Telegram security

How safe is Telegram?

News that Telegram(new window) founder and CEO Pavel Durov has been arrested(new window) and charged on a wide range of charges(new window), including fraud, drug trafficking, organized crime, and the promotion of terrorism, has thrown a spotlight on the unmoderated nature of the controversial messaging platform. But is Telegram safe to use? As we’ll discuss in this article, that very much depends on how you use it.

Telegram is an open source, cloud-based messaging app that allows you to send text messages, voice messages, photos, videos, and files of various types. It was launched in 2013 by brothers Pavel and Nikolai Durov, who also founded the Russian social networking site VK(new window) (from its original name, VKontakte).

Boasting over 500 million users, Telegram is wildly popular, in no small part due to the widespread perception that it’s highly secure. This perception is only heightened by a number of governments that are trying to block or ban the app, notably Indonesia, Russia, and Iran.

What is Telegram used for?

Telegram can be used as a one-to-one or group private messenger, much like WhatsApp(new window) and Signal(new window). However, it’s the ability to create public “channels” that really sets Telegram apart.

Users can create and post content on channels, which can attract an unlimited number of subscribers. This feature has become particularly popular in countries with strict censorship, such as Iran, where Telegram boasts over 40 million users despite government efforts to block access.

Public channels can be created using an alias and a unique URL, allowing anyone to subscribe. This makes Telegram an effective platform for organizing resistance and spreading information (but can also be exploited for less savory purposes). 

How secure is Telegram?

Telegram has a reputation for its use of end-to-end encryption, but this level of encryption is not enabled for all use cases and isn’t on by default. Many of the most popular Telegram features, such as channels, are not end-to-end encrypted, meaning the company can see much of the user data in the app and making it susceptible to surveillance and data breaches. 

What does Telegram know about me?

To use Telegram, you must register using your real mobile phone number. Telegram requests access to your phone’s contacts to discover other users you might know, or you can add other Telegram users manually via their phone number. 

Telegram asks for your first name (which it doesn’t verify), and providing a second name is optional. 

Telegram encryption

All Telegram communications (whether E2EE or otherwise, which we’ll discuss below) are secured using the in-house MTProto protocol. The original MTProto v.1.0, which is deprecated and is currently being phased out, was criticized(new window) by security experts for being prone to a number of fairly simple attacks. However, MTProto 2.0(new window) has been formally verified(new window) to be cryptographically secure.

The encryption keys used to secure conversations are split into pieces across Telegram’s own secure global cloud infrastructure, and never stored in the same place as the information they protect.

Is Telegram end-to-end encrypted?

Telegram supports “secret chats”. This provides end-to-end encryption (E2EE) for one-to-one text, voice, and video conversations. 

Learn more about end-to-end encryption(new window)

But (and this is a big but):

  • Group chats and channels can’t be end-to-end encrypted
  • One-to-one conversations aren’t end-to-end encrypted by default. “Secret chats” must be manually enabled on a per-chat basis (so there’s no global option), and it’s worth noting that the secret chat option isn’t very obvious.

Does Telegram collect metadata?

According to its privacy policy(new window), Telegram “may collect metadata such as your IP address, devices, and Telegram apps you’ve used, history of username changes, etc. If collected, this metadata can be kept for 12 months maximum”.

As former NSA and CIA director Michael Hayden once remarked(new window): “We kill people based on metadata”, and this is a non-trivial amount of metadata (especially the recording of your IP address(new window)).

Is Telegram safe? Depends how you use it

Other than some nagging concerns about how much metadata Telegram collects, end-to-end encrypted one-to-one “secret chats” are probably safe. Just remember that these must be manually initiated — by default, one-to-one conversations are not secure. It’s worth noting that many other apps (such as Signal or even WhatsApp) provide the same level of functionality, but with E2EE by default. 

What sets Telegram apart (and is the main reason for its huge popularity) is channels, and these (and group chats) are not safe to use. Without end-to-end encryption, Telegram (or anyone who can pressure Telegram or gain access to its systems) can read everything posted in such conversations. And since all Telegram users are identified by their real phone numbers (which can be hidden from other users on channels, but are visible to Telegram), they can be easily identified. 

Despite these issues, Telegram remains very popular — notably in restrictive countries  where many people rely on the platform for objective news and to organize. Although we recommend using safer options, Proton VPN allows you access Telegram, even in places where authoritarian governments try to block it.

Related articles

How to fix a 502 error
en
In this article, we explain what a 502 bad gateway error is and explore possible ways to fix it as a visitor to a website.
Watch Thanksgiving Day football with Proton VPN
en
Here's how you can live stream this year's Thanksgiving football games using Proton VPN, whether you're watching from home or abroad.
Where to watch Macy's Thanksgiving day parade
en
Here's how and where to watch Macy's Thanksgiving Day Parade live from anywhere in the world with Proton VPN.
What we've been up to, and what's next
en
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.
Proton VPN for Windows ARM
en
We’re pleased to announce a new Proton VPN app with native support for Windows devices that use the ARM chipset.
What is doxing and is doxing illegal
en
  • Privacy basics
We look at what doxing is, who does it (and why), and at how to protect yourself from doxing .