According to research conducted by the KIIS and commissioned by the Civil Network OPORA on media consumption of Ukrainians during the war, Telegram first became the most popular social network for news consumption in Ukraine.
Thus, 76% of Ukrainians receive news from social networks, and 66% of them prefer this messenger, although Facebook has occupied a prominent place since 2015. In general, this mobile application is the third most popular among Ukrainians and gives way to only two gas station applications.
A global study by Statista confirms this trend: in general, users around the world choose Telegram primarily as a source for news updates. Other, less important factors for being attracted to the messenger, include the user friendliness, personal communication options, a.o.
Thus, Telegram became a space for prompt information about the course of hostilities, for announcements of air alerts, for official communication of central and local authorities in Ukraine, for self-organization of the volunteer movement, etc. In this coverage, OPORA has figured out what pitfalls and potential risks come from this popularity, how Telegram differs from other messengers in terms of security, and whether it should be trusted at all.
Telegram and political life
According to Statista, Telegram is developing quite dynamically. Compared to other technogiants, it is a fairly young company, and since 2018, the number of active users has been growing by 100 million every year. In 2022, the total number of users reached half a billion:
According to the latest data published by the Telegram in June, 2022, it has already reached 700 million.
According to Similarweb, Telegram occupies 4% of the global messenger market and is the most popular online communication app in Belarus, Kazakhstan, Moldova, Azerbaijan, Kyrgyzstan, Jordan, and Cambodia. Thanks to the options to remain anonymous, create group chats for up to 200,000 users and channels with an unlimited number of subscribers, it is becoming more popular when there is a need for organized collective action, such as, during protests. Thus, Telegram was the main platform for coordinating protests in Belarus and Hong Kong. Similarly, it was this social network that Ukrainians turned to after the beginning of the full-scale invasion — for example, to coordinate security issues and organize the volunteer movement.
Telegram also attracts users due to minimal, almost invisible content moderation. Thus, unlike most social networks, here you can use any wording, distribute erotic content or images of violence, buy and sell illegal things and services, etc. For example, Telegram became a haven for supporters of US President Donald Trump when other platforms denied them access to their platforms after the Capitol's assault. That is why, unlike Facebook, Instagram, or Twitter, Telegram makes it almost impossible to provoke the network to block your content or profile.
The spirit of freedom also attracts users from undemocratic states where censorship prevails. In fact, Telegram cannot be completely banned in a particular country. In combination with another app, Psiphon, this social network can still be used despite any blocking on the national network. According to The Guardian, this is how users from Iran and Belarus continued to use this messenger during the banning attempts. Telegram also declares that it does not cooperate or will not cooperate with governments or law enforcement agencies of any countries. This led to an attempt to ban Telegram in russia after the company refused to provide access to user chats at the request of russian law enforcement officers.
Is Telegram secure then?
Short answer: There is no safety guarantees.
Safety, privacy, and freedom of expression are key aspects of the Telegram brand. Firstly, Pavel Durov assures that he was forced to sell the social network Vkontakte and leave russia following his refusal to cooperate with the russian FSB and provide security forces with access to private data of users, in particular Ukrainians, who took an active civil stance during the Revolution of Dignity. One of the first questions that usually arises about Telegram is about who pays the piper? The usual online revenue model that most social media, messengers, and other apps use is that if you don't pay for a product, then you are the product that someone else pays for. Durov posits himself as Robin Hood in the digital world: he creates a high-quality and absolutely free product, in no way earning from it, inspired by a righteous commitment to the ideas of digital freedom, security, privacy and disgust for other large technology corporations. From 2013 until present, the project, according to the founders, has lived at the personal cost of Durov himself. It was not until late 2021 that Telegram launched in-app advertising, and recently, in June 2022, a premium subscription option was introduced. In addition, according to Durov, advertising on a social network is and will only be contextual in specific channels, that is, without the targeting feature based on personal user data. Therefore, the app now depends on the goodwill and sincere ideation of one person — Pavel Durov. Reliable, isn't it?
Secondly, users are attracted by the security of their data — from their phone number to the secrecy of private communication. The issue of security should be divided into two aspects:
a) protection of data from transfer by the company to third parties (like to russian security forces)
b) protection against theft of user data by third parties
With regard to the first option, attention should be paid to the jurisdiction of the country where the messenger company falls under. In this context, Telegram is very opaque — neither the address nor the contact details are publicly available. According to the company itself, its office operates in the UAE; it is legally registered in the British Virgin Islands, and Telegram has registered a legal entity in the United Kingdom to serve users in the European Economic Area. The network is reluctant to disclose any information about itself: who is part of the team, except for the Durov brothers, where the servers and the office are located, etc. The only information available about the company's servers is a 2014 tweet, where the official Telegram profile replied to one of the users that their servers are hosted in London — for European users, in Singapore — for Asian countries, and in San Francisco — for users from the US. It is not possible to verify the validity of this data at this time. However, according to the privacy policy, user data from the UK or the European Economic Area is stored on servers in the Netherlands. As previously rightly mentioned by Liga.net journalists, the only thing we can rely on is the word of honor of the Telegram team and Durov himself, as well as the data of the US Securities Commission published in the report on the ban on the issue of Telegram cryptocurrency. In fact, the company's opacity makes it impossible to monitor compliance with user data security, especially in undemocratic countries and in conflict situations. Again, the only guarantee that Telegram does not share data about Ukrainian users with, for example, the government of the aggressor country comes from the ideological beliefs and words of honor of Pavel Durov (or other decision-makers of the company, about which the public is not aware). Moreover, according to the investigation of the Wired, even Telegram employees often have to rely on Durov's words alone.
