Over the weekend, a clip from a recent interview with Telegram’s founder Pavel Durov went semi-viral on X (previously Twitter). In the video, Durov tells right-wing personality Tucker Carlson that he is the only product manager at the company, and that he only employs “about 30 engineers.”
Security experts say that while Durov was bragging about his Dubai-based company being “super efficient,” what he said was actually a red flag for users.
“Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare,” Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch.
Green was referring to the fact that — by default — chats on Telegram are not end-to-end encrypted like they are on Signal or WhatsApp. A Telegram user has to start a “Secret Chat” to switch on end-to-end encryption, making the messages unreadable to Telegram or anyone other than the intended recipient. Also, over the years, many people have cast doubt over the quality of Telegram’s encryption, given that the company uses its own proprietary encryption algorithm, created by Durov’s brother, as he said in an extended version of the Carlson interview.
Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a longtime expert in the security of at-risk users, said that it’s important to remember that Telegram, unlike Signal, is a lot more than just a messaging app.
“What makes Telegram different (and much worse!) is that Telegram is not just a messaging app, it is also a social media platform. As a social media platform, it is sitting on an enormous amount of user data. Indeed, it is sitting on the contents of all communications that are not one-on-one messages that have been specifically [end-to-end] encrypted,” Galperin told TechCrunch. “‘Thirty engineers’ means that there is no one to fight legal requests, there is no infrastructure for dealing with abuse and content moderation issues.”
“And I would even argue that the quality of those 30 engineers isn’t that great,” Galperin continued. “Also, if I was a threat actor, I would definitely consider this to be encouraging news. Every attacker loves a profoundly understaffed and overworked opponent.”
In other words, it’s unlikely for Telegram to be very effective fighting hackers, especially government-backed ones, with such a small staff.
Lemme guess, none of these 30 staff include privacy or compliance people, and zero third-party audit is ever done to review potential security controls restricting access to users’ data. “Please trust us” is not how security works. https://t.co/w7PBkU0TJR
— JP Aumasson (@veorq) June 22, 2024
Telegram did not respond to a request for comment, which included questions on whether the company has a chief security officer, and how many of its engineers work full time on securing the platform.
Last week, the well-known cybersecurity expert SwiftOnSecurity wrote on X that “the cost to run a company that has all the right cyber security tools and staff is absolutely obscene.”
“It’s hard to describe the numbers I’ve seen. Even saying this is a gray area. But it is [an] incredible headcount and spend,” SwiftOnSecurity wrote.
All to say, even the biggest companies on the planet probably don’t spend enough money, time, and energy on securing themselves. Telegram has almost one billion users, according to Durov. It’s one of the most popular platforms for people working in crypto (who move millions of dollars), extremists, hackers, and disinformation peddlers.
That makes it an incredibly interesting target for both criminal and government hackers. And it has — at most — just a handful people dedicated to cybersecurity.
For years, security experts have warned that people should not see Telegram like a truly secure messaging app. Given what Durov said recently, it may be even worse than experts thought.
