Thanks for sharing. Looks like Durov broke yet another promise. Our own experiments proved just how much data 'Telegram' collects - forever.
He promised he'd never give in, not needing to, as his (ill-gotten) billions afford him many legal domiciles. The 'apps' have been set up to circumvent common blocks for years. When Russia briefly had it on their blacklist, the shills were exploding from joy. India would not stand a chance today.
Yet he breaks his promises over this triviality. It could hardly be any more mundane than a silly local 'piracy' case. The easiest possible situation he could even exploit for his own marketing. Pretend to fight a little, get infinite PR opportunities, gather all the virtue-signaling internet hordes.
The site the update is from is obviously trying to paint this green:
"This means that Telegram sent what it had to send. And if there was nothing, then nothing was sent,"
Deliberate confusion. Strongly implying they have nothing.
"due to the impossibility of obtaining them by Telegram itself"
A direct lie.
"In most cases, we can’t even access any user data without specific entry points, and we believe this was the case here. Consequently, we can’t confirm that any private data has been shared in this instance."
More confusion and betting on false hope. It's an empty statement. And a direct lie. They have 'moderation'. To 'moderate' you must have access. They even boast about banning undesirables depending on the Zeitgeist of the day. Remember when they were yapping about the IS? Not only that, we know their 'moderators' can simply access whatever chat they want. Obviously they have to have that access, or they couldn't offer public channels.
'Telegram' is also quite adept at tracking who had an account. You do have legitimate technical need for such data. Pretending it doesn't exist is blatant lying.
A fully E2E blackbox on RAM-only servers without any logs, in a safe location without physical meddling, and a set-up ceremony with visible code injection à la ICANN would be an interesting social experiment. What if you could really say what you thought? Completely, not just some pretend veil of anonymity, but guaranteed? But as we know the modern era, someone would ruin it for 'fun' in all of five minutes.
The title they used is a direct manipulation attempt, contradicting their shared statements:
"Telegram Formally Complies with Indian Court Decision, User Data not Transferred"
At no point do they declare that no data has been transferred. The 'official' 'Telegram' response at least uses shyster-speak to create confusion and suggest hope.
'Telegram' has the listed information. In all cases, period. There is no way to avoid this whatsoever. The only data they would not be able to access (without a possibly undiscovered backdoor) are 'secret chats', which use E2E encryption. Even for those, they still have all the metadata, which is enough to track user actions, especially if specific files are targeted in a specific channel.
(The file sizes are not manipulated as far as I remember from our tests years ago. I don't know any messenger that even considers this. It also makes no sense with 'Telegram's 'infinite cloud', but that's for another time, or I'll be writing for a week...)
Metadata kills. It's enough to strip you of social security in many countries, to condemn you to starvation. (Algorithmic decisions over human life are real in post-industrialist dystopia.)
System people like to ignore this a lot. Even 'metadata-resistant' solutions are not 'metadata-free'. 'Telegram' is a huge datakraken, it hardly gets any easier to track users, without being 'Google'-sized.
This case is not even about the 'secret chats'. Channels are all unencrypted. They can tell when you opened the 'app', when you clicked a file, when you scrolled over which message.
They don't even try to minimize this; our research showed they are going in the complete opposite direction. They're adding more tracking instead of trying to be clever about minimizing it.
It's apparent to non-techies, too: How could they display all these stats, without having the information?
Marketing scum likes to conflate TLS with E2E:
TLS = transport layer = entirely meaningless when it comes to the operator
E2E = 'end to end' = content can be encrypted, even if not metadata
The single only topic that matters in this, and life in general really, is trust. Not even any of the fancy new 'trustless' systems are completely 'trustless'.
We bet on Durov. His marketing scum department was amazing. All the promises we wanted to hear were made over and over. There is nothing but trust in the end. If he were to stick to what he promised, he would simply shut down official operations in India. With all the consequences: being banned from the Indian 'playstore' and whatnot. Trivial to circumvent, but he wants maximum profit, quite obviously. (He also promised there'd never be ads or any commercial element, simply a datakraken-billionaire 'being nice'. That was the USP.)
But that would impede his ability to generate profit in India. Modi makes it hard for foreigners to transact. And there is no simple way to circumvent official services: All the corruptocoins are pointless, as every exchange is tracked and full of insane 'verifications'. 'Mixing services' that are not an open scam are nonexistent, cash transactions far too marked up to be viable even if you wanted to use some ring-sig based corruptocoin. So Durov could not realistically use his corruptocoin for circumvention. He wants to make money in India, he needs to comply.
An honest operator would minimize information in the first place, and simply tell users the truth. Just like CHIP. CHIP does not pretend to remove our own responsibility.
Keep minimal data online, be sure to trust the operator that deletion is real, and that backups are rotated in reasonable timeframes. Know the software. None of this could ever work 'trustlessly', it's human interaction, basic trust and instinct.
Even Ricochet leaks metadata to some bigger enemies like the NSA, which has the resources needed to handle large scale traffic, and is plugged into every relevant network on earth. Since the reveal of 'PRISM' a decade ago, we know that much. "But wait, there's more": Does every involved party use a trustworthy OS? What does their storage look like? You see how it always comes down to trust.
Even suggesting there are no data in this case is nothing short of hilarious.
Remember that true science is not trustful but verifiable.
A lot must be taken on trust, and can never be verified by yourself. Never trust the merchant-class.