegram is successful in getting people to move away from Meta’s Whatsapp.
Idk about that. Signal is the main alternative to WA in some parts of europe.
Telegram has approximately 1 billion global users. Signal only has around 100 million. Telegram is about 10x the size of Signal.
they definitely installed signal and fucked afterward
Telegram had a good PR from Mr. Robot.
I predict yet another Signal-related hack within the month.
Could you maybe refresh my memory a bit and share a few previous Signal hacks? Thanks
And it will again be about someone added to the wrong group. Meaning - not a hack.
See this is why I’m reluctant to start listing them because I don’t want to get dragged into an interminable discussion about how hacks like https://thehackernews.com/2025/02/hackers-exploit-signals-linked-devices.html?m=1 somehow “don’t count” because it was the user’s fault, or https://support.signal.org/hc/en-us/articles/4850133017242-Twilio-Incident-What-Signal-Users-Need-to-Know doesn’t count because it didn’t include chat messages.
The irony is I very carefully chose my words when I said “Signal-related hack” instead of “Signal hack” because I knew fanbois would show up to argue that anything short of a central database leak isn’t really a hack.
It’s a thread about comparing Signal to Telegram of all things. In comparison to Signal as anything secure Telegram doesn’t exist in any quality.
At the same time Signal doesn’t have mass group chats and is not intended for that purpose.
The first link does count, it’s a valid failure from Signal devs. Humans err.
The second link does not, it’s an unofficial centralized aggregator, not from Signal devs, and the “hack” was a direct consequence of how it worked. It’s absolutely something that no sane person would use.
It’s a thread about comparing Signal to Telegram of all things
The relevance is that it’s not some unaligned security professional talking in the article, it’s literally the guy that runs Signal having a pop at his competition.
yet another? what do you mean?
It should be the law that any information an online service collects about its users should be given to the government immediately and unconditionally, then suddenly people will start really caring about how much information a service has access to.
then suddenly people will start really caring about how much information a service has access to
I sincerely doubt it. The majority of people will accept that this is just “how it is” and will move on with life. After all, they’re not doing anything wrong.
I agree, if majority of people would care, Linux PCs would be the most popular option. They care about convenience only, but not even that much. Instead of researching the best they are just ok with the advertised options. They eat what they get.
What is not mentioned… there’s no privacy when the device itself is compromised. For instance, Android phones can read and phone home data from your notifications. In that case, any messenger app wouldn’t be private from Google’s eyes.
There’s a commonly used Russian metaphor “to not see the forest behind the trees”.
What you are calling a device is in fact a system. It’s a local system, that you are carrying in your hand, but it’s functioning due to a very complex global system which is not. That device in itself is like a 1960s’ town in complexity. In itself, but there’s also the global system.
And these are a result of quite a lot of people employed by various organizations with hierarchies and dependencies. And most of the power in those organizations doesn’t want you to have privacy and autonomy as much and when you want. If you want those, you should produce your own hardware and everything above it. Or build organizations interested in your full privacy and autonomy which will do that. It’s about structure, so just creating a few of them (a goal hardly reachable in itself) with manifests saying “we want to be good” won’t change anything.
So, if you were wondering why contemporaries of Stalin’s regime were reluctant to divorce it with Marxism and call it something else, - that’s similar to this. They really wanted to believe there’s a Marxist superpower, just like some people wanted to believe Google is a good corporation, and before that some people wanted to believe Apple is a counterculture corporation, and so on. And, at various moments in time and space, in various dimensions, sometimes these were. Just like in some ways the British Empire was really bringing civilization to the world.
The more life and diversity there is, the likelier we are to have good things. That doesn’t mean we’ll ever have full privacy, full autonomy, fully civilized, peaceful and honorable world, and so on. We won’t.
I think that metaphor is quite universal because it’s also used very commonly in English and Estonian at the very least.
It’s common in Russia. It’s common a lot of places, but it’s common in Russia
But yeah, I’ve used that and the inverse depending on the context plenty of time.
…and once you get to “AI” with system level access that is supposed to scan for “bad content” (like with Apple’s supposed “CSAM scanning” and Google’s Android System Safety Core), all bets are off.
