CHRI – Iranian Client Apps Are Violating Telegram’s Terms of Service by Failing to Protect User Data
December 17, 2018 – In response to a rising chorus of concerns by internet security experts, Telegram, the widely used instant messaging app, has issued a warning to users of the Iranian-made versions of Telegram (known as “client apps”), Telegram Talaeii and Hotgram, which reportedly have 30 million users between them, that the apps are “unsafe.”
“Warning! The app you are using was not made by Telegram and is unsafe. We can only guarantee your safety if you use official Telegram apps,” said a message that appeared when users first logged on to the apps on December 15, 2018.
The Center for Human Rights in Iran (CHRI) welcomes this move by Telegram. Five months before the company issued the warning, and again a week before the advisory was issued, CHRI had reached out to Telegram urging it to inform users that the Iranian government can access and monitor private user activities on the modified Telegram Talaeii and Hotgram apps.
“Now that Telegram has deemed these apps ‘unsafe,’ the natural next step would be discontinuing their access to Telegram’s servers since they violate Telegram’s own Terms of Service,” said Amir Rashidi, an internet security researcher at CHRI.
According to the “Privacy and Security” section of Telegram’s Terms of Service, all client apps must “guard their users’ privacy with utmost care” and comply with its security guidelines. Telegram also reserves its right to “discontinue” the apps’ access to Telegram’s Application Programming Interface (API) if those terms are violated.
Other big social media companies including Facebook have blockedclient apps in the past for violating their terms of service, including in 2018 when Facebook suspended Cambridge Analytica’s access to its API following revelations that it was harvesting private user data.
Not only can the Iranian government access private user data on the two client apps according to research by CHRI and the internet freedom organization Article19, the apps also censor content that the Iranian government has deemed inappropriate.
In the following paragraphs, CHRI outlines what these apps are, why they’re unsafe and why Telegram’s important warning merits follow-up action.
What Are Telegram Talaeii and Hotgram?
The Telegram app is a cloud-based, mobile and desktop messaging app with a free and open API that enables developers to legally build clone or “client” versions of the app. In technical terms, the app operates on “open source” code.
There are currently only two Iranian-developed versions of the Telegram app— Telegram Talaeii(“Telegram Gold”) and Hotgram—available on the Iranian app store, Cafe Bazaar. The original Telegram app had a reported 40 million monthly users in Iran before the Iranian government banned it in April 2018.
Iran’s order to block Telegram came after months of unsuccessful pressure on the company by the Iranian Judiciary and state officials to move its servers to Iran and comply with Iranian censorship policies. Hostility to Telegram also increased after protestors used the messaging app during the unrest that broke out across Iran in December 2017/January 2018 to spread word of the street gatherings.
After the original Telegram was banned, many people in Iran began using the two Iranian-made client apps, Telegram Talaeii and Hotgram. As of July 2018, they had a combined 30 million users in Iran, according to Assistant Prosecutor General Abdolsamad Khorramabadi.
Telegram Talaeii and Hotgram pull data and communicate with the original Telegram’s servers based outside the country. However, because the two apps’ servers are based in Iran, their data and traffic are open to monitoring and hacking by state actors and agencies that can access the apps’ servers at any time.
Due to the fact that citizens in Iran can be arbitrarily arrested and imprisoned for their peaceful online activities, CHRI had called on Telegram to clarify that the client apps—Telegram Talaeii and Hotgram—are not owned, operated or regulated by the Telegram company, and to warn users about the apps’ potential security risks.
This warning became all the more necessary after some Iranian officials stated on the record that the client apps were developed by an Iranian security agency.
On November 25, 2018, ultra-conservative Member of Parliament Mojtaba Zolnour told Iran’s parliamentary news agency that “Hotgram and Telegram Talaeii have been developed by a domestic security agency and naturally a copy of their information is stored inside the country.”
In August 2018, CHRI had reported that the two apps also block content on the original Telegram’s servers deemed inappropriate by the Iranian government, including channels belonging to CHRI, the BBC Persian Service, Paskoocheh (which offers virtual private networks) and dozens of other channels banned by Iran for their political and independent news content or for offering information and tools that can be used to circumvent online censorship.
