Iran today joined Russia in announcing that it would implement a block on Telegram, the popular encrypted messaging app.
Although it cited Telegram’s use by ISIS terrorists who attacked Tehran last year, the Iranian government has long been unhappy with Telegram’s role in organizing political dissent against the authoritarian regime.
Even before the current ban, the government required Iranian citizens by law to register Telegram channels with more than 5,000 followers with the Ministry of Culture and Islamic Guidance.
Some 2,000 channels were registered in this way, but it was clear that future restrictions were on the way when Supreme Leader Ayatollah Ali Khamenei shut down his Telegram channel and government employees were banned from using the app.
The block
Although ISPs have now been ordered to block Telegram, as of May 1, the app still appears to be working as normal in the region. It, therefore, remains to be seen how serious the government is about banning the messenger app.
Even if it is blocked by ISPs, Telegram is very resistant to such censorship as it can route traffic over the Amazon Web Services (AWS) and Google Compute Engine (GCE) cloud networks. In order to block it effectively, ISPs would also have to block access to these services. This is exactly what Russia has done, resulting in widespread disruption to the internet.
Again, whether the Tehran government is willing to go this far remains to be seen.
In response to the Russian ban, Telegram’s founder and CEO, Pavel Durov, was quick to point out that using a VPN is the only way to guarantee full access to Telegram.
What impact will this block have?
Telegram is extremely popular in Iran, with 40 million users. This is half the number of people in the country, and around 20% of all Telegram users in the world. It is popular because it is perceived to be highly secure and private, a notion no doubt fuelled by its wide-scale use by ISIL.
Iran does not have sophisticated censorship internet systems capable of obstructing the use of VPNs to unblock Telegram, so it is unlikely the ban will be very effective at preventing people from using the messaging app.
Telegram is not as secure as people Think
Telegram users should be aware, however, that the app is not as secure as its reputation suggests. Although all conversations are encrypted, they are not end-to-end (e2e) encrypted by default.
End-to-end (e2e) encryption allows for private and secure conversations, as all messages are encrypted on the sender’s device. The messages can only be decrypted and read on the intended recipient’s device.
e2e encryption for Telegram is only available in the optional Secret Chat mode, which means that most regular conversations can theoretically be accessed by Telegram. Russia is leaning on Telegram to hand over its encryption keys, but founder, Pavel Durov, said that the company fully intends to protect its users’ privacy.
“At Telegram, we have the luxury of not caring about revenue streams or ad sales. Privacy is not for sale, and human rights should not be compromised out of fear or greed.”
This is privacy by choice, not by design.
Telegram’s use of its own non-standard MTProto encryption protocol has also been strongly criticized by cryptography researchers, and its use of closed source binary blobs in its otherwise open source code has drawn criticism.
Iran’s crackdown on Telegram messenger is concerning because it demonstrates a growing authoritarianism on the part of the Iranian government. Even if it is willing to follow Russia’s lead in crippling large sections of the internet in order to enforce its ban, however, use of VPNs will likely ensure that most Iranians will still be able to use the app.
ProPrivacy Analysis
Given the repressive nature of the Iranian government, I do not think Telegram is secure enough to guarantee the safety and privacy of its users there. The open source Signal app, on the other hand, is widely praised by privacy experts as a more secure alternative. I therefore recommend that Telegram users in Iran consider switching to the more secure Signal Messenger instead.