Russia took another step in its campaign against online privacy today, by banning the highly popular encrypted messaging app Telegram, which is owned by Russian entrepreneur Pavel Durov.
A Moscow court ruled that the app, which says it has 200 million users worldwide, should be shut down after the company refused to give state security services access to user data. The Iranian government took a similar step on New Year’s Eve, which Telegram argues was motivated by the fact that Iranian political opposition were using the platform to communicate.
The app is much-loved among Russia’s elites and top officials, who use it both to message each other and to contact journalists. Its closure led to a slightly surreal situation, in which Kremlin spokesman Dmitry Peskov arranged a press conference call using the app and then announced that they would start using a different app to contact reporters. People claiming to be Kremlin insiders often publish anonymous leaks—whose reliability varies—using channels on the app.
It’s not clear how authorities will actually enforce the shutdown. Durov has responded defiantly, saying Telegram will try to bypass the ban, though he couldn’t guarantee users could keep accessing it without a Virtual Private Network (VPN). Durov left Russia in 2014 after years of clashing with authorities and being forced out of his Facebook-like social network VKontakte, which is now owned by Kremlin-linked figures.
Telegram itself has been widely criticized by security researchers for using a cryptographic protocol that no one else uses. A cryptographic protocol is generally more secure the longer it has been in use, and the more people use it. Fewer researchers have a chance to test a new, custom-made protocol like Telegram’s, which is only used in one app—though students at MIT have already found flaws in Telegram’s MTProto.
Another issue with Telegram is the way it advertises its privacy standards. It claims that “Telegram is more secure than mass market messengers like WhatsApp and Line.” However, unlike WhatsApp, it doesn’t automatically encrypt messages, meaning its default privacy settings are less private.