CPJ notes security risks for Iranian journalists using Telegram

by Sam Berkhead
Oct 30, 2018 in Digital and Physical Safety

For Iranian citizens and journalists alike, Telegram is a popular way to share information as access to other social media outlets like Twitter and Facebook tends to be limited. The mobile messaging app boasts some 20 million users in Iran, making it a valuable resource for journalists to find and communicate with sources.

However, according to a recent article by the Committee to Protect Journalists (CPJ), journalists who use Telegram could be putting themselves at “severe risk” of data compromise.

Despite its branding as a more private, more secure messaging app, Telegram lacks both the default end-to-end encryption and Signal encryption protocol that Whatsapp uses, the CPJ reported. Security experts have called Telegram’s encryption “poorly designed and implemented,” according to the CPJ. 

In a country like Iran, which is included on the CPJ’s list of the world's 10 most censored countries, and where journalists have been arrested for social media posts, such lapses in cybersecurity are especially risky. Yet the U.S.-based Iranian blogger known as Vahid Online said Iranians don’t have many alternatives.

"If social media sites were not filtered in Iran, instant messaging applications would have been used at the same rate as other countries,” he told CPJ. “Iranian users would have probably preferred to use Twitter or Facebook.”

Vahid Online, who has more than 44,000 followers on Telegram, said he mainly uses the platform to post summaries of current events and share tweets, Facebook posts or blog posts that would otherwise be blocked for Iranians.

The blogger said Telegram's Channel feature — a one-way communication feature that lets users instantly share content with large audiences — has been key in bringing Iranian users to the platform, building a space for information exchange that otherwise wouldn’t exist.

"There is a big population in Iranian cities and towns that have never had access to computers and don't even have email accounts, but they have now connected to the online community through Telegram," he said. "Many of the YouTube videos that for years were blocked for Iranians have been shared on Telegram and many Iranians are able to see them for the first time."

While Telegram has helped bring information and conversation to many Iranians, its security flaws ultimately make it unsafe for journalists to use, security experts told CPJ.

"Normal chats, which is the default option, are not end-to-end encrypted, meaning Telegram and anyone they share your data with, can read, store, analyze, manipulate or censor users' conversations,” Nima Fatemi, a U.S.-based independent security researcher, told the CPJ.

Telegram does offer a Secret Chat option that lets users send messages protected by end-to-end encryption. And while the platform doesn’t disclose its data to third parties, it’s still possible for accounts to be compromised. In late April, for example, third parties hacked into the Telegram accounts of two Russian activists.

Nate Cardozo, senior staff attorney at Electronic Frontier Foundation, echoed Fatemi’s concerns, calling Telegram’s lack of end-to-end encryption and its use of non-standard MTProto encryption protocol “critical flaws.”

Ultimately, the CPJ recommends that journalists — especially those in Iran — use WhatsApp or Signal as more secure alternatives to Telegram. Both apps use a type of encryption protocol which has been endorsed by many tech security experts.

via the Committee to Protect Journalists.

Main image CC-licensed by Flickr via Sean Tiernan.