9 Errors Wired Chose to Make

9 Errors Wired Chose to Make

Telegram

Wired published an article by a freelance journalist who doubted the safety of Telegram due to a lack of understanding about how Telegram's API and Secret Chats work.

Below is an explanation of why these doubts are unfounded.

1. Secret Chats

Contrary to the journalist's implications, "messages erroneously marked as read" can't mean that a third party is accessing Telegram's Secret Chats. Had an intruder somehow been able to intercept messages from a Secret Chat, they could have also prevented read receipts (messages are not marked as read automatically – to do this, apps need to send a special request). But such a hack is impossible.

Telegram is the only popular messaging application that allows any researcher to independently confirm that its open-source code is identical to the code of apps that its iOS and Android users download from the AppStore and Google Play. Thanks to this, independent experts can fully evaluate the integrity of Secret Chats. In the almost 10 years of Telegram's existence, no security flaws that would enable a third party to intercept or decrypt Secret Chats have ever been found.

No issues with read statuses can affect the security of Secret Chats. However, it is not even clear whether these issues existed. The journalist claimed that Yana Teplitskaya "noticed that many of her secret chats were erroneously marked as read," but she told Telegram she never had any issues with Secret Chats. Yana says she only ever saw regular cloud chats erroneously marked as read.

2. Marina Matsapulina’s story

Contrary to the journalist's misconceptions, there is no evidence that law enforcement had access to politician Marina Matsapulina's messages before her arrest. Her location was established based on her mobile network usage and not by reading her messages. This is mentioned in the conversation with an investigator she published: "...the FSB has very good equipment that shows your location based on your phone [usage] accurate up to 1 meter."

Marina's devices had been in the hands of law enforcement for 3 hours by the time her messages were first quoted to her. According to independent experts, these messages were physically extracted from her confiscated devices using Cellebrite tools which are regularly used by Russian special services – this has nothing to do with Telegram's security, as no app can defend against direct access to a device.

3. Access to Location Data

The article misleadingly claims that the location of any Telegram user "who turned on their location" could be accessed via the API (application programming interface for developers or third-party apps). This was never the case.

The Telegram API can only be used to receive the locations of users who agreed to publicly broadcast their location in the optional section 'Find People Nearby'.

Less than 0.01% of users have ever opted into this feature – and they did it knowingly, with the exact intention of sharing their location with the world. This optional feature is not a vulnerability.

4. "Monitoring" via the API

The article portrays the Telegram API for developers as a tool that allows "authorities to monitor users."

In reality, the Telegram API only allows one to obtain the same data that is accessible to all users via regular Telegram apps. Even if you know somebody's phone number, there are no guaranteed ways for you to find messages they left in publicly accessible groups – let alone receive confidential data of any kind, like which channels you follow.

The source of the author's confusion most likely lies in the fact that the Telegram API is used by third-party Telegram apps and bots with which users often voluntarily share their data (for example, by adding bots to chats as administrators or by using unofficial Telegram apps.) 

5. Bond sale and VTB

The article claims that a Russian bank, VTB, played an important role in Telegram’s fundraising efforts by selling bonds to investors in 2020. In reality, Russia overall accounted for a smaller part of the bond issuance and the VTB bank was not instrumental – even within Russia. Of the banks involved with Telegram’s bond issuance the most significant role was played by the global investment bank JP Morgan. Telegram sold its bonds directly to investors. 

It is also untrue that Telegram “hired VTB to estimate the company’s value” – this has never been the case.

6. Bond investors

The article’s claim that Telegram sold bonds to a partnership between an Abu Dhabi state fund and a Kremlin sovereign fund is false and has been refuted, as Telegram performed a rigorous KYC check on all buyers of its bonds at the time of their issuance and made sure no Russian state funds were included. Two Abu Dhabi funds participated in the primary bond sale, each in their own right, not as part of any joint ventures.

Later it was reported the Russian RFPI fund bought an insignificant stake ($2M of the total $1.7B) in Telegram bonds from a third party on the secondary market the day after the bonds were issued. Even if this really took place, Telegram had no involvement – as it was not party to the transaction. Given that the rights of the bondholders are limited and bonds do not give the power to influence the values or the strategy of the company, transactions in Telegram bonds on the secondary market are not an issue.

As far as Telegram is aware, the vast majority of its bonds are currently held by major global funds based in the US and the UK.

7. TON token investors

The article contains a long-refuted rumor that Roman Abramovich invested $300 million in TON. It is a matter of public record that this was never the case. Documents published during the Telegram–SEC court proceedings indicate a $10 million investment, which is less than 1% of the funds raised by Telegram for the development of TON.

8. The Lobushkin "bluff"

The article erroneously quotes a Russian media manager, Georgy Lobushkin, as saying that Pavel Durov’s claim to never share data with Russia and his readiness to leave the market in case of pressure “might be a bluff” due to the significance of Russia for Telegram.

Lobushkin was interviewed for the article over Zoom and disputed the depiction of his words when Wired reached out to him before publication. He explained that he intended to say “I hope that Pavel wouldn’t leave the Russian market because Telegram is so important for the Russians”, and that “bluff” was not representative of his meaning.

Wired chose to publish the misquoted passage, disregarding their source’s attempts to clarify.

9. Elies Campo, the "volunteer executive"

The article mentions Elies Campo, a former volunteer, as "saying he directed Telegram’s growth, business, and partnerships”. Wired previously refused to introduce corrections into their coverage of Campo's unrealistic claims due to his having “provided copies of email correspondence” in which “Durov was also included” – as well as “copies of contracts” between Telegram and unnamed “companies with Campo’s signature”.

Telegram never entered into any kind of contractual relationship with Elies Campo, he never received any compensation from Telegram and was never authorized to sign anything on Telegram’s behalf.

This list is being expanded.


Unfortunately, the article's author, freelancer Darren Loucaides, decided to ignore comments from Telegram and other sources in his article.

The text was eventually corrected, but many mistakes still remain – as does the flawed premise of the article.




Report Page