Every government involved in today’s cyberwars has some interest in surveilling the users of messenger apps; but more oppressive states don’t bother to hide it. Telegram, the encrypted messenger in Russia, recently received a letter from the country’s domestic intelligence service, the FSB, that highlights this disparity—and the dangers of trusting tech companies’ privacy-related assurances.

Pavel Durov, the founder of Telegram, published the FSB letter on Vkontakte, the popular Russian Facebook clone that he also founded but no longer controls. In the document, helpfully translated into broken English because the company behind Telegram is registered in the UK, the intelligence service tells the messenger that it is obliged under a Russian law passed last year to hand over keys allowing the government to decrypt any communications transmitted over it—and is already in violation of the law for not having done so.

This is the same law that threatens Facebook and Twitter with closure in Russia next year until they start storing Russians’ personal data inside the country; Twitter has promised to localize its operation by mid-2018, Facebook hasn’t told the Russian authorities anything yet.

The FSB is taking the legal route, which is likely to lead to a court case against the quasi-Russian entity, as a warning for the likes of Facebook and Twitter. It must let them know they can’t get away with flaunting the draconian information security law. Telegram, with its claims of extra security and neutrality, is the ideal target for such a demonstration.

Durov, who set up Telegram with his brother Nikolai, is Russian, though he has also acquired the citizenship of St Kitts and Nevis, which allows visa-free travel to most Western nations. He has taken pains to put a distance between Telegram and Russia; the messenger’s official FAQ (frequently asked question) says the service’s headquarters is in Berlin. “While the Durov brothers were born in Russia, as were some of the key developers, Telegram is not connected to Russia—legally or physically," the FAQ says.

But a disgruntled former employee recently asserted that much of the development work was being done out of St Petersburg, a claim Durov has denied. If part of the team does work in Russia, the developers—and through them the company—are open to legal and extrajudicial risks.

Geography matters to users a lot; it has to do with trust. Telegram, which has more than 100 million monthly active users, enjoys outsize popularity in the Middle East, where US products are often distrusted. According to App Annie, it’s the most downloaded communication app on Android devices in Iran, while WhatsApp comes second.

In a way, that’s understandable: it wasn’t so long ago that Iran tried to ban WhatsApp because of Mark Zuckerberg, calling the chief executive officer of WhatsApp owner Facebook “an American Zionist". To many Iranians, a Russian connection is safer, but that doesn’t mean the Iranian government won’t go after Telegram as well: Tehran prosecutors have filed charges of child pornography and extremist propaganda against Durov.

To Americans or, for example, to protesters in Hong Kong, the probable compromise of China-based messengers such as WeChat and QQ (the Chinese government being the obvious culprit) is a strong reason not to use them. In 2014, now-impeached South Korean president Park Geun-hye had prosecutors trail the local messenger app, Kakao Talk, for insulting comments about her, inducing a mass migration to Telegram, which promised end-to-end encryption.

In Russia, the encryption promise without either a US or any noticeable local presence, has brought Telegram about 10 million users. The messenger’s “channel" capability, which allows a user to broadcast content to subscribers, has attracted anonymous commentators with inside knowledge of Russian politics, as well as talented entertainers.

People know by now not to put too much of their lives on social networks such as Facebook, Instagram or Twitter. These services are too easy for employers and governments to track; in Russia and other countries with authoritarian regimes, people have been jailed for comments on public social networks. The risks of putting too much on email is obvious to anyone who has followed the US scandals during the 2016 election campaign. Messengers have projected a sense of greater security by claiming they use end-to-end encryption (which doesn’t necessarily mean they are much safer) and simply by not putting our interactions out in the open where everyone can read them, the way social networks do.

But the Russian security services’ interest in Telegram—like the WeChat case in China or the UK government’s persistent attempts to have a backdoor built into WhatsApp—is a sign that each of these systems is likely to be penetrated. Spy services are persistent, and they have a lot of power to both demand entry and gain entry illegally.

This poses a danger for anyone using messenger apps developed by any corporate entity. These are easy targets for open and covert government pressure anywhere, but especially in authoritarian countries such as Russia. For the highest possible level of privacy and security, an app needs to be open-source and constantly watched over by an engaged, distributed developer community; Signal, the app Snowden recommends, fits that description most closely. For Telegram, the game may well be up soon. Bloomberg View

Leonid Bershidsky is a Bloomberg View columnist. Comments are welcome at views@livemint.com

My Reads Logout