Side Note.

If you don’t care about your privacy and want to continue using Windows 11 with Telegram, this isn’t for you. If this is correct, please do not respond to the post. If you use Windows 11 and Telegram and are concerned about your privacy, I highly urge that you read this post. Thank you. If there is any incorrect information linked in this post, please let me know so that it can be updated consistently.

What’s been going on with Microsoft and Telegram?

Microsoft and Telegram collaborated, and Telegram is now a component of Copilot, which is extremely bad news for privacy. Microsoft is almost becoming another Facebook, given what they are doing with their Copilot, which is being included in recent Windows 11 updates. More information about Copilot is further down in this post.

Telegram consistently claims to be “the best and most secure chatting app for privacy” and much more. We all know it’s a lie given the number of strange incidents that occur there and the association with Microsoft Copilot. Not only that, but they have openly stated multiple times that “They need your data to ensure a secure experience”, which is very suspicious. If you use Telegram on a daily basis, it might be time for you to switch.

What is Microsoft Copilot?

Microsoft Copilot is an artificial intelligence function that, like Alexa, can assist you, but it is built into the Windows 11 operating system. It can communicate with you, hear you, and observe and hear everything you do. It can hear you ask a question, browse the internet, listen to your voice calls unless you turn off your computer, recording and monitoring everything you do. It knows everything. It also sends all of this data to Microsoft and the CIA, which is extremely bad news for privacy. Microsoft is almost becoming another Facebook, given what they are doing with their Copilot, which is being included in recent Windows 11 updates.

What do I need to do to get actual Privacy from now on?

Before you do anything else, I highly recommend that you buy a USB stick and switch to Linux. You have four distribution options to select from.

Linux Mint (2 gigs of RAM, NVIDIA and AMD supported)

Debian (2 gigs of RAM, NVIDIA and AMD supported)

Kubuntu (2-8 gigs of RAM, NVIDIA and AMD supported)

Pop OS (8 gigs of RAM, NVIDIA and AMD supported)

Ubuntu (4 gigs of RAM, AMD supported)

  • I will say this about Ubuntu: it doesn’t work very well if you want to play games on it and you use NVIDIA drivers. With NVIDIA drivers, it can work well for general use such as watching videos, making documents, and editing photos. However, gaming performance is not very good when using NVIDIA drivers on Ubuntu. My friend tested it out for me. Going all RED (AMD) is definitely the best option if you want to play games on Ubuntu.

These are definitely the best distributions for a beginner; however, if you thoroughly understand Linux and know how it works once you get used to it, you can finally try something like Arch, Fedora or NixOS.

If you want an alternative to Telegram, you have two options

Signal (Best Option)

Signal is the best alternative to Telegram: it has great end-to-end encryption, it’s open source, it has amazing screen sharing and voice calling, and it’s extremely private compared to Telegram.

The only thing that Telegram has that’s better than Signal is better built-in customization. However, aside from that, it still can’t beat Signal. If you have an Android phone, you can install custom clients with it, making it incredibly customizable, or you can even develop your own because the source code is open source; even at that point, Telegram cannot surpass Signal.

Telegram-FOSS (Maybe?)

Telegram-FOSS is a Telegram fork that aims to remove Telegram’s spyware and data collection while increasing your privacy. However, it is only available on Android through the F-Droid app store, and keep in mind that I am not 100% certain that it will provide you with the finest privacy; use at your own risk.

Matrix (Not Recommended)

I suppose Matrix is an additional choice for a Telegram substitute, but in my opinion, it’s more of a messenger alternative. Although it’s fantastic for privacy, I don’t think it’s ready in terms of usability or user-friendliness. Matrix isn’t ideal for communities and isn’t very user-friendly. It’s more for corporations/software development teams who want a self-hosted Slack. Yes, Matrix is more private and secure than Telegram, and you don’t need to set up your own Matrix server to use it. You can register on the public Matrix server and message friends etc. that way. Matrix just doesn’t advertise; it relies on clients and servers to do the advertising. The issue with that is the main client (Element) is only trying to appeal to corporations/non-tech-savvy people who can’t set up their own Matrix server, so the messaging is based around that. I still think Signal is easily your best alternative.

My point is, if you value your privacy, you should quit Windows 11 and Telegram while you still can and try Linux and Signal; it will be well worth it. If there is any wrong information in this post, please notify me so that it can be changed, and if you have any questions, please contact me and I will gladly assist you.

    • AmaryllisBlues [she/her]@hexbear.net
      20 upvotes · 6 months ago

      So I read both articles and I’m still unsure as to why people are very anti-Signal? I get that it was/is funded by the US government. So was Tor, but that doesn’t make the network any less secure/bad for privacy. The code is open source, so if it was phoning home it would be noticed. I understand that they did not release their source code for some time, and yeah, that really is scummy and does not look good. As far as message content, there have been several warrants for Signal data, but Signal has been unable to provide your message’s content.

      I get that it requires a phone number and you can use metadata to determine who you talk to. Signal is very much not anonymous and if you are a journalist/activist who deals with sensitive content, Signal is a bad option. But from a privacy/security standpoint it looks fine?

      Not trying to be antagonistic. I am hoping for someone to elaborate on the articles more.

      • bumpusoot [any]@hexbear.net
        6 upvotes · 6 months ago

        For the record TOR’s funding by the US government is problematic. They fund a large number of TOR exit nodes, which though (like Signal) they can’t track 100% of what everyone does, they’re still able to gather a disgusting amount of information and use it against you.

      • Optimus_Subprime [he/him, they/them]@hexbear.net
        1 upvote · 6 months ago

        The part that is problematic seems to be this one: https://dessalines.github.io/essays/why_not_signal.html#a-single-centralized-us-based-service

        A Single, Centralized, US-based service
        National Security Letters (NSLs)

        The US has an interesting law that applies to any US company operating within its borders: it is illegal to tell your users that the US government has asked your company to spy on their behalf. This is called a key disclosure law, and the US’s version of it, called National Security Letters, underwent an expansion with the PATRIOT act; by 2013, President Obama’s Intelligence Review Group reported issuing on average, nearly 60 NSLs every day.

        Companies that don’t comply with this law, such as Lavabit, are forced to shut themselves down in protest, in order to avoid prison time, or remain open, and funnel user communications to the US government. The Signal foundation is a US domiciled company, and must comply with this law.

        Signal also notably isn’t self-hostable: there’s no way to run your own Signal server, and control your data. Marlinspike ruthlessly shuts down anyone attempting to build alternate clients or servers that could communicate with the main one.

        This means that all of Signal’s data is centralized and controlled by a single entity: a giant and easy target for US surveillance.

        The centralization of Signal’s data means that it most likely has been issued an NSL letter, along with every other centralized messaging company domiciled in the US. While it’s impossible for us to know for certain, it’s also illegal for the founders to disclose that. For a threat analysis, we should assume the worst, especially for such a popular app.

        There is more in that section, but that seems to be the gist of it.

        • AmaryllisBlues [she/her]@hexbear.net
          4 upvotes · 6 months ago

          But that only applies to data Signal collects, correct? So we’re looking at metadata? The content of your message wouldn’t be compromised because Signal doesn’t have access to it.

          I guess the point I’m trying to make is Signal isn’t good for anonymity, but is fine for privacy. As other people have mentioned, you should be using a decentralized service if you’re organizing activism or whatever else your threat model demands. But as far as talking to friends/family about day-to-day stuff, it looks fine? So I think the question I’m really getting at is why isn’t Signal good as a privacy-friendly messaging service to replace what people were using Telegram for? It’s been a minute since I used Matrix, but I think the self-hosting issue still applies there. Not many people are going to self-host a Matrix server to talk with friends.

          • Optimus_Subprime [he/him, they/them]@hexbear.net
            1 upvote · 6 months ago

            But that only applies to data Signal collects, correct?

            No. The main rejection is due to key disclosure law. “Key disclosure laws, also known as mandatory key disclosure, is legislation that requires individuals to surrender cryptographic keys to law enforcement.”

            If a company operates on US soil and employs any encryption features in their software, they must give up the cryptographic keys or risk fines or closure. That’s what happened to Lavabit. They had to shut down because they wouldn’t provide their keys. So it’s not just that Signal is bad for anonymity, it’s also bad for privacy. All the US spy agencies would have to do is go “Hey look! We’re seeing a lot of activity on Signal. Must be due to those protests against Gaza genocide. These messages are encrypted. Let’s open up Signal and see what’s inside.” With Signal being centralized and having to follow key disclosure law for being based in the US, it’s a trivial matter for the spies to get your now-not-secure messages.

            Even if you’re not using Signal for protesting, and only day-to-day stuff, that’s still of interest to the spies since you are using a communication app with encryption in it. And hey who knows? Maybe learning your speech and communication patterns might be helpful in impersonating you to get info from someone you communicate with that is suspected to be involved in “radical” activities. Never think of yourself as a “small fish”.

            • AmaryllisBlues [she/her]@hexbear.net
              3 upvotes · 6 months ago

              Don’t you need the private key to decrypt messages? Those never leave the device. That’s what happened with Lavabit. They were forced to disclose the private key. But if that key isn’t leaving your device, you need a compromised device/person on the other end to decrypt your messages.

              • Optimus_Subprime [he/him, they/them]@hexbear.net
                1 upvote · 5 months ago

                Don’t you need the private key to decrypt messages? Those never leave the device.

                Right, and you would need a compromised person/device on the other end to decrypt a message, but how hard is it to acquire that, especially for the US spy agencies?

                I am getting into the more extreme circumstances for sure, but I am seeing it from the worst case scenario(s) when it comes to having a centralized server based in the US, under key disclosure law (called National Security Letters here) and Signal being very slow to update their open source code (https://dessalines.github.io/essays/why_not_signal.html#abandonment-of-open-source). It’s not worth it to me.

                • AmaryllisBlues [she/her]@hexbear.net
                  1 upvote · 5 months ago

                  So a compromised device is not unique to a US-based company. A warrant can be issued to seize the device, and that could happen with any other messaging service. It is fine to not like Signal, and there are several reasons not to do so.

                  What I do have an issue with is the idea that Signal is insecure or that federal agencies can very easily peek at your messages. Because that is not how encrypted messaging works. Signal does not have access to your private key. Your private key never makes its way to the Signal server. Which means that even if the server was not running the code they have published, an NSL still wouldn’t let the government decrypt your message. Signal can be forced to disclose your public key, time stamps of your message, who you are texting, etc. But not the content of your message. Nor can they be forced to disclose anything that would give someone access to said content. Again, because Signal does not have access to that information. If you are concerned that Signal could be publishing binaries that don’t reflect the source code, you can build the published source code and use that. But when your threat model is at that point, you are beyond the scope of the original post.

                  The difference between Signal and Lavabit when it comes to key disclosure laws is how the services were set up. Lavabit required encrypted communication with the server to access, send, etc. your emails. Which means the server side needed a private key that an NSL could force them to disclose. Signal is a little different. Private keys are held by the users and never make it to the server. Yes, a user could be forced to disclose that key, but again, that could happen with any messaging server. It is not unique to the service you’re using being based in the US.

                  And this is also completely ignoring the fact that Signal utilizes double ratcheting, which provides some inherent protection for compromised private keys (assuming you and the other person are deleting messages automatically). I would also like to mention that the Signal protocol/double ratcheting/how Signal does messaging is not unique to Signal. It is utilized by a large number of services including Matrix.
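
Added example, not part of the thread and not Signal's code: a minimal sketch of the symmetric-key half of the double ratchet mentioned in the comment above, using the HMAC-with-constant-inputs chain step that the Double Ratchet specification recommends. The starting secret, `ChainRatchet` and `demo` are constructed for illustration, and the Diffie-Hellman half (which is what locks an attacker out of future keys) is left out.

```python
import hashlib
import hmac


def kdf_chain_step(chain_key: bytes):
    """One ratchet step: derive (message_key, next_chain_key) from chain_key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


class ChainRatchet:
    """Hypothetical per-device state: only the current chain key is stored."""

    def __init__(self, initial_chain_key: bytes):
        self._chain_key = initial_chain_key

    def next_message_key(self) -> bytes:
        # The old chain key is overwritten, so it cannot be recovered later.
        message_key, self._chain_key = kdf_chain_step(self._chain_key)
        return message_key

    def seized_state(self) -> bytes:
        """What someone holding the device at this moment would obtain."""
        return self._chain_key


def keys_derivable_from(chain_key: bytes, count: int):
    """Message keys computable going forward from a captured chain key."""
    keys = []
    for _ in range(count):
        message_key, chain_key = kdf_chain_step(chain_key)
        keys.append(message_key)
    return keys


def demo():
    # Constructed stand-in for the secret both devices agreed on end to end;
    # the server never takes part in this derivation.
    shared = hashlib.sha256(b"constructed shared secret for the demo").digest()
    alice, bob = ChainRatchet(shared), ChainRatchet(shared)

    sent = [alice.next_message_key() for _ in range(3)]
    captured = alice.seized_state()          # device seized after message 3
    sent += [alice.next_message_key() for _ in range(2)]
    received = [bob.next_message_key() for _ in range(5)]

    attacker_keys = set(keys_derivable_from(captured, 2))
    return {
        "both_sides_agree": sent == received,
        "past_keys_exposed": len(attacker_keys & set(sent[:3])),
        "future_keys_exposed": len(attacker_keys & set(sent[3:])),
    }


if __name__ == "__main__":
    print(demo())
```

The protection for earlier messages holds only if the old message keys and the decrypted messages themselves have been deleted from the device, which is the caveat the comment makes about automatic deletion.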

    • KurtVonnegut [comrade/them]@hexbear.net
      13 upvotes · 6 months ago

      Love my completely secure, untraceable communications system funded by checks notes Radio Free Asia. /s

      (Signal is bad. Do not use signal. Speaking out loud on the phone is way more safe than typing in Signal.)

      • Chronicon [comrade/them]@hexbear.net
        15 upvotes · 6 months ago

        Speaking out loud on the phone is way more safe than typing in Signal

        I have my concerns about Signal too, but this is just over the top. What could possibly lead you to believe that?

      • PurpleCreation [they/them]@hexbear.net
        5 upvotes · 6 months ago

        This tinfoil hat statement you made is not at all true, Signal provides a stronger E2EE chat service than WhatsApp and Telegram ever will, refusing to add backdoors and only cooperating with law enforcement if it’s the only option to keep Signal alive. Regardless of this unfortunate fact (that they do have to cooperate in some, extremely rare cases) they would never send over chat logs or images because they DON’T log your conversations. Messages are stored locally on your device so they have nothing to send. Stop spreading FUD just because Signal is a project you don’t like due to political views.

    • PurpleCreation [they/them]@hexbear.net
      4 upvotes · 6 months ago

      “Signal is a government” says website with multiple trackers from Google, Datadog, and Cloudflare. Get better sources before talking about anything privacy related.

      • Optimus_Subprime [he/him, they/them]@hexbear.net
        3 upvotes · 6 months ago

        Doing a bit of “I am very smart”, aren’t you? Well two can play that game.

        You do know that DDG gets its search results from Bing, which is Microsoft, right? Also, I linked 2 sources in my comment. Had you actually read (and comprehended) my comment, you would have seen that.

        Also, this: DuckDuckGo Isn’t as Private as You Think

        And after all of that, your comment still doesn’t change the fact that Signal is a US government op from the CIA.