Russia’s state-run messaging app Max has given rise to its own mythology, with numerous rumors and conspiracy theories attributing functions to it that it most likely does not possess. While there are significant risks from using it, they are far more concrete and prosaic than the many popular horror stories currently doing the rounds.

Max gives the Russian authorities sweeping powers to monitor personal messages and calls. The only thing missing for total surveillance is the reluctance of many Russians to switch to the app from the two most popular means of private communications: WhatsApp and Telegram, both of which are outside the control of the Russian government.

The government blocked Whatsapp back in February and is currently moving toward a similar ban on Telegram. In the meantime, the Russian intelligence agencies are creating dozens, if not hundreds, of “honeypots” on Telegram: bots operated by the security services that appear to be offering recruitment into the ranks of Russians fighting on behalf of Ukraine or providing other forms of assistance to the Ukrainian military. Corresponding with these bots has formed the basis for treason cases.

The Max app has no need for such provocations: ​​every word written, every photo sent, and every phrase uttered in a video call is not simply made available to the intelligence agencies, which couldn’t possibly handle them all, but to automatic filtering systems which use neural networks to identify material of interest to the security services.

The problem is that it’s very difficult to make a new messaging app become mainstream. The main factor in the success of this type of program is the user network: quite simply, how many of a person’s friends are on it.

It’s not that the government hasn’t even tried to use competitive methods to attract new users. New features are integrated into Max practically every month, from age verification for buying alcohol and cigarettes to Gosuslugi, the government platform through which Russians can manage their dealings with the state and municipal authorities, and the Gosklyuch digital signature app. But all these services were either already available as separate apps, or there is simply no demand for them—or certainly not enough that people are ready to hand over all their personal correspondence to the state.

Since playing nicely didn’t yield the required result, the authorities resorted to their usual tricks and decided to make Max the primary means of communication for Russians by simply banning its rivals. But Telegram held two trump cards.

Firstly, Telegram is the most popular means of communication for Muscovites, whose loyalty the authorities generally strive to maintain. The government has tried to compensate for economic losses, sanctions, and international isolation by developing convenient and reliable digital services and infrastructure, even in the face of drone attacks on the capital.

The second trump card is that for thousands of propagandists, pro-war bloggers, and other pro-Kremlin “Telegram media,” the messaging service was a key source of income. By threatening to block it and ban advertising on Telegram, the authorities are depriving this loyal group of both their usual audience and advertising revenue.

For now, the blocking of Telegram has been lifted to some extent, and the Federal Antimonopoly Service (FAS) has promised that no one will be fined for advertising on Telegram before the end of the year. Meanwhile, some officials have suddenly started emphasizing the “optional” nature of Max. Even State Duma deputies have begun publicly complaining about the “imposition” of the state messaging service.

The transition to Max is being hampered not only by Telegram’s continued popularity, but also by the unanimous reluctance Russians have shown to adopt the state-run messaging app. Max clones have emerged that display an error screen enabling people to convince their employers that the app has failed to launch, should they come under pressure at work to use it. Even many officials, who have little choice but to use it, are reportedly using separate devices for Max, just to be on the safe side.

Meanwhile, the internet is awash with not only instructions from digital security experts, but also urban legends, conspiracy theories, and AI-generated articles that distract from the app’s true problems.

A typical example is the panic over the app’s geolocation feature. Under certain conditions, Max can indeed determine the device’s location, but that is nothing new: the state already has more effective tools for hunting down individuals such as political activists (first and foremost, data from cell phone towers).

An equally popular scare story is that the messenger app can access other apps on the device. That is extremely unlikely: mobile operating systems have been improving security for years precisely to minimize such risks. But even if Max could do that, the question remains: what’s to stop the Russian authorities from introducing the same function into all the other Russian apps that people use without a second thought?

Max’s developers are not helping to alleviate concerns. Recently, users noticed that when the app is launched, it runs multiple checks of the user’s IP address, which the app already knows in any case. The messenger was transmitting all this information to its servers. The implication was that Max was determining whether a VPN was being used on the device to bypass blocked sites and apps.

Unsurprisingly, this immediately sparked widespread concerns that it was part of an ongoing campaign to identify and block private VPN servers. There were even improbable rumors that using Max would stop VPNs from working.

In fact, the authorities have far more effective and reliable means of combating attempts to circumvent blocking. It’s far more likely that Max’s developers are using these methods to limit the messaging app’s “particularly sensitive” features when a VPN is enabled, such as the aforementioned access to the GosKlyuch digital signature app.

After the app’s seemingly suspicious behavior was reported in the media, the number of checks upon its launch was reduced, and the results of these checks are no longer shared. Max’s press service was swift to deny accusations of searching for VPNs in order to block them, but that only fanned the flames of distrust and added to the conspiracy theories.

As a result, instead of focusing on the real risks and adjusting their behavior accordingly, people are simply panicking. Many Russians are focusing on the threats posed by just one app, while ignoring other chinks in their digital armor. Others are gripped by fatalism: after all, if surveillance is ubiquitous, resistance is futile.

Risks can only be mitigated through a sober assessment of the threats. That requires studying the behavior of suspicious apps like Max, developing users’ digital literacy, and, if possible, avoiding using the state messaging app, since the main danger of doing so is its comprehensive surveillance of all communications within the app itself.