Last weekend, Raphael Mimoun hosted a digital security training workshop via videoconference with a dozen activists. They belonged to one Southeast Asian country's pro-democracy coalition, a group at direct risk of surveillance and repression by their government. Mimoun, the founder of the digital security nonprofit Horizontal, asked the participants to list messaging platforms that they'd heard of or used, and they quickly rattled off Facebook Messenger, WhatsApp, Signal, and Telegram. When Mimoun then asked them to name the security advantages of each of those options, several pointed to Telegram's encryption as a plus. It had been used by Islamic extremists, one noted, so it must be secure.
Mimoun explained that yes, Telegram encrypts messages. But by default it encrypts data only between your device and Telegram's server; you have to turn on end-to-end encryption to prevent the server itself from seeing the messages. In fact, the group messaging feature that the Southeast Asian activists used most often offers no end-to-end encryption at all. They'd have to trust Telegram not to cooperate with any government that tries to compel it to cooperate in surveilling users. One of them asked where Telegram is located. The company, Mimoun explained, is based in the United Arab Emirates.
First laughter, then a more serious feeling of "awkward realization" spread through the call, says Mimoun. After a pause, one of the participants spoke: "We're going to have to regroup and think about what we want to do ..