Signal vs. Telegram: a balanced point of view

This is a text automatically translated from Italian. If you appreciate our work and if you like reading it in your language, consider a donation to allow us to continue doing it and improving it.

Many of you have almost certainly read some diatribes, mainly sparked by Durov (the CEO of Telegram), among Telegram And Signal. In short Durov made some serious accusations against Signal both regarding funding and security, here is the discussion on our forum if you want to participate. We've read everything and more out there and most of the time we've only seen clickbait headlines and slightly rambling articles. with some exceptions.

Frankly speaking, Durov's accusations seemed rather senseless to us, especially given that they come from him, and do nothing but fuel the climate of indecision and tension that is often present when it comes to privacy and security. A bit like we had seen recently with Proton.

Signal vs. Telegram: a balanced point of view

However, we found a nice and rather balanced point of view in a post published by Threema. That's right, one of alternatives to WhatsApp and Signal wanted to have his say on this clash and we must admit that he did it with elegance and clarity.

You probably already know our point of view: Telegram is a cloud messaging application, there is almost nothing end-to-end encrypted it is not even to be considered an alternative to WhatsApp and Signal but something completely different and which can coexist with these. For this reason we recommend it and for this reason we use it: as a social network for Le Alternative, as public group and little else. It should not be used for private conversations except with private chats which however are uncomfortable and difficult to use.

Threema is instead a real alternative to WhatsApp and Signal. She also has flaws, as does Signal, but she is definitely a safe and private competitor. Signal is more community-based and it is easier to find people who use it, Threema is paid for and convincing someone to use it can be very complex.

Threema's point of view

But let's go back to the central point of the article, namely the post that Threema published recently.

Some of the accusations seem to be so far-fetched and outlandish that most people probably dismiss them as conspiracy theory or FUD tactic right away. And while it's certainly wise to remain skeptical towards implausible claims, it's still worth bearing in mind that there are, in fact, multiple instances where supposedly secure communication services were infiltrated or run by government agencies without users noticing it. For example, ANOM, Crypto AG, and EncroChat.

Threema

We very much agree with one of the points of the article, we translate it for you:

As anyone familiar with secure communications should be able to understand, Telegram cannot be considered even remotely secure by current industry standards. It is primarily a cloud messenger, meaning that messages are permanently stored on a server, are not end-to-end encrypted, and can be read by Telegram at any time.

You can activate the End-to-end encryption only in individual chats. Signal, on the other hand, is widely respected for its encryption (and was the second cross-platform messaging app to offer End-to-end encryption coherent, after Threema). However, Durov claims that Signal messages from “important people” he spoke to have been exploited in courts or in the US media (he is likely referring to Tucker Carlson, who recently interviewed Durov and who previously stated that the NSA had accessed his Signal account).

However, such stories circulate on almost every secure chat app. In actual cases, authorities were most likely able to gain physical access to a mobile device, which could even be the device of one of the target's chat partners. In high-profile cases, it is of course possible that the target's device has been infected with spyware at the operating system level, in which case the entire device is compromised and the security of any apps running on it (including Signal, Telegram and Threema) goes to hell. Durov's claims about the safety of Signal should therefore not be taken seriously. However, the author raises two other points that are worth mentioning.

Threema

The points raised by Durov

The interesting points raised by Durov are the fact that the same encryption as Signal is implemented in WhatsApp, Facebook Messenger, Google Messages and Skype. In the United States, there are virtually no messaging applications that use different encryption other than Apple iMessage, which Durov casually forgot. Threema points out that this type of monoculture is not entirely ideal but at the same time “launching your own encryption” is not entirely recommended by experts either and relying on stable, certified and valid encryption makes more sense than reinvent the wheel.

The second point is playable builds on Android and iOS. Signal only has them on Android while Telegram has them in both operating systems. The problem, however, is that iOS does not allow reproducible builds like Android and Telegram has invented its own way which only works on certain devices. You can essentially say that it has hacked the Apple system to be able to do this thing, so hats off to Telegram on this but you can't accuse Signal of not doing it because trivially it's not allowed on iOS.

Signal vs Telegram: messaging services compared

However, when it comes to comparing messaging services, the cases are rarely as clear as in this case. As any messenger comparison demonstrates, there is a wide range of aspects that impact the overall security and privacy protection of a communications service. And even the most comprehensive comparison can only list a relatively small selection of relevant aspects.

Furthermore, it is the combination of some factors that makes the difference in practice. For example, reproducible builds suddenly play a very important role if a service is based in a country where developers could be forced by the government to introduce backdoors into their software without disclosing it.

Threema

Government ties and transparency reporting

Here is perhaps one of the most interesting parts of the letter of Threema. Durov claims that Signal received $3 million from Open Technology Fund. But this is in no way relevant today even considering the fact that Brian Acton, co-founder of WhatsApp and Signal, has invested over $100 million in Signal.

Likewise, it is not clear what Whittaker, the CEO of Signal who responded to Durov, is referring to when she says that "Telegram routinely works with governments behind the scenes“. Whether he only means situations where Telegram had to comply with existing laws is not a relevant topic to discuss. However, if you have confidential information about it, it would be important to share it with the community.

The interesting part is that, according to Threema, however, neither provides transparency reports worthy of the name. Telegram's is regional, only accessible through their application and does not return results for Switzerland or other countries.

Signal instead has a publicly accessible transparency report but it seems very incomplete and out of date. It contains only five entries, the latest of which dates back to 2021. When compared with that of Threema (170 requests in 2023) or Proton (6,378 requests in 2023) makes it clear that it is simply impossible that there have been only five government requests in ten years.

According to Threema since Signal is based in the United States, it is possible that it has received an order preventing it from disclosing or publishing certain information. This, we add, does not mean that they are in possession of confidential information as Durov claims but only that they may simply not be able to publish information.

What if there is no relevant data to share?

An easy objection is that it is of little importance to reveal cases if there is no data to be obtained. In fact, Signal has almost no data available but according to Threema even this statement may not be entirely acceptable as even the simple sharing of push notification logs even if they are encrypted can be very useful. But this, we add, is something that Google should share (as has already happened in the past (Archive) and should have nothing to do with Signal.

This tag @loyal alternatives is used to automatically send this post to Feddit and allow anyone on the fediverse to comment on it.

Join communities