Over the weekend, a clip from a recent interview with Telegram founder Pavel Durov went semi-viral on X (formerly Twitter), in which Durov told right-winger Tucker Carlson that he is the only product manager at the company and that it only employs “around 30 engineers.”
Security experts say Durov boasted that his Dubai-based company was “highly efficient,” but his comments were actually a red flag for users.
“Without end-to-end encryption, you have a ton of vulnerable targets and the servers are going to be located in the UAE? That would be a security nightmare,” Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch.
Green was referring to the fact that Telegram chats are not end-to-end encrypted by default like Signal and WhatsApp. Telegram users must start a “secret chat” to turn on end-to-end encryption, making their messages unreadable to anyone but Telegram and the intended recipient. And for years, many have questioned the quality of Telegram's encryption because it uses a proprietary encryption algorithm. The algorithm was created by Durov's brother, Durov said in the extended interview with Carlson.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a longtime expert on at-risk user security, said it's important to remember that, unlike Signal, Telegram is more than just a messaging app.
“What makes Telegram different (and worse!) is that it's not just a messaging app, it's also a social media platform. And as a social media platform, it retains a huge amount of user data. In fact, Telegram retains the content of all communications outside of one-to-one messages exchanged with specific contacts. [end-to-end] “30 engineers” means no one to defend against legal challenges and no infrastructure to deal with abuse or content moderation issues,” Galperin told TechCrunch.
“And you would argue that the quality of those 30 engineers is not that great,” Galperin continued, “and if I were a threat actor I would definitely consider this encouraging news. Every attacker loves an adversary that is severely understaffed and overworked.”
In other words, it's unlikely that Telegram can be effective at fighting hackers, especially government-sponsored hackers, with such a small staff.
My guess is that the 30-person staff does not include any privacy or compliance officers, and there has never been a third-party audit to review security controls that potentially limit access to users' data. “Trust us” doesn't make security work. https://t.co/w7PBkU0TJR
— JP Omason (@veorq) June 22, 2024
Telegram did not respond to requests for comment, including questions about whether the company has a chief security officer or how many engineers work full-time on securing the platform.
Last week, well-known cybersecurity expert SwiftOnSecurity wrote to X that “the cost of running a company with proper cybersecurity tools and staff is simply prohibitive.”
“The numbers I saw are hard to explain. I would even say it's a grey area. But [an] Incredible manpower and expenditure,” SwiftOnSecurity wrote.
This means that even the biggest companies on the planet are likely not investing enough money, time and energy into securing their companies. According to Durov, Telegram has nearly 1 billion users. It is one of the most popular platforms for people working in the cryptocurrency industry (who move millions of dollars), extremists, hackers and disinformation disseminators.
That makes China an extremely interesting target for both criminal and government hackers, and it has few, if any, dedicated cybersecurity resources.
Security experts have been warning for years that Telegram shouldn't be considered a truly secure messaging app, and given Durov's recent comments, the situation may be even worse than experts thought.