Pluralistic: 05 Mar 2022

Today's links

EFF's mobile security banner, featuring black silhouettes of people walking back and forth with white icons of mobile phones in their pockets. The phones are joined by white lines.

How to be safer while using Telegram in Russia and Ukraine (permalink)

Those of us with roots in Ukraine and Russia have a somewhat different picture of events as they unfold. In addition to viral videos, OSINT, pundits, and even sensible commentary, we're also part of heartbreaking conversations with our families.

My own roots are in Russia, Ukraine, Poland, Belarus and Romania. The messages I've received from my cousins aren't for public consumption, but suffice to say they've been haunting and frightening.

I'm hardly unique. The post-Soviet diaspora sent people from the region all over the world. My EFF colleague Eva Galperin is one such person. As someone with roots in the conflict zone who is also EFF's Director of Cybersecurity with a long history of fighting for the digital rights of vulnerable people, there's no one I pay more attention to when it comes to personal security and digital technology in this conflict.

Eva has just published EFF's guide to "Telegram Harm Reduction for Users in Russia and Ukraine." It's extremely timely, given the central role that Telegram channels have played in both the domestic discussions in Ukraine and Russia, and the international picture of events as they unfold:

As with any security discussion, this one begins with understanding what a user might want to be secure from, and what they want to be secure to do. Telegram has some strengths in the regional context, but also some significant weaknesses.

If you're a Ukrainian in Ukraine, your first priority is often physical security. You might decide to trade off perfect secrecy – including from Telegram itself – for access to news and communications with the people you care about.

But some Ukrainians are in more sensitive contexts and need to know that their telecoms are secure from insider threats (hypothetical untrustworthy Telegram employees), government warrants, or Telegram itself.

If that's your worry, Telegram has some significant problems, some of which you can address by overriding its defaults, and others that can only be addressed by using a more secure alternative like Signal or Whatsapp.

What are those problems? Telegram channels and groups (including private groups) aren't encrypted "end to end," which means Telegram itself has access to messages in those groups. Telegram might be compelled to reveal those messages (though they have an admirable history of standing up to Russian orders to do so). What's more, there's no way to set group/channel messages to auto-delete after a fixed interval, which means the data will linger on Telegram's servers and on group participants' devices, which might be seized or hacked.

Telegram's private, one-to-one chats are not encrypted by default. To turn this on, users must select "secret chat" in the app when they start a conversation (you should do this). Even with encryption on, Telegram can see "metadata" about the chat: who is talking to whom and when. That may seem low-risk, but figuring out the contents of chats from metadata is easier than you think:

Another important risk to Ukrainians is account takeover attacks. This is especially salient if you're running a high-profile group/channel or participating in a private group with sensitive information.

Securing a Telegram account involves many of the same steps we should all use for all our accounts:

  • Use strong passwords that are different for every service, and use a password manager to track all those passwords:

  • Use two-factor authentication to protect your account, and make sure you have a different strong password for the email address used for that 2FA:

If you are concerned about having your phone seized by hostile parties who might coerce you into unlocking it, you should set your private chat messages to "self-destruct" (auto-erase) within a short timeframe. Again, this is not available for Telegram channels or group chats, be they private or public.

Russians using Telegram need to consider that communications breaches could lead to arrest, violence or state intimidation. Russians practicing independent journalism and/or opposing the war (especially in public demonstrations) face significant risk. These people need to guard against device seizures, account takeovers, and other hack attacks.

Because Russians in Russia are further from the immediate physical peril of the conflict, they may have the time and resources to secure their communications, especially group communications. The best way to do that is to switch to apps with more group security than Telegram, like Signal/Whatsapp or Threema/Wire, which don't require a phone number to sign up and don't link your account to your phone number.

Russians who are worried about device seizures can use disappearing messages (which are available for group comms on some of these other apps) to mitigate this risk.

Eva notes that due to sanctions and Russian state censorship, it can be hard for Russians to install some of these apps. Russians who must use Telegram, or choose to do so, can refer to the advice for the Ukrainian context.

Remember that security compromises can come from your counterparties. Your device might be secure, but if the people you communicate with are compromised, the messages you send to them might also be exposed. Or, as Eva puts it: "Security is a team sport and it only works when we look out for one another."

(Image: EFF, CC BY 3.0)

Hey look at this (permalink)

This day in history (permalink)

#15yrsago Cheap Laffs: the history of the gag

#10yrsago UK police/spies colluded with giant construction firms to build illegal blacklist database of whistleblowers, trade-unionists

Colophon (permalink)

Currently writing:

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Friday's progress: 508 words (69712 words total).

  • Vigilant, Little Brother short story about remote invigilation. Friday's progress: 286 words (4032 words total)

  • A Little Brother short story about DIY insulin PLANNING

  • Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION

  • Spill, a Little Brother short story about pipeline protests. FINAL DRAFT COMPLETE

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: The Internet Heist (Part II)
Upcoming appearances:

Recent appearances:

Latest book:

Upcoming books:

  • Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin, nonfiction/business/politics, Beacon Press, September 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Medium (no ads, paywalled):

(Latest Medium column: "All (Broadband) Politics Are Local: A Chance for Individuals to Make a Difference"

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla