Every once in a while I recommend Telegram to my Facebook friends, mostly as a privacy-​centric alternative to Facebook Chat /​ Messenger. Recently a friend of mine pushed back against this recommendation, and suggested that I try out Signal instead. Incidentally, I use both, so here are some ramblings on Telegram vs. Signal.

Update 2023-​03-​25: After recommendations by the Norwegian Police Security Service and stories like this, I am no longer using Telegram and have instead migrated to Signal.

Update 2016-​01-​11: Wire seems to be close to the perfect text/​voice/​video chat service. Thanks to Wolfgang Bremer for letting me know of Wire in the comments. If you’re interested you can read a review of Wire’s whitepapers by by a security researcher at the University of Waterloo, with responses by Wire. My original blog post follows.

Keep in mind that 1) while I’m a bit of an idealist when it comes to privacy, I’m pragmatic above all,1 and 2) I have no idea what I’m talking about. If I’m wrong, or if I have overlooked significant aspects, please leave a comment.

What is Signal?

Signal screenshot

Signal is an app for Android and iOS by the non-​commercial organization Open Whisper Systems. It’s basically an SMS app which, when you chat with someone who also uses Signal, sends an encrypted message over the Internet instead of a normal unencrypted SMS.2 This means that it’s not possible to naively think of it as an SMS app, because the message will not be received until the recipient connects to the Internet. Since you don’t know whether or not your friend is online when you send the message, you can’t count on it being delivered instantly, like you can with SMS.

Signal is completely open source. Open Whisper Systems are funded by a combination of donations and grants.

What is Telegram?

Telegram screenshot

Telegram is a non-​commercial chat service with apps for mobile devices (iOS, Android and Windows Phone) as well as desktop and web. Messages are encrypted in transit and on their server, but unless you specifically start a “Secret Chat” it’s not zero-​knowledge (i.e., end-​to-​end encrypted with no possibility of Telegram seeing the message contents).

Telegram’s clients, API, and protocol is open source. They haven’t open-​sourced their server back-​end (yet). Telegram is funded by a significant donation from a guy named Pavel Durov.

What’s the issue with Telegram?

Well, that depends on your reasons for using it. My friend highlighted the closed source back-​end, and the fact that end-​to-​end encryption is turned off by default (as previously tweeted by Snowden himself, though it’s incorrect that the messages are stored in plain text on Telegram’s servers). In addition to that, Telegram once held a cryptography contest which was criticized for being little more than a play to the gallery ([1], [2], [3]). They are also closing down known terrorist-​related chats/​channels, which IMHO is a good thing, but not philosophically unproblematic given that “terrorism” is a rather vague term.

If you’re the next Snowden, I’m sure you’ll have several other problems with it. I’m not and I don’t.

Why I don’t recommend Signal to my friends

I have two main gripes with Signal:

First, it’s only on mobile. I want something on desktop too, because I don’t see a reason to awkwardly type on a smartphone if I’m in front of a PC anyway (which I am most of the time). They do have a kind of desktop client they’re working on, but it’s a Chrome app and connects with your Android phone. I want something I can use to communicate even without my phone,3 not to mention a solution which doesn’t lock me into a specific browser. Update 2017-​04-​26: You don’t need Chrome running in order to use it. Still, I’d still like not to be forced to install software I’m not using.

Second, Signal’s SMS/​web identity crisis is not particularly user friendly. “Hey, why isn’t my secure SMS delivered”, I hear the potential users yelling before heading back to the warm embrace of Facebook Messenger. The question of an SMS fallback has been discussed several times on the Signal issue tracker; see #3220 and referenced issues for more information on why we won’t see it.

I started using Signal because I was curious how it worked, and I’ve only continued using it because it delivers a better SMS experience than my stock SMS app (literally none of my contacts are using Signal).

Privacy vs. Security

When I recommend Telegram to friends, it’s mostly out of privacy concerns, not security. There’s a difference between privacy and security. Highly simplified, security is confidentiality of your data, while privacy is appropriate use of your data. Of course, without confidentiality (encryption), your data can be intercepted and used inappropriately (e.g., collected by the NSA et al.), so entirely unencrypted transmissions are always susceptible to privacy violations. But Telegram’s protocol is encrypted, so the security is not a big issue for me here.

The only remaining “problem” then is the fact that Telegram technically has access to your messages. I don’t like that, but hey, I’m using Facebook Chat (and Facebook in general, though I’ve had it with the Messenger app), and Facebook is confirmed to both have access to my messages AND analyze/​use that data for commercial purposes (also they have backdoors for the NSA, if I remember the PRISM thing correctly).

