Side Note.
If you don’t care about your privacy and want to continue using Windows 11 with Telegram, this isn’t for you. If this is correct, please do not respond to the post. If you use Windows 11 and Telegram and are concerned about your privacy, I highly urge that you read this post. Thank you. If there is any incorrect information linked in this post, please let me know so that it can be updated consistently.
What’s been going on with Microsoft and Telegram?
Microsoft and Telegram collaborated, and Telegram is now a component of Copilot, which is extremely bad news for privacy. Microsoft is almost becoming another Facebook, given what they are doing with their copilot, which is being included in recent Windows 11 updates. More information about Copilot will be down below this post.
Telegram consistently claims to be “the best and most secure chatting app for privacy” and much more. We all know it’s a lie given the number of strange incidents that occur there and the association with Microsoft Copilot. Not only that but they have openly stated multiple times that “They need your data to ensure a secure experience”. Which is very suspicious. If you use Telegram on a daily basis, it might be time for you to switch.
What is Microsoft Copilot?
Microsoft Copilot is an artificial intelligence function that, like Alexa, can assist you, but it is built into the Windows 11 operating system. It can communicate with you, hear you, and observe and hear everything you do. It can hear you ask a question, browse the internet, listen to your voice calls unless you turn off your computer, recording and monitoring everything you do. It knows everything. It also sends all of this data to Microsoft and the CIA. Which is extremely bad news for privacy. Microsoft is almost becoming another Facebook, given what they are doing with their copilot, which is being included in recent Windows 11 updates.
What do I need to do to get actual Privacy from now on?
Before you do anything else, I highly recommend that you buy a USB stick and switch to Linux. You have four distribution options to select from.
Linux Mint (2 gigs of ram, NIVIDIA and AMD supported)
Debian (2 gigs of ram, NIVIDIA and AMD supported)
Kubuntu (2-8 gigs of ram, NIVIDIA and AMD supported)
Pop OS (8 gigs of ram, NIVIDA and AMD supported)
Ubuntu (4 gigs of ram, AMD Supported)
- I will say this about Ubuntu: it doesn’t work very well if you want to play games on it and you use NIVIDIA drivers. With NIVIDA drivers, it can work well for general use such as watching videos, making documents, and editing photos. However, gaming performance is not very good when using NIVIDA drivers on Ubuntu. My friend tested it out for me. Going all RED (AMD) is definitely the best option if you want to play games on Ubuntu.
These are definitely the best distributions for a beginner, however if you thoroughly understand linux and know how it works once you get used to it, you can finally try something like Arch, Fedora or NixOS.
If you want a alternative to Telegram, you have two options
Signal (Best Option)
Signal is the best alternative to Telegram, it has great end to end to end encryption, it’s open source, amazing screen sharing and voice calling, privacy, and it’s extremely private compared to telegram.
The only thing that Telegram has that’s better than Signal is better built in customization. However, aside from that, it still can’t beat Signal. If you have an Android phone, you can install custom clients with it, making it incredibly customizable, or you can even develop your own because the source code is open source; even at that point, Telegram cannot surpass Signal.
Telegram-FOSS (Maybe?) Telegram-FOSS is a Telegram fork that aims to remove Telegram’s spyware and data collection while increasing your privacy. However, it is only available on Android through the FDROID App Store, and keep in mind that I am not 100% certain that it will provide you with the finest privacy; use at your own risk.
Matrix (Not Recommended) I suppose Matrix is an additional choice for a Telegram substitute; but, in my opinion, it’s more of a messenger alternative. Although it’s fantastic for privacy, I don’t think it’s ready in terms of usability or user friendly. Matrix isn’t ideal for communities and isn’t very user-friendly. It’s more for corporations/software development teams who want a self hosted slack. Yes, Matrix is more private & secure then Telegram, and you don’t need to setup your own matrix server to use it. You can register on the public matrix server and message friends etc that way. Matrix just doesn’t advertise, it relies on clients & servers to do the advertising. The issue with that is the main client (Element) is only trying to appeal to corporations/non-tech savy people who can’t setup their own matrix server so the messaging is based around that. I still think Signal is easily your best alternative
My point is, if you value your privacy, you should quit Windows 11 and Telegram while you still can and try Linux and Signal; it will be well worth it. If there is any wrong information in this post, please notify me so that it can be changed, and if you have any questions, please contact me and I will gladly assist you.