Iran has a long history, documented by the UN and international rights organizations, of accessing messaging app data to conduct online surveillance, unlawfully enter accounts, and retrieve private user information despite the fact that such privacy is ostensibly protected in Iran’s Constitution. This content is then used to prosecute critics of the state on various national security-related charges in judicial proceedings lacking any semblance of due process.
Intelligence and security agencies work hand-in-hand with Iran’s judiciary to conduct such operations, and individuals have been imprisoned in Iran on the basis of such unlawfully obtained online content.
Telegram Talaeii and Hotgram’s Ties to Security Agencies?
Little verifiable information is available about the Iranian company that claims to have developed the two client apps, Rahkar Sarzamin Houshmand (“Smart Land Solutions,” or SLS). But recent statements by Iranian officials indicate they were developed by or with the support of Iranian security agencies.
In November 2018, the secretary of Iran’s Supreme Cyberspace Council (SCC) stated that the Ministry of Information and Communications Technology (Telecommunications Ministry) was planning on buying hardware to enable the apps to function in Iran without communicating with Telegram’s servers based outside the country.
“The report we have received is that they claim they can operate independently in a testing environment but of course in order to implement them it requires certain data centers and for that, the Telecommunications Ministry has issued a tender to buy the necessary hardware,” Firouzabadi told the Fars News Agency, which is affiliated with the Islamic Revolutionary Guard Corps (IRGC), on November 19.
Firouzabadi also told Fars that the apps had received support from the government of President Hassan Rouhani, who has publicly suggested that he is opposed to the ban on the original Telegram app and who had made statements in support of limited internet freedom during both his election campaigns.
But according to Firouzabadi, the Telecommunications Ministry, which operates under Rouhani, has provided operational assistance to both the apps and offered tenders to create a data center for them.
The SCC secretary’s statement contradicts an earlier statement by Telecommunications Minister Mohammad Javad Azari Jahromi who stated on the record in August 2018, “We have not supported or helped Hotgram and Telegram Talaeii.”
The highest level of the Iranian government has also approved Telegram Talaeii and Hotgram. SLS has an operational license from the National Cyberspace Center, a branch of the SCC, the top internet decision-making body in Iran which is controlled by Supreme Leader Ali Khamenei.
Documented Security Flaws
Researchers inside and outside Iran have written about the client apps’ inherent security flaws.
In 2018, three Iranian internet security researchers reported in statements that were cited by Iranian media—including by the mainstream newspaper Hamshahri and tech site Digiato—that Telegram Talaeii is capable of various security violations.
These include: stealing Telegram identity verification codes that could be used to access users’ Telegram accounts, expelling admins and deleting their channels without the user’s knowledge and sending and receiving lists of all the people users communicate with along with their usernames.
Digital security experts at the Talos Security Intelligence and Research Group, which is owned by US tech giant Cisco, have also pointed out security flaws in both the apps.
“Once installed, some of these Telegram ‘clones’ have access to mobile devices’ full contact lists and messages, even if the users are also using the legitimate Telegram app,” said five Cisco Talos experts in a jointly-authored blog post published November 5, 2018.
“We declare with high confidence that these apps should be classified as ‘greyware.’ It is not malicious enough to be classified as malware, but is suspicious enough to be considered a potentially unwanted program (PUP),” they added.
Now that Telegram has publicly acknowledged that the Iranian-made client apps are “unsafe,” discontinuing their access to Telegram’s servers would help ensure that the Iranian government does not use Telegram to spy on Iranian citizens.
“The onus remains on the Iranian government to lift its ban on the original Telegram app, a ban that was imposed because the company refused to allow Iranian state agencies to access Telegram’s data as well as refused to bow to Iranian censorship policies,” said Rashidi.
“Telegram should follow through on its warning message by discontinuing these apps’ access to Telegram servers,” he added. “Doing so will send a message to the Iranian government that even big tech companies will not engage in business as usual while the state violates the rights of its citizens,” he added.