News: 1727129414

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Telegram will now hand over IP addresses, phone numbers of suspects to cops

(2024/09/24)


In a volte-face, Telegram CEO Pavel Durov announced that the made-in-Russia messaging platform will become a lot less cozy for criminals.

"We have updated our Terms of Service and Privacy Policy, ensuring they are consistent across the world,” Durov [1]said . “We’ve made it clear that the IP addresses and phone numbers of those who violate our rules can be disclosed to relevant authorities in response to valid legal requests.”

A glance at current and past terms and conditions for the service, which offers private and public instant messaging, finds that the [2]original fine print reads, "If Telegram receives a court order that confirms you're a terror suspect, we may disclose your IP address and phone number to the relevant authorities. So far, this has never happened."

[3]

This has now [4]changed to:

[5]

[6]

"If Telegram receives a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities."

As you can see, a shift from cooperating with terror investigations to criminal probes in general. This is fairly significant as Telegram pretty much billed itself as a haven for those avoiding government surveillance and investigations. It offer a degree of end-to-end encryption for its users – more on that below – and organized its IT infrastructure around the world to effectively resist handing over information about its users to the authorities, which made it a destination for all kinds of netizens, good and bad.

[7]

"We have disclosed zero bytes of user data to third parties, including governments" as the biz would put it in its documentation.

ProtonMail, another internet service that promotes itself as highly private, updated its Ts&Cs [8]in 2021 after it handed over a suspect's IP address and other info to the cops upon request, which led to the arrest of a French climate activist.

[9]Telegram founder and CEO arrested in France

[10]France charges Telegram CEO with multiple crimes

[11]Telegram CEO was 'too free' on content moderation, says Russian minister

Durov also described how the business was attempting to clean up Telegram-hosted content that was discoverable via its search function – think people having conversations about and sharing media of highly illegal stuff that others can find and join. Over the "last few weeks," a team of moderators, supported by AI tools (of course) has been going through posts to find and block scumbags up to no good, Durov said, and he urged people to report illegal behavior on the service.

The phrase "last few weeks" could be telling here. In August, Durov [12]was arrested in France after landing at Le Bourget airport. The multi-billionaire was held for days in jail before [13]being charged with failure to cooperate with French law enforcement and allowing the use of his platform to facilitate trading in drugs and child sex abuse material, online harassment, and other crimes.

Durov – who co-founded the Russian social network VK with his brother; the pair left the service in 2014 to [14]set up Telegram – was released on bail of €5 million, and he is not allowed to leave the country until the charges are settled one way or another.

[15]

And a week after his arrest, the South Korean government's telecom regulators approached the French for advice in dealing with the flood of deepfake porn that has become epidemic in the Asian country - and Telegram [16]promptly apologized and began to curb that very content on its network.

Telegram, an LLC registered in the British Virgin Islands, does allow for full end-to-end encryption but only in so-called secret chat messages, not by default, and these can only be opened on specific devices. ®

Get our [17]Tech Resources



[1] https://t.me/durov/345

[2] http://web.archive.org/web/20240915160933/https://telegram.org/privacy?setln=ar#:~:text=To%20improve%20the%20security%20of,history%20of%20username%20changes%2C%20etc.

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/personaltech&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZvI5Zyonb2P5fVKwFPc4VQAAAdI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://telegram.org/privacy?setln=ar#:~:text=To%20improve%20the%20security%20of,history%20of%20username%20changes%2C%20etc.

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/personaltech&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvI5Zyonb2P5fVKwFPc4VQAAAdI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/personaltech&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvI5Zyonb2P5fVKwFPc4VQAAAdI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/personaltech&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvI5Zyonb2P5fVKwFPc4VQAAAdI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2021/09/07/protonmail_hands_user_ip_address_police/

[9] https://www.theregister.com/2024/08/26/telegram_ceo_pavel_durov_detained/

[10] https://www.theregister.com/2024/08/30/french_telegram_ceo/

[11] https://www.theregister.com/2024/09/02/russias_foreign_minister_claims_telegram/

[12] https://www.theregister.com/2024/08/26/telegram_ceo_pavel_durov_detained/

[13] https://www.theregister.com/2024/08/30/french_telegram_ceo/

[14] https://www.theregister.com/2016/02/24/telegram_messaging_app/

[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/personaltech&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvI5Zyonb2P5fVKwFPc4VQAAAdI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[16] https://www.theregister.com/2024/09/04/telegram_south_korea_deepfake_apology/

[17] https://whitepapers.theregister.com/



Will this make a difference?

