Is it technically possible for them to see it: yes

Does Telegram let them see it: I don't think so. That seems to be the core issue around Durov being arrested.

They probably should implement E2EE for everything. Then they will have a good excuse not to cooperate, because they simply don't have the data.

This is exceptionally naive. Even if he was arrested for not sharing with the French, what about for other countries? Was he arrested for not ever sharing or not sharing enough? Even if he, personally, has never shared, that doesn’t say anything about his employees who have the same access to these systems.

Your data is not private with Telegram. You are trusting Telegram. It is a trust-based app, not a cryptographically secure app.

If you trust telegram, that’s your choice, but just because a person says the right words in interviews doesn’t mean your data is safe.

So from a broad perspective, they probably behave better than comparable services.

I think Telegram should not be trusted, but I also do not trust the alternatives, that readily share information with states. A special focus for me is that my own jurisdiction does not have access to my social media content. Other countries are secondary at first.

By who?

Simplex especially or even Signal are far better.

...

... Pavel Durov, Telegram’s founder, called on Russian authorities on June 4 to lift the ban. He cited ongoing Telegram efforts to significantly improve the removal of extremist propaganda from the platform in ways that don’t violate privacy, such as setting a precedent of handing encryption keys to the FSB.

https://www.atlanticcouncil.org/blogs/new-atlanticist/whats-...

In the US case, there was a phone where data was encrypted at rest. Though Apple was capable of creating and signing a firmware update that would have made it easier for the FBI to brute force the password, Apple refused to do so.

In the Russian case, the FSB must have already had access to the suspect's phone because if it did not then Telegram would not be in any position to help at all.

So, the FSB must have already had access. And therefore, by having access to the phone they also had complete access to the suspect's chats in plaintext, regardless of whether or not the suspect used Telegram's private chat. There would have been no keys to ask Telegram for copies of.

Alternatively, the FSB might have had access to some other user's chats with the suspect, and wanted Telegram to turn over the suspect's full data. Telegram is 100% able to do that if they want to.

As the specific part of the article you have quoted is definitely bullshit, I suspect the rest of it is bullshit too and that despite what Roskomnadzor states in public, the real fight with Durov was over censorship.

Also, you could just send a notification instructing the app to fetch a new message from your server.

From the docs:

Encryption for data messages

The Android Transport Layer (see FCM architecture) uses point-to-point encryption. Depending on your needs, you may decide to add end-to-end encryption to data messages. FCM does not provide an end-to-end solution. However, there are external solutions available such as Capillary or DTLS.

https://firebase.google.com/docs/cloud-messaging/concept-opt...

https://www.schneier.com/blog/archives/2023/12/spying-throug...

> Wyden’s letter cited a “tip” as the source of the information about the surveillance. His staff did not elaborate on the tip, but a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.

Signal could modify the application so a remote flag in the Play store binaries could be triggered to exfiltrate data as well. But the key distinction is the normal path of Signal gives them absolutely nothing they can tell anyone other then the bits they've put in the disclosure reports (namely: date and time an account ID used Signal I believe).

At any rate, the discussion going on here is about how Durov has been arrested because Telegram refuses to respond to law enforcement requests, when they do have the ability to do so; and if they were to actually implement E2EE by default (and for group chats), Durov would likely not be in trouble, since Telegram would be unable to provide anything when requested.

I suspect that isn’t the motivation. GDPR says that you have to give users choices about data stored like this (including right to be forgotten, how it’s processed and used and so on), and this becomes a technical, legal and commercial nightmare very quickly. The easier route is just to get rid of it if you can.

This saves Google money (it likely wasn’t that useful to sell to advertisers), makes legal compliance a lot easier and de-risks them from very large fines.

I suspect that the EU lawmakers didn’t think about second order effects like making it harder for law enforcement to access this data in scenarios like this.

They just dont implement E2EE since almost no one uses it on Telegram.

And if they are so off base on this, they must either be incompetent or liars. Neither of which builds trust.

I’d rather developers issue cautionary warnings than give a false sense of perfect security

The UAE requires decryption keys as part of their Telco regulations.

If Telegram can operate in the UAE without VPN (and it can), then at the very least the UAE MoI has access.

They (and their shadow firms like G42 and G42's shadow firms) were always a major buyer for offensive capabilities at GITEX.

On that note, NEVER bring your personal phone to DEFCON/Blackhat or GITEX.

Edit: cannot reply below so answering here

Cybersecurity conferences.

DEFCON/Blackhat happen during the same week, so you have a lot of script kiddies who lack common sense trying to pwn random workloads. They almost always get caught (and charged - happens every year), but it's a headache.

GITEX is MENA and Asia's largest cybersecurity conference. You have intelligence agencies from most of the Middle East, Africa, Europe, and Asia attending, plus a lot of corporate espionage because of polticially connected MSSPs as well as massive defense tenders.

I'm genuinely interested.

Also, u/reissbaker's answer is correct.

They know what is being said and that’s what they want to arrest, that information can be sent and received. And by “they” I mean more than just the French. That was just coincidental and pragmatic.

The French state does not operate that quickly on its own, to get an arrest warrant five minutes after he landed and execute on it immediately. That has other fingerprints all over it in my view.

Certainly not because then Telegram would lose alot of its functionality that makes it great. One thing that I really enjoy about Telegram is that I can have it open and synched across many independent devices. Telegram also has e2e as an option on some clients which cant be synched

To enable synched e2e conversations accross many devices you also need to synch private keys, which is a security nightmare.