Telegram does collect and store user data. Private chats are encrypted using the “server-client” method — just as you see private messages in your smartphone, they are seen by those who have access to the server where they are stored. And only when you choose the secret chat function, your message can be seen by a recipient only, because they are encrypted using the "client-client" method. On the contrary, in WhatsApp and Signal messengers, this encryption method is automatically applied to all messages and calls. However, as stated in Telegram's privacy policy, user data and its access key are stored on servers under the jurisdiction of different states, so access to the local server is not sufficient to receive this data. Instead, the creator of the Signal messenger Moxie Marlinspike says: the real data security is not to believe that the company will protect data but to have no need to protect data at all because the company does not have data. Also, regardless of where the servers are located, Telegram reserves the right to share private user data with a group of Telegram companies operating in the UAE and the British Virgin Islands. It is the regulation of these countries that allows or prohibits Telegram from using the data in one way or another. The specific offices of the same company and the jurisdictions countries they fall under are not well known.
When it comes to stealing user data by third parties, Telegram is so confident in the security of the code that it even runs hacking competitions and offers a reward of $300,000 to those who manage to steal private data. However, there is evidence that it is still possible to obtain data on participants in group chats and channels. VICE Germany outlet, which cited these arguments in their article last year, approached Telegram for comment on the identified “holes” in data security but the company ignored the journalists' request. Also, digital security experts have repeatedly expressed doubts about the advertised security of the social network, because Telegram uses its own copyright and relatively new data encryption protocols, which over time may reveal new vulnerabilities. For example, the German police managed to break the profiles of users accused of neo-Nazism.
Telegram Risks for Ukraine
The Telegram problem has repeatedly emerged in the Ukrainian public discourse. First of all, this concerns the issue of anonymity, which creates ideal conditions for information injects and misinformation. Thus, Telegram does not just provide its own platform for the potential dissemination of disinformation — the very architecture of the application stimulates the creation and dissemination of disinformation messages. This is the least transparent network for external monitoring. For example, anonymous channel administrators can usually only be found out what they publish themselves. Also, no information is available about subscribers of public channels, coverage of posts, chains of content reposts, etc. Anonymity and the possibility to post files of various formats and large sizes allows you to safely create injects without revealing your identity — for example, in 2019, it was in the anonymous Telegram channel "Truba-leaks" that the records of conversations of the then head of the SBI, Roman Truba, were published. Similar “injects” safely enter the information space, protecting their source effortlessly. Back in early 2020, a study of the Liga.net publication showed that in this way, russian propaganda attacks enter the Ukrainian information space, concealing traces of the source of their origin. Anonymity allows russians to easily create Telegram channels, disguising them as Ukrainian. Last year, the SBU exposed a network of channels directly administered by the russian agents. Some of them were popular among MPs of Ukraine.
During the full-scale war, the information field is also the scene of hostilities. The Ministry of Internal Affairs warns that the russians continue to use the above tactics, multiplying their efforts. Moreover, previously discovered channels working for the russian intelligence services continue to function and gain popularity of users. In addition, russians actively monitor what Ukrainians post in public channels. That is why the Ukrainian authorities are so active to ask not to publish any information about enemy missile strikes, the movement of the Armed Forces of Ukraine, etc. The lack of content moderation and the company's closeness to cooperation with the government and law enforcement agencies in Ukraine make it impossible to find any scenarios of a strategic solution to this problem, or legal regulation in general.
With regard to the security of Ukrainian data, we have a situation similar to that described in the previous section: the only guarantee that Telegram does not share private user data with russian security forces is Pavel Durov's word of hounour: he would never do so, given his Ukrainian roots. Moreover, the Ukrainian government, state authorities and local governments legitimized the Telegram, also choosing it as one of the main channels of public communication, increasing the loyalty of citizens to this platform.
In addition, Telegram has a favourable infrastructure for recruiting and coordinating collaborators. Again, the company does not cooperate with Ukrainian law enforcement agencies to identify and investigate such cases.
How Could These Risks be Mitigated?
First, you should avoid using Telegram to share sensitive information, even in private online communication. We recommend that you read the tips of the cyber police on how to use this social network more safely. Secondly, if possible, it is necessary to avoid the consumption of information from anonymous channels and not to help their promotion, that is, to observe information hygiene.
As mentioned above, blocking Telegram will be an inefficient step. So, the only possible option is the communication with the company at the government level. The presence of a modern and online-adapted legislative regulation of social networks and the protection of personal data could significantly strengthen the negotiating positions. To a large extent, Telegram's policies depend on the ideological libertarian positions of its founder. However, the European GDRP, among others, has also influenced the network's policies. Telegram agreed to cooperate with public authorities for the first time, at least on some terms. They agreed to provide access to private data of persons accused of terrorism under a court order, as well as to take into account the regulation of GDRP in the user policies of the network. Therefore, the Telegram case reiterates the need to create high-quality legal tools for regulating the online space in Ukraine.
Original article: Ukrainska Pravda