Since Telegram has access to your messages (although they swear they’re not looking at it), you are required to trust Telegram, which may or may not be a problem for you. Let’s discuss that.

On trusting Telegram

Consider their closed-​source back-​end: Even if Telegram had an open-​sourced their back-​end,4 you could never be 100% certain that they were actually running that version. Some trust is required anyway. ProtonMail recently mentioned this in an article on spam protection. In fact, the only way to be 100% certain that no-​one can see your unencrypted data is to use a service which does full end-​to-​end encryption, verify their client source code (years of cryptography experience required)5, download the source and compile it, and only use the client you have compiled yourself. And of course, vet the changes to each new update (which may be required in order to continue using the service, what with it being a service and all) and repeat the process. No-​one does that. Or close enough to no-​one as to make no difference.

I’m no security expert, and maybe I’m gullible, but I did read quite a bit on about Telegram before I started using it. Based on that I trust that Telegram does not do anything inappropriate with my data (i.e., anything else than sending it to me and to my friends when needed). Telegram is non-​profit and I trust them to not have any interest in my data. I trust that they adhere to their Privacy Policy, and I don’t see any red flags in their “business model” or anywhere else in Telegram’s FAQ which indicates that they might be lying to me. If Telegram really were lying to their users, that would be nothing short of a well executed conspiracy. Even though I can see why you might be skeptical if you’re the next Snowden, I think it would be a bit too paranoid for “normal people” like me to doubt the sincerity of Telegram.

Security vs. user-friendliness

There’s a good reason for Telegram not enabling encrypted chats by default: It would be significantly less user-​friendly, since messages could only be read on the device from which they were sent. From their FAQ:

The idea behind Telegram is to bring something more secure to the masses, who understand nothing about security and want none of it. Being merely secure is not enough to achieve this — you also need to be fast, powerful and user-​friendly. This allows Telegram to be widely adopted in broad circles, not just by activists and dissidents so that the simple fact of using Telegram does not mark users as targets for heightened surveillance in certain countries.

I respect that decision and think it is a good move. I have lots of friends who are not that technically proficient, or care enough about privacy and security to suffer through using an unintuitive app. These days, user’s expectations of ease of use are out of this world. Apps and services should “just work” out of the box, with all the essential stuff being immediately clear even without tutorials. Telegram is massively better than Facebook Messenger and other apps from companies who are commercially invested in obtaining, analyzing, and exploiting as much data about you as possible.

The real battle is with Facebook Messenger

Now, don’t get me wrong. I’m not defending Telegram’s particular choices as much as I am defending my using and recommending Telegram to my friends and acquaintances. Naturally, the ideal solution would be a service which is as easy to use as Telegram, which allows you to chat and access your chats from an arbitrary number of devices, and which is completely zero-​knowledge. Unfortunately I fail to see any such candidates (please let me know if they exist).

So let’s take a step back: Most of my instant communication presently occurs on Facebook, because that’s where all my friends are. That means I’m up against Facebook Chat and Messenger when I’m recommending an alternative. Looking at this pragmatically, I want (and I want my friends to use) a messaging app that doesn’t eavesdrop on my real-​life conversations or analyze my chat messages in order to show me more relevant ads (assuming that’s everything Facebook does with my data).

With that perspective, I think Telegram is a great alternative.

Header image: Made it myself, SVG and more info here.

  1. At least when pragmatism seems to be the right approach. Oh, the meta.

  2. Yes, I realize that’s turning Signal on its head, but it’s a very accurate description when you mostly communicate with people who don’t use Signal.

  3. You need your phone to set up the desktop app, though I’m not sure whether you actually need your phone present to use it. I can’t test since it’s set up by scanning a QR code, and my phone camera doesn’t work.

  4. According to their FAQ, they intend to do at some point. Sure, words are wind, but I think Telegram would be hurt in the long term by lying to their users. As for not having open-​sourced it already – open-​sourcing a back-​end is not necessarily trivial, something the ProtonMail post linked to in this paragraph shows.

  5. Alternatively, you can trust that the organizations having vetted the source code have done their job well and have your best interests at heart, and make sure to use the exact revision of the source that they vetted. Or trust/​check that the recent changes to the source code are safe.

Posted byChrister van der Meeren 7 minutes to readPosted inRamblings

Join the Conversation

43 Comments

Your email address will not be published. Required fields are marked *

Notify me of via e-mail. You can also subscribe without commenting.

Your email will not be published. It may be used to look up your Gravatar, and is used if you subscribe to replies or new comments. The data you enter in this form may be shared with Akismet for spam filtering.

