Privacy

46649 readers

1406 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS

642

Signal Founder Moxie Marlinspike: Telegram is not private. There is nothing private about it. They've done a really amazing job of convincing the world that this is an encrypted messaging app (cdn.imgchest.com)

submitted 14 hours ago* (last edited 14 hours ago) by Wudi@feddit.uk to c/privacy@lemmy.ml

237 comments fedilink hide all child comments

“Telegram is not a private messenger. There’s nothing private about it. It’s the opposite. It’s a cloud messenger where every message you’ve ever sent or received is in plain text in a database that Telegram the organization controls and has access to it”

“It’s like a Russian oligarch starting an unencrypted version of WhatsApp, a pixel for pixel clone of WhatsApp. That should be kind of a difficult brand to operate. Somehow, they’ve done a really amazing job of convincing the whole world that this is an encrypted messaging app and that the founder is some kind of Russian dissident, even though he goes there once a month, the whole team lives in Russia, and their families are there.”

" What happened in France is they just chose not to respond to the subpoena. So that’s in violation of the law. And, he gets arrested in France, right? And everyone’s like, oh, France. But I think the key point is they have the data, like they can respond to the subpoenas where as Signal, for instance, doesn’t have access to the data and couldn’t respond to that same request. To me it’s very obvious that Russia would’ve had a much less polite version of that conversation with Pavel Durov and the telegram team before this moment"

you are viewing a single comment's thread
view the rest of the comments

[–] yogthos@lemmy.ml 6 points 8 hours ago (1 children)

You have to trust the people that wrote the code.

There's a big difference between having confidence in open source code that has been audited by many people, and knowing for a fact that the service collects specific information. In the former case, you can never be absolutely sure that the code is not malicious so there is always a risk, but in the latter case you know for a fact that the service is collecting inappropriate information and you have to trust that people operating the service are not using it in adversarial ways. These two scenarios are in no way equivalent.

Which is fine, but it’s a choice to trust them.

It's a choice to trust the entire open source community around the project and all the security researchers who have been looking at the code.

Frankly, I have trouble believing that you don't understand the difference here and are making your argument in good faith.

[–] daychilde@lemmy.world -1 points 8 hours ago (1 children)

Frankly, I have trouble believing that you don’t understand the difference here and are making your argument in good faith.

Let's back up to what I replied to in the first place:

You don’t have to trust anybody

I even took the time to quote that, because it's important.

Of course there are different levels of trust. But what you said is flatly wrong and misinformation, if you want to get technical about it. Arguing in bad faith? I beg your fucking pardon, friend.

Just becuase it's less likely to find nefarious code in open source doesn't mean it doesn't exist. There ahve been multiple cases of it found in open source code. Blindly trusting something because it's open source or you host it on your own server is a very very false sense of security, especially in the context of the larger discussion, which came about in regard to what information is exposed by certain messaging clients.

It's also a matter of the importance of what you're doing.

I wrote a little CRUD app a while back to track me giving my cat medication. I sanitized inputs, but I left it open without a login on my server, just an obscure URL that didn't get published anywhere. All you could do was click a button to indicate the cat had been medicated, or another button to delete the latest entry. That was plenty of security for that. If I was writing a banking app, I'd use a bit more.

So yes, in the same way as that, hosting something you use to chat with friends about whatever is one thing; trying to communicate secretly from a country where your comms might lead to being put to death is quite another. And in the latter case, it's important to know that no matter what you use, unless you wrote it or read all the source code, you are trusting others with your life. Perhaps you feel comfortable doing that, but you should be aware of it.

So no, this is not a discussion in bad faith at all, it is valuable on multiple levels.

[–] yogthos@lemmy.ml 2 points 7 hours ago (1 children)

I even took the time to quote that, because it’s important.

What's important is that you're quoting me out of context, and that makes all the difference. The actual statement you're replying to is:

You don’t have to trust anybody when you run your own server, or you use a server that doesn’t collect information it has no business collecting.

The fact that you proceed to quote me out of context and then accuse me of being wrong shows that you lack even a modicum of intellectual integrity. Then you proceed to make a straw man arguing against something I never claimed.

Just becuase it’s less likely to find nefarious code in open source doesn’t mean it doesn’t exist.

So yes, this is very clearly a discussion in bad faith, where you're arguing against a straw man while ignoring what I actually wrote. It's especially incredible since I even followed up with a more detailed explanation which you just ignored:

There’s a big difference between having confidence in open source code that has been audited by many people, and knowing for a fact that the service collects specific information. In the former case, you can never be absolutely sure that the code is not malicious so there is always a risk, but in the latter case you know for a fact that the service is collecting inappropriate information and you have to trust that people operating the service are not using it in adversarial ways. These two scenarios are in no way equivalent.

Do better.

[–] daychilde@lemmy.world -2 points 6 hours ago (1 children)

You can take your rudeness and bugger off. I'm done with you.

Make all the accusations you want. You think you're smart, but you are not.

[–] yogthos@lemmy.ml 2 points 6 hours ago

Ah yes clutching them pearls, when called out on outright lying.

Bye!