Private Telegram, Public Strife

The precarious future of messaging apps.

Jacob Silverman | Longreads | July 2018 | 10 minutes (2,418 words)

Telegram, a messaging app with more than 200 million users, is a company known for its rakish independence. Pavel Durov, who created the app with his brother, Nikolai, is a 33-year-old from St. Petersburg, Russia, with a taste for dark suits and tax-free municipalities. In 2006, he founded VKontakte (VK), Russia’s answer to Facebook, which quickly became the country’s largest social network and a target of its security services. Durov, who identifies as a “part-time troll” in his Twitter bio, earned a reputation as a sort of maverick entrepreneur, a persona that has come with both free-speech absolutism and immature antics. His most notorious stunt took place in May 2012, when he stood at his office window and tossed paper airplanes made of rubles down onto the street below. He later explained that he had been talking to a vice president at his company who had been awarded a large bonus, and when the VP said that he didn’t care about money, the two decided to throw cash out the window—until bystanders started fighting over the windfall.

Durov launched Telegram the following year, aiming to provide a means to communicate unhindered by government snooping. Dissidents around the world took to it in order to bypass censorship, as did some jihadist groups—which the company, with its free speech ethos and light touch of moderation, tolerated, at least for a time. Durov’s determination to go his own way is reflected in Telegram’s method of encryption, the code that keeps its messages private; Telegram’s system eschews a popular open protocol in favor of a closed, proprietary technology.

In 2014, after a series of legal disputes and government pressure to hand over information on opposition activists, Durov was forced to sell VK to a pair of Kremlin-friendly oligarchs. Ejected from his company, he packed up and fled overseas, with stops in Buffalo, Berlin, Switzerland, and eventually Dubai, where he and Telegram are now based. (Around the time of his VK ouster, Durov acquired a passport from St. Kitts and Nevis by donating a quarter-million dollars to the islands’ Sugar Industry Diversification Foundation; according to a Moscow Times report, he now has a residency permit in the United Arab Emirates.) Durov’s decision to leave Russia was viewed by many as an understandable act of conscience, given the country’s dubious legal system, and it didn’t diminish Telegram’s popularity back home: Kremlin ministers have used the app’s public channels feature to talk with constituents, and it found fans among members of the political opposition, like Alexei Navalny, an anti-corruption campaigner. Russian media outlets have come to rely on it, too.

But in April, in the name of fighting extremism, the Russian government ordered Telegram to hand over its encryption keys, which would allow state security services to potentially decrypt and read all Telegram communications. Durov publicly refused. A Russian court ordered that the app be banned. Telegram responded by cycling its service through various IP addresses, hoping to stay a step ahead of any block. The company also threw its support behind a free-speech protest in Moscow—which, in an ironic callback to Durov’s act of hooliganism when he ran VK, urged protestors to throw paper planes through the air. Later, Durov posted a shirtless selfie on Instagram with the hashtag #putinshirtlesschallenge, ostensibly as an act of defiance.

Then the Kremlin did something drastic: it cut off as many as 19 million IP addresses associated with Amazon Web Services and Google Cloud. This meant that any websites, stores, banks, or other entities that relied on those addresses suddenly found themselves unable to operate in Russia. The move was like blockading an entire port to stop one ship from entering. Besides blacking out a swath of the Russian internet—and sending savvy users to Virtual Private Networks (VPNs) to bypass the restrictions—the takedown affected Telegram’s competitors, including Gmail and Viber, the most popular messaging app in Russia, with more than 100 million users. Officials followed up by blocking dozens of VPN services and asking Apple and Google to remove Telegram from their Russian app stores. As of now, it’s still available, but Russia’s court may force an end to that.

So far, by relying on alternative cloud services and urging its users to try VPNs, Telegram has mostly stayed ahead of its censors. The company is filing challenges in Russian courts and, hours after the government began trying to block the app, Durov announced that he would give out bitcoin grants to VPN and proxy providers—all as part of something he called “Digital Resistance–a decentralized movement standing for digital freedoms and progress globally.” Like much tech sloganeering, it’s hard to know exactly what that means or whether it amounts to more than a vague commitment to laissez faire economics. (Telegram did not respond to requests for comment.) The question for Durov, and Telegram, remains whether he can refine his crude political mischief into something more and, just as important, whether he can resist following the well-paved road of tech entrepreneurs who trade in their civic idealism for a fat paycheck.

***

Telegram is one of many tech companies locked in combat with a powerful regime. Ever since Edward Snowden leaked classified information from the National Security Agency, governments around the world have been emboldened to establish control over the data flowing through their borders. Sensible calls for data sovereignty include the consumer-friendly policies enacted in the European Union’s General Data Protection Regulation. On the authoritarian end, however, data sovereignty rules help prop up a digitized police state like China’s, with its Great Firewall, mass surveillance, behavioral monitoring, and personalized social credit scores. In some countries, laws require that servers be maintained inside their borders if foreign internet companies hope to do business there—a benign measure, perhaps, in a western European nation with a credible court system, but far more pernicious in a place such as Russia, with its reputation for corrupt authoritarianism and ruthless secret police force.

A lesson of the Snowden revelations was that few tech companies, especially those that collect vast amounts of personal information, can achieve any scale without intelligence agencies knocking on their doors—or hacking into their networks. Even under democratic governments, companies have little ability to evade so-called lawful requests, like the FBI’s compulsory National Security Letters, which come bearing gag orders. In 2013, Lavabit, a privacy-focused email service favored by Snowden, shut down entirely rather than comply with an order to turn over its cryptographic keys to the U.S. government.

To help protect against prying eyes, Telegram, Signal, WhatsApp, and most other secure communication apps deploy end-to-end encryption, but that’s far from a panacea. Because Telegram’s system is closed, and therefore unavailable for public scrutiny, some cryptographers argue that it isn’t the best choice for private messaging; among other vulnerabilities, Telegram leaks a fair amount of metadata, offering spies a look at who is talking to whom and when. And as Michael Cohen, Donald Trump’s erstwhile personal attorney, recently found out, if investigators have direct access to a phone, they might be able to read a person’s chats in the original plain text. To paraphrase an industry saying: encryption is usually bypassed, not broken.

Telegram’s fight with Russia stands out among clashes between tech companies and government agencies for the sheer array of tactics being used by Putin’s censors: court orders, pressure on app store owners and VPNs, blocks on vast portions of the internet associated with certain cloud providers. According to Bruce Schneier, an expert in cybersecurity, that last method can work only if the internet—contra popular rhetoric about decentralization and distributing power to the masses—is highly centralized, with power and data confined to a few major platforms. Indeed, the course of today’s internet is largely determined by a handful of American monopolies, along with Chinese behemoths such as Alibaba and Sina Weibo. (Telegram is blocked in China, as well as Iran.) “This new centralization radically tips the balance between those who want to censor parts of the Internet and those trying to evade censorship,” Schneier argued recently in an analysis for Harvard University’s Belfer Center. “When the profitable answer is for a software giant to acquiesce to censors’ demands, how long can internet freedom last?”

Increasingly, “internet freedom” simply means an ability to communicate in private, and the Telegram battle shows how precarious that freedom is. At the moment, Telegram’s users benefit from the company’s defiant attitude toward Russian censors, but not every app-maker is so resolute. From Hong Kong to the occupied West Bank, companies like Facebook and YouTube often find themselves pressured to comply with censorship requests or risk losing access to an entire market. And of course, beliefs over what constitutes censorship versus legitimate moderation can vary widely. Palestinian activists, for instance, have charged that Facebook, submitting to Israeli government pressure, is far too aggressive in deleting posts and pages from Palestinians who are accused of violating the site’s guidelines.

And that is only to account for government threats to privacy and free expression. Like the intelligence services they fight to keep out of their networks, most tech companies remain reliant on bulk data collection. Chats that are supposedly private may be filtered through some tech giant’s analytical engine to improve ad targeting or to train a machine-learning algorithm—a practice that seems far more malevolent in the wake of the Cambridge Analytica scandal and other reports of data being used to discriminate against consumers. Even WhatsApp, a service frequently lauded for its end-to-end encryption, has given user data to Facebook—which, of course, is its own surveillance and advertising machine. In 2014, WhatsApp sold itself for $19 billion in Facebook shares and cash, only to have its founders depart earlier this year in a storm of disappointment, reportedly over data mining practices; the founders left $1.3 billion in unvested stock options on the table, and one tweeted his support for an anti-Facebook campaign.

