A dispute between the founder of Telegram, one of the most popular “secure” messaging apps, and a former employee has revealed that the company may be more vulnerable to influence by the Russian government than it appears.
Telegram’s CEO Pavel Durov first founded VK, the Russian version of Facebook originally known as VKontakte, in 2006 with his brother Nikolai. But after clashing with the Kremlin over censorship and struggling with Putin loyalists over control of the site, the brothers left the company in 2013 and fled to Buffalo, New York, to start Telegram. “We had a simple choice: Either betray our values or keep our values and leave Russia to try to do something new,” Pavel Durov told Reuters.
Since then, Durov has repeatedly proclaimed himself to be an uncompromising champion of free speech. Being an exile bolstered this claim, and made it easier to believe that Telegram would and could protect activists and journalists from having their communications intercepted.
However, Anton Rozenberg, a software developer and former employee of Telegram’s parent company, is now saying that there are Telegram employees working out of the historic Singer House in St. Petersburg, Russia’s former imperial capital, a claim that has since been corroborated by others. That’s significant because the Singer House is also home to VK, which is now owned by the oligarch and Putin ally Alisher Usmanov. (It’s also the building where in 2012 Durov and coworkers infamously folded 5,000 ruble notes, worth about $150 each, into paper airplanes and threw them out the window, sparking violence in the street below.)
The revelation casts doubt on Durov, who denies Telegram has an office in Russia, and continues to style himself as a rebel at odds with the complex Russian power structure that includes the government and oligarchy.
It also raises questions about how safe Telegram is from Kremlin interference, given that VK is owned by a Kremlin sympathizer and that the Kremlin has an obvious interest in monitoring and controlling popular social networks. “As a security specialist, I have some questions about how their office isn't physically protected from the offices that surround it,” Rozenberg told The Outline. “VK employees, for a long time, have had access to Telegram offices.”
Rozenberg said he worked at VK from 2007 to 2014, first as a systems administrator and then as CTO. He then worked at Telegram from 2014 to 2017 as Director of Special Projects, he said.
In an interview with The Outline, Rozenberg said he and Nikolai Durov became friends in sixth grade, where they bonded over their love of math. According to Rozenberg, at Telegram, Nikolai was CTO and therefore Rozenberg’s boss. But in January, Rozenberg discovered that his old friend was in love with his then-fiancee and now wife Kate, which led to an argument that ended their friendship. Shortly after that, Nikolai revoked Rozenberg’s access to Telegram’s servers, leaving him unable to work, Rozenberg said. Two months later, after Rozenberg said he refused Pavel Durov’s request to step down, he was fired.
Rozenberg filed a lawsuit for wrongful termination on May 18 against Telegraf LLC, which Rozenberg says is Telegram’s parent company; Telegraf LLC signed his paychecks as well as those of the other core Telegram developers, he said. On August 7, Telegraf LLC countersued for 100 million rubles, or roughly $1.3 million, alleging that Rozenberg’s lawsuit had disclosed company secrets and violated his non-disclosure agreement.
Pavel Durov told The Outline that Telegraf LLC employed core Telegram developers until 2014, but that it now only exists as a shell company and is no longer affiliated with Telegram. Durov said he sold Telegraf LLC in August after the lawsuit was filed. Durov’s story was slightly different in August, when a VK employee confirmed that at least four Telegram developers were working out of the Singer House. When asked about it at the time, Durov said, “I think you must have met guys from the former Telegraph LLC. We outsourced stuff like processing spam reports there until recently.”
When The Outline asked if Durov was behind the lawsuit against Rozenberg, Durov would only say that he “didn’t object” if Telegraf LLC’s lawsuit “reminded” Rozenberg about his non-disclosure agreements.
Durov admitted that the Telegram team did work in the Singer House in its early days, but moved out in 2014 and is now transient. “We used the Berlin base back in 2014 and early 2015, but failed to stay there permanently due to bureaucracy with resident permits that we failed to obtain for the entire team,” Durov told The Outline, “So we switched to easier jurisdictions.” Durov himself has St. Kitts and Nevis citizenship, which allows him visa-free travel throughout much of the world, flitting between Paris, Venice, Singapore, and others. (“Me myself, I’m not a big fan of the idea of countries,” he once told The New York Times.) Telegram is in the process of setting up an office in Dubai, Durov told The Outline, and he and his brother plan to join the team within a week.
