Russian roulette

Image from Pixabay

Sometimes you catch a news item on the radio that makes you think, “Huh? I must have misheard that.” Like the report that Pavel Durov is leaving his fortune to all of his onehundred children.

The man turns out to have two 'real' children; for the remaining 104, he was only involved as a sperm donor. Fortunately, those children need not fear missing out, even with that many half-siblings. Each of them can expect over 160 million dollars, based on their father/donor’s current bank balance. They’ll probably have to wait a while, though, as Durov is only forty and very much alive. His name appears on impressive lists: the 120th richest person in the world, the richest expat in the United Arab Emirates, the most powerful entrepreneur in Dubai—those kinds of things.

Durov’s portfolio includes no fewer than four passports: he is a citizen of Russia (born in the Soviet Union), Saint Kitts and Nevis (islands in the Caribbean Sea where he supported the sugar industry with a quarter million dollars), the United Arab Emirates, and France. According to Paul du Rove, as he calls himself in that country, the application for the latter passport was an April Fool’s joke that was accidentally approved via a special procedure. But it did make him an EU citizen as well.

All these facts (and many more) can also be found on Wikipedia, but why am I bringing them up here? Because Pavel Valeryevich Durov is also the spiritual father and founder of Telegram, the messaging service akin to WhatsApp and Signal. And Telegram is not exactly a service beloved by security and privacy experts. I’ll explain why. Keep in mind that the term cryptography, as used here, has nothing to do with cryptocurrencies like Bitcoin.

When you exchange messages with someone, you generally don’t want others—people, companies, or governments—to be able to read along. That’s why messages are encrypted. This encryption ensures that only you and your conversation partner can read the messages, because only you two have the corresponding keys (this is called end-to-end encryption). The mechanism that handles the encryption is called a cryptographic protocol, which in turn uses cryptographic algorithms. Typically, internationally recognized standards are used, which have been extensively reviewed by many different experts. That makes them reliable. At Telegram, they thought it better to create their own crypto protocol. In cryptography, that’s considered a cardinal sin, because it’s likely you’ll overlook your own mistakes. Their protocol is also not fully public, making it difficult to scrutinize. Moreover, encryption is not enabled by default. With other messaging apps, it is.

Telegram and its founders have a turbulent history. Durov left Russia after disputes over his previous company, VKontakte (the Russian Facebook). In short: he had refused to hand over personal information about protesters to the authorities. In 2014, he left Russia and founded Telegram. According to Durov, Telegram turned a profit for the first time ten years later, with revenues exceeding one billion dollars. How Telegram was funded in the meantime remains unclear.

Despite the disputes in Russia, we don’t know whether backdoors have been built into Telegram. From what I can tell, Durov has a decent track record of resisting grasping authorities. On the global stage of espionage, however, you can never be sure whether that’s just for show and whether deals have been made behind the scenes. The platform is popular among criminals for conducting business, perhaps because Durov and co. don’t stand in their way. In this context, France arrested him last year (and released him on bail). In any case, the lack of transparency and, frankly, the Russian roots make Telegram a platform I strongly advise against using. Use Signal instead—it has a strong reputation in both cryptography and privacy. That said, it’s an American product and thus subject to U.S. law, which gives law enforcement various powers to demand data. However, they can only hand over data they have; the content of your messages is end-to-end encrypted and therefore reasonably safe. WhatsApp works the same way but has a poorer reputation for privacy because it monetizes your profile and behavior.

Even if you have a hundred children and an above-average bank balance, that doesn’t make you a diligent father. I see too many red flags to trust Durov and his Telegram.

And in the big bad world…

• Even the U.S. House of Representatives has banned WhatsApp.
• The continent of the Nigerian prince is now suffering from cybercrime itself.
• AI manipulation is sometimes difficult to detect even for experts.
• Iran has blocked its internet access to protect the country from cyberattacks, according to Iran.
• Iran has already lost tens of millions in cryptocurrency to hackers.
• Hacked airlines are always quick to report that flight safety has not been compromised.
• Even printers can be vulnerable.
• Some servers are even vulnerable when turned off.
• The UK’s NCSC promotes the use of password managers and especially passkeys.