Why Telegram's security flaws may put Iran's journalists at risk - Committee to Protect Journalists

Vahid Online said that Telegram's Channel function, a one-way communication method that allows users to share content with large audiences, has been instrumental in attracting Iranian users. "There is a big population in Iranian cities and towns that have never had access to computers and don't even have email accounts, but they have now connected to the online community through Telegram," he said. "Many of the YouTube videos that for years were blocked for Iranians have been shared on Telegram and many Iranians are able to see them for the first time."

Vahid Online said that Telegram's Channel function, a one-way communication method that allows users to share content with large audiences, has been instrumental in attracting Iranian users. "There is a big population in Iranian cities and towns that have never had access to computers and don't even have email accounts, but they have now connected to the online community through Telegram," he said. "Many of the YouTube videos that for years were blocked for Iranians have been shared on Telegram and many Iranians are able to see them for the first time." 

Nate Cardozo, senior staff attorney at Electronic Frontier Foundation, told CPJ. "Version 1.0 of the scorecard does not reflect EFF's current thinking on encryption, nor does EFF encourage anyone to use it for practical advice."

Cardozo pointed out "critical flaws" with Telegram, including its lack of end-to-end encryption and its use of non-standard MTProto encryption protocol, which has been publicly criticized by cryptography researchers, including Matthew Green, an assistant professor of computer science at the Johns Hopkins Information Security Institute and a leading expert on applied cryptography.

Seemingly arcane details such as an app's encryption protocol and implementation can directly impact the lives of the journalists who use those apps. CPJ recommends that journalists should use WhatsApp or Signal as a more secure way to communicate, a recommendation echoed by Cardozo. Both apps use the Signal encryption protocol, which is based on open, well-tested cryptographic algorithms. The Signal protocol, which CPJ staff use for our most sensitive work, has been reviewed and endorsed by leading security experts.