If you want a alternative to Telegram, you have two options
Signal (Best Option)
Signal is the best alternative to Telegram,
Please don’t recommend Signal. https://yasha.substack.com/p/signal-is-a-government-op-85e See also: https://dessalines.github.io/essays/why_not_signal.html
So I read both articles and I’m still unsure as to why people are very anti signal? I get the it was/is funded by the US government. So was tor but that doesn’t make the network any less secure/bad for privacy. The code is open source so if it was phoning home it would be noticed. I understand that they did not release their source code for some time, and yeah that really is scummy and does not look good. As far as message content, there have been several warrants for signal data, but signal has been unable to provide your message’s content.
I get that it requires a phone number and you can use metadata to determine who you talk to. Signal is very much not anonymous and if you are a journalist/activist who deals with sensitive content, Signal is a bad option. But from a privacy/security standpoint it looks fine?
Not trying to be antagonistic. I am hoping for someone to elaborate on the articles more.
For the record TOR’s funding by the US government is problematic. They fund a large number of TOR exit nodes, which though (like Signal) they can’t track 100% of what everyone does, they’re still able to gather a disgusting amount of information and use it against you.
The part that is problematic seems to be this one: https://dessalines.github.io/essays/why_not_signal.html#a-single-centralized-us-based-service
A Single, Centralized, US-based service
National Security Letters (NSLs)The US has an interesting law that applies to any US company operating within its borders: it is illegal to tell your users that the the US government has asked your company to spy on their behalf. This is called a key disclosure law, and the US’s version of it, called National Security Letters, underwent an expansion with the PATRIOT act; by 2013, President Obama’s Intelligence Review Group reported issuing on average, nearly 60 NSLs every day.
Companies that don’t comply with this law, such as Lavabit, are forced to shut themselves down in protest, in order to avoid prison time, or remain open, and funnel user communications to the US government. The Signal foundation is a US domiciled company, and must comply with this law.
Signal also notably isn’t self-hostable: there’s no way to run your own signal server, and control your data. Marlinspike ruthlessly shuts down anyone attempting to build alternate clients or servers that could communicate with the main one. 2
This means that all of Signal’s data is centralized and controlled by a single entity: a giant and easy target for US surveillance.
The centralization of Signal’s data, means that it most likely has been issued an NSL letter, along with every other centralized messaging company domiciled in the US. While it’s impossible for us to know for certain, its also illegal for the founders to disclose that. For a threat analysis, we should assume the worst, especially for such a popular app.
There is more in that section, but that seems to be the jist of it.
Buy that only applies to data signal collects correct? So we’re looking at metadata? The content of your message wouldn’t be compromised because signal doesn’t have access to it.
I guess the point I’m trying to make is signal isn’t good for anonymity, but is fine for privacy. As other people have mentioned you should be using a decentralized service if you’re organizing activism or whatever else your threat model demands. But as far as talking to friends/family about day to day stuff, it looks fine? So I think the question I’m really getting at is why isn’t signal good as a privacy friendly messaging service to replace what people were using telegram for? It’s been a minute since I used matrix, but I think the self hosting issue still applies there. Not many people are going to self host a matrix server to talk with friends.
Buy that only applies to data signal collects correct?
No. The main rejection is due to key disclosure law. “Key disclosure laws, also known as mandatory key disclosure, is legislation that requires individuals to surrender cryptographic keys to law enforcement.”
If a company operates on US soil and employs any encryption features in their software, they must give up the cryptographic keys or risk fines or closure. That’s what happened to Lavabit. They had to shut down because they wouldn’t provide their keys. So it’s not just that Signal is bad for anonymity, it’s also bad for privacy. All the US spy agencies would have to do is go “Hey look! We’re seeing a lot of activity on Signal. Must be due to those protests against Gaza genocide. These messages are encrypted. Let’s open up Signal and see what’s inside.” With Signal being centralized and having to follow key disclosure law for being based in the US, it’s a trivial matter for the spies to get your now-not-secure messages.
