Dear Hong Kong Activists, Please Stop Telling Everyone Telegram is Secure


Written by Jason Li and Lokman Tsui. The original version of this post, written in Chinese, was published on on 4 August 2016. English version is published on Global Voices under a content partnership agreement.

At this year's annual July 1 march in Hong Kong, protest leaders made a big push for mobile chat app Telegram, but for all the wrong reasons. The rally has taken place every year since the UK relinquished power over Hong Kong to China in 1997.

While we marched across Hong Kong Island, voices on a megaphone kept shouting, “download Telegram, it is more secure than WhatsApp!”

A civic group, Citizen Data, urged protesters to download Telegram and activate its geolocation function so that we could “check-in” to the protest.

As we passed the booths of various political and civil society groups on the road, they told us to befriend Telegram bots (automated Telegram accounts that perform simple functions, like image searches or RSS-like updates.) One bot allowed attendees to signal their participation at the march. Another polled voters about their top picks in the upcoming Legislative Council elections.

While we marched across Hong Kong Island, voices on a megaphone kept shouting, “download Telegram, it is more secure than WhatsApp!”

While these new grassroots-organizing tools can seem exciting, they were misleading protesters about one piece of crucial information: Telegram is not more secure than Whatsapp. In many circumstances, it's worse.

Telegram first made waves on the tech scene as a fast, user-friendly “free and secure” messaging app way back in 2013. Data security, specifically its encryption features, were highlighted by tech media as one of its big selling points

Despite its reputation, many conversations on Telegram are not end-to-end encrypted — in other words, not secure. And to make matters worse, the company has developed a reputation for problems with its technology that have led some users to have their information and messages exposed, in some cases to other users.

Over the past year, Global Voices has reported on multiple instances of Telegram users running into serious trouble with the app's security. Telegram users in Russia — some of them journalists and activists — have reported that their accounts were hacked. Another user in Ukraine reported receiving private group messages through her Telegram app for a group that she was not part of. And there has been concern in Iran about the company's compliance with government requests for certain material — bots mainly — to be blocked on the platform.

What's the problem with Telegram?

Telegram's encryption technology is not entirely open source — this means that security experts outside the company can’t see all the details of how it was made. Industry best practices hold that encryption technology should be open source and fully accessible to the public, so that they can be independently tested and verified by other programmers and security researchers. So even though Telegram says their messaging technology is secure, there's no way to know this for sure. You just have to trust them.

In contrast, apps like Signal and ChatSecure have published their code online, so that anyone with technical know-how can review (and critique) it publicly.

Even if you do trust Telegram, its security features are limited.

  • Only “New Secret Chats” in Telegram are secure. By default, conversations on Telegram are not protected by end-to-end encryption. This is only guaranteed if you turn on “New Secret Chat” before beginning a conversation. Many people we spoke with were not aware of this discrepancy – they think that all communication within Telegram is “automatically” secure.
  • Group chats have no end-to-end encryption support. There is no “secret chat” option for conversations involving more than one person.
  • Conversations with bots are not end-to-end encrypted either. There’s no indication that any conversations or interaction with bots is end-to-end encrypted.

Researchers also have confirmed that the app collects users’ metadata — information about who they communicate with, and when — making it relatively easy for Telegram users to monitor each other’s communication habits.

Returning to Hong Kong, it's easy to see how these problems could be exacerbated in a protest situation. If an app is easily hackable, all of the information that promoters were urging protesters to share — including their locations — could potentially be exposed to the wrong person, or to government authorities. Location data is very sensitive as it can be traced back to a particular user and jeopardize personal safety.

Anyone doing political activism in Hong Kong knows that the consequences of this kind of breach can be severe.

Ironically, WhatsApp, which was criticized at the march, automatically applies end-to-end encryption to all of its conversations, including its group chats. (This feature was only rolled out earlier this year in April.)

Not only does WhatsApp encrypt all of its messages, it does so using the open source, publicly documented Signal protocol developed by a non-profit groups called Open Whisper Systems. Unfortunately, WhatsApp itself is not open source, so there is no guarantee that the protocol has not been tampered with during implementation. So far though, there is no evidence of foul play, and the team from Open Whisper Systems have written publicly about their partnership and implementation process. But it is certainly no worse than Telegram, which has not made its technical code public.

For maximum, assured security, we recommend using Open Whisper System’s Signal Private Messenger app. Signal is open source from top to bottom — they are entirely transparent about the technology they use for encryption, and everything else. But because it's a not-for-profit, open source project, it lacks the bells and whistles (such as stickers), and the user base of commercial chat apps like Telegram and WhatsApp. For many Hong Kongers, Signal doesn’t appeal for these reasons. Many choose instead to use WhatsApp, which is a safer alternative to Telegram. While it lacks some of the privacy protections of Signal, it is the only widely-used chat app that uses an open and peer-reviewed encryption protocol.

Telegram was not wrong in promoting its security features back in 2013 – end-to-end encryption in mobile chat apps was rare back then. Since then, however, other chat apps have caught up and in many cases surpassed its security features. This isn't to say Telegram doesn't have its merits – neither Whatsapp nor Signal have support for channels (public groups) or bots, and Telegram does have a handy, Snapchat-like, self-destruct feature for conversations. But to recommend Telegram, without reservation, to protesters and activists is simply irresponsible.

Thank you to Citizen Lab and Professor Jedidiah Crandall for helping us out with some background research for this article.

1 comment

Join the conversation

Authors, please log in »


  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.