  1. Hi there! I’m an active user of Signal Private Messenger. The messenger is awesome because it offers me full control over my messages. The best part is that it has a lot of advanced features like ‘disappearing messages’, ‘screen lock’, ‘incognito keyboard’, ‘read receipts’, ‘message trimming’ etc. 

    Reply

  2. When you are through with all the nonsense, you’ll realize that the only messenger that is on the right track is Jami (used to be called Ring). Tox is ok too though.

    I’m not saying Jami is perfect, because it needs polish, but it’s by far the best (according to my own very strict crieria) I ever tried. As always, YMMV of course.

    Reply

  3. I’ve been using telegram for almost four years now together with my family and close friends. It’s been a joy and I’ve always been a fan. Simplest analogy I can give is “it’s almost like whatsapp but way better privacy, way better stickers and seamless syncing across multiple devices.” I barely use Facebook (have only three friends there and log in only every few months) and I don’t use messenger. I sacrifice some of my personal data to use viber, line and whatsapp for friends who are somewhere else in the world without telegram. My other friends have long stopped insisting I join them on messenger and i’m happy I never got sucked into the Facebook vortex to begin with. I’ll probably give Signal a try too.

    Reply

  4. This is so well thought out, and very much mirrors my thinking. I’ve converted a handful of friends to telegram, mostly selling them on the stickers. (and also selling them on my relectance to use Messenger, I guess) People aren’t typically concerned with security, or even privacy, and personally, privacy is far more of a concern for me. The recent Facebook privacy controversies also make it an easier sell, I think.

    Reply

    1. Yes, the wide variety of high-​quality stickers definitely help the adoption. :P

      Reply
  5. Reply

  6. Hei i´ve been using both for the last two years. It seems that since the GDPR i suddenly see 5 contacts a day popping over to either one. Would you i´ve been discussing a lot with my friends and family in the last 2 weeks which one is better. I also noticed that I can use the same telegram account on 3 devices (laptop, 2 phones) all the msgs syng which i like – how come signal can´t do that?
    – now signal even has a desktop app – what are your thoughts almost 2 yrs after you wrote this one first?
    – be gentle I´m not a techie but I´m very curious.…

    Greetings from the Arctic – its midnight sun time =)

    Reply

    1. Greetings from 60°N! (So I’m not that far away, globally speaking.) I don’t really have much new to add. I’m still using Signal as my SMS app. I haven’t tried the desktop app, because I don’t really have many friends using Signal. I still use Telegram as my preferred chat app for those of my friends who are there. While I would in many respects prefer Wire, I simply don’t have any contacts using it actively.

      Reply

  7. There are a workarounds for logging into Telegram without a smartphone or a phone number. It is far less convenient than the confirmation text to your phone but it is possible. This is from their FAQ:

    Once you’ve set up a username, you can give people a t.me/username link. Opening that link on their phone will automatically fire up their Telegram app and open a chat with you. You can share username links with friends, write them on business cards or put them up on your website.
    This way people can contact you on Telegram without knowing your phone number.

    Reply
  8. Reply

  9. What about Riot/​Matrix? https://riot.im, https://matrix.org

    They open source everything including the server. Use webrtc for chat. Works in the browser (firefox/​chorme)

    I know the front end is not matured yet, how does wire compare to Riot?

    Reply

    1. Haven’t looked into them and probably won’t. There’s a steadily increasing amount of secure or privacy-​centric chat apps out there, and I have no intention of trying each one and continually persuading all my friends to switch to what currently is the best one (which is, after all, the main problem).

      Reply
  10. Reply

  11. Hi I’m using signal over telegram for a year or so.
    In the meantime all my contacts switched to Signal as well. 

    Signal:
    The good:
    – Their purpose is security a for everyone and they are serious about it. That’s all they have to sell, unlike growing competition that just adds security as frequently requested feature to refrain some users leaving for other secure chat system.
    – The desktop client depends of chrome, too bad. But that’s wrong to say you need to open chrome too access it. It creates a shortcut in the start menu that allows to start the client independently from chrome, you even do not make the difference with an other native application.
    – Openwhisper made a technical choice that I didn’t like initially with the chrome app. But now that I use it one KDE at home and in a Citrix published Chrome on Windows on a large office deployment, the chrome app choice is just fantastic. Whatever you have a small office of 3 PCs or 3000 computers, this justs ensures a lightweight deployment and instant updates. This later point is mandatory for a secure app. Especially on Windows that still suffers from a late coming central app repository that cost Microsoft so much market share loss. What else? Java Web Start? No, good job OpenWhisper.
    – Secure voice and video calls are working great for more than 2 months. Nothing to envy to the usually unsecure alternatives.
    – Advantageously replaces the default SMS app, so you even do not need yet an other application for the secure chat. In order to send a good old unsecure SMS to a Signal registered contact, its just a matter of long press.
    – It’s wrong to say the desktop client has no history. History just works from the time it’s configured.
    – Unlike other secure chat solutions, Signal does not store unencrypted data on disk. That makes a significant security improvement.

