Telegram Loses Supreme Court Appeal In Russia, Must Hand Over Encryption Keys (bloomberg.com)
Telegram has lost a bid before Russia's Supreme Court to block security services from getting access to users' data, giving President Vladimir Putin a victory in his effort to keep tabs on electronic communications. Bloomberg reports: Supreme Court Judge Alla Nazarova on Tuesday rejected Telegram's appeal against the Federal Security Service, the successor to the KGB spy agency which last year asked the company to share its encryption keys. Telegram declined to comply and was hit with a fine of $14,000. Communications regulator Roskomnadzor said Telegram now has 15 days to provide the encryption keys. Telegram, which is in the middle of an initial coin offering of as much as $2.55 billion, plans to appeal the ruling in a process that may last into the summer, according to the company's lawyer, Ramil Akhmetgaliev. Any decision to block the service would require a separate court ruling, the lawyer said.
Putin signed laws in 2016 on fighting terrorism, which included a requirement for messaging services to provide the authorities with means to decrypt user correspondence. Telegram challenged an auxiliary order by the Federal Security Service, claiming that the procedure doesn't involve a court order and breaches constitutional rights for privacy, according to documents. The security agency, known as the FSB, argued in court that obtaining the encryption keys doesn't violate users' privacy because the keys by themselves aren't considered information of restricted access. Collecting data on particular suspects using the encryption would still require a court order, the agency said.
This is chilling... (Score:5, Insightful)
Telegram wasn't properly secure anyway. (Score:2, Interesting)
Telegram is not secure by default, but requires you to start a secure chat separately. Which requires both users to be online and enable it at the same time. Something that I never got going with anyone. So it was already pretty useless, as compared to Signal.
Also, its own custom security protocol was more than a little sketchy to me. I don't trust any random person to get security properly right. There are far too many caveats for me to trust somebody with their custom solution. It would have to be proper
Re: Telegram wasn't properly secure anyway. (Score:2, Insightful)
Signal is no more secure.
Still passes through their servers, controlled by them, single point of failure, single target to ddos, single target to take hack and inject mitm.
We need decentralization. It's actually quite easy to do with cryptographic whitelists, and offline methods for keysharing.
Been working on my own solution to this problem over the past year or so.
Wrong. Signal is the gold standard (Score:5, Insightful)
To say Signal is equal to default Telegram is ridiculous. Telegram uses a master key by default; Signal uses ephemeral keys and forward secrecy.
Saying that it is not secure because it "passes through their servers" is like saying Tor isn't secure because it passes through someone's servers. Everything passes through someone's servers; that's how the internet works. The point of having FOSS in your client and encryption protocol is so that it doesn't matter that it's passing through someone else's servers.
You are confusing encryption/security with centralization/federation; they are NOT the same thing.
Everyone should use Signal.
Re: (Score:2)
Everything passes through someone's servers; that's how the internet works.
That is nonsense.
The only "server" would perhaps be a DNS request.
You are confusing encryption/security with centralization/federation; they are NOT the same thing.
That is correct.
Re:Wrong. Signal is the gold standard (Score:5, Funny)
Yeah, all those so-called "hops" are just a hoax put forth by conspiring internet providers.
Re: (Score:2)
Only if you consider a "server" to be the same as a "router" (which may be reasonable when talking about security).
Re: (Score:2)
Re: Telegram wasn't properly secure anyway. (Score:4, Funny)
Blockchain! Blockchain! Blockchain!
Re: (Score:1)
Congratulations, you just invented a chain of blockchains. I suggest you name it blockchainchain.
Re: (Score:2)
Re: (Score:3)
You still have to worry, even outside of Russia.
How long until Telegram users start to receive messages offering _not_ to expose the messages they thought were private to their [boss/partner/police] in exchange for a small sum? Don't have those sorts of message? For only as little extra you do, now.
Re: (Score:3)
So you trust a private for profit corporation, with its for profit executive team and the cheapest staff they can possibly find, more than the Russian government, kind of foolish, don't you think? At least you sort of know where you stand with the Russian government, although the world has never experienced a technocracy before and it should be interesting (democratic among the technocrats, not quite so democratic for the rest, Putin and Co created it, most of the corruption was in local government and less
Re: (Score:2)
So you trust a private for profit corporation
Who? Telegram is a non-profit company.
Re: (Score:2)
So you trust a private for profit corporation
Where in anything I said, did I say or even imply that?
I warned friends off Telegram from the outset, because a) messages went through their servers and b) their closed source encryption and/or implementation was home grown. Private company or government run, centralised and closed source are deal breakers if what you want is an encrypted communication tool. I pointed out that it would be too easy for old messages to be recovered and decrypted, either by a third party or the company itself, should it go thr
Re: (Score:2)
Hopefully she'll be authorized to bribe me with actual sex if my wife doesn't believe her story!
Assumed immunity (Score:2, Interesting)
Re: (Score:1, Insightful)
Lord Acton almost got it right.
Impunity corrupts, and absolute impunity corrupts absolutely.
Re: (Score:1, Insightful)
Re:Assumed immunity (Score:5, Interesting)
Re: (Score:2)
Not with Telegram or its current implementation. It's a cloud based IM which has a single encryption key. All your data is stored in the cloud. P2P chats in Telegram are ostensibly end-to-end encrypted but they are so inconvenient, few people actually use them. You cannot backup them, you cannot save them.
Re: (Score:1)
They probably already do and have been doing it for a while. But since the Russian government has a much firmer grip on everything below them than what you'll usually find in the West, these measures are not equally effective. Spending 'proportionate' resources would probably not even scratch the surface.
Next Step (Score:5, Informative)
Remember Blackberry? (Score:1)
Looking at what Paypal and Facebook are doing, you wonder if the brothers haven't already sold it many many times over in private. There seems to be a big market in private data and no consequences for selling it.
Remember Blackberry and its FBI friendly backdoor into its own encryption?
In their heads they thought the good guys would only get access for catching terrorists. Yet here Putin gets it for catching protestors, witnesses, interfering in elections worldwide, finding the location of people to nerve
Re: (Score:2)
Seems like they're kind of late for that. There are some decent options out there like TOX and many others.
Re: (Score:1)
Our president just congratulated Putin (Score:5, Interesting)
It genuinely frightens me that we're so quick to support dictatorships. Everybody's looking the other way because they want Russia's gas & oil. Then again I've got to drive to work every day the same as everybody else...
Re: (Score:2)
Re: (Score:2, Troll)
It genuinely frightens me that we're so quick to support dictatorships
Ever since the US began empire building in the 19th century, your government has been creating and supporting dictatorships, because they're easier to manage.
Have a quick read up on the history of Guatemala, the country where it was illegal for local people to own land, in case it interfered with the profits of United Fruit.
Then the CIA overthrew the democratically elected government in 1954 because they gave unused land to peasants to farm, which smelt like communism to Ike.
Re: Our president just congratulated Putin (Score:1)
Yes, the United Fruit Company besides exploiting the people of Guatemala did seize property at gun point as well.
They were kicked out for good reason.
The US sponsored coup continued the abuses.
Re: (Score:3)
You think the US got involved in Guatemala because of fruit?
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: Our president just congratulated Putin (Score:2)
Thanks, I stand corrected; the rallying cry of these particular idiots isn't "no war for pineapples" but rather "no war for bananas".
Re: (Score:2)
Now you pointed out that you are a complete idiot ...
God save america
Re: (Score:2)
Re: (Score:1)
Two things:
1) The biggest oil and gas suppliers to the USA are: https://www.eia.gov/dnav/pet/pet_move_impcus_a2_nus_epc0_im0_mbblpd_a.htm [eia.gov]
I'll save you some time and tell you that it's Saudi Arabia, Canada and Mexico :P the two countries you are currently trying to start shit with. Russia does not make the top 10.
2) As a Canadian, I pay $1.55/L for gas today and I still drive, the world didn't end, etc.
Gas in your car has nothing to
Re: (Score:2)
It genuinely frightens me that we're so quick to support dictatorships....
Yes #metoo. You guys voted in Trump. And you seem to have given your president the power to kick out everyone in his government that disagrees with him or his views, and replace them with others more to his liking.
In most western countries, if the prime minister/president/supreme overlord would kick out ministers and other people in the government because he does not like their opinions, or they disagree with him, or whatever, and nominate his pals instead, iterate until happy, well people might say that lo
Re: (Score:2)
It genuinely frightens me that we're so quick to support dictatorships....
Yes #metoo. You guys voted in Trump. And you seem to have given your president the power to kick out everyone in his government that disagrees with him or his views, and replace them with others more to his liking.
In most western countries, if the prime minister/president/supreme overlord would kick out ministers and other people in the government because he does not like their opinions, or they disagree with him, or whatever, and nominate his pals instead, iterate until happy, well people might say that looks a lot like dictatorship.
Trump can be voted out. Putin can't be voted out. You don't get the difference?
Re: (Score:2)
Trump can be voted out.
Maybe. But what happens when the next election comes up, Trump calls his opponent a crook, claims the whole election is rigged and most Democrat voters are undocumented immigrants etc.
Be very, very vigilant.
Re: (Score:2)
Trump can't be voted out.
He can lose the next election, just like Putin can. And that's it.
Re: (Score:2)
It genuinely frightens me that we're so quick to support dictatorships....
Yes #metoo. You guys voted in Trump. And you seem to have given your president the power to kick out everyone in his government that disagrees with him or his views, and replace them with others more to his liking.
In most western countries, if the prime minister/president/supreme overlord would kick out ministers and other people in the government because he does not like their opinions, or they disagree with him, or whatever, and nominate his pals instead, iterate until happy, well people might say that looks a lot like dictatorship.
I'm no big fan of the American government system, but this isn't equivalent at all. Most western countries don't have the strict branches separation that the US has, so the POTUS shaping his team (badly) as he sees fit is not affecting the other branches, which if they had a backbone, could stand up to it. Other countries have internal teams that are shaped by the guy in charge too, the US executive is just very visible.
Re: (Score:2)
How does it work in a parliamentary system? The prime minister can't hire and fire as he pleases? On a side note, there is exactly one person in the executive branch who the president cannot fire, and that is the vice president.
Re:Our president just congratulated Putin (Score:4, Interesting)
Where was your outrage when Obama did the exact same thing?
Re: (Score:2, Flamebait)
Where was your outrage when Obama did the exact same thing?
That was before the invasion and annexing of Crimea, as well as other aggressive acts from Putin. That's not going to matter to you of course, because you're a dickhead incapable of nuanced thought.
Re: (Score:2)
Only, it's not a dictatorship. Not yet.
The election wasn't rigged, the results truly represent what the average Russian believes in and voted for. Does it suck? of course it does. Is there anything you can do to change it? Nope. I mean, hell, look at the other candidates. Jirinovski is an extremist nutcase. Ksenia is a run-of-the-mill TV-star-turned-politician using the election process and her candidacy for further boosting her personal career, everything-be-damned.
You really need to research and find out
Re: (Score:3)
The election was obviously rigged, just as the previous one. There are enough videos that show it.
There is no doubt that Putin would have won the election either way, but the real numbers wouldn't be nearly as impressive.
There is actually a Russian meme about election rigging, called "146%", which was the voter turnout for the Rostov region for the 2011 parliament elections. A few other regions also had their voter turnout higher than 100%.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
It genuinely frightens me that we're so quick to support dictatorships. Everybody's looking the other way because they want Russia's gas & oil.
Congratulating someone on their victory does not equate to support. That's the kind of thing people who hate each other do in public to give the pretense that everything is okay. The USA doesn't give a shit about Russia's oil and gas. They have their own. What the USA (and much of the rest of the world who congratulated Putin on his farce yesterday) does give a shit about is not souring relationships with a large foreign power. The world is better for fake smiles than it was from the 50s to the 90s.
That is
Re:Obama congratulated Putin in 2012 (Score:2)
http://foreignpolicy.com/2012/... [foreignpolicy.com]
That's what Presidents do. You don't burn bridges unnecessarily.
Re: (Score:2)
Re: (Score:2)
"President Barack Obama has now officially endorsed..."
But you know that isn't the same. You're being disingenuous.
Re: Our president just congratulated Putin (Score:2)
But you know that isn't the same.
Of course not. Obama was a democrat. That makes it like 100% different.
Re: (Score:1)
But it wasn't the same thing when Obama did it. Obama did it because it was diplomatic. Trump did it because he had to thank them for forcing Facebook to make people vote for him.
Re:Our president just congratulated Putin (Score:4, Insightful)
This is why perfect forward secrecy is needed (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
A properly designed secure messaging app would make this impossible. The protocols to implement this are not difficult.
If that is true, why does not one exist? Or, if one or more do, can you provide a link?
They do exist. OTR [cypherpunks.ca] is an example, but it is a plug-in for desktop computer based messaging systems. I'm not as familiar with what is available in the mobile world. It should, in theory, not be difficult to implement.
Re:This is why perfect forward secrecy is needed (Score:5, Informative)
Signal has had perfect forward secrecy since at least 2013 https://signal.org/blog/asynch... [signal.org]
https://en.m.wikipedia.org/wik... [wikipedia.org]
Given that WhatsApp uses the same Signal protocol as Signal itself, I would expect it to have perfect forward secrecy as well. But being owned by Facebook, I don't trust WhatsApp anyway.
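An added illustration of the forward-secrecy point argued in this thread; it is not part of any comment and is not Telegram's, Signal's or OTR's actual protocol. It records one session under each of two constructed designs (session key derived from the provider's long-term key, versus ephemeral keys with the long-term key used only for signing) and then checks what a later disclosure of the long-term private key recovers. Assumptions: a toy Diffie-Hellman group, an HMAC-based stand-in cipher, and hypothetical function names throughout.

```python
import hashlib
import hmac
import secrets

# Assumption: toy Diffie-Hellman group (Mersenne prime 2**521 - 1, generator 3)
# so the example needs only the standard library. Not a vetted group.
P, G, NBYTES = 2**521 - 1, 3, 66

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(shared):
    return hashlib.sha256(b"session" + shared.to_bytes(NBYTES, "big")).digest()

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode, standing in for a real AEAD cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce, ct, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, box):
    nonce, ct, tag = box
    want = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None  # wrong key or modified ciphertext
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(r.to_bytes(NBYTES, "big") + msg).digest(), "big")

def sign(priv, msg):
    # Schnorr-style signature in the toy group; exponents are reduced mod P - 1.
    k, r = keypair()
    return r, (k + _challenge(r, msg) * priv) % (P - 1)

def verify(pub, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(pub, _challenge(r, msg), P) % P

def static_key_session(server_pub, message):
    """Design A: the client encrypts to the provider's long-term public key."""
    c_priv, c_pub = keypair()
    box = seal(session_key(pow(server_pub, c_priv, P)), message)
    return {"client_pub": c_pub, "box": box}  # everything a wiretap records

def ephemeral_session(server_priv, message):
    """Design B: fresh keys on both sides; the long-term key only signs."""
    c_priv, c_pub = keypair()
    e_priv, e_pub = keypair()
    sig = sign(server_priv, e_pub.to_bytes(NBYTES, "big"))
    box = seal(session_key(pow(e_pub, c_priv, P)), message)
    del c_priv, e_priv  # ephemeral secrets are discarded when the session ends
    return {"client_pub": c_pub, "server_eph_pub": e_pub, "sig": sig, "box": box}

def decrypt_with_disclosed_key(server_priv, record):
    """What a holder of the long-term private key recovers from a recording."""
    for pub in filter(None, [record["client_pub"], record.get("server_eph_pub")]):
        plain = unseal(session_key(pow(pub, server_priv, P)), record["box"])
        if plain is not None:
            return plain
    return None

def demo():
    s_priv, s_pub = keypair()  # provider's long-term key pair
    msg = b"constructed sample message"
    rec_a = static_key_session(s_pub, msg)
    rec_b = ephemeral_session(s_priv, msg)
    sig_ok = verify(s_pub, rec_b["server_eph_pub"].to_bytes(NBYTES, "big"), rec_b["sig"])
    return (decrypt_with_disclosed_key(s_priv, rec_a),
            decrypt_with_disclosed_key(s_priv, rec_b), sig_ok)

if __name__ == "__main__":
    print(demo())
```

In design B the disclosed key still lets its holder sign new ephemeral keys, so it protects recorded past sessions only; future sessions need the long-term key rotated.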
Re: (Score:2)
Threema.
But Threema is extremely unreliable in sending/receiving messages. Sometimes it takes days till a message is delivered. Completely worthless in day to day communication.
Re: (Score:1)
A properly designed secure messaging app would make this impossible. The protocols to implement this are not difficult.
If that is true, why does not one exist? Or, if one or more do, can you provide a link?
Are you asking why the protocol does not exist, or why no easy-to-use service exists that makes use of them?
The protocols do exist. Other comments link to them.
No easy-to-use service exists because there is no way to profit from it. The service provider can't target ads if they can't see the content. They can't charge to use the service, because people use whatever service their friends are on. That will be the service that grows fast, and charging people an entrance fee slows growth.
Re:This is why perfect forward secrecy is needed (Score:4, Interesting)
Re: (Score:3)
GP's reasons are exactly why I haven't heard of it.
Re: (Score:2)
No easy-to-use service exists because there is no way to profit from it.
Well, there are services, but like WhatsApp they aren't very popular. /sarcasm
Re: (Score:2)
If that is true, why does not one exist?
Because business can't monetize the content of users' secure communications.
Re: (Score:2)
Businesses are not interested in putting money into services that they would not be able to control completely. Secure communication protocols exist, but no one would invest enough money to push them into mass usage.
On top of that, any such service would be seen as a national security threat by US TLAs and by other Western nations' security agencies and pressure would be applied to either compromise it or kill it.
Strat
Re: (Score:1)
(even though it is pointless there, as the tunnel is between a closed-source app made by Facebook employees and Facebook-owned servers).
Don't say it's 'pointless'. Just like Google's strident advocacy of "https everywhere", this prevents third parties from doing MITM stuff and injecting content that Facebook doesn't profit from.
Vladimir Putin keeping tabs on electronic communic (Score:2)
Is this anything like the FBI taking Apple to court to hack a suspect's iPhone? The whole thing being most probably a scam as the FBI already has a backdoor into Apple and Microsoft and Dell.
Obviously (Score:3)
That's what I'm thinking. The FBI makes this big show of going to court in an effort to secure the right to do what? Get access to Apple's key? No, to try to force Apple to build decryption tools. The FBI said it could ask for Apple's signing key... but they didn't. Obviously they already have that? Why would you assume Apple can keep their key secret from agencies that can put insane pressure on any employee they decide to?
No. Assume that all the three letter agencies already have the keys, they just don't
Re: (Score:2)
A signing key only signs.
It is in no way relevant for the encryption itself.
Re: (Score:2)
If you want to load software on the phone, you need to sign it with the key. If you can do that, you can switch the boot loader so that it compromises the encryption.
Re: (Score:1)
The whole thing was a marketing scam by Apple. "Look, we have secure phones. The FBI rants about them."
Re: (Score:2)
Putin's victory (Score:2)
Telegram has lost a bid before Russia's Supreme Court to block security services from getting access to users' data, giving President Vladimir Putin a victory in his effort to keep tabs on electronic communications. Bloomberg reports
This is Putin's victory, because of course, Putin took care of the case on its own. Perhaps he even did it without an attorney.
Re: (Score:2)
Re: (Score:2)
I was going to say you should try arguing against real points of view
Well, I tried to point with some irony that we are presenting a whole country as being just its leader, which is of course evil.
When an allied country wins over its opponents in court, we do not call it a <insert leader's name> victory.
Step forward and read the lines -- in English (Score:3)
Hand me the keys, you F**king c**ksucker
Distributed messengers is the way to go (Score:5, Insightful)
Most (all?) commercial messengers have a problem of being centralized. Block a few servers and the messenger is dead. Compare Telegram or WhatsApp to generic email. A dictator can easily block messengers, but can't block email in general. It can block, say, Gmail or Yahoo mail but blocking individual email servers is much harder. Messengers need to move to the same model. We need something like https://github.com/tinode/chat [github.com] to run our own servers. We need 1000s of telegrams and whatsapps running a distributed federated messaging network.
Re: (Score:1)
XMPP [wikipedia.org] looked like it was going to be that for a while. Then Google decided to stop federation. There's also Matrix [wikipedia.org] which is a newer project trying to do that. Both support a concept of bridging to other protocols so you can use XMPP/Matrix on your side and set it up to log into your accounts on other IM systems to make the transition smoother (i.e. you don't have to convince all of your contacts to switch at once). Of course, you can also do that part with multi-protocol IM clients like Pidgin [wikipedia.org] to log into mu
XMPP is the way to go (Score:2)
Just because Google and others are too stupid to use it, does not mean we have to be. I force my family to use XMPP apps (there are many) and GPG. They complain. I don't care.
Recently my XMPP service provider disappointed me, so I just moved my domain to a different provider, just like I can do with email. Bam. Done.
Re: (Score:2)
Really? Like blocking TCP port 25? Tell us another joke.
Re: (Score:2)
And how exactly can the government or anyone else block the port 25 on your computer or phone? ...
Idiot
Re: (Score:2)
They can force ISPs and cell providers to block it at the router level.
Re: (Score:2)
Based on which law?
And you do know that ports are kinda arbitrary?
Re: (Score:2)
Based on which law?
And you do know that ports are kinda arbitrary?
Your original question was: "And how exactly can the government or anyone else block the port 25 on your computer or phone?" The answer is the government would pass a law banning the port (or protocol): that's how governments ask people to do things.
Re: (Score:2)
And then I move to another port ... like everyone else.
And that would anyway only affect the country where that government is ruling over.
So no: no one can simply block an arbitrary port on the internet.
Re: (Score:2)
Well said. People making laws often have no clue about the technical details, so some stupid laws get made (thus we have sites everywhere with a "we use cookies" overlay.)
I have decided that the best way to explain to people how difficult it is to control the internet is to point out that people in China use The Pirate Bay. If you can't block a site that most countries want to block even in a country that firewalls their whole internet, the likelihood that your local congress critter or equivalent can fix a
Re: (Score:2)
Do you know of any country which successfully blocked email short of closing down all of internet, like North Korea? I know quite a few countries which blocked WhatsApp, and FB, and YouTube.
Email works on a specific port (25 or 465 or 587) because changing it is a hassle, not because it's technically difficult. Nothing prevents a new protocol from working on a random port like torrents or to be tunnelled through HTTP(S).
My point is that instant messaging should move away from proprietary walled gardens.
Re: (Score:2)
Re: (Score:2)
They can always do this if they are after you specifically. But they can't go fishing for Enemies of the State. Not unless they want to go kicking in every door in town.
Snowden (Score:1)
If the British confirm that Kremlin was behind the poisoning of the Russian ex-spy double-agent, I am afraid the CIA will have to poison Snowden in retaliation
can they now crack all messages way back? (Score:3, Interesting)
So assuming the Russians are like the NSA and have recorded much of the traffic for the past few years. How would that go for everyone who discussed Putin and his friends in the past over Telegram "secure" chat? How does Telegram handle the keys, can Putin and friends now just go and get the keys for all the past conversations and send in some accidents to everyone who disagrees with anything?
Re: (Score:1)
Or, they could use them to solve crimes like Bill Clinton's Clipper Chip. He wanted a backdoor into all encryption, and it would have protected the people had paranoid libertarians not stood against it. Things would be much better now if the government could spy on Trump supporters.
Re:Wow (Score:5, Insightful)
I heard Putin meddled in their election. I believe 76% like I believe 239 lbs.
Re: (Score:2)
Re: Wow (Score:2)
Re: (Score:2)
Ashcroft lost a Senate race to a dead man before becoming Attorney General for Bush. That's got to sting.
Re: (Score:2)
He didn't meddle in the election, he meddled in the opponents who were basically buffoons with no presidential campaigns whatsoever and his only real opponent was barred from the election under the illegal premises.
There are only two ways for Putin to stop being a Tzar of Russia: either he will die from natural causes or he will be murdered. Democracy is basically a swear word in Russia. Russia had it just once in 1994 and only by chance.
Re: (Score:2)
See what happens if you question Putin's legitimacy?
If you lived in Russia you could expect worse but then you'd know better than to post such criticism under your username, or even as an a/c.
My understanding is that like so many countries, little guy criticizing is usually ignored.
Re: (Score:2)
It's hard to design a system that's completely lacking in vulnerabilities. It's not hard, however, to design a system where the vulnerabilities are only on the end-user devices. We already have cryptosystems that don't require you to publish anything that's not safely completely public, which makes key exchanges on a single network fairly straightforward. The only complex part is if you want arbitrary parties to be able to make contact without having any data in a central address book that could be used to
Re: (Score:2)
"Microsoft handed the NSA access to encrypted messages" (12 Jul 2013)
https://www.theguardian.com/wo... [theguardian.com]
In Russia they still have to wait and see what brands trend in the market and then ask for decryption.