Telegram Russia Ukraine|
moshed-03-16-9-59-34|Screen-Shot-2022-03-16-at-9.49.58-AM

How Telegram found itself in the middle of the war between Russia and Ukraine

When Russia invaded Ukraine late last month, Dasha Tkachuk, like many Ukrainians, found herself relying on one app in particular: Telegram.

“It is impossible not to be on Telegram [right now] — everyone uses it,” said Tkachuk, a 23-year-old sociologist living in Kyiv.

Before the invasion, Tkachuk operated a channel on the app — which features instant messaging, public or private community-like channels, massive group chats and other social features — that shared studying opportunities for students. “We had a small audience of nearly 15,000 people, and advertisers were willing to pay nearly $30 for one post,” she said.

Her revenue from the app dried up on Feb. 24, when Russian troops first entered the country and her clients stopped placing ads. But Tkachuk quickly found a new way to use the app — she got to work setting up several Telegram channels explaining what was happening in Ukraine for Russian-speaking users.

“In Russia, people use Telegram to get the latest news just like Ukrainians do,” she said.

The app’s popularity in the region was strong even before the ongoing war, with it serving as among the most popular sources of news among Ukrainians between the ages of 18 and 24.

Telegram was used locally for sharing pandemic information, for example, and Ukrainian and foreign media often cite posts from the app as their first source of information about local events.

Amid the war, Telegram has become a lifeline to many in the country — it’s often the earliest warning about potential air raids, or the easiest guide to the nearest bomb shelter.

Its local importance during this crisis is also resurfacing concerns about the security risks facing people communicating online during conflicts and in their everyday lives. 

“Telegram has a lot of compelling features, but in terms of privacy and data collection, there is no worse choice,” Moxie Marlinspike, creator of the rival messaging app Signal, wrote on Twitter last December. 

Having a secure communication channel is vital during the war, especially for journalists, human rights activists, and other individuals handling sensitive information. But confusion about Telegram and just what it means for an app to be “encrypted” is leaving some Ukrainians unclear about the best ways to organize securely during the current conflict, cybersecurity experts warn.

“Creating a false sense of security around communications that are not in fact fully protected can encourage people to expose highly sensitive information they would have otherwise directed through other channels,” Carolyn Tackett, the Deputy Advocacy Director at Access Now told The Record.

Meanwhile, the Russian invasion of Ukraine is pushing rapid changes to people’s access to online services and the protections they offer, setting up the next stage of the decade’s long series of policy debates over access to secure communications technology known as the “crypto wars.” 

That debate is now already being redefined by corporate actions being met by Russian crackdowns on digital rights — including Meta’s (previously Facebook’s) decision to rush with a release of a more secure instant messaging feature in Instagram in Russia and Ukraine, Twitter’s decision to launch a way to access their services via the web traffic obscuring tool Tor, and Telegram’s own efforts to navigate a complex and constantly shifting policy landscape.

That same landscape leaves Ukrainians and Russians alike caught not only in physical war, but also navigating misinformation and disinformation about how to securely communicate at a critical moment.

Organizations such as Access Now have rushed to share guidance about current best practices — including local language guidance for those in Ukraine as well as in Russia and Belarus. However, some on the ground remain unsure of what digital services to trust even as the country’s online networking infrastructure is struggling to withstand physical and digital assaults.

Encryption, explained

There are two basic ways information can be digitally encrypted — in transit, when it’s moving between places, and at rest, or when it's stored somewhere. Either way, the information is secured by a “key,” a bit of code that allows it to be unlocked. 

The most secure way to encrypt something is end-to-end, which means it is only accessible to the people in the conversation. The current standard across much of the web and with many free online services is that data is encrypted end-to-end between you and the service, but not between you and the other people in the conversation. 

This actually represents a shift towards encrypting nearly all web traffic that has mostly happened over the last decade in response to civil society campaigns. Before, a lot of general web traffic was vulnerable to surveillance or cyberattacks because the links between a person and the site they were visiting was not protected.

This structure — also commonly known as “cloud” encryption — is convenient for a lot of things, including ease of managing access to data across devices and making sure people can still get your data if they lose access to the key. But it also means that the service provider holding the key could be compelled to unlock the information in certain cases, such as at the request of law enforcement — a practice commonly noted in tech company transparency reports. 