Durov has repeatedly dismissed Rozenberg’s claims, saying he may be mentally ill because “he made crazy claims that are easy to refute.” According to Durov, Rozenberg never worked on Telegram and is lying. “He worked at Telegraph LLC that we outsourced dealing with spam to,” Durov told The Outline. “The point is probably again - to get some attention.”
But Axel Neff, who worked at VK and then at Telegram as its first CIO before leaving in 2014, told The Outline that Rozenberg did in fact work on Telegram.
“Durov is a showman,” Neff told The Outline. “He lives in a world of spin. He’s very efficient in getting his desired stories out through social media and publications.”
Telegram, which said it has 100 million monthly active users early last year, is the go-to app for many in the former Soviet space, including Ukraine — which is fighting an undeclared war against Russia-backed insurgents — despite its alleged Kremlin connection. It claims to have some 40 million users in Iran, which is roughly four times as many as it has in Russia. (Iranian prosecutors have filed criminal charges against Durov, saying the app supports extremism and child pornography.) Telegram is also widely reported to be the communication method of choice for ISIS.
Computer security experts have long suspected Telegram might be insecure due to a weak encryption standard and the fact that messages over the app are sent unencrypted by default.
Telegram created its own proprietary encryption method instead of using a protocol that is public and proven to be secure, as most companies including Facebook, Google, and the secure messaging startup Signal do. Telegram has also been criticized for leaving messages unencrypted in transit by default, meaning users who don’t deliberately change the setting are vulnerable to mass surveillance and hacking. Because of this, Edward Snowden called the app “dangerous for non-experts.”
The fact that Telegram has employees in St. Petersburg casts even more doubt over whether the app is truly secure. “If part of the team does work in Russia, the developers — and through them the company — are open to both legal and extrajudicial risks,” Bloomberg columnist Leonid Bershidsky writes. “They can come under heavy pressure to allow the [Russian government] access to Telegram communications.”
On September 17, one day before both trials were set to begin, Rozenberg published a long post on Medium filled with photos from the Singer House office and screenshots of conversations from his time at VK and Telegram. The post has since been removed, but is preserved here.
In the post, which included details beyond what was in the lawsuit, Rozenberg claimed that Telegram is connected to a network of shell companies, owned by Durov, in countries around the world, many with extremely similar names.
According to Rozenberg, there’s Telegraph Inc., the company that owned Telegraf LLC before it was sold to a company called Digital Solutions. Telegraph Inc. is registered in Belize, according to Rozenberg, and has a 50 percent stake in Telegram Messenger LLP, which is registered in London. The other 50 percent is owned by a company called Dogged Labs Ltd, which is headquartered in the British Virgin Islands and is also owned by Pavel Durov, Rozenberg said. On the Apple App Store in the U.S. and U.K., the Telegram app is sold under yet another name, Digital Fortress LLC. “We have about a dozen companies worldwide,” Durov told The Outline. “We want to remain flexible and independent, dropping shells we previously used if we face risks in a given jurisdiction.”
Rozenberg and his lawyers are discussing a potential settlement, Rozenberg said, but his lawsuit and Telegraf’s countersuit are proceeding in court behind closed doors. That’s why Rozenberg is speaking with journalists, he said — because he fears what could happen to him if the case plays out in secret. “If nobody knew my story I could go to prison,” Rozenberg said, “because me and Pavel have very different resources in Russia and Pavel has much more.”
While that may be true, Durov’s standing in Russia is shaky at best. It looks fairly likely that Telegram will soon be blocked entirely in Russia. Earlier this summer, Russia’s communications regulator Roskomnadzor threatened to block the app if it did not formally register with the state. Telegram eventually complied, but this week Durov said the FSB or Federal Security Service, the successor to the KGB, is now asking for the encryption keys that would allow the state to read users’ messages. Meanwhile, the Russian media has been calling Durov an anarchist and emphasizing Telegram’s popularity with terrorists.
The extent to which Durov could or would resist Kremlin intervention is very unclear, and the decision about whether to trust an app to keep communications private should never depend on the trustworthiness of one person. But multiple sources claiming Telegram employees currently work out of St. Petersburg, coupled with Durov’s flat-out denial and apparent attempt to intimidate a former employee, are just the latest reasons not to use it when there are more secure alternatives.
Christopher Miller contributed reporting and editing.