Communication in Times of Russian Invasion: Telegram, Viber or Something Better?
Українська версія
Making an informed choice among the wide variety of digital apps available to communicate with family, friends and co-workers can be daunting. Communities and individuals often seem to make their choices guided by available features, capabilities and communication fashion trends. In wartime though, security has to be taken into account as a top priority.
For example, maybe you are one of the volunteers delivering medications or food to territorial defense forces (teroborona). If FSB (Russian Federal Security Service) can read or listen to your communications with other volunteers, they could have an idea about the location of the Ukrainian soldiers as well as the locations of the civilians helping the army.
Maybe you have been creating barricades and sending photos to your friends with the results of your work. That data, if seen by the occupiers, could be used to plan their attacks.
Maybe you are living under occupation, coordinating or participating in demonstrations in your region. Your digital footprint could get you identified and arrested, with locations strategic to your resistance disclosed to the orks.
This article is not meant to scare you away from organizing and communicating, but to help you understand the risks and make a security-informed choice of which app to use. We are comparing Viber, Telegram and Signal. Viber and Telegram are very familiar to all of us, Signal may only be familiar to those communicating with the Ukrainian army.
In all of the above scenarios, FSB managed to see the content of your communication. If the orks haven’t physically taken your phone away (here is how to prepare your phone for such a scenario), when would they have a chance to access your messages? There are two likely vulnerability points.
- A message can be intercepted as it is traveling among the digital channels while being delivered.
- A message can be read by accessing the messaging app servers (like Telegram or Viber), as some of them store all your communications!
Many messaging apps are trying to avoid both scenarios by using end-to-end encryption, however some are using only encryption in transit, thus protecting only against the first vulnerability. Below is the visual representation of the difference.
As you can see, in order for the message you send to reach the recipient, it first has to go through the app servers, this is true for practically all modern messengers that rely on the internet. All three applications (like a majority of messaging apps) encrypt the data while it is being transferred. This means that even if the data is intercepted, it can’t be deciphered.
Thus using all three messaging services generally protects us from the first vulnerability type.
Services start to differ quite a bit when we start looking at the second vulnerability type. Unfortunately, some apps store all the conversations and data surrounding the conversations (location, duration, frequency) on their servers. This information can be acquired by hackers or by workers that are pressured or are willingly cooperating with the Russian government.
As you can see in our depiction of the Telegram servers, they do store quite a bit of information about you as well as all your conversations from the last 10 years. Generally, just because the messages are stored on the server, doesn’t mean they are readable. They are only readable if unencrypted. Unless you enabled “secure” chat on Telegram (which in our experience no one does for 1–1 communications and this option is unavailable for group chats), all the communications are unencrypted and available to hackers or Telegram employees with the access to the server database. Considering that “a fair amount can and has gone wrong on Telegram” (see also 1, 2, 3), our concerns are further heightened by the announcement of the “compromise” between Telegram and FSB, which according to Russian Deputy Chairman of the Committee on Information Policy Oleg Matveychev, will allow Telegram to continue operating in Russia. All Ukrainain chats conducted on Telegram just might be available for Russian government inspection and data mining in their “terrorist” hunt.
Turning to Viber and Signal, both apps store messages encrypted and for as little time as needed for the messages to be delivered to the recipients. Once messages are delivered, they are deleted from the server. For undelivered messages, Viber will attempt redelivery for 14 days and Signal for 3 months, after which both apps will delete the message data if it still has not been delivered. Both Viber and Signal encrypt the content of your communications with end-to-end encryption, which means that even if their employees hack the code and check the queue, they won’t be able to read your messages. Signal goes one step further and encrypts the sender identifier as well! However, there is a big difference between Viber and Signal in how much extra data is stored about you. As we can see, Viber stores far more information about you, which it then uses to target ads. This extra information is less secure and can be more easily accessed.
Another significant difference among the three apps compared in this article is that Signal is the only app that is fully open source, so that anyone can inspect the application code. This means that only Signal has had its security guarantees continuously verified by external security researchers. Telegram and Viber are private companies that allow very limited inspection of their code and security protocols so, unfortunately, even with the occasional external reviews of parts of their code, there is no guarantee that the code would not change immediately after being inspected.
We agree with the Electronic Frontier Foundation explanation of different security needs which render the most “secure” recommendation situation-dependent, and suggest reading their guide in case your situation is different from the scenarios we assessed. That being said, given the situation in Ukraine and our app comparison, we strongly advise the use of Signal for secure communication during this war. If you are using Telegram or Viber and are not yet ready to switch to Signal, we recommend against Telegram in favor of Viber. Please do not use regular cell phone calls or SMS (see Note 1)!
We do hope you take your security seriously. Even if your current communications do not present much interest to the Russian government, with almost all the population on the ground and abroad at least occasionally volunteering to support the fight against the invasion, helping refugees, or resisting the occupation, we still think that it is prudent to switch all 1–1 and group conversation to a well-regarded app like Signal. You can download Signal through their website.
NOTES
(1) On an off-chance we have scared you off of using messenger apps and you instead are picking up your phone to make a call through Kyivstar or Vodafone, or even getting ready to pay them for the SMS service, we would like to remind you that it would be the least secure way to communicate since regular cellular calls and texts are not end-to-end encrypted and can be easily read/listened to if intercepted. Just think of the Russian general, dead because of a phone call.
(2) Signal is very well-regarded by the global security community, but if you want to check out other hard-core secure communication apps, Threema and Wire from Switzerland are getting excellent reviews as well. However, those options are available for a small fee.
SOURCES
For this article we relied on and linked to a number of independent reputable non-profits, the most prominent being the Electronic Frontier Foundation and the Mozilla Foundation’s *privacy-not-included project. For further reading, on the latter site you can find reviews of Telegram, Viber and Signal as well as other popular apps like Facebook Messenger and WhatsApp.
Originally published at http://docs.google.com.
Ten articles before and after
Should I buy fake followers for my NFT/Web3 projects Twitter/Telegram accounts? – Telegram 中文版
Understanding Telegram’s ecosystem of far-right channels in the US – Telegram 中文版
️🎊Celebration of 100,000 members mark in KDG Telegram group 💯💯 – Telegram 中文版
H8. Un experimento para ayudarme a… – Telegram 中文版
11 Tools for Managing Chats and Channels in the Telegram – Telegram 中文版
7 Builders For No-Code Creation of Chatbots in Telegram – Telegram 中文版
Sending CloudWatch Alarm Status To Telegram – Telegram 中文版
Cómo crear un Bot de Telegram?. Hola 👋 soy YOSS, en este post te… – Telegram 中文版
Telegram channels amplified document falsely justifying Russian invasion – Telegram 中文版
