Shock Telegram Change Protects Hong Kong Protesters From China—But 200M Users Affected

This article is more than 4 years old.

In a significant reversal, the secure messaging platform Telegram has reportedly bowed to pressure from Hong Kong protesters and made a fundamental change to its system. And that change will impact the app for all its 200 million users worldwide.

Telegram had been accused of leaking identities through a "bug" where users were unable to hide their phone numbers from security agencies. Now, according to Reuters, Telegram has changed its mind and will allow users "to cloak their telephone numbers" after all, "safeguarding protesters against monitoring by authorities."

If the vulnerability was something of a shock in the first place, the speed of the reversal is arguably even more so.

Last week I reported that a number of Hong Kong's pro-democracy protesters had accused Telegram of leaking identities to the authorities. The issue surrounded public groups in which users had selected to hide their phone numbers. Unfortunately there was a loophole. If another device had the number stored and synced with Telegram, it became visible.

Related: Telegram bug ‘exploited’ by Chinese agencies, Hong Kong activists claim

According to reports, security agencies immediately started adding thousands of potential protester numbers to devices and checking Telegram. With a phone number in hand, a quick call to the phone company and a number became a name.

Citing someone "with direct knowledge of the effort," Reuters claims the update is "planned for release over the next few days," and is intended to "allow protesters to prevent mainland Chinese and Hong Kong authorities from discovering their identities in the app’s large group chats."

What's interesting here is how defensive Telegram were when I published my initial report. I described this as a bug—it seemed inconceivable that an app promoting privacy and security could be this open to attack. And Telegram didn't like that. "Just to clarify," a spokesperson for the messaging platform told me, "your headline mentions a Telegram 'bug'. But being able to see your contacts who are using the app is not a bug—it's a fundamental feature for any messenger based on phone contacts."

Chu Ka-cheong, director at Internet Society Hong Kong Chapter, had told ZDNet that the privacy of a phone number used with Telegram "has always been an issue," given that Telegram uses phone numbers as identifiers. "But not until today have we been aware that setting [who can see a phone number] to 'Nobody' will still allow users who saved your phone number in address book to match phone number to public group members. This surprised every one of us."

Telegram had described the "bug" as necessary functionality. The spokesperson told me that it is "a documented feature of the system—like other contacts-based apps (WhatsApp, Facebook Messenger), Telegram must allow you to find your phone contacts who are also using the app. Unlike other messengers, we offer additional privacy settings that can shield your number in groups and elsewhere—but the interface expressly states that this setting does not affect the ability of people who know your number to recognize you."

The platform also claimed that defences prevented a mass sync of thousands of numbers as had been claimed. "We continue improving both our interfaces and the algorithms used to counter mass-importing attempts. For example, the engineers whom you are quoting attempted to sync 10,000 numbers for their example but were stopped after only 85."

I pointed out that an open door would be an invitation for nation state agencies to get around such a restriction. The claims by protesters that identities had been cracked would suggest this had been done, or they had been very lucky with the 85 numbers they happened to add first.

"We have suspected that some government-sponsored attackers have exploited this bug and use it to target Hong Kong protesters," Chu warned. "In some cases posting immediate dangers to the life of the protestors."

Despite assurances that the authorities would be fettered in exploiting the bug or feature, the change will be seen as an acknowledgement that it has either already been exploited or might be exploited after all.

There are major side effects to this change, if the reports are accurate. The bug fix will "disable matching by phone number." Unfortunately, that "optional security setting" would make it much harder "for the vast majority of its more than 200 million consumers... to identify friends and family members on the app."

Not an easy balance to strike. But if you promote an app based on security and privacy, then one would assume those considerations come first.

This move is to be applauded. I have approached Telegram for any additional comments relating to Hong Kong and the wider use of the app.

"It's a constant battle of wits," the Telegram spokesperson had told me, "and we keep adapting and improving our algorithms. The next update will also include a new setting for those looking for an extra level of privacy and don't mind sacrificing some usability."

Now the meaning behind those words has become clear.
