News that Telegram(nieuw venster) founder and CEO Pavel Durov has been arrested(nieuw venster) and charged on a wide range of charges(nieuw venster), including fraud, drug trafficking, organized crime, and the promotion of terrorism, has thrown a spotlight on the unmoderated nature of the controversial messaging platform. But is Telegram safe to use? As we’ll discuss in this article, that very much depends on how you use it.
Telegram is an open source, cloud-based messaging app that allows you to send text messages, voice messages, photos, videos, and files of various types. It was launched in 2013 by brothers Pavel and Nikolai Durov, who also founded the Russian social networking site VK(nieuw venster) (from its original name, VKontakte).
Boasting over 500 million users, Telegram is wildly popular, in no small part due to the widespread perception that it’s highly secure. This perception is only heightened by a number of governments that are trying to block or ban the app, notably Indonesia, Russia, and Iran.
What is Telegram used for?
Telegram can be used as a one-to-one or group private messenger, much like WhatsApp(nieuw venster) and Signal(nieuw venster). However, it’s the ability to create public “channels” that really sets Telegram apart.
Users can create and post content on channels, which can attract an unlimited number of subscribers. This feature has become particularly popular in countries with strict censorship, such as Iran, where Telegram boasts over 40 million users despite government efforts to block access.
Public channels can be created using an alias and a unique URL, allowing anyone to subscribe. This makes Telegram an effective platform for organizing resistance and spreading information (but can also be exploited for less savory purposes).
How secure is Telegram?
Telegram has a reputation for its use of end-to-end encryption, but this level of encryption is not enabled for all use cases and isn’t on by default. Many of the most popular Telegram features, such as channels, are not end-to-end encrypted, meaning the company can see much of the user data in the app and making it susceptible to surveillance and data breaches.
What does Telegram know about me?
To use Telegram, you must register using your real mobile phone number. Telegram requests access to your phone’s contacts to discover other users you might know, or you can add other Telegram users manually via their phone number.
Telegram asks for your first name (which it doesn’t verify), and providing a second name is optional.
Telegram encryption
All Telegram communications (whether E2EE or otherwise, which we’ll discuss below) are secured using the in-house MTProto protocol. The original MTProto v.1.0, which is deprecated and is currently being phased out, was criticized(nieuw venster) by security experts for being prone to a number of fairly simple attacks. However, MTProto 2.0(nieuw venster) has been formally verified(nieuw venster) to be cryptographically secure.
The encryption keys used to secure conversations are split into pieces across Telegram’s own secure global cloud infrastructure, and never stored in the same place as the information they protect.
Is Telegram end-to-end encrypted?
Telegram supports “secret chats”. This provides end-to-end encryption (E2EE) for one-to-one text, voice, and video conversations.
Learn more about end-to-end encryption(nieuw venster)
But (and this is a big but):
- Group chats and channels can’t be end-to-end encrypted
- One-to-one conversations aren’t end-to-end encrypted by default. “Secret chats” must be manually enabled on a per-chat basis (so there’s no global option), and it’s worth noting that the secret chat option isn’t very obvious.
Does Telegram collect metadata?
According to its privacy policy(nieuw venster), Telegram “may collect metadata such as your IP address, devices, and Telegram apps you’ve used, history of username changes, etc. If collected, this metadata can be kept for 12 months maximum”.
As former NSA and CIA director Michael Hayden once remarked(nieuw venster): “We kill people based on metadata”, and this is a non-trivial amount of metadata (especially the recording of your IP address(nieuw venster)).
Is Telegram safe? Depends how you use it
Other than some nagging concerns about how much metadata Telegram collects, end-to-end encrypted one-to-one “secret chats” are probably safe. Just remember that these must be manually initiated — by default, one-to-one conversations are not secure. It’s worth noting that many other apps (such as Signal or even WhatsApp) provide the same level of functionality, but with E2EE by default.
What sets Telegram apart (and is the main reason for its huge popularity) is channels, and these (and group chats) are not safe to use. Without end-to-end encryption, Telegram (or anyone who can pressure Telegram or gain access to its systems) can read everything posted in such conversations. And since all Telegram users are identified by their real phone numbers (which can be hidden from other users on channels, but are visible to Telegram), they can be easily identified.
Despite these issues, Telegram remains very popular — notably in restrictive countries where many people rely on the platform for objective news and to organize. Although we recommend using safer options, Proton VPN allows you access Telegram, even in places where authoritarian governments try to block it.