I don't see anywhere saying he's been arrested for anything to do with encryption or cooperating with investigations.

eg https://www.bbc.co.uk/news/articles/ckg2kz9kn93o but pretty much all the sources I have read say the same

To me it's a good tradeoff, of course I wouldn't use Telegram for anything illegal or suspect.

Yet, Apple tries to create an image that iPhone is a "secure" device, but if you use iCloud, they can give your contact list to government any time they want.

Apple by default doesn't use E2E for cloud backups, and Telegram doesn't use E2E for chats by default. So Telegram has comparable level of security to that of the leaders of the industry.

[1] https://support.apple.com/en-us/102651

Worse, iPhones immediately start backing up to iCloud when set up for a new user - the only way to keep your network passwords and all manner of other stuff from hitting iCloud servers is to set the phone up with no network connection or even a SIM card installed.

Did I mention there's no longer a SIM slot, so you can't even control that?

And that iPhones by default if they detect a 'weak' wifi network will switch to cellular, so you can't connect the phone to a sandboxed wifi network?

You shouldn't have to put your phone in a faraday cage to keep it from uploading plaintext versions of your private communications and network passwords.

right on their front page in giant font they declare “private” and “secure” when they’re neither. it’s telegram’s own fault they receive this criticism repeatedly—and they strangely constantly complain every time they’re publicly spanked and taken to task. theyre heavily insinuating (i call it it lying) to their users and then over and over crying because they get called out.

if they don’t want to be called out then they should quit insinuating those things, it’s dangerous af. they know they’re lying though, obviously they won’t stop. but omg i wish their users would run fast and run far—it’s like watching an abused person who keeps going back to their abusive partner “oh they mean well”… pffft, no, they really dont.

https://support.apple.com/en-us/102651

The default for many categories is that your keys are in iCloud so Apple can recover them for you. With Advanced turned on, the keys are only on your personal devices. A few categories, like the keychain, are always only on your devices.

Specifically, see Note 3: "If you use both iCloud Backup and Messages in iCloud, your backup includes a copy of the Messages in iCloud encryption key to help you recover your data." Under normal protection, Apple has the key to your backups, but with Advanced they don't.

I thought MDM was only for enterprise businesses and schools and universities, but I may very well be mistaken about that.

No way to add a WiFi profile, thus no way to use an iPhone as a remote. No ethernet available either.

Configured a WiFi profile, uploaded to the Apple TV and could finalize the setup.

It’s quite a powerful too for initial setup.

If you're threat actor has the resource to break that, get a CC or a good lawyer on retainer I guess.

Besides Slack and Discord and Teams and whatever the heck Google has these days and iMessage and...

I think you mean it's the only messaging app that purports to have a focus on security where messages are stored in the cloud, which is true, but also sus. There's a reason why none of the others are doing it that way, and Telegram isn't really claiming to have solved a technical hurdle that the E2E apps didn't, it's just claiming that you can trust them more than you can trust the major messaging apps.

Maybe you can and maybe you can't, the point is that you can't know that they're actually a safer choice than any of the other cloud providers.

Granted it can be clunky at times, but the properties are there and decentralised end to end encrypted messaging is quite and incredible thing. (Yes, Matrix nerds, it's not messaging per se it's really state replication, I know :))

All the cool kids in the block eliminated the need to trust the provider decades ago. PGP: 33 years ago, OTR 20 years ago, Signal 14 years ago.

Signal evangelicalism needs to halt, you mean the Whisper protocol.

So, yes, trust is needed.

That said, what I would love to see ( and likely won't at this point ) is the world where pidgin could exist again, because everyone is using some form of sensible standards that could be used.. right now it is mostly proprietary secret mess of things.

And don't get me started on convincing anyone in group to moving from one ecosystem to another. Fuck, I just want email for chat that is not owned by one org.. Is it really so much to ask ( it is rhetorical, I know the hurdles are there and only some deal with human nature )?

So it's not as much as trade-off, as it is half-assed security design.

I basically participate in hundreds of chats and message history doesn't take 10 of GBs. And I also know that search in history of such chats isn't so snappy on older Android phone.

And if you just run client on device without a lot of this history cached search wouldn't be anywhere as fast as you expect. So I pretty sure there no server-side magic there, but instead very good UX.

Also I can tell for certain that with right index grepping tons of JSONs can be very effective on any modern devices.

But to run local search you need to download the conversations to device first which might require lot of (expensive) traffic.

It's not enough you know how to design a cipher that is actually secure, you need to know how to implement it so that the calculator you run it on consumes exactly the right amount of time, and in some cases power, per operation.

Then you need to know how to use the primitives together, their modes of operation, and then you get to business, designing protocols. And 10% of your code is calling the libraries that handle all that stuff above, 90% is key management.

There's a good amount of misuse resistant libraries available, but Nikolai was too proud to not look into how the experts do this, and he failed even with trivial stuff: He went with SHA-1 instead of SHA-256. He didn't implement proper fingerprints. His protocol wasn't IND-CCA secure. He went with weird AES-IGE instead of AES-GCM which is best practice. He used the weird nonces with the FF-DH, instead of going with more robust stuff like x25519.

One thing you learn early in academia, is that expertise is very narrow. I bet he knows a lot about geometry. Maybe even quite a bit about math in general. But it's clear he doesn't know enough to design cryptographic protocols. The cobbler should have stuck to his last.

