Updated: Durov boasts that Telegram employs «about 30 engineers» ─ security experts call this a «red flag» for users

Last weekend, X (formerly Twitter) posted a video of a recent interview with Telegram founder Pavel Durov. In the video, Durov tells Tucker Carlson that he is the only product manager in the company and that he only employs «about 30 engineers».

Updated on 26.06, 09:00 — a comment from a Telegram representative was added

Security experts say that while Durov was bragging about his company being «super-efficient», what he said was actually a red flag for users.

«Without end-to-end encryption, a huge number of vulnerable targets and servers located in the UAE? That seems like it would be a security nightmare»,” said Matthew Green, a cryptography expert at Johns Hopkins University.

Green was referring to the fact that Telegram chats do not have end-to-end encryption by default, like Signal or WhatsApp. A Telegram user has to start a «Secret Chat» to enable end-to-end encryption, which will make messages unreadable to Telegram or anyone other than the intended recipient. Many people also question the quality of Telegram’s encryption, given that the company uses a proprietary encryption algorithm created by Durov’s brother.

Lemme guess, none of these 30 staff include privacy or compliance people, and zero third-party audit is ever done to review potential security controls restricting access to users' data. "Please trust us" is not how security works. https://t.co/w7PBkU0TJR

— JP Aumasson (@veorq) June 22, 2024

“Let me assume that none of these 30 employees include privacy or compliance specialists, and no third-party audits are conducted to verify potential security measures that limit access to user data. «Please trust us» — security doesn’t work that way.”

At the same time, Eva Halperin, Director of Cybersecurity at the Electronic Frontier Foundation, said that it is important to remember that Telegram, unlike Signal, is much more than just a messaging app. It is also a social media platform, and it is based on a huge amount of user data.

«Thirty engineers» means that there is no one to deal with legal requests, no infrastructure to deal with abuse and content moderation problems»,” says Eva Halperin.

«Besides, if I were a threatening actor, I would definitely consider this encouraging news. Every attacker loves an opponent who is very short-staffed and overworked,» she added.

In other words, it is unlikely that Telegram will be very effective in fighting hackers, especially state hackers, with such a small staff.

Telegram did not respond to a request for information on whether the company has a chief security officer and how many of its engineers work full time to ensure the platform’s security.

Telegram comment

In a comment to ITC.ua, a Telegram representative clarified that the original TechCrunch article “is largely based on a misunderstanding of what Mr. Durov meant”:

“Telegram has 30 developers building the apps and its infrastructure, but Telegram’s core team is approximately 60 people. This team is intentionally small and filled with experts in their fields. As a result, Telegram can respond much faster than companies with huge teams and long chains of command”.

In addition to these 60 core team members, Telegram allegedly has separate moderation and abuse teams.

Also, a representative of Telegram specified that “they do not have data centers in the UAE, and user data is not stored there”, and anyone who has doubts about the encryption of the messenger can check it.

“Telegram’s encryption protocols are fully documented and its apps are open source. Any researcher can verify the integrity and implementation of Telegram’s encryption.”

Source: techcrunch