Even if you’re not using Signal for protesting, and only day-to-day stuff, that’s still of interest to the spies since you are using a communication app with encryption in it. And hey who knows? Maybe learning your speech and communication patterns might be helpful in impersonating you to get info from someone you communicate with that is suspected to be involved in “radical” activities. Never think of yourself as a “small fish”.
Don’t you need the private key to decrypt messages? Those never leave the device. That’s what happened with lavabit. They were forced to disclose the private key. But if that key isn’t leaving your device, you need a compromised device/person on the other end to decrypt your messages.
Don’t you need the private key to decrypt messages? Those never leave the device.
Right, and you would need a compromised person/device on the other end to decrypt a message but how hard is it to acquire that, especially for the US spy agencies?
I am getting into the more extreme circumstances for sure, but I am seeing it from the worst case scenario(s) when it comes to having a centralized server based in the US, under key disclosure law (called National Security Letters here) and Signal being very slow to update their open source code (https://dessalines.github.io/essays/why_not_signal.html#abandonment-of-open-source). It’s not worth it to me.
So a compromised device is not unique to a US based company. A warrant can be issued to seize the device and that could happen with any other messaging service. It is fine to not like signal, and there are several reasons not to do so.
What I do have an issue with is the idea that signal is insecure or that federal agencies can very easily peek at your messages. Because that is not how encrypted messaging works. Signal does not have access to your private key. Your private key never makes its way to the signal server. Which even if the server was not running the code they have published, a NSL still wouldn’t let the government decrypt your message. Signal can be forced to disclose your public key, time stamps of your message, who you are texting, etc. But not the content of your message. Nor can they be forces to disclose anything that would give someone access to said content. Again because signal does not have access to that information. If you are concerned that signal could be publishing binaries that don’t reflect the source code, you can build the published source code and use that. But when your threat model is at that point you are beyond the scope of the original post.
The difference between signal and lavabit when it comes to key disclosure laws is how the services were set up. Lavabit required encrypted communication with the server to access, send, etc your emails. Which means the server side needed a private key that a NSL could force them to disclose. Signal is a little different. Private keys are held by the users and never make it to the server. Where yes a user could be forced to disclose that key, but again that could happen with any messaging server. It is not unique to the service you’re using being based in the US.
And this is also completely ignore the fact that signal utilizes double ratcheting which provides some inherent protection for compromised private keys (assuming you and the other person are deleting messages automatically). I would also like to mention that the signal protocol/double ratcheting/how signal does messaging is not unique to signal. It is utilized by a large number of services including matrix.
Love my completely secure, untraceable communications system funded by checks notes Radio Free Asia. /s
(Signal is bad. Do not use signal. Speaking out loud on the phone is way more safe than typing in Signal.)
Speaking out loud on the phone is way more safe than typing in Signal
I have my concerns about signal too but this is just over the top. what could possibly lead you to believe that»
doing my online drug deals via carrier pigeon because tor is funded by the US govt
if a Tor connection needed to be deanonymized then it would be. your drug deals are not that interesting to the govt in the grand scheme of things
This tinfoil hat statement you made is not at all true, Signal provides a stronger E2EE chat service than WhatsApp and Telegram ever will, refusing to add backdoors and only cooperating with law enforcement if it’s the only option to keep Signal alive. Regardless of this unfortunate fact (that they do have to cooperate in some, extremely rare cases) they would never send over chat logs or images because they DON’T log your conversations. Messages are stored locally on your device so they have nothing to send. Stop spreading FUD just because Signal is a project you don’t like due to political views.
“Signal is a government” says website with multiple trackers from Google, Datadog, and Cloudflare. Get better sources before talking about anything privacy related.
Doing a bit of “I am very smart”, aren’t you? Well two can play that game.
You do know that DDG gets it’s search results from Bing, which is Microsoft, right? Also, I linked 2 sources in my comment. Had you actually read (and comprehended) my comment, you would have seen that.
Also, this: DuckDuckGo Isn’t as Private as You Think
And after all of that, your comment still doesn’t change the fact that Signal is a US government op from the CIA.