EDIT, to add, the real work with cryptographic protocols starts with designing everyday things that seem easy on the paper, with cryptographic assurance. Take group management that the server isn't controlling.

For Telegram it's a few boolean flags for admin status and then it's down to writing the code that removes the user from the group and prevents them from fetching group's messages.

For Signal it's a 58 page whitepaper on the design of how that is done properly https://eprint.iacr.org/2019/1416.pdf

This is ultimately what separates the good from the bad, figuring out how to accomplish things with cryptography that first seem almost impossible to do.

Wrong, Matrix does it too, but fully e2ee.

> and allows you to access your chats from any device.

No it doesn't, because it is possible withh e2ee as well

Of course you can send your backup to Google for WhatsApp and signal but that's optional. You can keep it locally too. And it's encrypted too. With WhatsApp you can even choose to keep the key locally only.

I upload encrypted backups to a cloud service provider (AWS, Google Cloud). I go to another computer, download them, use a key/password to decrypt them.

Sure, I get it, you're typing in something that decrypts the data into their app. That's true of all apps including WhatsApp, etc... The only way this could really be secure is if you used a different app to the encryption that you wrote/audited such that the messaging app never has access to your password/private key. Otherwise, at some point, you're trusting their app to do what they claim.

> use a key/password

The previous poster intentionally mentioned password recovery flow. If you can gain access without your password, than law enforcement can too. If you could only gain access with your password, you could consider your data safe.

You can't assume the negation.

If you can get access without your password then you have proven that law enforcement or the hosting company can to.

If you can't get access then you haven't proven anything. They may be securely storing your data end-to-end encrypted. Or they may just have a very strict account recovery process but the data is still on their servers in the clear.

Once that’s set, after the SMS code, then (assuming you don’t have access to an existing logged in device because then you are already in…), you can either reset the password via an email confirmation _or_ you can create a new account under that phone number (with no existing history, contacts, etc).

If you set a password and no recovery email, there is no way for them to get access to your contacts or chat history barring getting them from Telegram themselves.

Client creates a Public Private key pair used for E2EE.

Client uses the 'account password (raw)' as part of the creation of a symmetric encryption key, and uses that to encrypt and store the SECRET key on the service's cloud.

NewClient signs in, downloads the encrypted SECRETKeyBlob and decodes using the reconstructed symmetric key based on the sign in password. Old messages can then be decoded.

-- The part that's insecure. -- If the password ever changes the SAME SECRET then needs to be stored to the cloud again, encrypted by the new key. Some padding with random data might help with this but this still sounds like a huge security loophole.

-- Worse Insecurity -- A customer's device could be shipped a compromised client which uploads the SECRET keys to requesting third parties upon sign-in. Those third parties could be large corporations or governments.

I do not see how anyone expects to use a mobile device for any serious security domain. At best average consumers can have a reasonable hope that it's safe from crooks who care about the average citizen.

You can't use your password as input to the mud puddle test.

- locally create a recovery key and use it to wrap any other essential keys

- Split that or wrap that with two or more keys.

- N - 1 goes to the cloud to be used as MFA tokens on recovery.

- For the other, derive keys from normalized responses to recovery questions, use Shamir's secret sharing to pick a number of required correct responses and encrypt the Nth key.

You can recover an account without knowing your original password or having your original device.

Edit: Actually, yeah that proves your point.

It's unreasonable to expect most people to intuit the distinction you describe.

However, you don't see wealthy people communicating on insecure devices, because they have people to take care of that stuff.

* White-collar crime prosecutions decreased 53.5% from 2011 to 2021.

* Annual losses from white-collar crimes as of 2021 are anywhere from $426 billion to $1.7 trillion. The wide range here is due to the lack of prosecutions.

* There were 4,180 white-collar prosecutions in 2022.

* It’s estimated that up to 90% of white-collar crimes go unreported.

Etc.

- https://www.zippia.com/advice/white-collar-crime-statistics/

***

Responding by edit due to rate limit:

Guys the connection is clear if you think about it.

High-net-worth individuals use encrypted messaging apps more than the general population, without doubt.

They also have far more resources and abilities to fight a subpoena. It's all distinctively unfair and highly misleading to normal people; for very little real reason and with great potential for abuse.

I found it interesting that countries like Singapore haven’t introduced requirements for backdoors. They are notorious for passing laws for whatever they want as the current government has a super majority and court that tends to side with the government.

Add on top Telegram is used widely in illegal drug transactions in Singapore.

What’s the reason? They just attack the human factor.

They just get invites to Telegram groups, or they bust someone and force them to handover access to their Telegram account. Set up surveillance for the delivery and boom crypto drug ring is taken down. They’ve done it again and again.

One could imagine this same technique could be used for any Telegram group or conversation.

We should also not forget that, in the time when all social media (Reddit, X, Instagram etc.) close their APIs, Telegram is one of the only networks that still has a free API.

Telegram would be fine if it advertised itself as a public square of the internet, like Twitter does. Instead, it lures people into false sense of security for DMs and small group chats, which is what Green's post and thus this thread is ultimately about.

Free API doesn't mean anything until they fix what's broken, i.e. provide meaningful security for cases where there's reasonable expectation of it.

Do you want to say that social networks must implement E2E? Personally I think it is a good idea, but existing social networks and dating apps do not implement it so Telegram is not obliged to do it as well.

