In June 2017, a study of more than 3,000 Massachusetts Institute of Technology (MIT) students published by the National Bureau for Economic Research (NBER) found that 98% of them were willing to give away their friends’ email addresses in exchange for free pizza.
“Whereas people say they care about privacy, they are willing to relinquish private data quite easily when incentivized to do so,” the research said, pointing out what’s called the privacy paradox.
Now, nearly seven years later, Telegram has introduced a new feature that gives some users a free premium membership in exchange for allowing the popular messaging app to use their phone numbers as a relay for sending one-time passwords (OTPs) to other users who are attempting to sign in to the platform.
The feature, called Peer-to-Peer Login (P2PL), is currently being tested in selected countries for Android users of Telegram. It was first spotted by tginfo in February 2024 (via @AssembleDebug).
According to Telegram’s Terms of Service, the phone number will be used to send no more than 150 OTP SMS messages – including international SMS – per month, incurring charges from the user’s mobile carrier or service provider.
That said, the popular messaging app notes that it “cannot prevent the OTP recipient from seeing your phone number upon receiving your SMS” and that it “will not be liable for any inconvenience, harassment or harm resulting from unwanted, unauthorized or illegal actions undertaken by users who became aware of your phone number through P2PL.”
Even worse, the mechanism – which largely relies on an honor system – doesn’t prohibit users from contacting strangers to whose number the OTP authentication SMS was sent, and vice versa, potentially leading to an increase in spam calls and texts.
Telegram said it reserves the right to unilaterally terminate an account from the P2PL program if participants are found sharing personal information about recipients. It also warns users not to contact any OTP recipients or reply to them even if they message them.
As of March 2024, Telegram has more than 900 million monthly active users. It launched the Premium subscription program in June 2022, allowing users to unlock additional features like 4 GB file uploads, faster downloads, and exclusive stickers and reactions.
With online services still relying on phone numbers to authenticate users, it’s worth keeping in mind the privacy and security risks that could arise from partaking in the experiment.
Meta in Legal Crosshairs for Intercepting Snapchat Traffic
The development comes as newly unsealed court documents in the U.S. alleged that Meta launched a secret project called Ghostbusters to intercept and decrypt the network traffic from people using Snapchat, YouTube, and Amazon to help it understand user behavior and better compete with its rivals.
This was accomplished by leveraging custom apps from a VPN service called Onavo, which Facebook acquired in 2013 and shut down in 2019 after it came under scrutiny for using its products to track users’ web activity related to its competitors and secretly paying teens to capture their internet browsing patterns.
The data-interception scheme has been described as a “man-in-the-middle” approach, in which Facebook essentially paid people between ages 13 and 35 up to $20 per month plus referral fees for installing a market research app and giving it elevated access to inspect network traffic and analyze their internet usage.
The tactic relied on creating “fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook’s strategic analysis.”
The apps were distributed through beta testing services, such as Applause, BetaBound, and uTest, to conceal Facebook’s involvement. The program, which later came to be known as In-App Action Panel (IAAP), ran from 2016 to 2018.
Meta, in its response, said there is no crime or fraud, and that “Snapchat’s own witness on advertising confirmed that Snap cannot ‘identify a single ad sale that [it] lost from Meta’s use of user research products,’ does not know whether other competitors collected similar information, and does not know whether any of Meta’s research provided Meta with a competitive advantage.”