All of the major platforms owned by corporations (including Apple) are or will be compromised.
The only way out is degoogled Android (for now) or, better, a true Linux device.
Isn’t Telegram a social media?
As much as I’d like to favor foss and federated messenger apps, telegram isn’t as much garbage as whatsapp:
1. The client is somewhat open source and has forks like Forkgram, Materialgram and unofficial clients like Telegrand.
2. Telegram isn’t E2EE by default but at least it doesn’t lie about it and has E2EE secret chat when necessary, that means crucial chats stay on your device and the rest stay on their database recoverable and syncable across devices.
(Yes, whatsapp supposedly is E2EE but we can’t know for sure, it’s closed-source.)
3. You can use telegram as a cloud service with only 2GB per file limit, unlike whatsapp.
(There’s even a third-party app that utilise this as a cloud gallery.)
4. Even tho telegram has ads in large channels, telegram isn’t funded by a greedy big-corp and it doesn’t datamine you, ads are based on the channel’s topic.
Yes, in terms of privacy, telegram isn’t the best option, Signal, Session, XMPP, Matrix, or SimpleX have better privacy features, less linkability and E2EE by default but telegram is very mainstream and got more publicity, making it the whatsapp alternative it advertises itself as-is.
Publicity doesn’t make a better messenger app, but for what it tries to do, it’s adoptable for simple users, doubles as cloud storage and is more secure than the garbage being whatsapp.
Immigrating users to different apps is a headache on its own, but if they know of telegram and it’s not privacy invasive, that’s not bad.
Isn’t it possible to verify WhatsApp encryption with packet sniffing?
Yes, but how would you know Meta doesn’t have a copy of your encryption key (ex: when you sign up) and keeps a copy of your encrypted messages somewhere?
AFAIK your encryption key resides in whatsapp’s data folder but since whatsapp is closed-source you can’t guarantee that whatsapp gave the encryption key to Meta’s server at some point when it was created; (or it was created on their servers and sent to your device.)
One would just assume the encryption key is made on your device and never sent to Meta and all the E2EE messages aren’t kept on Meta’s server after they are sent.
Again, Meta is a company that is profiting on targeted advertising and selling user data, how would whatsapp be a free service without any profit?
Also, here’s someone who saw their whatsapp chat used for targeted ads on them in case you have doubt.
- I can’t find a link to this but I’m sure I’ve read an article about what happens when you “report” a message someone sent to you in WhatsApp. In this case some reviewer at Meta will look at your message and determine if it violated the rules. IIRC the article talked about them most likely being added to the chat but not visible.
- There’s a recent lawsuit that shows that Meta can view your messages through internal systems: https://proton.me/blog/whatsapp-encryption-lawsuit
- Meta’s AI assistant in WhatsApp leaves more questions about privacy. How closed-off is the data used in this AI from other parts of Meta’s services?
Again, as I said, whatsapp doesn’t feel like a genuine messenger app as much as an oversimplified garbage made for tracking users on the background for profiting.
Even the deal of “giving” Llama LLMs (Meta AI) to everyone feels sketchy and looks abusive the way it is pushed to users.
Likewise all of meta’s services, the only catch with whatsapp that it used to be good and it’s a well-spread application, that’s why they bought it instead of improving FB’s messenger, as meta want to benefit of its naive userbase who think whatsapp is “As fine as ever”;
To you, publicity is nothing important and it doesn’t make a good product, to meta however, publicity is “everything” and it shall be all-time high, they have more analytical data about their userbase and have a good idea of what they would do and what decision they would take.
Yeah don’t get me wrong, I despise meta and their facade pretending WhatsApp is private. Your example is evidence but not proof but it does not mean I doubt you because it really doesn’t surprise me. Gmail likes to pretend it’s secure and private too because data in transit is supposedly encrypted but they can still just read absolutely everything in your inbox themselves
His NAME is MARLINSPIKE?? Like the ancestral home of Captain Haddock from Tintin?! We really are living in a simulation
It’s not his real name
It’s also the name of a tool for working with braided rope.