And in recent years there’s also been a rise of easy to use tools and apps that do provide end-to-end encryption between users — led by Telegram, Signal and Meta-owned WhatsApp, which relies on Signal’s open source protocol for end-to-end encryption.

The Signal app was first released in 2014 and evolved out of projects led by Marlinspike, an anarchist and longtime security researcher, who announced he was leaving the CEO role at the app’s LLC in January, but would remain on its board. WhatsApp co-founder Brian Acton left his company — after it was bought out by Meta and it began using Signal’s code — then started the nonprofit Signal Foundation to support Signal open source code with Marlinspike in 2018, and now serves as interim CEO of Signal Messenger.

Telegram and Signal gained a massive boost in users in January 2021, when WhatsApp updated its privacy policy to allow the app to share certain user data with its parent company Meta.

WhatsApp’s downloads fell by more than 2 million in a one-week period early last year, according to data from Sensor Tower, reported by Reuters.

Signal, in turn, saw 17.8 million new downloads during that week, and Telegram received 15.7 million downloads, surpassing 500 million active users globally — despite warnings that Telegram was not as secure as the public seemed to believe.

Amidst rising regional tensions in the run-up to the most recent Russian invasion of Ukraine, both Marlinspike and Telegram co-founder Pavel Durov — who some view as the Russian Mark Zuckerberg for his role founding the local social media giant VK (previously called VKontakte) before being pushed out by pro-Kremlin interests — have vocally promoted their tools.

Telegram was founded in 2013, a year before Nikolai and Pavel Durov left VKontakte. The following year, In 2014, Pavel said he came under pressure from the Russian security services after refusing to reveal data on VKontakte users. He eventually lost his stake in the company and fled the country.

Durov publicly criticized WhatsApp and its technical team for “incompetency” in a Telegram post on Feb. 3, citing past security issues with the messaging app. 

In Nov. 2019, Durov warned WhatsApp users of a backdoor that allows hackers to access their data on any phone running the app. At that time Facebook said a vulnerability could be abused by criminals to take control over users’ smartphones by creating a special MP4 file.

2022-03-Screen-Shot-2022-03-16-at-9.49.58-AM-1024x599.png

WhatsApp fixed the issue, but it didn’t convince Durov. 

“Some could say that, as a founder of a rival app, I may be biased when criticizing WhatsApp,” he wrote. “I am. Of course, I consider Telegram Secret Chats to be significantly more secure…why else would I be developing and using Telegram?” 

However, cybersecurity experts question Durov’s claims about Telegram’s commitment. 

The app’s main problem, according to Runa Sandvik, a longtime security researcher who previously helped secure journalists at The New York Times, is that not all of Telegram’s services encrypt data end-to-end — and that option isn’t the default, it’s something users must turn on. 

WhatsApp and Signal use end-to-end encryption on all their chats and calls by default. Telegram has end-to-end encryption for direct and group calls, but only for direct chats between those using the “Secret chats” feature, per its FAQ.

This means that the app’s key organizing feature — large groups — are not secured end-to-end, EFF cryptographer Jon Callas said. 

However, Callas also said that the risk of exposure increases when communicating to large groups regardless of technical security protections.

“There’s an old aphorism that three people can keep a secret if two of them are dead,” Callas said, explaining that the risks of interlopers or disagreements that could lead to leaks increases with the size of conversations.

Data belonging to most European users are stored in the Netherlands, according to Telegram’s privacy policy, which also says the data is “heavily encrypted” so that local Telegram engineers or physical intruders couldn’t get access to it. The company’s FAQ says it also uses a distributed architecture so that unlocking the data stored in the cloud requires legal requests from multiple jurisdictions around the world.

Durov has justified Telegram’s encryption policy in the past by pointing to technical limitations, including in a 2017 blogpost when he wrote that it was impossible to build the feature-rich app his team envisioned “on an obsolete architecture like WhatsApp that has to rely on third-party backups instead of relying on its own built-in cloud accessible in real-time.”

However, alternatives — including Signal and WhatsApp — have added end-to-end encryption for group text messaging since then, although not at the scale that runs on Telegram’s platform.

Digital rights experts say using end-to-end encryption between users as the default is important for those most at risk. 

“End-to-end encryption is a vital tool for civil society,” according to Tackett. 