Your point about Signal has no evidence, funded by doesn’t mean that it’s lead by the CIA, if it was, why would Edward Snowden use it, and why would they constantly share no real information with the authorities? DDG is still much more private than Google, although it can be questioned for it’s censorship of “Pro-Russian” search results. Also, you sent yet another link with Google trackers, well done, source dismissed.
Startpage gets it’s search results from Google
SearX gets it’s search results from any search engine you choose
How is this a valid point?
SearX is a privacy front end that blocks all trackers.
Meanwhile, Duckduckgo has been caught not blocking trackers from Microsoft, who they have partnered with for search results. https://www.theregister.com/2022/05/25/duckduckgo_browser_microsoft_privacy/
Signal requires a phone number right. How could that possibly be anonymous
Telegram requires a phone number as well. If that is a problem, use a burner phone. Additionally, Signal introduced the ability to use a username instead of your phone number. Yes, you need to put up a phone number to make a Signal account, but once your account is created. You can actually activate “Hide your phone number” and utilize the username feature
Sigh because, as a wise man, kenny, aka Mental Outlaw, once explained, you can use a burner phone if this is an issue. You can optionally provide Signal with a username/nickname of choice but what you do with that is up to you. You can also hide your phone number from everyone and refuse to let people add you via your phone number. Unless you’re a dumbass that has everything linked to one phone number or email, I don’t see how this would be a problem.
After some very cursory research I see that copilot is just a chatbot on telegram. Copilot is not built-into telegram, but you can interface with Microsoft’s servers running copilot by “starting a conversation” with it. That does not mean Telegram now ships with Copilot. Believe you me, I have written chatbots for telegram and your installation of it does not ship with my crapware, telegram also doesn’t pay for my server costs, lmao.
Telegram is still unsafe but for a lot of other different reasons. Others have already pointed out the problems Signal has. Matrix is simply not there yet, and it might never be. In reality very little of this matters because your friends will just continue using whatever spyware they were before, your chatgroup will not use your bespoke xmpp solution just to chat with you. Idk, send sensitive stuff over e-mail or something.
Matrix is simply not there yet, and it might never be.
Citation Needed
It’s pretty damn good and element (the most popular client)is highly polished. At least it doesnt require a phone number or have ties to the NED (however small) like signal
Matrix is an incredibly bloated protocol trying to do far more than it should. Try running a Matrix server, you’ll understand.
Matrix’s “everything and the kitchen sink” problem feels like an overreaction to XMPP’s problem of optional extensions that not every client implements properly (if at all).
I do run a matrix server. I have some qualms with it for sure, the resource consumption can be pretty crazy, and federation has some issues that other models don’t, and I wish the protocol were simpler, but saying it’s “simply not there yet/maybe never will be” doesn’t really capture any of my concerns. Its usable now, as a viable alternative to discord, telegram, signal, etc. regardless of issues. If there is a better alternative I’m open to that too. I’ve been meaning to try XMPP again but in the past I haven’t been a huge fan
Well I for one have had nothing but trouble. The matrix.org instance is massive and laggy. The few private instances I tried weren’t federated as far and wide as I needed it to be. Self-hosting Synapse was miserable with federation turned on.
I wish it was better
laggy? how would you even know? my most used account is on matrix.org and I’ve never noticed lag. I guess most of my communication is relatively asynchronous, not lightning speed back and forths with people, so I’d have no way of knowing if there was a second or two of lag. But typing notifications seem to be prompt.
And self-hosting idk, besides not being able to host it on a super resource constrained machine, and the disk usage ballooning if you have users that join a bunch of massive public rooms or whatever, it’s been fine for me.
I guess its probably highly dependent on your use case
This is a good rundown on some of the issues
I see some things I have thoughts on, but most of this is “not an issue for users/maybe not even an issue for admins”
- untrusted homeservers or clients running modified software might not honor deletions. This is a legitimate issue but its inherent to the federated model, and is just as bad or (actually) worse on Lemmy than it is on matrix, for example. They could do a better job of setting expectations for users regarding deletes, but it’s not like centralized, or worse proprietary, messaging systems don’t have deletion issues too, if somewhat reduced in scope.
- compatibility issues between different homeserver implementations. This is a fuckup for sure, but it will eventually get worked out, and already is getting better as alternative homeservers get more development and usage
- High profile public rooms subject to novel attacks. This seems bad but it seems like something that is getting better over time.
