Investigation by investigative journalism outlet IStories (EN version by OCCRP) shows that Telegram uses a single, FSB-linked company as their infrastructure provider globally.
Telegram’s MTProto protocol also requires a cleartext identifier to be prepended to all client-server messages.
Combined, these two choices by Telegram make it into a surveillance tool.
I am quoted in the IStories story. I also did packet captures, and I dive into the nitty-gritty technical details on my blog.
Packet captures and MTProto deobfuscation library I wrote linked therein so that others can retrace my steps and check my work.
I hate how 50% of ‘news’ is literally like “1 equals 1” to me. It’s fucking obvious.
Well, it was obvious to you. I’m a casual user, who tries to “do his best” and consider himself “somewhat informed” - obviously not by your standard. It was all news to me, and I find tremendous value in this article.
Thank you, that means a lot. For people working in information security it really feels sometimes that a). a lot of stuff is obvious, b). people just don’t listen and don’t care.
Your comment shows how incorrect this is. That really helps keep motivated.
No, I can’t stress enough how much I appreciate it. What I do right now is sending this article with TLDR to all my friends and family.
I know, right? That’s why investigative journalism is such a thankless, frustrating job. You need to prove beyond any doubt things that are often pretty obviously true.
Roman Anin and the rest of the IStories team did an absolutely amazing job. Found court documents going years back. Dug up signed statements and contracts. They did something nobody in the infosec community seemed to have done: actually looked at the IP addresses used by Telegram and followed that lead to its logical conclusion. And then published all of the receipts!
And still people will say this is “unsubstantiated” or find other ways to wave this off.
And yet this does move the needle. There is now proof of things we kinda sorta knew was probably true for years. It doesn’t sound like much perhaps, but it’s really important.