Iranian Client Apps Are Violating Telegram’s Terms of Service by Failing to Protect User Data
December 17, 2018 – In response to a rising chorus of concerns by internet security experts, Telegram, the widely used instant messaging app, has issued a warning to users of the Iranian-made versions of Telegram (known as “client apps”), Telegram Talaeii and Hotgram, which reportedly have 30 million users between them, that the apps are “unsafe.”
“Warning! The app you are using was not made by Telegram and is unsafe. We can only guarantee your safety if you use official Telegram apps,” said a message that appeared when users first logged on to the apps on December 15, 2018.
The Center for Human Rights in Iran (CHRI) welcomes this move by Telegram. Five months before the company issued the warning, and again a week before the advisory was issued, CHRI had reached out to Telegram urging it to inform users that the Iranian government can access and monitor private user activities on the modified Telegram Talaeii and Hotgram apps.
“Now that Telegram has deemed these apps ‘unsafe,’ the natural next step would be discontinuing their access to Telegram’s servers since they violate Telegram’s own Terms of Service,” said Amir Rashidi, an internet security researcher at CHRI.
According to the “Privacy and Security” section of Telegram’s Terms of Service, all client apps must “guard their users’ privacy with utmost care” and comply with its security guidelines. Telegram also reserves its right to “discontinue” the apps’ access to Telegram’s Application Programming Interface (API) if those terms are violated.
Other big social media companies including Facebook have blockedclient apps in the past for violating their terms of service, including in 2018 when Facebook suspended Cambridge Analytica’s access to its API following revelations that it was harvesting private user data.
Not only can the Iranian government access private user data on the two client apps according to research by CHRI and the internet freedom organization Article19, the apps also censor content that the Iranian government has deemed inappropriate.
In the following paragraphs, CHRI outlines what these apps are, why they’re unsafe and why Telegram’s important warning merits follow-up action.
What Are Telegram Talaeii and Hotgram?
The Telegram app is a cloud-based, mobile and desktop messaging app with a free and open API that enables developers to legally build clone or “client” versions of the app. In technical terms, the app operates on “open source” code.
There are currently only two Iranian-developed versions of the Telegram app— Telegram Talaeii(“Telegram Gold”) and Hotgram—available on the Iranian app store, Cafe Bazaar. The original Telegram app had a reported 40 million monthly users in Iran before the Iranian government banned it in April 2018.
Iran’s order to block Telegram came after months of unsuccessful pressure on the company by the Iranian Judiciary and state officials to move its servers to Iran and comply with Iranian censorship policies. Hostility to Telegram also increased after protestors used the messaging app during the unrest that broke out across Iran in December 2017/January 2018 to spread word of the street gatherings.
After the original Telegram was banned, many people in Iran began using the two Iranian-made client apps, Telegram Talaeii and Hotgram. As of July 2018, they had a combined 30 million users in Iran, according to Assistant Prosecutor General Abdolsamad Khorramabadi.
Telegram Talaeii and Hotgram pull data and communicate with the original Telegram’s servers based outside the country. However, because the two apps’ servers are based in Iran, their data and traffic are open to monitoring and hacking by state actors and agencies that can access the apps’ servers at any time.
Due to the fact that citizens in Iran can be arbitrarily arrested and imprisoned for their peaceful online activities, CHRI had called on Telegram to clarify that the client apps—Telegram Talaeii and Hotgram—are not owned, operated or regulated by the Telegram company, and to warn users about the apps’ potential security risks.
This warning became all the more necessary after some Iranian officials stated on the record that the client apps were developed by an Iranian security agency.
On November 25, 2018, ultra-conservative Member of Parliament Mojtaba Zolnour told Iran’s parliamentary news agency that “Hotgram and Telegram Talaeii have been developed by a domestic security agency and naturally a copy of their information is stored inside the country.”