***

What tools can we trust? Perhaps the only chat app to retain its independence and its reputation for security is Signal, which is open-source, has the best encryption in the industry, and is backed by the Signal Foundation, a well-heeled nonprofit. Telegram’s spunky autonomy is refreshing, but the company is practically stateless at a time when large platforms depend heavily on the infrastructure and cooperation of state telecom authorities. Last year, The Outline reported that Telegram appeared to have employees in St. Petersburg—in a building also used by VK—which would possibly leave the company open to Russian government pressure or infiltration.

If Telegram decides to make Dubai its permanent home, users should be discouraged: the United Arab Emirates is known for its ubiquitous state surveillance and minimal civil liberties. It’s not clear that the company would be any safer in the west, either: Durov claims that, on visits to the United States, FBI agents have approached him with questions about Telegram’s operations, and on other occasions they have tried to recruit his employees as informants. “I can’t imagine myself or anyone else running a privacy-oriented app in that environment,” he told the journalist Yasha Levine. (The FBI declined to comment.)

If the future of communication is messaging apps duking it out with nation states, the tech industry has bungled whatever utopian designs it once had. Beneath the rhetorical veneer of consumer empowerment one finds the petty tyranny of choice: freedom is reduced to deciding which app to trust with your dearest information. Rather than redistributing power, these platforms have concentrated it, all while seeming ever more vulnerable to outside manipulation and data breaches. Your digital life is at once permanent, etched in ones and zeros, and perilously insecure, capable of being leaked in the next devastating hack.

Such is the confounding paradox inherent to many of today’s big tech companies, which promise private, free communication tools while monitoring everything their users do. Giving away their product for free, the companies must scale at all costs, which makes them likely to fall under the temptations of surveillance capitalism. Mining their users’ personal information for profit in turn attracts the attentions of state regulators and intelligence agencies also in the business of mass surveillance—and on the cycle goes.

Users continue along quietly. Some endeavor to practice good digital hygiene—or operational security, known as “opsec”—by locking down privacy settings or minimizing their data trail. Yet the disappointing truth is that, in our digital economy, such caution doesn’t matter. Some of us are less interesting, which is to say less vulnerable, than others, but we all attract scrutiny, if not from an intelligence agency then from a free email service parsing our messages for market indicators. Ever-more granular data collection has become the base condition of using today’s internet, and there’s no end to the number of shadowy actors willing to trade on it.

Will Telegram go this way? If it prevails in Russia, it’s less likely to be an agent of change than another social network, like Facebook in the U.S., mired in accusations that its poor content moderation abets the spread of dangerous misinformation. (After a couple years of apparent indifference to the problem, Telegram began hacking away at a thicket of pro-ISIS and other jihadist channels on its service.) Earlier this year, seeking to raise funds and establish itself as more than just another messaging app, Telegram threw its lot in with the cryptocurrency movement. Initially, Durov promised an ICO—an IPO for digital currency—as part of a larger blockchain-based project designed to leverage its popularity into a system of decentralized payment and publishing tools. But in May, with some controversy, Telegram decided instead to sell $1.7 billion in shares to a select group of private investors, some of whom then sold their holdings for handsome returns on the secondary market. The move alienated a number of hardcore Telegram watchers, but the company marches on, its coffers now filled to the brim.

In its most important battle, against authoritarian censors, Telegram deserves our support. Durov and Telegram would surely find security under the aegis of an established platform like Facebook or Google, but it will be far more interesting to see it continue to bluff and feint its way past geopolitical obstacles. Durov has said that the company isn’t for sale for any price. Should Telegram continue to rise, however, and one day emerge with the kind of pseudo-governmental clout exercised by the largest tech powers, there will be something bittersweet in its success. The tech industry could use more of Durov’s puckishness, but it doesn’t need another platform grasping toward monopoly.

***

Jacob Silverman is the author of Terms of Service: Social Media and the Price of Constant Connection.

Editor: Betsy Morais
Fact-checker: Ethan Chiel