Dear Hong Kong Activists, Please Stop Telling Everyone Telegram is Secure - Global Voices Advocacy

A civic group, Citizen Data, urged protesters to download Telegram and activate its geolocation function so that we could “check-in” to the protest. As we passed the booths of various political and civil society groups on the road, they told us to befriend Telegram bots (automated Telegram accounts that perform simple functions, like image searches or RSS-like updates.) One bot allowed attendees to signal their participation at the march. Another polled voters about their top picks in the upcoming Legislative Council elections.

• Only “New Secret Chats” in Telegram are secure. By default, conversations on Telegram are not protected by end-to-end encryption. This is only guaranteed if you turn on “New Secret Chat” before beginning a conversation. Many people we spoke with were not aware of this discrepancy – they think that all communication within Telegram is “automatically” secure.

• Group chats have no end-to-end encryption support. There is no “secret chat” option for conversations involving more than one person.

• Conversations with bots are not end-to-end encrypted either. There’s no indication that any conversations or interaction with bots is end-to-end encrypted.

Researchers also have confirmed that the app collects users’ metadata — information about who they communicate with, and when — making it relatively easy for Telegram users to monitor each other’s communication habits.

Signal is open source from top to bottom — they are entirely transparent about the technology they use for encryption, and everything else. But because it's a not-for-profit, open source project, it lacks the bells and whistles (such as stickers), and the user base of commercial chat apps like Telegram and WhatsApp. For many Hong Kongers, Signal doesn’t appeal for these reasons. Many choose instead to use WhatsApp, which is a safer alternative to Telegram. While it lacks some of the privacy protections of Signal, it is the only widely-used chat app that uses an open and peer-reviewed encryption protocol.

Telegram was not wrong in promoting its security features back in 2013 – end-to-end encryption in mobile chat apps was rare back then. Since then, however, other chat apps have caught up and in many cases surpassed its security features. This isn't to say Telegram doesn't have its merits – neither Whatsapp nor Signal have support for channels (public groups) or bots, and Telegram does have a handy, Snapchat-like, self-destruct feature for conversations. But to recommend Telegram, without reservation, to protesters and activists is simply irresponsible.