this post was submitted on 20 Feb 2024
31 points (89.7% liked)


What do you think of this from privacy POV?

[–] viking@infosec.pub 17 points 8 months ago (2 children)

Terrible, of course. Especially since they are aiming the service to improve sign-up reliability in countries that block Telegram, acting as a relay exposes yourself. Carriers in China (where I live) and other questionable countries are actively snooping around, and since SMS are generally unencrypted, the simplest heuristic would figure out what you're involved in and start a very serious investigation.

On top of that, phone numbers in many countries are also unique logins to a number of services (again, here in China you need it for literally everything, it's THE number one digital footprint), and attackers could use the information for brute-force/wordlist attacks on known services, or use them for social engineering.

As much as I like the idea of helping others sign up who don't have the means to acquire a foreign phone number, I would never willingly commit to that.

[–] LWD@lemm.ee 6 points 8 months ago

There's some incredible insight here.

> On top of that, phone numbers in many countries are also unique logins to a number of services (again, here in China you need it for literally everything, it's THE number one digital footprint)

This is one reason I particularly dislike companies that require phone number "verification" either immediately when registering, or sometime after. Services like Microsoft, Twitter, Discord, Facebook, all find a reason to request it at some point. And that request often seems to be related to whether or not they can pin down your actual identity or not...

[–] riccardo@lemmy.ml 2 points 8 months ago* (last edited 8 months ago)

> Especially since they are aiming the service to improve sign-up reliability in countries that block Telegram

It's mainly to offload the cost of sending verification codes via SMS to users, which is one of the costs that Telegram wants to cut. As far as I remember, it amounts to, like, 7% of all their annual expenses (I will source this later). A couple of years ago they decided not to send SMS verification codes when you sign in from a third-party app, and just send the code to an active session. This sounds like a recipe for moderation headaches and privacy disasters, but also a good way to boost their premium metrics :)

[–] RobotToaster@mander.xyz 17 points 8 months ago (1 children)

They could just stop requiring phone numbers, which would be a lot more privacy friendly.

[–] GolfNovemberUniform@lemmy.ml 9 points 8 months ago (2 children)

But unfortunately it would make spamming much easier

[–] RobotToaster@mander.xyz 12 points 8 months ago

It's doing an absolutely terrible job of stopping spammers.

[–] Cheradenine@sh.itjust.works 7 points 8 months ago

Isn't that an inherent fault of Telegram though?

I use SimpleX, and unless I join one of the large discussion groups there cannot be any spam. You cannot just join anything except open groups. If you spam you get booted by whoever started the group.

[–] LWD@lemm.ee 5 points 8 months ago (1 children)

Can somebody explain in simple terms what this is even supposed to do? Do you end up sending an SMS message on Telegram's behalf to random phone numbers that request it?

I'm pretty sure this practice, no matter how lightweight it might be, would be considered against many carriers' TOS. And I wasn't aware Android now allowed people to send text messages in apps besides the default one, suppressing that ability was considered a huge deal a while back.

[–] umami_wasbi@lemmy.ml 7 points 8 months ago* (last edited 8 months ago)

For whatever reason, ppl need SMS OTP. While Telegram is using SMS operators (like Twilio), it can't cover all users globally (which the truth is more about cost and regulations), thus this program is born to cover (bypass) it.

It uses your number to send the OTP code to random numbers on Telegram's behalf, up to 150 per month including international SMS, where you bear the cost and acknowledge your number will be seen by whoever receives it. In return, if your monthly sent SMS reaches the quota, Telegram will reward you with a monthly Telegram Premium Subscription (which costs almost nothing to them).

What a joke program.

Edit: express in more clarity (they -> Telegram)

[–] jet@hackertalks.com 5 points 8 months ago (1 children)

Crazy. Become a Telegram SMS relay.... Doesn't seem like a great idea for the user.

[–] clot27@lemm.ee 0 points 8 months ago (2 children)

They are rewarding you with premium (i.e. some extra features in the app) for relaying SMS and exposing your phone number to strangers ig?

[–] jet@hackertalks.com 1 points 8 months ago* (last edited 8 months ago) (1 children)

For now... Giving this capability to an app seems foolish.

If you value premium enough, I'm sure lots of people will agree to it.

[–] clot27@lemm.ee 3 points 8 months ago (1 children)

I think if it's opt-in, then kinda fine..., else it's a nightmare.

[–] riccardo@lemmy.ml 3 points 8 months ago (1 children)
[–] ReversalHatchery@beehaw.org 2 points 8 months ago (1 children)

Opt-in for the SMS recipient too?

[–] riccardo@lemmy.ml 2 points 8 months ago

I'm still trying to figure it out, but I guess not. The only thing I'm sure about is that you will know whether the OTP code has been sent by Telegram or a P2PL relay

[–] southsamurai@sh.itjust.works 3 points 8 months ago

At least it's opt in. But fucking hell, that's a horrible idea

[–] GolfNovemberUniform@lemmy.ml 3 points 8 months ago

Such a feature should never be in a consumer IMS because it can be activated accidentally. If you want to let your users become relays, do it at least like the registration for Ubuntu Pro