- unauthenticated media downloads. I would be fine losing unauthenticated HTTP downloads of media, though it can be convenient for users ig (the amount of times I’ve gotten a discord attachment image link/embed is easily thousands, even when none of the conversations were happening on discord. though personally I always copy images themselves rather than just sharing the link).
- The stuff about media “verification” (scanning) is something that applies to basically any self hosted anything that allows any uploads even incidentally, and is not a standard we hold other software to, except I guess commercial services of a certain size. CSAM scanning isn’t something you can really do as an individual selfhosting, and virus scanning is pretty heavy, though I’d ofc appreciate better integration of tooling for instances that need it. And liability for proxied content is a tradeoff, because if you don’t proxy content, you reduce privacy for users significantly by allowing any participating server to track them, not just their own homeserver. In practice I’m sure it could be a hazard, but if you aren’t actually storing the material just proxying, and respond to takedown requests if they are made, IMO you’re doing all that can be expected.
The question is, are these bad enough issues to abandon Matrix, and what alternatives exist that solve these issues and don’t have other unacceptable tradeoffs?
ldk, send sensitive stuff over e-mail or something.
PGP ftw.
Ubuntu sucks lol remove it from the recommendations and put Fedora in instead.
Fedora isn’t a beginner distribution
My first real daily drive distro was Fedora and it was fine for daily use. Although I’d still recommend Mint over Fedora to absolute beginners who are not tech savvy.
The biggest challenge personally, is a lot of softwares (CAD, 3D rendering) I need for work and school don’t work on Linux or I need to install a windows virtual machine which the only good one is proprietary, VM ware, I install Linux old devices for my family tho
You can always set up a dual parition of both Linux and Windows.
install a windows virtual machine which the only good one is proprietary, VM ware
You mean the only one you’re comfortable with. QEMU/KVM/VFIO + secondary GPU passthrough with clients like looking glass are far superior while also being libre.
Telegram has always been sus from a privacy perspective, because they use an oddball homemade cryptographic system instead of open and proven standards. I treat Telegram like I do Tiktok. A useful source of information that I assume is tracking everything I see and say.
I would love to run my main machine off Linux, but none of the software I need in the day-to-day runs seamlessly on it, unfortunately. That’s still a pretty big obstacle for me.
I never liked/used telegram because it needs my phone number so it’s not anonymous. Idk why it’s used as a discord alternative, it’s not really better except for lower moderation.
If signal had group chats it’d be perfect for my purposes.
Idk what I’d use to text/have voice anonymously to other Hexbearians/feds, there’s probably some IRC spinoff useful for that idk.
Signal does have group chats, and has had them for at least 10 years.
Idk what I’d use to text/have voice anonymously to other Hexbearians/feds, there’s probably some IRC spinoff useful for that idk.
it’s called matrix. pretty sure hexbear has a server though registration isnt open
Are there are downsides to AlmaLinux? From my research it seems like one of the best all-round options but I never see it recommended in discussions like this, unlike Ubuntu which has actual privacy concerns and is owned by a for-profit.
It’s Red Hat Enterprise Linux with the serial numbers filed off. It’ll be rock stable, but you may be on your own for cutting edge versions of software packages with new and shiny stuff. Probably not the best choice for gaming video card drivers either.
AlmaLinux is one of the spiritual successors of CentOS, a previously popular distro tailored for servers before Red Hat axed the project. You’re better off using Fedora unless you really value stability and don’t want to use Debian for some reason.
deleted by creator
Telegram requires a phone number to use it and should therefore be considered utterly non-private.
Before you do anything else, I highly recommend that you buy a USB stick and switch to Linux. You have four distribution options to select from.
Linux Mint (2 gigs of ram) Ubuntu (4 gigs of ram) Debian (2 gigs of ram) Pop OS (8 gigs of ram)
Are you saying that if I boot Linux Mint off of a flashdrive, it’ll occupy 2gigs of RAM from my computer while in use (even without programs open)?
Considering 8 gigs is the recommended amount of RAM to have when running Pop_OS!, I think it’s more like minimums.
If you use XFCE, you probably can