“Having end-to-end encryption available by default eases the security burden for people operating in volatile situations like the one unfolding in Ukraine, where capacity is limited to double check security settings for each individual conversation,” she said.

However, end-to-end encryption isn’t a cure-all: it still leaves the content of your messages vulnerable if the devices people are using to access the conversation are compromised, or if someone you’re communicating with is forced to unlock their device. 

That’s why other tactics, such as using entirely new burner devices and pseudonyms unconnected to your normal identity could be important for those organizing against the invasion, Callas said.  

Similarly, setting messages to automatically disappear or expire — a feature available in Signal — is important for protecting vulnerable populations such as journalists and their sources from persecution by authoritarian regimes. 

This has also become an issue for everyday Russians during the war, who are living in a heavily-monitored digital ecosystem where dissent is harshly punished — and recent reports suggest police are stopping individuals on the street to visually inspect messages in Telegram.

The crypto wars continue

The tension between law enforcement access to communications versus individual rights to privacy and the collective civil right to organize have been at the center of the policy debates known as the “crypto wars” over who should have access to the most secure ways to digitally encrypt data and communications for decades — even as experts warned that building so-called “backdoors” into encryption also compromised the security of the internet infrastructure much of the world now relies on for critical tasks.

In recent years, civil liberties advocates have pushed for technical tools as a way to circumvent censorship and organize against authoritarian governments while those same regimes gained increasing access to sophisticated surveillance tools that can allow them to target political dissidents, activists, and journalists.

While Twitter was the focal point of many early discussions about organizing during the Arab Spring protests in the early 2010s, Telegram has since climbed in popularity. It was used to organize 2018 anti-government protests in Iran, 2019 Hong Kong protests against a new extradition bill, and 2020 protests in Belarus against dictator Alexander Lukashenko.

The app helps activists to coordinate in groups of up to 200,000 people, while WhatsApp’s limit is 256 members and Signal currently maxes out at 1000 users.

Telegram’s social media-like architecture also allows people to publish news, film videos, or send geographic locations on the spot.

Belarusian Telegram channel Nexta, for example, became the biggest Telegram channel in Belarus during the country’s 2020 protests and is now used by 1.7 million people.

“Amid the protests, Telegram was the only platform with real news — everything else was infused with propaganda,” said Tatsiana, a human-right activist from Minsk, who asked to go by her first name because “protecting human rights in Belarus under Lukashenko’s regime is equal to a crime.”

Apart from activists, Telegram has also gained a reputation for use by terrorists, criminals, and disinformation campaigns. Its popularity was, in part, due to the same reputation for security that is creating uncertainty for Ukrainians now.

The app was used to spread propaganda during the 2015 Paris attacks, to recruit criminals responsible for the massacre at the Christmas market in Berlin in 2016, and by right wing extremists in the U.S. — including some associated with the January 6, 2021 attacks on the U.S. Capitol.

Concerns about similar misuse and debates over the future of Signal Messenger — including its expansion into cryptocurrencies — stewed internally in recent years, as The Verge reported following the post-WhatsApp policy change surge.

Today, Ukrainians rely heavily on Telegram during the war, not just for news updates, but for what has now become practical safety advice on how to do things such as make a Molotov cocktail, spot Russian saboteurs, or behave during a shelling.

On the first day of the invasion, Telegram experienced “an unprecedented traffic” spike, according to Durov. Some users had problems accessing the app.

But days later on Feb. 27, Durov wrote that if the war escalates, Telegram will consider restricting access to the app “in the countries involved in a conflict.”

Users were outraged and later that day Durov crossed out this sentence and said that Telegram will continue working as usual. However, he also encouraged users from Russia and Ukraine to be suspicious of any data that is distributed in Telegram.

“We do not want Telegram to be used as a tool that aggravates conflicts and incites ethnic hatred,” Durov said.

Rumors and misinformation spread over social media have had tragic outcomes in the past, including in Myanmar, where The New York Times reported that the Rohingya genocide was inflamed by false information spread via Facebook.

People in Russia and the region were also bombarded with Pro-Kremlin propaganda and misinformation before the latest campaign against Ukraine and the Russian government has cracked down more aggressively on dissent as the invasion progresses.

