The CEO responded to the claims in 404’s article: This is our official response to 404 Media
"Dear Joseph,
Frankly, we were, to put it mildly, extremely surprised by the superficial and unsubstantiated nature of the publication, particularly given that it originates from a source presenting itself as an objective media outlet. While we understand that provocative headlines and content may be intended to generate attention and public reaction, we would reasonably expect that material addressed to a broad audience meets basic standards of diligence, substantiation, and evidentiary support. We also take this opportunity to remind the authors of their responsibility when disseminating information that may be false, misleading, and potentially harmful to the reputation of the parties concerned.
With regard to the allegations concerning the purported insecurity of encryption in TeleGuard, we state as follows:
“TeleGuard … implements its encryption so poorly that an attacker can trivially access a user’s private key and decrypt their messages.” This assertion is factually incorrect, misleading, and presented in an unjustifiably categorical manner. TeleGuard employs encryption algorithms that conform to established industry standards (including, inter alia, Salsa20). Any statement suggesting trivial compromise of private keys is without factual basis.
“TeleGuard also uploads users’ private keys to a company server, meaning TeleGuard itself could decrypt its users’ messages, and the key can also at least partially be derived from simply intercepting a user’s traffic.” This statement reflects a fundamental misunderstanding of the underlying technical processes. The data transmitted to the server consists of a hashed representation, not a usable private key. The actual private key remains encrypted on the user’s device using the user’s password. Accordingly, it is not accessible to TeleGuard, nor can it be decrypted via interception of network traffic, absent compromise of the user’s credentials.
For the avoidance of doubt, the referenced “keys” are used solely for user invitation mechanisms and play no role in message encryption. They do not, under any circumstances, enable access to the content of user communications.
The following statement is particularly concerning and is categorically rejected: “The app has also repeatedly been linked to child abusers, with one local media outlet reporting TeleGuard is ‘notorious’ among prosecutors for child sexual abuse material.”
This allegation attempts to associate TeleGuard with criminal activity of the most serious nature. We unequivocally deny any such association. TeleGuard has never supported, facilitated, or condoned illegal activities of any kind, and we are prepared to defend this position in any competent jurisdiction.
We fully acknowledge that encrypted and anonymous communication tools, like any technology, may be subject to misuse. Upon receipt of valid reports from competent authorities concerning unlawful activity, the relevant user accounts are promptly blocked. Due to the technical architecture of the service, it is not possible to access the content of user communications without access to the user’s device.
In order to substantiate the claims made in the publication, we invite the referenced “security experts” to provide verifiable, reproducible evidence of the alleged vulnerabilities, including demonstrable access to user correspondence. For this purpose, we are prepared to provide a test account under controlled conditions.
In the absence of such evidence, the allegations presented must be regarded as speculative and without sufficient factual foundation.
We do not assert that TeleGuard is entirely free from defects; no technical system can make such a claim. However, we affirm that we exercise all reasonable care and diligence to ensure that the service operates in accordance with the standards represented to our users.
We further reiterate that TeleGuard and its parent company, Swisscows, are firmly committed to the protection of user privacy. At no time have we intentionally compromised, nor will we intentionally compromise, the security of user data.
We also note that modern communication infrastructures are inherently complex and continuously evolving. Data transmission involves multiple transformations and intermediary systems, each of which may present potential vulnerabilities or points of failure, whether due to malicious activity or human error.
As developers, we consider it our responsibility to continuously monitor, assess, and address such risks. While issues may arise, we maintain that responsible disclosure practices require that identified vulnerabilities be communicated directly to developers prior to public dissemination, allowing for timely remediation.
We remain open to constructive and well-founded criticism and consider it an important component of ongoing improvement. However, we expect such criticism to be based on verifiable facts and presented in a fair and objective manner, rather than relying on anonymous or undisclosed sources.
We remain available to engage in a substantive and fact-based dialogue with qualified experts and to address specific, demonstrable concerns. However, we categorically reject unfounded allegations of incompetence or intentional misconduct.
Sincerely, The TeleGuard Team"