Telegram Privacy Nightmare: Don’t Opt In to P2PL

Avoid Telegram’s new “Peer-To-Peer Login” program if you value your privacy or your cellular service.

The Telegram messaging service has a new feature in testing: P2PL is a way for people to avoid the expense or exposure of SMS verification. Some countries charge an arm and a leg for text messages—and others block Telegram entirely.

And you can help people in those places! In today’s SB Blogwatch, we think we might not want to.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Steamed Hams as you’ve never heard it before.

Scary SMS Shenanigans

Did someone say, “privacy nightmare”? Hadlee Simons sure did—“It’s a privacy nightmare”:

A privacy nightmare, right there
Telegram is probably the most popular alternative to WhatsApp. … Now, it looks like the company is giving away Telegram Premium to a few users. … We’re glad to see a service offering users a way to gain access to a premium subscription, but it seems like the reward doesn’t outweigh the very serious downsides.

A so-called Peer-To-Peer Login program (P2PL) … sees Telegram using your phone number as a relay to send one-time PINs (OTPs) to fellow users via SMS so they can log in to the messaging app. … Unfortunately, you’ll be responsible for all SMS costs incurred, … including international texting costs. [Plus] recipients can see your phone number and you can see the recipients’ numbers. That’s a privacy nightmare, right there.

A privacy nightmare, you say? Ivan Mehta rolls with it—“SMS login service is a privacy nightmare”:

Massive issue of privacy
Telegram has introduced a controversial new feature … raising concerns about potential privacy risks and the exposure of personal information. [And] you might end up paying more through your phone bill than the value of Telegram’s premium membership.

There is a massive issue of privacy: [It] allows strangers to look up your number and use it for spam and fraud. Telegram allows users to hide their phone numbers from strangers, but [this] could allow them to look up your Telegram account.

Telegram Premium [has] features like transcription, exclusive stickers, reactions, and … Stories for paid users. However, users opting into the peer-to-peer login system have to think if giving out their phone number to strangers to save a few bucks is worth the hassle.

OK, OK, I got it: It’s a privacy nightmare. Manuel Vonau digs deeper—“Telegram wants to use your phone”:

Dangerous political climates
People who join the P2PL program … could also face problems with their mobile service providers. It’s likely that most carriers forbid subscribers from sending automated messages, [so] participants could face being banned by their cellular service.

Given that Telegram is often used by the opposition and protesters in dangerous political climates, leaking users’ phone numbers to other random people can have grave consequences. … It looks like Telegram will soon no longer protect its users from being detected as Telegram users, which could already give adverse actors enough information to act against them.

But but but … free stuff! @AssembleDebug is what he is:

What could go wrong? … The only good thing about it is that it’s opt-in.

Anyone who is aware of privacy won’t opt in to this. Many others who opt in won’t be aware of the risks it might bring, if they don’t read Ts&Cs.

Are there no other bad things here? danpalmer is his own special creation:

SMS auth fraud, where malicious users aim to receive auth codes to premium rate numbers, is a huge problem. This pushes that problem on to users.

[Telegram’s] terms of service do say explicitly that they are not responsible for charges. Are they going to get it right in every region? In every number range? Is it even possible to distinguish between premium rate and regular rate in all parts of the world? It’s really quite high risk for users.

Yikes—interesting point. eighty_one’s world is not a place they have to hide in:

I read this article twice to make sure I wasn’t misunderstanding what Telegram is doing here. I’m sitting here in shock with my mouth wide open because of how wild an idea this seems to be.

Wait. Pause. Perhaps it’s actually genius? baybal2 tries to see things from a different angle:

SMS authentication is … a giant gift to repressive states, making it extremely easy to:
1. Deanonymise users,
2. Block logins,
3. Intercept logins,
4. Provide information on usage.

Peer-to-peer SMS authentication makes interception much less reliable, hopefully to the point of making it not practically useful.

And so what if Rikonardo loves each sparkle and each bangle?

They are doing this to bypass government SMS filters in some countries, and this isn’t that bad of a fix. Obviously, ditching phone number verification completely would be a better solution, but that would lower the threshold for spammers, making the experience for users worse.

That’s life. bjord thinks it’s a sham:

It’s a really creative solution to SMS delivery issues and high costs. But I think it’s pretty clear that the issues here outweigh the benefits.

Meanwhile, rubysapphire23 shouts out:

It could be an early April Fools? That would probably be more logical.

And Finally:

Turn up the volume

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Oxana Melis (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