As for promises of security, everybody misleads users. Take Apple. They advertise that cloud backups are encrypted, but what they don't like to mention is that by default they store the encryption keys in the same cloud, and even if the user opts into "advanced" encryption, the contact list and calendar are still not E2E encrypted under silly excuse (see the table at [1]). If you care about privacy and security you probably should never use iCloud in the first place because it is not fully E2E encrypted. Also note, that Apple doesn't even mention E2E in user interface and instead uses misleading terms like "standard encryption".

This is not fair. Apple doesn't do E2E cloud backups by default and nobody cares, phone companies do not encrypt anything, Cloudflare has disabled Encrypted Client Hello [2], but every time someone mentions Telegram, they are blamed for not having E2E chats by default. It looks like the bar is set different for Telegram compared to other companies.

[1] https://support.apple.com/en-us/102651

[2] https://developers.cloudflare.com/ssl/edge-certificates/ech/

Most social media platforms doesn't support e2ee.

Some chat apps do support e2ee but also requires a god damn phone number to login (yeah so does telegram), this makes "encryption" useless because authorities just ask the teleco to hand out the login SMS code.

For instance 2 days ago my partner wanted to show me a message her friend sent, went to whatsapp and couldn't find it then realized said friend had used instagram DM for that. Most people don't care enough.

There is even that freqtrade bot that runs on telegram, even RSS bots. It really is amazing. So easy to use for chat ops.

I don't know what else you would use the API for.

Telegram is fast, responsive, gets frequent updates, has great group chat, tons of animated emojis, works flawlessly on all desktop and mobile platforms, has great support for media, bots, and a great API, allows edits and deleting messages for all users, and I really like the sync despite it not being e2e.

I use both on desktop for different people and the desktop Signal client doesn’t hold up well in comparison. In some ways it feels more clunky than the iMessage ancestor iChat did 20 years ago.

13 people on iOSes, iPhones from 11s to 15 Pro; 2 Androids.

It does require a phone number to create an account. That’s the reason I do not consider it being private because at least in Germany a phone number can only be activated by using a personal ID card which it is connected to.

Really? I don't see any real difference between the UX of WhatsApp and Signal for example. And they're really on-par feature wise.

The only things in your list that are not available on Signal are "tons of animated emojis" and "bots". Recently they also introduced usernames to keep your phone number private. And Signal have had all the other things for a few years now, and with actual security.

It no longer doesn't. It took them a while because you can't just slap features like that. It's not a string in a database like with Telegram.

Telegram has great UX because you can build things fast and easy when you don't have to give two shits about the security side of things. You can cover that part with grass-roots marketing department and volunteering shills.

Signal is excellent for tiny groups of known participants. I prefer it over anything else for this use case. The group permissions Signal introduced a few years ago are well suited for that purpose. I've recently started running small groups on Signal with about 100 participants who mostly know each other, but not tightly. The recent addition of phone number privacy makes this feasible.

Once you start moving up in scale you really need moderation tools, and Signal doesn't do so well there. When you have thousands of people and it's open to the public you need to moderate or else bad actors will cause your valuable contributors to leave. Basic permissions like having admins who can kick people out and restricting how new members can join only gets you so far.

The issue is that in Signal there is no group as far as the server is concerned: The state of the group exists only on client devices and is updated in a totally asynchronous manner. As a consequence it is more difficult for Signal to provide such features. For example, Signal currently has no means to temporarily mute users, to remove posts from all group members, easy bots to deal with spam, granting specific users special privileges like ability to pin messages, transferable group ownership as opposed to a flat "admin" privilege, etc.

Think about the consequences of Signal's async nature with no server state: What does it mean to kick someone out? An admin sends a group update message that tells other clients to stop including that user in future messages. Try this: Have a group member just delete Signal and then re-register. Send a message to the group. They're still in the group. You get an identity has changed message. These are really only actionable with people who you know... that is, in tiny groups.

And then, the biggest strengths of Signal, which are its end to end encryption and heroic attempts to avoid giving the server metadata, are less valuable in the context of a large public group: Anyone interested in surveilling the group can simply join it, so you have to assume you're being logged anyway. Signal lacks strong identities as a design choice, so in big groups it's harder to know who you're really talking to like you know that "Joe Example, founder of Foo Project" is @Foo1988 on Telegram and @FooOfficial on X and u/0xFooMan on Reddit.

# No smooth animations - that's makes Telegram stand out from everything else here, but maybe not everyone is happy when 6-core phones can deliver something more than 60fps in 2024...

That's what I remember and yes - mostly those are probably easy to fix UI/UX features/bugs, but even being open-source - they aren't.

What's the difference between a fiat and a ferrari? What's the difference between CentOS and Linux Mint? What's the difference between a macdonalds and a michelin burger?

I have friends and groups on both platforms. On Signal, I'm basically just sending messages (and only unimportant one, like, when are we meeting. Sending media mostly sucks so I generally only have very dry chats on Signal).

Whereas on Telegram, I'm having fun. In fact it's so versatile, that my wife and I use it as a collaborative note-taking system, archiver, cvs, live shopping list, news app (currently browsing hackernews from telegram), etc. We basically have our whole life organised via Telegram. I lose count of all the features I use effortlessly on a daily basis, and only realise it when I find myself on another app. This is despite the fact that both Signal and whatsapp have since tried to copy some of these features, because they do so badly. A simple example that comes to mind: editing messages. It took years for whatsapp to be able to edit a message (I still remember the old asterisk etiquette to indicate you were issuing a correction to a previous message). Now you can, but it's horrible ux; I think you long press and then there's a button next to copy which opens a menu where you find a pencil which means edit, or sth like that. In telegram I don't even remember how you do it, because it's so intuitive that I don't have to.

