In June 2017, a study of more than 3,000 Massachusetts Institute of Technology (MIT) students published by the National Bureau of Economic Research (NBER) found that 98 percent of them were willing to give up their friends’ email addresses in exchange for free pizza.
“While people say they care about privacy, they are willing to give up private data quite easily when they have incentives to do so,” the research says, underscoring what is called the privacy paradox.
Now, nearly seven years later, Telegram has introduced a new feature that offers some users a free premium subscription in exchange for letting the popular messaging app use their phone numbers as a relay to send one-time passwords (OTPs) to other users who are trying to access the platform.
The feature, called Peer-to-Peer Access (P2PL), is currently being tested in select countries for Telegram’s Android users. It was first noticed by tginfo in February 2024 (via @AssembleDebug).
According to Telegram’s Terms of Service, the phone number will be used to send no more than 150 OTP SMS messages – including international SMS – per month, incurring charges from the user’s mobile operator or service provider.
That said, the popular messaging app stresses that it “cannot prevent the OTP recipient from seeing your phone number after receiving your SMS” and that it “shall not be liable for any inconvenience, harassment, or damage resulting from any unwanted actions, not authorized or illegal actions undertaken by users who became aware of your telephone number via P2PL.”
Even worse, the mechanism – which is largely based on an honor system – does not prohibit users from contacting the strangers to whose numbers the OTP authentication SMS was sent, and vice versa, potentially leading to an increase in calls and spam messages.
Telegram said it reserves the right to unilaterally terminate an account from the P2PL program if participants are found sharing personal information about recipients. It also warns users not to contact any OTP recipients, or to respond even if the recipients message them.
As of March 2024, Telegram has more than 900 million monthly active users. It launched the Premium membership program in June 2022, allowing users to unlock additional features such as 4GB file uploads, faster downloads, and exclusive stickers and reactions.
Given that online services still rely on phone numbers to authenticate users, it’s worth keeping in mind the privacy and security risks that could arise from participating in the experiment.
Meta in legal crosshairs for intercepting Snapchat traffic
The development comes as court documents recently made public in the US allege that Meta launched a secret project called Ghostbusters to intercept and decrypt the network traffic of people using Snapchat, YouTube and Amazon to help it understand user behavior and better compete with its rivals.
This was achieved by leveraging custom apps from a VPN service called Onavo, which Facebook acquired in 2013 and shut down in 2019 after coming under scrutiny for using its products to track users’ web activity related to its competitors and for secretly paying teenagers to capture their Internet browsing patterns.
The data interception scheme was described as a “man-in-the-middle” approach, in which Facebook essentially paid people aged 13 to 35 up to $20 a month plus referral fees for installing a market research app and giving it increased access to inspect network traffic and analyze their Internet usage.
The tactic was based on creating “fake digital certificates to impersonate trusted analytics servers from Snapchat, YouTube, and Amazon to redirect and decrypt secure traffic from those apps for Facebook’s strategic analytics.”
The apps were distributed via beta testing services, such as Applause, BetaBound, and uTest, to hide Facebook’s involvement. The program, which later became known as the In-App Action Panel (IAAP), ran from 2016 to 2018.
Meta, in its response, said there is no crime or fraud and that “Snapchat’s own testimony on advertising confirmed that Snap cannot ‘identify a single ad sale that [it] lost from Meta’s use of user research products,’ does not know whether other competitors have collected similar information, and does not know whether any of Meta’s research provided Meta a competitive advantage.”