Telegram is Giving Data to German Feds in Certain Cases

~5 min read | Published on 2022-06-05, tagged FEDSTelegram using 1075 words.

Telegram has provided the German Federal Criminal Police Office with user information in several cases, contradicting the company’s statements about complying with law enforcement.
Telegram, which is not an encrypted messaging application by default, released user data to the Federal Criminal Police Office (BKA) in several cases, according to a report from Spiegel. According to the news outlet, Telegram handed over subscriber information for the suspects in “child abuse and terrorism” investigations.


The company claims that they have disclosed “0 bytes of user data” to law enforcement:
Do you process data requests?<br>“Secret chats use end-to-end encryption, thanks to which we don’t have any data to disclose.”

“To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.”

“Thanks to this structure, we can ensure that no single government or block of like-minded countries can intrude on people’s privacy and freedom of expression. Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.”

To this day, we have disclosed 0 bytes of user data to third parties, including governments.

If the Spiegel report is accurate, Telegram will likely change this statement quietly.

According to Spiegel, “it is still difficult for German investigators to obtain information from Telegram” when investigating crimes outside of the scope of purported “terrorism” or child abuse. Since 2018, if not earlier, the company has been moving towards a state of functional compliance with various Western governments. A privacy policy change in 2018 allowed for the disclosure of IP addresses and phone numbers if required by a court.
The paragraph below appears under a section titled, “Who Your Personal Data May Be Shared With” in the company’s privacy policy.
Law Enforcement Authorities

“If Telegram receives a court order that confirms you’re a terror suspect, we may disclose your IP address and phone number to the relevant authorities. So far, this has never happened. When it does, we will include it in a semiannual transparency report published at:"

Governments have historically used the “terrorism loophole” to justify invasive measures. Since the United States spies on Americans for counterterrorism purposes, there is no reason to believe Germany would not use the same excuse.
Germany already surveils opposition parties. I know that a court ruled that the BfV intelligence service could not put the entirety of the Alternative for Germany (AfD) party under investigation until further notice. AfD, which is basically a “right-wing” platform that opposes mass immigration, is still under investigation regionally.
Although Germany is perhaps one step ahead of the United States in legally restricting speech and surveilling innocent citizens, you can be sure all “our values” governments do the same things. (The United States conducts mass surveillance of innocent Americans under the guise of fighting terrorism. Canada expanded its terrorism and money-laundering laws due to excessive honking. Australia. etc.)

Five examples of “thinking of the children” from U.S. lawmakers.

Something else worth pointing out is that the United States has also repeatedly appealed to emotion with “b-but think of the children” when pushing for a new form of regulation without broad support from voters. (I believe children’s interests need to be protected, but the U.S. government does not care about most people’s children.)

In the thread on Twitter, someone linked to a thread by Moxie Marlinspike, the creator of Signal. Darknetlive’s official position on Marlinspike is suspicion. But the points in the thread stand regardless.
It’s amazing to me that after all this time, almost all media coverage of Telegram still refers to it as an “encrypted messenger.” Telegram has a lot of compelling features, but in terms of privacy and data collection, there is no worse choice. Here’s how it actually works:

Telegram stores all your contacts, groups, media, and every message you’ve ever sent or received in plaintext on their servers. The app on your phone is just a “view” onto their servers, where the data actually lives. Almost everything you see in the app, Telegram also sees

Here’s a simple test: delete Telegram, install it on a brand new phone, and register with your number. You will immediately see all your conversation history, all of your contacts, all the media you’ve shared, all of your groups. How? It was all on their servers, in plaintext

The confusion is that Telegram does allow you to create very limited “secret chats” (no groups, synchronous, no sync) that nominally do use e2ee, even if the security of the e2ee protocol they use is dubious. There’s no e2ee by default, but they talk about it like there is

FB Messenger also has an e2ee “secret chat” mode that is actually much less limited than Telegram’s (and also uses a better e2ee protocol), but nobody would consider Messenger to be an “encrypted messenger.” FB Messenger and Telegram are built almost exactly the same way.

Some may feel okay letting Telegram have access to all of their data, msgs, images, contacts, groups, etc. because they “trust Telegram.” However, the point of an “encrypted messenger” should be that you don’t have to trust anyone other than the ppl you’re communicating with

Actual privacy tech is not about trusting someone else w/ your data. It’s about not having to. A msg you send should only be visible to you & recipient. A group’s details should only be vis to the other members. Looking up your contacts should not reveal them to anyone else.

Privacy tech is really about making the tech consistent with the UI. But if Telegram’s UI were consistent with the way the tech worked, every chat would be a group chat with everyone that works at Telegram + everyone that hacks Telegram + every gov that accesses Telegram, etc

For the folks writing about this space, my request is that when you write “encrypted messenger,” it should at [em]minimum[/em] mean an app where all messages are e2ee by default. Telegram and FB Messenger are built exactly the same way. Neither are “encrypted messengers.

Telegram is pretty neat but I would certainly register with a burner number and access it with a VPN. Sending “private” messages through the app seems like a mistake though.