Perhaps that's why I find the whole "Telegram encryption" discussion baffling to be honest. For me, it's just one of Telegram's many extra features you can use. You don't have to use it, but it's there if you want to. I don't feel like Telegram has ever tried to mislead its users that it's raison d'etre is for it to be a secret platform only useful if you're a terrorist (like the UK government seems to want to portray it recently).

I get the point about "encryption by default", but this doesn't come for free, there are usability sacrifices that come with it, and not everyone cares for it. Insisting that not having encryption by default marrs the whole app sounds similar to me saying not having a particular set of emojis set as the default marrs the whole app. It feels disingenuous somehow.

It’s more like they implemented it to check a box …

All those little things combined and when you switch from Telegram to Signal or WhatsApp it feels like going a couple of decades back, or something like that.

Honestly I don't know how much I can trust Telegram and its founder Pavel Durov (I probably shouldn't), but in terms of the quality of software it's unmatched.

The first feature that comes to mind for me is being able to use multiple devices. Signal only allows using it with one phone. If you add a second device, the first one stops working. You can use a computer and a phone, but not multiple phones. Telegram supports this without any issues. I still struggle to understand this limitation.

E2EE is not important to me. Continuity of chats and lack of friction in accessing them is important to me.

>When you create a so called private chat on telegram, this chat is also only available on the device you created it on.

Signal is able to do this with my phone and my computer. The one-phone limit seems arbitrary.

Honestly it would be better if Telegram dropped the facade of having E2EE. It's generally very low on the priority list of most people anyway, as much as it would hurt anyone reading this, but that's the truth. People are not using it for secure messaging, but for a better UX and reliability.

EDIT: Telegram does require a phone number to sign up.

I was using telegram for one single usage, which was a group organizing local meetups events for expats. When I switched smartphone I really didn't want to install an app just for one group and would have preferred using telegram web to consult it occasionnally. Every time I tried logging in on a computer/smartphone it told me to validate the login from telegram on my original, now wiped clean, smartphone. I just gave up.

Then why is a phone number needed to register? If PII is "not shown to anyone in any way" then it should be completely unecessary to provide it to the service. Do not let that particular wool be pulled over your eyes.

That said, such high-tech operation is just a geeks fantasy about spies. When you cross the line where it becomes reality, you’re either a very big name with a sudden drug/rape history or a subject for waterboarding which is the most effective cryptoanalysis tool invented.

Yes, burner sims definitely help evade investigations, but they are harder to get nowadays, depending on jurisdiction. For instance you can't pay cash for a SIM in North America. It has to be a credit card or a bank transfer and that's a form of ID.

It's only on HN I ever see people set up Telegram as some supposed uber-secure private app for Tor users and then demolish that strawman gleefully.

Today, on the same topic, another tech site which generally gets a lot of things right (but whoever is responsible for writing about Telegram, or maybe their internal KB, is consistently wrong and doesn't care about feedback) wrote that it is an encrypted chats service: https://tweakers.net/nieuws/225750/ceo-en-oprichter-telegram... ("versleutelde-chatdienst" means that for those fact checking at home)

Also, people tend to state they have nothing to hide, when they feel they have nothing to fight with. But I can't count the number of times I've seen a stranger next to me on a bus cover their chat the second I sit next to them. Me, a complete random person with no interest in their life is a threat to them.

Christo Grozev shared screenshots of a few CSAM channels yesterday, but if you search for them, they do not seem to exist.

Telegram clearly does less pre-moderation than Facebook, but they are smaller and have less computing and they do not seem to rely on the masses of Nigerian moderators that work for 5$/day as Facebook does.

My speculation is that he set a too high price to share the private data with france or USA.

There is so much misinformation around telegram that alone made me trust it more (if a known liar tries to discredit something, it increases chances of it being good--it is about comments here on HN).

https://telegram.org/faq#q-do-you-process-data-requests

> To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.

> Thanks to this structure, we can ensure that no single government or block of like-minded countries can intrude on people's privacy and freedom of expression.

> Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.

> To this day, we have disclosed 0 bytes of user data to third parties, including governments.

This is incorrect. The construction for group chats in Telegram is not e2e at all. The construction for dm’s is considered dubious by many cryptographers.

It does not matter if you can reproduce a non-e2e encrypted message scheme, you must still trust the servers which you have no visibility on.

Trustworthy e2e is table stakes for this for that reason. Reproducible builds aren’t because we can evaluate a bunch of different builds collected in the wild and detect differences in implementation. This is the same thing we’d do if reproducible builds were in effect.

There are lots of reasons splitting jurisdictions makes sense but you wrote a whole bunch of words that fall back to “hope Telegram doesn’t change their protections in the face of governmental violence”.

I didn't claim it encrypted "group chats". I said "things". If you want me to be specific, the "things" are individual 1-1 end-to-end encrypted chats.

Software auditors use deployed binaries as a matter of course.

They’d do so even if reproducible builds are on offer because the code and the binary aren’t promised to be the same even with reproducible builds and validating that they are can be more problematic than the normal case of auditing binaries.

What does this mean? How can "we" move away from centralized states to "a free market of agencies"? How can there be a "market" of police forces, even in principle? Who are the customers in this imagined market? Who enforces the laws to keep it a free market?

