Telegram is often advertised as a safer WhatsApp alternative. The c’t-3003 video shows why this is complete nonsense.
Transcript of the video:
In this video I’ll give you at least one very good reason why Telegram is definitely more insecure than other messengers. I try to keep the whole thing as simple and understandable as possible. And of course I’ll give you recommendations on what to use instead.
I have already done several very detailed messenger tests at c’t in the last few years and have learned several things in the process: Messenger have very loud fan girls and boys, so you always get pissed off in comments when you make any evaluative statements power. I also learned: somehow everyone wants to get away from WhatsApp, but in the end it doesn’t work out because of grandpa, aunt or friends of the handicraft group. And one more important finding: If you want to compare all messengers in detail and objectively, you can dig in for several weeks and then get very, very many results – and still have not worked out the really essential differences. In this video I do it differently than in the c’t magazine: I only focus on the fundamental differences and don’t dig into functional details. If you still want to compare the functions in the small and small, you can now press pause: Here is the complete table from our messenger test in c’t edition 8/2021 – that was a few months ago, small details could arise have changed, but nothing fundamental.
In this video I will go into Telegram, Signal, Whatsapp, Facebook Messenger and Threema because these are the most popular in this country. Yes, I know, there are also Ginlo, Element or Matrix, Wickr, Wire and other messengers – but we concentrate on those who have at least some of the potential to break the quasi-monopoly of Whatsapp. Because one thing is clear: the greatest messenger is useless if there is no one to mess with.
And so that we can make our work easy, I’ll start with a very basic argument: Any messenger that finances itself through the display of personalized advertising; falls out for me – simply because messengers are used for very intimate and personal communication and for me that just bites off with advertising. Mainly because there are alternatives. Facebook Messenger has thus already disqualified itself – not only because of the advertising, but also because the Facebook parent company Meta has probably caught the attention of all Silicon Valley giant companies with the most problematic practices in recent years.
Whatsapp also belongs to Meta or Facebook, but Whatsapp has been around very strangely when it comes to advertising for ages. For years it has been said that you want to start advertising, but you still haven’t really done it. Also intransparent: Which data goes where? From Instagram to Quest VR headset to Whatsapp and back? Not only the Federal Cartel Office has therefore initiated an investigation, data protection officers across the country are also criticizing Whatsapp. So: there is definitely no rose from c’t 3003 for Whatsapp or Facebook Messenger.
That leaves Telegram, Signal and Threema. I have heard Telegram mentioned a lot lately as a safer and better alternative to Whatsapp. Spoiler: IN NO CASE THAT IS. First of all, my already mentioned no-advertising-in-messenger rule disqualifies Telegram, because Telegram has recently been showing advertisements for the first time. Initially only in channels with over 1000 subscribers, not in 1: 1 communication, but still. After all, Telegram does not want to evaluate user data, only the topics of the channel – so if a channel is about health, there are advertisements for vaccinations. [“LOL” einblenden.] What is a bit embarrassing: Telegram writes in the FAQ: “In addition, Telegram is not a messenger to make a profit. Commercial interests will therefore never get in the way of our aim of offering a messenger for everyone.”
So, now the killer argument against Telegram: unlike all the messengers mentioned here so far, messages in Telegram are not end-to-end encrypted by default. What is that? It’s actually quite simple: every message that I write on my device is encrypted there and then makes an encrypted journey through the Internet – if it is tapped somewhere, it cannot be read. It is only decrypted where it is supposed to arrive, namely on the device of the person for whom the message is intended.
Telegram can encrypt end to end, but you have to switch it on manually and it has a lot of disadvantages: For example, the encryption does not work in groups and the encrypted messages do not even appear in the Telegram browser web app – I get it So in case of doubt, I don’t even notice when I’m at the computer (I’m not looking at the cell phone then).
Conversely, this means: an indefinable number of people can theoretically read the communication of normal messages in Telegram. Telegram also says this through the flower in the FAQ: When asked “What if I am more paranoid than normal users?” it says: “Telegram offers particularly secret chats, which are based on end-to-end encryption and do not leave any traces on our servers.” In other words: All non-secret chats leave traces on the Telegram servers. And not too close, have a look here: I just recently installed the Telegram desktop client – so, and now I log in with my phone number; and bang, I have instant access to every chat and every photo ever sent. I can download everything Telegram has in terms of communication from and with me on the servers under “Settings / Advanced / Export data”. Bäm – that’s an easy 5.8 GB, I’ve been using it for a bit longer.
The thing is: This server storage function makes Telegram incredibly practical, I don’t have to fiddle around with any backups like with the other messengers, which are then not interchangeable between Android and iOS, for example – it’s all on the server and there immediately, even if my cell phone accidentally falls into the blender. In general, Telegram is my favorite messenger in terms of usability; For example, you can do surveys very quickly, make bots, it’s all really great. BUT: The thing is an absolute nightmare in terms of security, because everything is really readable somewhere on servers. Telegram uses transport encryption, in other words in such a way that nobody can snorkel the data so easily on its journey back and forth; but they are just on servers that Telegram or other people have access to. Telegram also uses wordlessly to avoid the problem in the FAQ; then there is talk of “different keys and servers in different countries and several court orders”.
But the thing is, if the stuff were simply encrypted end-to-end, as is the standard with all other relevant messengers, the servers could even all be confiscated; you couldn’t do anything with the data because it is hard-encrypted. Well, not with Telegram. And yes, as I said, I know that there is a manual function for secret chats. But that doesn’t work, for example, in the scenario I mainly used, namely in groups of friends, family and neighborhood. And who would have thought: Even WhatsApp, which is rightly considered problematic for a number of reasons, encrypts group chats by default.
So to finish with Telegram: This is a very comfortable messenger, but it should not be used for private, intimate things. But maybe to meet up for Pokemon Go or for a bit of small talk … Uh, ok, so maybe I better not start with the various channels. I want to focus on the technical aspects here.
So there is still Signal and Threema: Neither do they sell advertising or user data, are cleanly end-to-end encrypted – both of them definitely get the c’t 3003 seal of approval. Signal is free (it is financed through donations), Threema costs 3.99 euros. Because there are (unfortunately) an astonishing number of people who do not want to pay for software and therefore do not even have a payment source stored in the app store, I trust Signal to have greater potential for distribution; therefore, if I had to recommend either, Signal would be my choice. Edward Snowden too, by the way, and he knows a bit about IT security.
Signal has been REALLY smooth since the last update; it has all the features that I want in a messenger and yes, that is also the communication channel that the 3003 team uses for the video planning here. Hardliners often criticize Signal for using US servers. But I don’t think that’s particularly problematic because everything is encrypted end-to-end. The only thing I would still like: That the account is not necessarily linked to the phone number. Threema can do better than that. But as I said: Signal or Threema – you can use both well, you should try to get away from the others. At least if you really want to communicate about it privately.
c’t 3003 is the c’t YouTube channel. The videos on c’t 3003 are independent content and independent of the articles in c’t magazin. Editor Jan-Keno Janssen and video producers Johannes Börnsen and Şahin Erengil publish a video every week.
(jkj)