Comrade Mayor’s leaker: “I gave them the mobile phone. Instead, I got big traffic on my website”
Meduza journalists have recently managed to identify the author of the anonymous Telegram channel Comrade Mayor, which leaked the personal data of thousands of people who participated in the recent protests in Moscow. The Insider Telegram deanonymising programme helped the investigators make the identification. Realnoe Vremya found out who can use this product, how it works, how legal it is and what the messenger’s users should do.
Access for security officials, authorities and Meduza only
A file with the personal data of more than three thousand people was published on the Comrade Mayor Telegram channel a day before one of the recent Moscow rallies. Phone numbers, names, addresses, birth dates, passport numbers — everything ended up in the public domain. It should be noted that most of the information published in the database belonged to the participants of the recent protests in Moscow.
Comrade Mayor met its revenge last week — Meduza journalists revealed the identity of the anonymous Telegram channel’s author. Supposedly it is Vitaly Taysayev, an SMM manager from Moscow. The programme Insider Telegram, created by the Centre for Research of Legitimacy and Political Protest ANO, helped the journalists find the person behind the leak.
It seems that a new deanonymiser has appeared on the market (the description of the software on the Centre’s website confirms it). Moreover, it was created by the same team that already created Laplace's Demon (a system of round-the-clock monitoring and data collection from social networks) and Cryptoscan (a programme that also deanonymises Telegram users).
“There are now more than 10 million numbers in the program’s database,” the centre’s director, Yevgeny Venediktov explained. “We simply check all the numbers in a row to see if they’re present on Telegram: we take, let’s say, all the numbers beginning with +7911, and we run the whole numbering capacity from zeros to nines. When you use Telegram on your smartphone, you automatically see any accounts linked to your contacts, right? Well we’re simply adding all the country’s Telegram users to our very fat ‘phone book.’”
Realnoe Vremya decided to test the possibilities of Insider Telegram. However, having turned to Yevgeny Venediktov, we got an ambiguous reply: “The access is for security officials and authorities only. Sorry”. When asked the logical question of which of these two groups the Meduza journalists belonged to, our interlocutor said the following: “They just gave a specific user name and asked me to give them the mobile phone. Instead, they inserted a hyperlink, and I got big traffic on my website. That’s to say, it was a commercial exchange”. Nothing surprising in general.
Just a new version of Cryptoscan?
According to Anton Rozenberg, ex-director of special areas in one of Telegram’s structures, the story of Insider Telegram is not actually new: Izvestiya wrote about a development by the same Centre for Research on Legitimacy and Political Protest exactly a year ago. It was called Cryptoscan then, but the features were the same: given a user name, it returned the phone number the account is linked to. However, the modus operandi was described as follows: a vulnerability had allegedly been found in Telegram’s API through which the phone number was returned directly in response to a request naming the account.
Our interlocutor also recalls that this method had been discussed online previously.
“When I came to work at Telegram in 2016, I found other ways of sorting through phone numbers almost without limits. I eliminated the vulnerabilities found and took on a systemic solution to the problem. Unfortunately, I had to leave the messenger’s team soon. The Durov brothers didn’t ask me to hand over the business, so I don’t know if somebody dealt with these issues afterwards. However, it is impossible to solve this problem completely anyway until there are features showing all users of the messenger from your phone book with their phone numbers. And Durov is unlikely to refuse it, as the increase of the number of users and involvement of users, not security or privacy, remains a priority for him. So if you identify a phone number with the account, which once created there, it won’t be a big deal to check if it is still valid: it is enough to add this number to your phone book and see the account it is linked to now. It is what the Meduza correspondent did,” the expert said.
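The range sweep Venediktov describes and the limits Rozenberg mentions suggest what a server-side check could look for. The following is an added example, not code from the article, Telegram or the Centre: it flags accounts whose contact imports cover a numbering block sequentially or densely. The event format, thresholds, account names and sample numbers are assumptions constructed for illustration.

```python
from collections import defaultdict

BLOCK_DIGITS = 2       # assumption: blocks of 100 numbers (last two digits vary)
COVERAGE_LIMIT = 0.5   # assumption: flag if one account imports >50% of a block
RUN_LIMIT = 20         # assumption: or 20+ consecutive numbers


def longest_run(sorted_nums):
    """Length of the longest stretch of consecutive integers."""
    best = cur = 1 if sorted_nums else 0
    for prev, nxt in zip(sorted_nums, sorted_nums[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best


def flag_enumerators(events):
    """events: (account_id, phone) contact-import records (hypothetical format).
    Returns {account_id: reason} for accounts whose imports look like a sweep."""
    per_account = defaultdict(set)
    for account, phone in events:
        digits = "".join(ch for ch in phone if ch.isdigit())
        if digits:
            per_account[account].add(int(digits))

    block_size = 10 ** BLOCK_DIGITS
    flagged = {}
    for account, nums in per_account.items():
        ordered = sorted(nums)
        run = longest_run(ordered)
        blocks = defaultdict(int)
        for n in ordered:
            blocks[n // block_size] += 1
        coverage = max(blocks.values()) / block_size
        if run >= RUN_LIMIT:
            flagged[account] = f"consecutive run of {run} numbers"
        elif coverage > COVERAGE_LIMIT:
            flagged[account] = f"{coverage:.0%} of one {block_size}-number block"
    return flagged


# Constructed sample log: placeholder numbers, not real subscribers.
SAMPLE = (
    [("acct_sweeper", f"+7 911 000 00 {i:02d}") for i in range(40)]
    + [("acct_scatter", f"+7 911 000 01 {i:02d}") for i in range(100) if i % 3]
    + [("acct_normal", p) for p in ("+7 911 000 02 17", "+7 903 000 55 01",
                                    "+7 495 000 11 22")]
)

if __name__ == "__main__":
    for account, reason in flag_enumerators(SAMPLE).items():
        print(account, "->", reason)
```

The coverage test catches a sweep that skips numbers to avoid a long consecutive run; an ordinary address book with a few unrelated numbers trips neither rule.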
It should be noted that when anonymous people are being identified, the accuracy of the programme’s results is important.
“As there is already a database, Telegram developers can’t influence its content any more. However, it is unknown how often the data is updated there. If the number has been linked to the account for long and hasn’t changed, it may be found in the base. As I already said, the found number’s validity can be checked with a hundred per cent accuracy. If one changes numbers regularly, the system will likely show one of the previous phone numbers. It will be possible to check that it isn’t valid. However, the information about the owner of this number at least wasn’t linked with this account in the past remains there. Then it depends on who will ask questions, what questions or have claims for the number’s owner and if he will believe the answers like ‘I sold the channel/handed over the access together with the SIM card’,” Anton Rozenberg thinks.
Confidentiality or security?
According to Andrey Naberezhny, head of projects at the Yakovlev and Partners college of advocates in Moscow, there has recently been serious demand for identifying the real people who chat or run channels in messengers. Our interlocutor’s attitude to this development is ambiguous.
The ex-director of special areas in Telegram also evaluated the legality of the programme’s modus operandi.
“At the moment the problem affects mainly Russian users (maybe Ukrainian, too). At least I haven’t heard about sorting through phone numbers of other countries. So there is a question: whether somebody will complain and, if so, where. Russian justice is unlikely to be able to do something with Telegram, as the messenger positions itself as non-Russian (without specifying another jurisdiction), while in Russia it already must be officially banned. A similar story happened to Vk.com and SearchFace, which allowed people to search for people by photo. The social network threatened to file a suit against the search engine’s developers at that moment, and the latter first removed links to profiles from search results. However, it was relaunched later as FindClone. I don’t know how the opposition ended. But Pavel Durov is unlikely to do the same and defend the users’ data in court,” Anton Rozenberg supposes.
Besides, the expert gave the messenger’s users some advice in light of the appearance of a new deanonymiser on the market. Firstly, you shouldn’t hope that nobody will find out your phone number. This includes chatting in the messenger: you shouldn’t write anything you could later suffer for. Moreover, you shouldn’t use Telegram for illegal purposes. You should keep in mind that all your actions can become public sooner or later.