Mark Zero

Not a user of the service but if I was some sort of nefarious person then I’d be reconsidering it’s merits.

compromising position

Michael

It's really only an issue if you've already been identified either by publishing publicly or from standard police/military investigations. If you are stupid enough not to hide you IP and use a mobile phone to register for a service then you will be identifiable to governments eventually. If you thought otherwise you are blissfully ignorant. Equally most secure systems and methods of hiding your actions are under attack from government agencies on a daily basis.

Want a secure system? Setup a server with SSH access establish keys write a message to a log that's deleted hourly on empherial storage. Want to improve it? Generate a one time pad and encrypt your data and delete it as soon as it is read. Only perform the encryption /decryption locally or on a machine created for that action. Hell, trash the server and spin up a new one after each exchange, perform the the decryption on a separate drive/server and erase the drive/servers between decryptions.

Ultimately you will still potentially get caught by increasing the number of people you are talking to or are stupid and keep copies or reuse keys or someone finds they key or most likely someone realises what you are up to and monitors your computer/room/actions.

The reality is, for the police the best thing that can happen is people believe the system they are using is secure. They publish all the information needed to capture them and you catch them in the act and not tell anyone. If you are doing something illegal and have money or knowledge you can build a secure system to communicate until the first person that knows the system is caught and confesses. If nobody keeps copies and no originals exist then you are safe. Although in the UK if they can prove you have a password you won't hand over you could still go to jail.

Re: compromising position

An_Old_Dog

What makes you think SSH, in whatever incarnation and version, is:

* Not already backdoored by state-level actors

* Free of exploitable bugs

* Containing exploitable bugs, yet not exploited by state-level actors

Re: compromising position

Anonymous Coward

> What makes you think SSH, ..., is:

OpenBSD. That's what makes me believe it.

Re: compromising position

An_Old_Dog

Yeah, I run OpenBSD, too, thinking its focus on security will make it less-likely to contain careless errors.

But, with crypto, a back door doesn't necessarily look like a back door. It can be as simple as a mathematical weakness, or a subtle (intentional) error in an implementation.

I don't have the math knowledge to spot such a thing in OpenSSH (or any other version). I trust Theo to do the right thing, but OpenSSH has many contributors, some of whom are either rabid nationalists ("patriots", if you will) who would voluntarily insert a back door at their government's request, or have loved ones vulnerable to government-sponsored Bad Things™.

Durov finds mainstream acceptance

Phil Koenig

Pavel Durov positioned Telegram as a maverick from the start, making it clear that they didn't have much time to worry about moderation or cooperation with law-enforcement bodies.

Unsurprisingly, that led to a lot of criminal and other questionable groups utilizing the platform because the other major platforms were much more diligent about cracking down on such activities.

Despite many media organizations apparently falling for Telegram's hype about some sort of "superior encryption", Telegram is one of the few major messaging platforms these days that does not include end to end encryption of all chats by default.

And even though the client software is open-source, the server-side software has never been so and is closely guarded. Which makes it nearly impossible for an outside 3rd-party to actually ascertain how secure and privacy-respecting Telegram as a platform actually IS.

Given the features like caching and syncing chat data between multiple clients per user, it's long been assumed by technically savvy users that Telegram had the ability to snoop on user data, despite Telegram implications to the contrary. Now their promise to share user IP addresses and the mobile #'s associated with each account with law enforcement upon request, the hype about user privacy that Telegram built is starting to fall apart.

That may be the cost of mainstream acceptance, but it was also a large part of what made the platform popular in certain places around the world, especially in places like Iran and Russia where the local government is notorious for snooping on its citizenry.

Now we see that since Durov's detention, Ukraine has banned the usage of Telegram within government agencies as a precaution against Russian snooping that they say may be due to some sort of special access to Telegram content the Russian govt may have. As a result, I imagine that the platform's growth will turn negative for some time going forward.

Oh well.

C:\WINDOWS>DEL *.*
I feel better now.