    Limitations:
    – Voice and Video features not open source. This is to bad, but probably still an inherent limitation when using efficient codecs.
    – Long press option is not (yet) available for mobile voice calls fall back.
    – Not possible (yet?) to link account on a tablet. So do not work on tablets without SIM. Since most tablets now also offers keyboard option, that’s a severe limitation
    – No known way to backup and restore keys. This is a real concern when replacing phone, or flashing a new firmware.
    – No group video calls. It’s probably very difficult to achieve with the cryptography used.

    Telegram:
    Good app but:
    They cannot advertise security for everyone as long as encryption is disabled by default. Even WhatsApp is more secure.
    Enabling encryption disables some cool (but unsecure) features.
    The code is not independently and freely auditable, so all we can say is that it’s probably secure.

    Reply

    1. Where do you all take this nonsense about the lack of encryption in Telegram?

      from Telegram oficial FAQ:

      Q: So how do you encrypt data?

      We support two layers of secure encryption. Server-​client encryption is used in Cloud Chats (private and group chats), Secret Chats use an additional layer of client-​client encryption. All data, regardless of type, is encrypted in the same way — be it text, media or files.
      Our encryption is based on 256-​bit symmetric AES encryption, 2048-​bit RSA encryption, and Diffie–Hellman secure key exchange. ”

      https://telegram.org/faq#q‑so-how-do-you-encrypt-data

      Reply

      1. And what precisely is “Server-​client encryption”? As it’s certainly not Client-​side encryption, or end-​to-​end encryption. It sounds like a made-​up term used by Telegram to try and fool people like yourself into believing it’s more secure than it is to me!

        Reply
  12. Reply
  13. Pingback: What should you think about when using Facebook? – Cloud Data Architect

  14. I agree a lot with what you are saying here. My disappointment with Telegram is it’s based on your phone. I hadn’t logged in since over a year ago. I just entered my cell number, the confirmation text and was in. So anyone who gets my number in the future will see my messages and friends. That’s terrible.

    Also, since it is phone number base, I could not use it to move some of my contacts to it from Facebook Messenger since they don’t have a cellphone! But they do have a computer and internet.

    The annoying thing about Wire is the exact opposite. It doesn’t save your messages centrally at all, only on your device. So when I login to the web I cannot see my history. If I lose or break my phone, I’ve lost any important message.

    I use Hangouts every day. It’s good. But it lacks many features and is slow and clunky. But it’s good enough, has many great features, is multi-​device, multi-​platform, is centrally stored and uses an account.

    Reply

    1. Hi! Actually you can add additional password to your account, so besides SMS code, you have to enter your password​on every device you log on.

      Reply

      1. Thanks. I did not know you could set a password. That is great.

        My main issue was that it’s based on you carrier account. The password solution fixes one reason I am disappointed by apps that require carrier accounts.

        Here is another problem. My wife’s​phone broke and she was without a device for 24 hours. She couldn’t​ contact anyone on WhatsApp. If she was using Telegram she also wouldn’t be able to login.

        My mother in law cannot use it because she doesn’t have a cellphone. She uses Facebook to message me.

        Sadly, I think my friends and I will have to stick with Hangouts, as disappointing as it is. Messenger apps that always require you to have a wireless career subscription and access to a working carrier device are a no go to me.

        All three messengers in this page fit that bill.

        Reply
  15. Reply

    1. Consider my interest highly piqued! I’ll have a look at it. If it’s as good as it seems, that certainly warrants an update to the post. Let me know if you find anything interesting regarding Wire.

      Reply
    2. Reply

  16. I took Facebook messenger off my phone when I made a phone call, and found Facebook recommending the recipient as a friend when I got home that night.

    The phone numbers I call are none of Facebook’s business.

    Reply

  17. The Chrome app doesn’t actually require your phone to be on/​connected while working. It does when you first do pairing, and when you want to import contacts, but otherwise these can be used independently.

    For me Telegram is a better user experience, they have stickers (only slightly important, but hey), and also they have great bot functionality (I’ve set up bots to notify me of activity in various Trello boards). But, Telegram does not have voice, which is something that Signal does. 

