Telegram now has 35M users, but can it be trusted?

After WhatsApp revealed its sale to Facebook(s fb), some of its users decided they would abandon ship – and many of those chose Telegram as their lifeboat. The Berlin-based messaging firm saw a sudden spike in downloads in late February and, on Monday, it said it had 35 million monthly active users and 15 million daily active users.

For context, Telegram had 100,000 users last October. WhatsApp has 450 million active users, so this is clearly still minor-league stuff, but Telegram sure is growing quickly, and a lot of that has to do with its focus on privacy and security. WhatsApp may be adamant about not changing post-acquisition, but Facebook has a bad reputation on the privacy front.

But how secure and private is Telegram, actually?

Homegrown security

First off, it must be noted that WhatsApp doesn’t have a terrific security reputation itself, though it is clearly taking these things more seriously these days. In other words, being more secure than WhatsApp isn’t necessarily the tallest order.

Telegram offers optional “secret chats” that are protected by end-to-end encryption and leave no trace on the users’ devices or Telegram’s servers. These chats are also self-destructing, Snapchat style. However, they are not as simple to conduct as non-secret chats.

For all chats, Telegram provides encryption between the client and server, which is a good start–WhatsApp does not do this, though it does encrypt its message databases. However, Telegram uses a homegrown encryption protocol called MTProto rather than industry-standard Transport Layer Security (TLS), and some researchers have claimed it is possible to snoop on chats if you compromise Telegram’s servers.

The company actually paid out $100,000 to someone who nailed down that flaw in its secret chat mechanism, then fixed the flaw. It still has an as-yet-unclaimed $200,000 prize for anyone who can crack MTProto. That said, such contests have a bad rep for being conveniently framed, and Telegram has taken some heat on this front from noted developer Moxie Marlinspike, who I should point out is part of the small Whisper Systems team working on a rival app called TextSecure.

Then there’s the matter of Telegram’s business model, which does not exist. The company is funded by Pavel Durov, the erstwhile owner of Russian Facebook rival VKontakte, and Telegram says it is a non-commercial project, a “messenger for the people.” That’s noble, but nobility only goes so far when you have tens of millions of users and a non-peer-to-peer system.

If the funds run dry, Telegram says it will “invite our users to donate or add non-essential paid options.” Again, it remains to be seen how sustainable that is in the long run, and what happens if it isn’t.

Depends on what you want

As with so many security and privacy-related issues, whether or not Telegram is locked-down enough for you really depends on what you’re looking for.

If you’re jittery about WhatsApp reneging on its privacy promises under Zuckerberg’s yoke, but you want WhatsApp-style convenience, then Telegram could very well be worth checking out. The secret chat option is good to have, though it’s inconvenient enough that most people will probably never use it.

If the idea of a homegrown security protocol makes you nervous and you want something super-secure yet free, Whisper Systems’ TextSecure could be right for you. It’s what I’m using right now. Full on-device local encryption is a nice touch, as is the fact that all chats are secret by default.

Because the app is designed to take over your handset’s SMS functionality too, it’s not as streamlined as a pure instant messaging app, and can occasionally feel a bit clunky compared with WhatsApp. TextSecure has its quirks–when I swapped out the SIM card on a recent visit abroad, incoming messages just queued and didn’t arrive until I returned home–but overall it works and I’m sure its tiny developer team will iron out the kinks. I realize, though, that it’s not yet a mass-market proposition, whereas Telegram seems to have become just that.

Ultimately, though, the reality is that most people can use all of these apps or any combination. There’s little to tie someone to one platform or another, apart from who else is on those platforms, and there’s nothing stopping you from using WhatsApp to talk to family, Telegram to talk to business colleagues, and TextSecure to talk to your lawyer.

In fact, splitting your communications in this way is a form of compartmentalization, an operational security strategy that makes it harder to glue together a complete picture of you. If that’s what you’re after, and as long as nobody already has access to your device, then by all means, mix and match to your heart’s content.

This article was updated at 8.15am PT to note the bounty paid out for finding a flaw in Telegram’s secret chat feature.