At first glance, this sounds like libertarian fan fiction, to be honest, but I am curious.

Since the parent post was flagged, I do not see any sense to continue, since no one will really see this conversation.

I do interviews with the top people. I build solutions. I give it away for free. I discuss the actual substance. And in the end it's just flagged before a serious conversation can be had. HN is not what it once was.

That's true.

You need to run your own platform people. XMPP is plenty simple, plenty powerful, and plenty safe -- and even your metadata is in your control.

Just self host. There's no excuse in 2024.

Wake up people!

Why should the arrest of someone else affect YOU?

I'm someone who's been on the business end of a subpoena for a platform I ran, and narcing on my friends under threat of being held in contempt is perhaps the worst feeling I'm doomed to live with.

"XMPP is ..." not the solution I'd recommend, even with something like OMEMO. Is it on by default? Can you force it to be turned on? The answer to both of those is, as it turns out, "no," which makes it less than useful. (This is notwithstanding several other issues OMEMO has.)

This is not true, it depends on the client. Conversations has OMEMO enabled per default.

What this means in practice is that you shouldn't focus on whether XMPP (or Matrix, or whatever) protocols are encrypted, but whether the applications enforce it. Just as there are many web browsers to choose from, there are many messaging apps. Use (and recommend) apps that enforce encryption if that's what you want.

So far, I'm not seeing that same consensus from the XSF and client vendors. If the capital investment can be made to encourage that same culture, the comparison can perhaps be a little closer.

There are even apps like Quicksy which have a more familiar onboarding experience using the mobile phone number as the username, while still being federated with other standard compliant servers. There is little reason to use walled garden apps like Signal these days.

Gung-ho evangelists rarely convert like a reasonable take on the subject does

  > Just self host. There's no excuse in 2024.

May I remind you what the average person is like with this recently famous reddit post:

https://archive.is/hM2Sf

If you want self hosting to happen, with things like Matrix, and so on, the hard truth is that it has to not be easy for someone who can program, but trivial for someone who says "wow, can you hack into " if they see you use a terminal

Self-hosting is terrible in that it gives Mike, the unbeknownst creepy tech guy in the group 100% control over the metadata of their close ones. Who talks to whom, when etc. It's much better to either get rid of that with Tor-only p2p architecture (you'll lose offline-messaging), or to outsource hosting to some organization that doesn't have interest in your metadata.

The privacy concern Green made was confidentiality of messages. There is none for Telegram, and Telegram should have moderated content for illegal stuff because of that. They made a decision to become a social media platform like Facebook, but they also chose not to co-operate with the law. Durov was asked to stop digging his hole deeper back in 2013, and now he's reaping what he sow.

Simply not cooperating with law enforcement is technically moderately difficult, but politically and legally impossible.

Between a difficult and an impossible option, the rational decision is to pick the difficult one.

IIRC Signal just has each group member send each group message to each recipient with the standard pair-wise encryption keys. It's the message's headers that lets the recipient know it's intended for the group and not the 1:1 group.

Additionally the key is regularly updated to provide some degree of perfect forward secrecy and avoid encrypting for people who left the group chat

You ask the authors how they solved the problem of server needing to know to which client connection an incoming ciphertext needs to be forwarded, and they'll run to the hills.

They're lying by omission about their security, and misleading about what constitutes as a permanent identifier.

You understand the design quite well, from our past conversations, you simply don't like the fact that we don't recognise user IP address as a permanent user identifier on the protocol level. It is indeed a transport identifier, not a protocol-level identifier that all other messaging networks have for the users (in addition to transport identifiers).

Message routing protocol has anonymous pairwise identifiers for the connections between users (graph edges), but it has no user identifiers - messaging servers have no concept of a user, and no user accounts.

Also, recently we added a second step in message routing that protects both user IP addresses and transport sessions: https://simplex.chat/blog/20240604-simplex-chat-v5.8-private...

In general, if you want to meaningfully engage in the design criticism, I would be happy too, and it will help, but simply spitting out hate online because you don't like something or somebody, is not a constructive approach – you undermine your own reputation and you also mislead people.

> You ask the authors how they solved the problem of server needing to know to which client connection an incoming ciphertext needs to be forwarded, and they'll run to the hills

This is very precisely documented, and this design was recently audited by Trail of Bits (in July 2024), we are about to publish their report. So either you didn't understand, or your are lying.

> They're lying by omission about their security, and misleading about what constitutes as a permanent identifier.

You would have to substantiate this claim, as otherwise it is slander. We are not lying about anything, by omission or otherwise. You, on another hand, are lying here.

That you are spiteful for some reason is not a good enough reason.

Factually, at this point SimpleX Chat is one of the most private and secure messengers, see the comparisons of e2e encryption properties in SimpleX Chat and other messengers: https://simplex.chat/blog/20240314-simplex-chat-v5-6-quantum...

Given that users can access their messages without interaction with people at Telegram, automatic aggregation of the cloud data for single end points is in place.

In consequence the data can be accessed from a single jurisdiction anyways.

Centralization means that it's very easy to trust that whoever implements and operates the crypto is smart. Do I trust them? I don't know. I trust myself, but I don't think I am independently capable of operating or implementing crypto - if I want to make assertions like "this is end-to-end-encrypted" and ensure those assertions remain true, I will need a several million dollar a year budget, at a minimum. "Decentralized" means you've got tons of endpoints that need securing, and they can share crypto implementations, but the operations are duplicated. Which means it's more expensive, and you're trusting more operators, especially if you want resiliency.

