Pavel Durov, one of the founders of Telegram, answered that question back in 2017. In a long post responding to criticism in an article that advised users not to use the messenger, Durov set out his point of view on security and privacy and, incidentally, accused WhatsApp of misleading advertising.
“I’ve been getting this question more often this year (I just knew, poor thing …). It is based on the misguided assumption that other popular messaging applications, such as WhatsApp, are ‘encrypted end-to-end by default’ while Telegram is not. This post is intended to disprove this myth that was so carefully crafted by the Facebook/WhatsApp marketing efforts”, Durov begins, sparing no criticism.
So-called “Secret Chats” use client-client encryption, also known as end-to-end encryption, or whatever you want to call it. Common chats, which are stored in the cloud for backup and multi-device access, use another type of encryption that passes through the messenger's servers: client-server encryption.
Note that both are encrypted environments. The first stores messages solely on the devices of the people exchanging them. The second stores messages in the Telegram cloud, not Google Docs or Apple’s iCloud.
The Telegram chat backup issue
For Durov, the way popular messaging applications (here we mean WhatsApp) deal with backups is where the problem lies. Each offers a different way of backing up messages to recover accounts and so on.
“Applications that ignore backups (such as Wickr/Signal) never reach 1 million DAUs (daily active users) and remain in the niche. […] As for popular applications like WhatsApp, Viber and Line, they rely on iCloud and Google Drive to store their message history and prevent the loss of their users’ data if they lose their smartphones. These backups are not end-to-end encrypted and are decrypted [from the common cryptography, that of the cloud] when the user buys a new phone and restores the history [with his own key]”, he says.
To settle the question, here’s WhatsApp’s own statement: “Important: Messages and media files you include in your backup will not be protected by WhatsApp end-to-end encryption while on Google Drive.”
It is true that you can always choose not to make backups. But who does that?
For Durov, this creates a complicated situation where messages sent and received are no longer end-to-end encrypted once they go to the cloud, all without the user realizing the choices he has made.
“You have zero transparency about what’s actually end-to-end encrypted and what’s backed up. You rely on end-to-end encryption and rely on the mantra ‘no one can access my messages’, but your private data is in fact vulnerable to hackers and governments who can gain access through the cloud”, he says.
In 2013, when Durov and his brother Nikolai were launching Telegram, they considered the two approaches: cloud and end-to-end. “We knew we did not want to violate the privacy of our users by transferring responsibility for their data to third-party backups, such as WhatsApp or Viber. Nor did we want to deprive our users of functionality they liked in other applications and condemn Telegram to join the ranks of niche applications. So, after some research, we decided to introduce two types of chats: secret chats and cloud chats”.
Pavel supports Telegram financially and ideologically, while Nikolai’s contribution is technological (he developed the data protocol).
What was the result? Let us recapitulate, in Pavel’s words, what differentiates one from the other, once and for all (!!).
“Secret chats are encrypted end-to-end messages that are never, under any circumstances, stored in backups. Chats in the cloud are encrypted in the same way, but have a backup in the built-in cloud. Cloud chats are designed for most users – and most of them in another application, such as WhatsApp, would depend on a less secure, third-party backup”.
With this mixed approach, the encryption is the same in both cases, but for chats stored in the cloud on its own servers Telegram has access to the encryption key. Secret chat is therefore the only guarantee if you have something to hide.
On the WhatsApp side, this means that if your Google or Apple account were compromised, whoever got in could have access to your WhatsApp backup in the cloud, which is not end-to-end encrypted.
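The difference in key custody between secret chats and cloud chats described above, shown as an added example that is not taken from Durov's post or from Telegram's code. It is a simplified model, not MTProto: the Diffie-Hellman parameters are toy values, the cipher is a hash-based stand-in, and the names `seal`, `unseal` and `demo` are hypothetical.

```python
import hashlib, hmac, secrets

# Constructed toy Diffie-Hellman parameters, for illustration only
# (not a vetted group and not Telegram's MTProto parameters).
P, G = 2**255 - 19, 2

def kdf(shared: int, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the shared secret.
    return hashlib.sha256(label + shared.to_bytes(32, "big")).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode as a stand-in cipher (assumption: stdlib only).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(shared: int, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _stream(kdf(shared, b"enc"), nonce, len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, ks))
    tag = hmac.new(kdf(shared, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(shared: int, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(kdf(shared, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None  # wrong key: this party cannot read the message
    ks = _stream(kdf(shared, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def demo(msg: bytes = b"meet at 9"):
    # Private values for Alice, Bob and the server; only A, B, S are public.
    a, b, s = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    A, B, S = pow(G, a, P), pow(G, b, P), pow(G, s, P)
    # Secret chat: key agreed device to device; the server relays A, B, blob.
    secret_blob = seal(pow(B, a, P), msg)
    bob_reads = unseal(pow(A, b, P), secret_blob)
    server_reads_secret = unseal(pow(A, s, P), secret_blob)
    # Cloud chat: key agreed client to server; the server stores the history.
    cloud_blob = seal(pow(S, a, P), msg)
    server_reads_cloud = unseal(pow(A, s, P), cloud_blob)
    return bob_reads, server_reads_secret, server_reads_cloud

if __name__ == "__main__":
    print(demo())
```

The same cipher protects both blobs; the only thing that changes is which party ends up holding a key that opens the stored message.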
Why did the Telegram make that decision?
Telegram gave four main reasons for using the mixed approach.
I will summarize:
- Unlike WhatsApp, Telegram does not hand user data to third parties (read: Google and Apple) through backups. Instead, it relies on its own encrypted cloud storage, distributed across servers worldwide. This gives users a chance of not having their private data disclosed by Apple and Google in response to legally sanctioned government requests.
- Unlike WhatsApp, Telegram lets users access their message history from multiple devices at once; it is multi-device.
- Unlike WhatsApp, in Telegram you do not have to keep the whole history (with messages, photos, videos and documents) on the phone all the time; you can download items on demand, saving space.
- Unlike WhatsApp, Telegram is able to provide users with group chats or channels with thousands of members, features that cannot be implemented using third-party backup and/or end-to-end encryption.
As such, Telegram chats are not all secret because, in Durov’s view, that would make it impracticable to offer popular features and escape the world of niche apps.
But safe on the problem …
Because Telegram does not enable secret chat by default, it is the user’s responsibility to understand how everything works and to activate it. In addition to secret chat, there are other easy-to-adopt security measures that prevent identity theft and improper account access. Those attacks are infinitely easier to carry out than hacking into the Telegram cloud and decrypting messages stored in a user’s backup.
It’s not just the Telegram that works like this …
Singled out by Pavel as imitators, Facebook Messenger and Viber also offer a “secret chat” with end-to-end encryption and no backup in the cloud. In both cases, you must choose a contact and activate it.
It is worth noting that even with protection against interception, the person you are talking to can share the chat with other users by taking screenshots or recording the screen with another phone. So do not rely on cryptography as the only safeguard.
Playing in the fan
“Every year, Facebook – the WhatsApp-owned company – spends millions of dollars on marketing, influencing journalists and bloggers. In contrast, Telegram has spent $0 on marketing since we started in 2013”, Durov argued, pointing fingers at specific sites that criticized the lack of security by default.
How to deal with these choices?
Right or wrong, you need to understand how to deal with both approaches.
In apps that offer secret chat, use it. In addition, apply the other safety and privacy recommendations that have been linked here and that do no harm to anyone. Secret chat requires your contact to use secret chat as well.
If you need full privacy, consider turning off automatic backup of your data to Google Drive or iCloud, because those backups are not protected by end-to-end encryption. Your contacts, however, need to do the same thing.
In Signal, “the private messenger,” there are other rules that we can compare later.
With information from: Telegram