One of the false rumors and apparent online influence campaigns in the early days of the war involved a Telegram account impersonating Zelensky that urged Ukrainian armed forces to surrender, Agence France-Presse reported.

The account reached 20,000 followers before it was taken down, according to AFP. 

The Signal app, too, said it was targeted by what it believes was a “a coordinated misinformation campaign meant to encourage people to use less secure alternatives” in a Twitter post where it denied rumors alleging it was hacked. 

https://twitter.com/signalapp/status/1498437476058374149

Deciding who to trust 

Some Ukrainians are worried that Telegram could be dangerous because its founders are Russians. 

Durov denied that. 

“I no longer live in Russia, no longer have any companies or employees there. But one thing remains the same — I stand for our users no matter what. Their right to privacy is sacred. Now — more than ever,” he wrote last week.

Durov wrote that his mother’s relatives were born in Kyiv and that he would never betray Ukrainian users.

Russia banned Telegram in 2018 when Durov refused to abide by the so-called Yarovaya law that required Telegram to provide users’ encryption keys to Russia's Federal Security Service, the FSB, upon request.

In a Telegram post last week, he wrote that his removal from VK in 2013 came after the Russian security agency FSB demanded he “provide them the private data of the Ukrainian users of VK” protesting against Ukraine’s then Russian aligned leader, Victor Yanukovych, who was deposed the next year in a popular uprising and later convicted of treason.

“I refused to comply with these demands, because it would have meant a betrayal of our Ukrainian users. After that, I was fired from the company I founded and was forced to leave Russia,” Durov said, referring to his exit from his prior company.

However, Russia lifted a ban in June 2020 because Telegram had reportedly found a way to “catch and delete extremist and terrorist content" on the platform.

Now amid the war, many Ukrainians started to distrust the app and switched to alternatives — Signal for personal communication and Slack, which does not offer end-to-end encryption for communications between users, for corporate chatter. 

“My son was asking me about the bomb shelters and airstrikes, but I was afraid to tell him on Telegram and just sent an SMS,” Oksana Kravchuk, a resident of Kyiv, told The Record. 

Now she and her son use Signal, but Kravchuk said she misses the Telegram experience.

Meanwhile, Meta — which recently saw a drop in overall users — made steps to expand end-to-end encryption availability to users in the region, even as access to its services is increasingly disrupted in Russia.

On March 1, the company made end-to-end encryption available for direct messages on Instagram.

This, along with other moves, led the Russian government to designate Meta as an “extremist organization” and order a ban of Instagram on March 14.

Russia previously blocked Facebook earlier in the month in response to restricted access to local state-controlled media. Although Russians may still be able to use these social networks through censorship circumvention tools like Virtual Private Networks, that may also put them at risk if discovered.

Meta, in turn, “will continue to do everything” to restore its services in Russia, according to Nick Clegg, Meta’s president for global affairs.

Meta doubled down on privacy after the Cambridge Analytica disclosures revealed how its Facebook products exposed user information and could be used to manipulate public opinion with misinformation.

Meta, Telegram, and Signal all also have a financial stake in recruiting users now. Signal integrated in-app payments using MobileCoin — a cryptocurrency with ties to founder Marlinspike — last year. Telegram (which has also experimented with cryptocurrencies) announced plans in November to allow limited ad offerings in certain public channels — not so dissimilar to the small business Tkachuk ran before the invasion.

The reaction to WhatsApp’s policy change and other moves by major tech companies, including Microsoft and Google to incorporate it in products, shows the strong market for end-to-end encryption.

However, the latest push for more secure messaging options in response to the Russian invasion also comes as the world is weighing proposals that raise questions about the legality of technical privacy through encryption, including a law being challenged by Meta in India and the EARN IT Act proposal in the U.S.

But more urgently, people in Ukraine are struggling to stay secure as Russian forces physically take over towns including Kharkiv and Mariupol — at times appearing to cut off the very networks those apps rely on to help Ukrainians stay connected during the crisis and share what is happening with the world. 

“I've never been a fan of social media. But now it is the only window to the world,” according to Kravchuk.

On March 14, Russian troops attacked a TV tower near her town in western Ukraine, leaving the nearby villages without radio or television. Kravchuk learned about it from a news channel on Telegram.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

Andrea Peterson

Andrea Peterson

(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.