Yes, something like Signal or Whatsapp means you've got a single point of failure, but something like Matrix, you've got many points of failure and depending on how it's configured every point of failure can allow a different party to break the confidentiality of the system.

Decentralization is great for resiliency but it actively works against reliable and confidential message delivery.

https://www.npr.org/sections/parallels/2014/04/02/297839429/...

The mistake Moxie makes (and you do as well, you should really click on the links I posted to understand why)

is that "no one wants to run a server". In fact, an entire industry of professional "hosting companies" exists for Wordpress, Magento, etc. It's a free market of hosting.

You can't trust the software they're hosting, that's true. Which is why we have things like Subresource Integrity on the Web, IPFS, and many other ways to ensure that the thing you're loading is in fact bit-for-bit the same as the thing that was just audited by 3 different agencies, and battle-tested over time.

Think UniSwap. I'd rather trust UniSwap with a million dollars than Binance. I know exactly what UniSwap will do, both because it's been audited and because it's been battle-tested with billions of dollars. No amount of "trust me bro" will make me trust Binance to that extent. The key is "Smart contract factories":

https://community.intercoin.app/t/intercoin-smart-contract-s...

In short, when you decouple the infrastructure layer (people running ethereum nodes) from the app layer (the smart contracts) all of a sudden you can have, for the first time in human history, code you can trust. And again, there is a separation of responsibilities: one group of people runs nodes, another group of people writes smart contracts, another group audits them, another makes front-end interfaces on IPFS, etc. etc. And they all can get paid, permissionlessly and trustlessly.

Look at Internet Computer canisters, for instance. Or the TON network smart contracts. There are may examples besides slow clunky blockchains today.

Decentralized protocols have existed for a very long time. Email have existed since the 70s. Telephone is also arguably decentralized and have existed for even longer.

Government split Ma Bell into multiple smaller pieces, but they still operated as a cartel and kept prices high. They had centralized telephone switchboard operators etc.

It is only when authors of decentralized file-sharing networks like Kazaa (who built them to get around yet another government-enforced centralized regime of Intellectual Property, RIAA, MPAA etc.) went clean did we get Skype, and other Voice over IP consumer products. And seemingly overnight, the prices dropped to zero and we got packed-switched networks over dumb hubs, that anyone can run.

That's the key. We need to relegate these centralized platforms (X, Meta, etc.) into glorified hubs running nodes and earning some crypto, akin to IPFS nodes earning filecoin, or BitTorrent nodes earning BTT, etc.

Everything centralized gets enshittified

Clay Shirky gave a talk abot this in 2005: https://www.ted.com/talks/clay_shirky_institutions_vs_collab...

And Cory Doctorow recently: https://doctorow.medium.com/https-pluralistic-net-2024-04-04...

You are not answering my main concern. Again, you snick in crypto into the discussion. Why?

We have decentralized stuff. Email, xmpp, matrix, the fediverse, all this works without this web3/crypto stuff. Those things are not perfect, including their decentralized aspect (sometimes to the point of doubting that decentralization really works well, although I personally think decentralization is a good thing).

I didn't downvote you but I suspect this is exactly why you are being downvoted. Since you asked. Many of us just think cryptos and this web3 stuff is bullshit and gets mentioned totally off topic without any convincing link to the discussion every single time.

Look at FileCoin and IPFS, for instance. Once you automate the micropayments and proofs of spacetime, it becomes a cryptocurrency. And then the providers of services can sell it to the next consumers.

Just because you hear the word "crypto" doesn't mean it's automatically off-topic, when it's literally the thing that is inevitably used by decentralized systems to do proper accounting and reward the providers for providing any services. Without it, you'll still be sitting -- as you are -- with no viable alternatives to Twitter and Facebook.

That doesn't ring true. What is an autonomous network? Those things runs on the internet, largely backed by infrastructure funded by traditional money. Moreover, emails, tor nodes, xmpp servers, matrix homeservers, fediverse hosts... None of those need cryptocoins to fund themselves, and are indeed largely and for the most part funded using traditional money. Micropayments are also not something needed for decentralization.

Decentralization is way more than just about decentralizing money and many of us don't trust crypto coins.

Or just like, advertisement. ActivityPub, Matrix, PeerTube, NextCloud and Urbit are all fully decentralized and let any instance host monetize themselves however they want.

Decentralized services, even for-profit ones, are not synonymous with cryptocurrency. Stop spreading misinformation to promote an unrelated topic.

"Urbit IDs aren’t money, but they are scarce, so each one costs something. This means that when you meet a stranger on the Urbit network, they have some skin in the game and are less likely to be a bot or a spammer." https://urbit.org/overview

Who pays for the hosting of ActivityPub and Matrix instances?

What if one instance abuses other instances too much? How do you prevent it?

What if some spammer abuses Nexcloud? Oh, look at that, Nextcloud and Sia announce "cloud storage in the blockchain": https://nextcloud.com/blog/introducing-cloud-storage-in-the-...

Now we come to your ActivityPub stuff, including PeerTube. The question is, who pays for storage? What are the economics of storage?

I literally go into detail here: https://community.intercoin.app/t/who-pays-for-storage-nfts-...

I met the founders of LBRY / Odysee and other tokens that are actually being used for actual streaming. LBRY is a genuine utility token being used for instance.