    I’ll likely continue using both until Telegram gets voice. Or unless and until I decide Telegram security/​privacy is not good enough.

    Reply

  18. A minor note, the part of Signal’s server that is responsible for calls (Redphone) is also not Open-​Source. Also the backend argument in favor of Signal is void.

    Also Signal has a hard requirement on Google Apps on Android, so it may be Open Source itself but it’s not an Open Source solution, since it depends on proprietary technologies.

    Reply
  19. Reply

    1. Yes, I mention both of these in my post. The “desktop app” is just a Chrome app that connects to your Android phone.

      Reply
  20. Reply

    1. Alarmist clickbait. And as I mention in my article, Snowden called that half a year earlier. My whole post is literally about privacy over security. If you have serious security concerns, then use something else, or at the very least use Telegram’s secret chats. I for one would much rather use Telegram, a non-​zero-​knowledge chat app by a company I believe to actually care about privacy, than use WhatsApp, a fully encrypted app from, well, Facebook. Remember, they recently began snooping on people’s real-​life conversions using Messenger. Sure, encryption makes sure the chat contents aren’t visible to Facebook, but they can do so much more when you’ve installed the app anyway.

      Reply

      1. Thanks for your reply. Something that bugs me is how difficult it is for apps like Telegram or Signal to take off compared with Whatsapp. I use the latter because 95% of my contacts use it(they are mostly your average Joe/​Jane, the remaing 5% are stil on SMS). I’ve toyed with Telegram and Signal before but ultimately uninstalled them because I never got more than a handful of my contacts to use them. So, I have to stick with the status quo.

        Reply

        1. Yep, my problem exactly… Though it’s not that much of a practical problem. I don’t have Messenger installed, but I use the Facebook website, so I’m available on the web chat with quite a bit of delay. If someone wants a quicker response, they’ll have to use Telegram or SMS.

          Reply

          1. I was under the impression whatsapp uses singal protocols so is completely end to end encrypted. Unless I missed something.…

            Reply
            1. Reply

  21. Well, Signal is totally open source. So in a security point of view it is way better than any other including Telegram. User Friendly is not a matter of concern when you talk about security…

    Reply

    1. User friendliness is always a matter of concern. Or do you like struggling with usability issues and bugs? In particular, it’s an issue when you have to convince each of your contacts to use the same messaging platform as you, and rely on them continuing to use it. Not everyone will be happy to struggle with usability issues.

      As far as Signal being open source, so what? Are you a cryptography and programming expert, and have you reviewed the code? Nothing magical happens when code is simply made available for review. Something being open source is itself literally meaningless.

      Reply

  22. So what about WhatsApp nowadays with their advertised end-​to-​end encryption?

    Reply

    1. Even Facebook messenger has started rolling out end-​to-​end encryption, but that doesn’t mean there’s no privacy concerns. As I mentioned in the post, Messenger can still gather other kinds of data from your phone, such as using your microphone to eavesdrop on your real-​life conversations. While I haven’t looked into WhatsApp, I know it’s owned by Facebook, and with Facebook being based on selling your information, I don’t trust WhatsApp to be particularly privacy-​friendly. Indeed, a cursory glance at the search results for “whatsapp privacy” revealed a recent TOS change that allows WhatsApp to share your phone number with Facebook (which is not “selling your information”, as WhatsApp said they’d never do, but still something I’d rather they didn’t).

      TL;DR: The content of a conversation is far from the only valuable information a messaging app can get access to.

      Reply

  23. FYI, Signal has a (beta) desktop client now. Combined with disabling SMS in Signal entirely, it seems like a perfect replacement for FB Messenger and WhatsApp.

    Reply

    1. If you’re talking about the Chrome app that connects to your (Android only) phone, I already mention that in the post. As I said there, I want something I can use to communicate even without my phone, not to mention a solution which doesn’t lock me into a specific browser (especially one I don’t normally use).

      Reply

  24. Something to consider down the line:
    https://whispersystems.org/blog/facebook-messenger/

    If this pushes through, then Facebook won’t be able to eavesdrop on your conversations as long as you have secret conversations with your friends. The question is if Facebook will not add a backdoor, a secret key in their possession to decrypt those secret conversations?

    Reply

    1. Well, no matter which way you look at it, it’s always a matter of trust. And it’ll still be a messaging app that can use the microphone to eavesdrop on your real-​life conversations, and which has all kinds of permissions on your device. No matter what Facebook does with regards to encryption, it’s still a company primarily in the information business, and I don’t trust them to have my best interests at heart.

      Reply
      1. Reply