~/Simon's Blog ❯

Never will I ever recommend Telegram again.

I've been around the block in terms of messaging services, privacy, and what else belongs to that topic as a whole. Recently, I've been seeing a lot more people shilling for Telegram in the Beeper Community chat.

I used Telegram from March 2019 up until New Year's Eve from 2023 to 2024.

I've left despite the good user experience, existing users, existing communities (especially the Android community) and much more because Telegram has failed me and potentially thousands of others in delivering what they have stated on their website, official channels and many more places.

Let's run down some of my main pain points:

Telegram is (Not) Open (Source)

Telegram prides itself on "being open" in the sense of having an open API and being Open Source. Notably, that last part isn't true.

For Telegram to be Open Source, they would be missing:

Telegram is (Not) Private

Telegram also prides itself on being exceptionally private compared to the rest, but this is only trust-based. The technical measures that they build into the protocol and platform are not sufficient to call Telegram a reasonably private solution.

In fact, the lack of end-to-end encryption on all platforms and by default already makes even WhatsApp a stronger contender in terms of (theoretical) privacy.

They simply do not employ any measures to make sure that the data you're sending is only readable by those supposed to read it. Even in secret chats they leak lots of metadata, like whom you talk to, when, message sizes, and more.

Additionally, Telegram has started selling your data to advertisers. A complete No-Go for any service that calls itself private.

And if you don't care about them selling data to advertisers, you may be interested in them giving your data to governments directly, instead.

Telegram is (Not) Secure

All you need to get access to someone's Telegram account with default settings is their phone and phone password. There is no sort of lock before accessing the "login by QR" function and there are no existing measures (last time I checked) to convince users to enable 2FA.

Phone passwords can also be social-engineered to hell, as many people use things like their birthday, the day they got into a relationship, and so on for their PINs. This also applies to Telegram's 2FA passwords.

Not to mention Telegram is vulnerable to SIM-Swaps and SIM-Jacking because it relies on a phone number and SMS for sign-up and sign-in.

The claim that "Telegram safeguards your data against hackers" is laughable at best when applying the most basic of the basic user-facing security principles. The weakest link sits in front of the screen.

Even if we say Telegram is not responsible for this, and that it is user error, it does not excuse Telegram's weak cryptography that is used for Secret Chats.

More info on Telegram's cryptography

The Bigger Picture

Overall, this is not surprising. Telegram has never been profitable and as such has employed several tactics to try and become profitable. In that vein, they've also added Discord-esque channel boosting and other ways to gain revenue. But that isn't even my issue.

I get it, these services need to cover their costs and Durov's magical pockets aren't infinitely deep, they have an end somewhere (probably). However, what has happened to Telegram (and is still happening) is a prime example of Enshittification. And somehow, users are on-board.

Somehow, despite the fact that their experience is actively getting worse, both noticeably and in the background, users do not seem to care. Or at least I assume they won't care unless essential features become paywalled. The paywall is almost inevitable, especially as Telegram is a platform that tries not to depend on things like VC funds or anything else that would put their platform in jeopardy of return on investment, ultimately requiring Telegram as a platform to become more aggressive over time depending on how many people actively pour money into the platform.

What should we change?

There's a couple of things that we as a community of users should look out for a bit more than we have in the past:

There are probably more critical questions that I should be asking; more critical questions everyone should be asking, too. But I'll leave this here as a baseline to start with.

My Proposal

Maybe, just maybe, we should decentralize just a bit. Get back into the community instead of the profit. Maybe add a bit of federation in there. Kind of like, yknow, [Matrix].

If you couldn't tell, despite its technical flaws, I love Matrix and see a lot of potential in it. Recent changes to Matrix - however small - have improved the platform significantly, and especially if it can regain funding I can definitely see it going places with their ambitious goals (like Peer To Peer Matrix or Matrix 2.0).

Going to a more federated web entails many nice things, like fighting the network effect, and often also more tight-knit but welcoming communities that emerge over time. It can also help communities in creating safe spaces.

"You use Signal, that's hypocritical given your Matrix advocacy!"

I see where you're coming from, but I don't think so. I don't use Signal because I think centralization is fine, I use it because they provide a genuinely good product that is truly Open-Source and has a community of millions behind it. Same for why I use Matrix, just that Matrix got the Federation and Decentralization aspect to it that I love.

Additionally, Signal has some of the best cryptography on the market that is used by various other products and projects, ironically including Matrix's megolm, which can almost (almost) be called a fork of the Signal Protocol's encryption.

And to top it off, Signal is properly open source.

Update 09.01.2024:

Thanks for reading! I wish you a good rest of the day, evening, night, or whatever other time you're reading this!

If you're on the Fediverse / Mastodon, comment here: Mastodon Post