You are totally ignoring the part that people need to get paid for storing stuff, and at the same time the payment needs to happen automatically.

Any other examples?

And

> What if one instance abuses other instances too much? How do you prevent it?

Simple, they get blocked by other instances?

How cryptos change anything to these three questions?

> Oh, look at that, Nextcloud and Sia announce "cloud storage in the blockchain"

That just means Sia wrote a Nextcloud integration for their stuff and somehow nextcloud decided to showcase this integration. That doesn't mean Nexctloud has much to do with blockchain stuff. Nextcloud integrates with anything and its dog.

> What if some spammer abuses Nexcloud?

What kind of spam are you imagining and how do you think crypto coins are going to solve this? You don't use cryptos for this, you use good old system administration and in particular antispam systems, which don't use coins.

> You are totally ignoring the part that people need to get paid for storing stuff, and at the same time the payment needs to happen automatically.

We're not.

First, they don't always need to, some people run stuff out of advocacy for instance.

Second, getting paid with regular money is not an unsolved problem, there are plenty of options, many of which also coming with some builtin guaranties against fraud. It's literally how the whole world works. Now, I can't say I'm a huge fan of our financial system but that's a social issue in need for a social solution, not a technical one.

I'm stopping here, it's pretty clear that I won't get a solid, reasonable argument in favor of cryptos here. And that since your top comment is flagged to death, nobody reads us anyway.

This was a cutting-edge and untested concept in maybe 2011. You missed the boat by a decade and a half.

> LBRY is a genuine utility token being used for instance.

Yeah, last I heard of their brand was when a member of my graduating class became a neo-nazi for six months and incessantly uploaded videos detailing his hallucinations to the internet. You're in good company, it sounds like.

> I could go on for literal days

I believe there should be a way to have a rational discussion about this, point by point, maybe threaded. This ain't it. But whatever.

I am not married to blockchains, I have literally criticized blockchains. I have said that smart contracts and distributed systems are what we need, whether that's Internet Computer canisters, SAFE network datachains, IOTA DAGs, Hashgraphs, or Intercloud (something I designed). I don't know why people on HN love to do this strawman over and over.

Blockchain is a settlement layer. I don't even say it's needed for day-to-day micropayments. I explain how the systems could work, which could use any smart contracts for their settlement layer, I don't care about the underlying technology for those, but the Web2 elements are there: https://qbix.com/ecosystem#DIGITAL-MEDIA-AND-CONTENT

> The last I heard of [LBRY]

Yeah, they got sued by Gary Genzler's SEC even though their coin was one of the few actually being used as a utility token. They were forced to shut down their entire company, and only the network survived. Similarly with Telegram, with the SEC. I will wager that you're reflexively on the side of Gary Gensler and the government "because blockchain". But I would have liked to see this innovation grow, not be killed by governments.

I primarily downvote them because I haven't seen anything come out of that space that seems like it's remotely capable of actually achieving decentralization (for which I also see a dire need in today's structure of the Internet and the applications running on it).

95% of the time, these things are built as a Potemkin village of technical decentralization backed up by complete administrative centralization, with the path to actual decentralization "very high on our public roadmap available here, we promise!!!"

I wish the downvote button would require at least a private message to the person of why they are being downvoted. (Upvote could have an optional message).

Otherwise it's the most toxic feature on HN as it promotes extreme groupthink activism.

We can be null in cryptography, but handing over both the secret and the key to this secret to the very same person is quite a trustful step, even when they say 'I promise I will not peek or let others peek, pinky promise!' - with an 'except if we have to or if we change our mind' in the small prints or between the lines.

Or the CEO and owner, staring down the barrel of a very long time in prison, obtains the keys from his employees and provides them to the authorities.

Would he do this? To me, it matters little how much I trust someone and believe in their mental fortitude. I could instead rely on mathematical proofs to keep secrets, which have proven to be far better at it than corporations.

Also

> To this day, we have disclosed 0 bytes of user data to third parties, including governments.

Didn't they conclude an agreement with Russian gvt in 2021?

Many rooms are not encrypted because they are public rooms, where there would be no point in it. Encryption has been the default for quite a while now.

I doubt that it's very high on that list, as the problem seems a very hard. Very hard as in that do we even know it's possible? "Metadata" includes a lot of stuff, but basically the originator, the destination and the timing of the messages and participants of a room are all quite difficult to hide in a federated system.

I do believe there is a plan for getting rid of the association of one user in multiple rooms, but that's but a small bit of metadata. I think it is part of the puzzle for supporting changing homeservers.

> "Metadata" includes a lot of stuff, but basically the originator, the destination and the timing of the messages

Indeed. AFAIK, sender/recipient correlation cannot actually be protected at the software level, because packet switched networking necessarily reveals it. The common way I'm aware of to mitigate this problem is at the network level, by trying to avoid common routes that would allow monitoring many users' traffic from any one place.

Concretely, that might mean having everyone use Tor (which some folks suggest already) or going fully peer-to-peer (which some messengers do already, and Matrix has been experimenting with).

Signal tries to improve the situation with Sealed Sender, but I'm pretty confident that can't protect against the Signal servers being compromised, nor against network monitoring. When trying to think of how it's useful at all, the only thing that comes to mind is that it might strengthen the Signal Foundation's position when a government demands logs. (And if that is why they implemented it, I suppose they must be keeping logs, at least for a short period.)

Related:

https://www.ndss-symposium.org/ndss-paper/improving-signals-...