Today, we live in an increasingly interconnected world. People and their devices are continuously in communication with one another. This enables us to reach out to loved ones in mere seconds - something that was unthinkable a century ago. Rather than writing a letter, sending it by snail mail and waiting weeks for its arrival, we can now grab our cellphone from our pocket and talk or start a video chat.
Every friend and relative is always within arm's reach thanks to this virtual and continuous connection, but it also presents some unique challenges. Constant dangers loom in the background, waiting for a moment of thoughtlessness to sway us into doing something we otherwise wouldn't have done. Within this virtual space, adversaries are constantly trying to eavesdrop on our private conversations and activities. One of the tools available to mitigate this is the secure messenger. Secure messengers allow us to have private conversations with others by making sure no unwanted parties are eavesdropping.
However, these secure messengers aren't created equal.
Encryption
A technology that helps safeguard against eavesdropping and abuse of data is encryption. Secure messengers often employ a more thorough form - called 'end-to-end encryption' (or E2EE).
The architecture of E2EE is designed to have the devices of conversation participants agree on a 'secret' that is used to encrypt the messages sent back and forth. The agreed-upon 'secret' can be compared to a physical key; only the key is able to open the lock, just as the key in E2EE is the only means to decipher the messages. E2EE is unique in the sense that this key never leaves the device. Thus, while the messages are being sent over the internet, they can't be read. Just like any data, they can be intercepted, copied and eavesdropped upon, but without the key they are nothing more than seemingly random gibberish.
End-to-end encryption is a crucial piece of technology that enables completely confidential communication between dissidents, whistleblowers, journalists and many others. One could argue that E2EE is essential to protecting democracy. Unfortunately, not all end-to-end encryption is created equal. The strength relies on various factors, like the ciphers, key exchanges, protocols - and the implementation.
In short: encryption is the technological means to enforce confidentiality. And E2EE is the superior way of doing it, as it requires much less trust in other parties. With properly implemented E2EE, it just requires trust in the parties you are communicating with - plus your and their devices.
Background
WhatsApp might be the most popular instant messaging application, worldwide. It is certainly not the only one. One of the alternatives, dubbed Telegram, is frequently touted as a highly secure and private alternative, facilitating communication between users without the eavesdropping that is purportedly occurring at WhatsApp.
Pavel Durov, 39, is a Russian-born entrepreneur who has spent the majority of his life in Italy, where his father (a well-known classicist) worked[1]. In 2006, he received his Ph.D. in Philology from Saint Petersburg State University. Following that, he founded VKontakte, a social media platform influenced by Facebook[2].
Durov resigned from the VKontakte board in 2014, stating that he had no plans to return to Russia. He had been occupied with his new venture, Telegram. The company, which was founded in Berlin and then transferred to Dubai, developed a secure messaging application with the same name.
In the modern era, the ability to exchange messages is critical. Sharing thoughts and ideas in private - from sending over a lovely recipe to a family member to sending your lover a sensual selfie - without others being able to eavesdrop. It is not always that innocent though. Journalists, dissidents, whistleblowers, lawyers and politicians have more at stake. Their lives could very well depend on the confidentiality of a conversation. Thus, it is paramount that a 'highly secure' messenger lives up to the promise of being secure.
Fundamentally broken
Telegram doesn't live up to the promise of being private or secure. The end-to-end encryption is opt-in, only applies to one-on-one conversations and uses a controversial 'homebrewed' encryption algorithm. The rest of this article outlines some of the fundamentally broken aspects of Telegram.
By default, chats are not end-to-end encrypted
Naturally, users would expect a communication platform that portrays itself as fundamentally secure and private to at least enforce a high level of confidentiality using industry standard procedures. But with Telegram, this is not the case. End-to-end encryption is not used by default for conversations on the platform. Conversations are stored in plaintext on the Telegram servers, meaning that Telegram, its employees and adversaries with access to the servers (e.g., through a breach) can read the conversations, view the shared media, etc. Telegram does, however, provide E2EE through an opt-in mechanism dubbed 'secret chats'. This feature employs a fully custom encryption algorithm, dubbed MTProto. Secret chats are not available for groups - but solely for one-on-one conversations.
The fact that the 'secret chats' are opt-in and only available for one-on-one interactions is peculiar and inappropriate, to put it mildly. Furthermore, this functionality is hard to use for novices and comes with multiple caveats. As Matthew D. Green blogged[3]:
As a kind of a weird bonus, activating end-to-end encryption in Telegram is oddly difficult for non-expert users to actually do.
Secret chats can only be initiated in the mobile application and cannot be synchronised to different devices. As a consequence, secret chats aren't usable from the desktop application.
Tl;dr: Telegram having no E2EE by default means that there is no real confidentiality
Telegram uses non-standard encryption protocols
Telegram created MTProto in-house. Custom encryption is strongly discouraged for obvious reasons - and that is an extreme understatement. Large vendors like IBM[4] have advised against it for decades. In the words of cryptographer, computer security expert and writer Bruce Schneier:
Anyone can invent an encryption algorithm they themselves can't break; it's much harder to invent one that no one else can break.
This statement later became known as "Schneier's Law", a term coined by Cory Doctorow[5], who is a journalist, author and editor. The same mantra is often rephrased as "don't roll your own crypto". Yet, Telegram completely ignored it and cooked up MTProto. Telegram announced a contest, promising a reward of $200,000 USD for breaking the protocol. This seemingly good initiative, however, was flawed. As Crypto Fails puts it[6]:
Unfortunately, the contest is useless. Neither users nor Telegram developers will learn anything from it. But Telegram will still be able to point to it and say, “Look! No one has won the contest, so our software is secure!” Naive users will believe it, and they will feel safe using dangerously broken encryption.
The article goes on to explain why the contest is flawed and how it does nothing to attest to the security of MTProto. Matthew D. Green, a prominent cryptography expert and professor at Johns Hopkins University, has stated the following[7]:
There are so many things wrong with it. Check out their MTProto authenticated encryption. It's like using bacon to build a house.
Another statement from Green[8]:
The crypto is like being stabbed in the eye with a fork.
In an academic research paper named "On the Cryptographic Fragility of the Telegram Ecosystem", researchers Theo von Arx and Kenneth G. Paterson, both affiliated with ETH Zurich, draw the following conclusion[9]:
We have shown replay and reordering attacks against the Pyrogram, Telethon, and GramJS Telegram clients. The attacks are practical and can be exploited by running a malicious Wi-Fi access point, for example. The attacks are powerful in that they allow an attacker to significantly alter the view of a conversation for any participant that uses a vulnerable client. Most important, we have explained why our attacks should not be viewed as isolated vulnerabilities, but how they highlight the need for action on a deeper level to improve the security of the Telegram ecosystem. The fact that developers systematically fail to implement MTProto 2.0 correctly [..]
Tl;dr: Telegram's flawed encryption protocol results in broken confidentiality
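The class of receiver-side check that stops replay and reordering, as an added example that is not from the article, the quoted paper or any Telegram client. It is a generic sequence-number guard, not MTProto's own message-ID rules; `seal`, `Receiver` and `run` are hypothetical names, the messages are authenticated but not encrypted, and an in-order transport such as TCP is assumed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key: bytes, seq: int, body: bytes) -> bytes:
    """Sender: cover a 64-bit sequence number and the body with one MAC."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    """Accepts each authenticated packet once, in strictly increasing order."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0  # highest sequence number accepted so far

    def accept(self, packet: bytes) -> bytes:
        if len(packet) < 8 + TAG_LEN:
            raise ValueError("truncated packet")
        signed, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self._key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC")
        (seq,) = struct.unpack(">Q", signed[:8])
        # A valid MAC only proves the peer produced this packet at some point.
        # Without this state check, a network attacker can resend or reshuffle
        # captured packets and the client would display them as new.
        if seq <= self._last_seq:
            raise ValueError("replayed or reordered")
        self._last_seq = seq
        return signed[8:]


def run(key: bytes, packets: list) -> list:
    """Feed packets to a fresh Receiver and record the outcome of each."""
    rx = Receiver(key)
    outcomes = []
    for packet in packets:
        try:
            rx.accept(packet)
            outcomes.append("accepted")
        except ValueError as err:
            outcomes.append(str(err))
    return outcomes


if __name__ == "__main__":
    demo_key = b"\x01" * 32  # constructed demo key, not a real secret
    first = seal(demo_key, 1, b"meet at 10")
    second = seal(demo_key, 2, b"cancelled")
    print(run(demo_key, [first, second, first]))  # third delivery is a replay
    print(run(demo_key, [second, first]))         # delivery order was swapped
```
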
Telegram 'steals' the contacts
According to the Telegram privacy disclaimer[10]:
Telegram uses phone numbers as unique identifiers so that it is easy for you to switch from SMS and other messaging apps and retain your social graph. We ask your permission before syncing your contacts. We store your up-to-date contacts in order to notify you as soon as one of your contacts signs up for Telegram and to properly display names in notifications. We only need the number and name (first and last) for this to work and store no other data about your contacts.
Thus, granting the permission implies that the contact's name and phone number are uploaded to Telegram. The privacy disclaimer fails to state if and what measures are taken to protect this data. I am therefore assuming that there aren't any, other than encryption in transit (TLS / HTTPS). In conclusion, this data is accessible by Telegram, its employees and other parties with access to the servers - whether intentional or not. In short, Telegram has a list of all contacts their users have - including the contact's name and their phone number.
Tl;dr: Telegram uploads the address book (phone number, first and last name) to themselves, without encryption
Weird storage of the chats and disclosures to LE
Quoting from the Telegram FAQ[11]:
To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.
It can be inferred that the majority of discussions taking place in Telegram are not "covered by end-to-end encryption" given that the default is a chat without E2EE. According to Telegram, user data is encrypted on the server and the encryption key is segmented through different jurisdictions (countries).
Verification of these assertions is not possible because the source code for the Telegram server is kept secret. A technical objection to the solution is that the dispersed keys need to be connected at some point for the functionality to be useful. However, it should be noted that the same FAQ article states the following:
To this day, we have disclosed 0 bytes of user data to third parties, including governments.
This is disputed by the reputable German news outlet Der Spiegel[12]. An English summary of the piece can be found at various sources, including AndroidPolice[13]. According to Der Spiegel, Telegram has handed over user data to German authorities, involving terror and child abuse cases. If Telegram has in fact handed over data to authorities, this statement is blatantly false.
Tl;dr: Telegram has a broken method of storing sensitive data and likely discloses data to law enforcement agencies
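The objection above, that split key parts must be brought together before any cloud chat can be served, shown as an added illustration. This is not Telegram's actual design (the server source is not public); it is a plain n-of-n XOR split, and `split_key`, `combine`, `key_id`, `rebuild` and the site names are hypothetical.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int) -> list:
    """Split key into `parts` shares whose XOR is the key (n-of-n)."""
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for share in shares:
        last = xor(last, share)
    return shares + [last]


def combine(shares: list) -> bytes:
    """XOR every share together; correct only if none is missing."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor(out, share)
    return out


def key_id(key: bytes) -> str:
    """Check value so the demo can tell a right key from a wrong one."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()


def rebuild(sites: dict, reachable: set, expected_id: str) -> bytes:
    """Read path of a hypothetical server that must decrypt stored chats."""
    parts = [share for name, share in sites.items() if name in reachable]
    if not parts:
        raise PermissionError("no key parts reachable")
    key = combine(parts)
    if not hmac.compare_digest(key_id(key), expected_id):
        raise PermissionError("key parts missing")
    # From here on the complete key sits in one process's memory, in one
    # place: whoever controls this process can read the data, however many
    # jurisdictions the parts are stored in while at rest.
    return key


if __name__ == "__main__":
    storage_key = secrets.token_bytes(32)  # constructed demo key
    names = ["site-a", "site-b", "site-c"]  # constructed site names
    sites = dict(zip(names, split_key(storage_key, 3)))
    check = key_id(storage_key)
    print(rebuild(sites, set(names), check) == storage_key)  # all parts
    try:
        rebuild(sites, {"site-a", "site-b"}, check)          # one part absent
    except PermissionError as err:
        print("refused:", err)
```
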
Location leaks
Telegram boasts functionality dubbed "People Nearby", allowing its users to easily find other Telegram users nearby. However, this functionality allows adversaries to triangulate the exact location. The Telegram security team stated that "this is not an issue"[14]. That, in and of itself, is a delusional perception of reality. Location data shows travelling patterns and can be abused for nefarious purposes. For instance, the "People Nearby" functionality can be abused to scan in sensitive and/or restricted areas. Stalkers near a women's shelter, personnel on army bases, journalists meeting up with sources, etc.
What makes this even worse is that the defaults in Telegram display everything publicly. The contact directory doesn't need an exact match and autocompletes. As a consequence, users can be found by simply entering a partial username or guess thereof.
Tl;dr: Telegram shares the location with other users nearby
Successful attacks
Telegram portrays itself as being secure and thwarting attacks - but deeper research indicates otherwise. There are weaknesses in Telegram that are more of a theoretical nature[15] - but it doesn't stop there. In the course of a few years, Telegram has leaked personal data of millions of users, including their phone numbers[16] and e-mail addresses[17].
Most secure messengers do require personally identifiable information during signup - like a phone number or e-mail address. There are, however, ways to store this securely, so that an eventual data breach doesn't result in this data leaking.
Tl;dr: Telegram has had data leaks before - which might occur again
Durov
The sole factor influencing Telegram, its architecture, policies and politics is the founder - Pavel Durov. He maintains a controversial strategy for evading discussion about Telegram's shortcomings[18].
So right from the start Durov starts with what is called "pivot and deflect": Shift from original disliked question (why doesn't Telegram use E2EE) and draw attention to something you want to cast attention to: "Instead of answering why Telegram isn't E2EE by default, let's discuss a single competing product and its problems regarding its E2EE."
Durov was arrested in France[19] on 24 August 2024 on 12 different charges. These charges can be summarized into four categories[20]:
- Telegram’s founder has been charged with being complicit in storing and distributing CSAM content, facilitating drug trafficking and facilitating organized fraud and other illegal transactions.
- The court claims that Telegram refuses to cooperate with law enforcement when they file a formal request for information or documents.
- Durov faces several charges related to Telegram’s cryptographic features as they haven’t been formally declared or certified by French authorities. These seem to be minor offenses according to professor of law Florence G’sell.
- Durov is accused of taking part in a “criminal association with a view to committing a crime or an offense punishable by 5 or more years of imprisonment,” as well as money laundering.
The first and fourth categories are likely because Telegram is in the technical position to perform content moderation but flat-out refuses to do so. In comparison, most other secure messengers are unable to cooperate with requests and court orders, because they apply E2EE. For instance, Signal is able to hand over the registration and last activity date - and to kick an account off its platform[21]. Signal is not able to produce other data, including metadata and the social graph on users of their platform.
Other issues
- Telegram shows the original author when forwarding a message. When Alice sends a message to Bob and Bob subsequently forwards it to Carol, then Carol sees that Alice is the original author of that message.
- Secret chats do not support fingerprint identification. This theoretically allows a 'man-in-the-middle' attack.
- The EU is investigating whether Telegram downplayed their user count to avoid regulation[22].
Conclusion
Due to the flaws and concerns described above, a fair conclusion is that Telegram is fundamentally broken - and labelling it as a secure and/or private messenger is incorrect. Telegram, its employees and adversaries have access to most conversations and shared files/media. Telegram has leaked data before, from millions of its users.
Aside from the technical flaws, there are other serious factors that should be weighed in. Telegram is used as a tool by oppressive regimes to find, jail and kill dissidents. The app boasts functionality that can be (and is) abused by stalkers, criminals and others. Management doesn't seem to care, often ignoring requests and court orders and blowing off security disclosures as "being not an issue".
Hence, Telegram touting itself as private and secure is complete misinformation.
Ask yourself this: "When you send a message to someone you generate both a message and metadata. Who do you trust to keep both of them secure?"
With Signal, you have to trust yourself and the recipient and the devices both of you use. WhatsApp adds one additional factor: Meta is responsible for keeping the metadata secure. With Telegram, you have to trust yourself, the recipient, the devices and Telegram - to keep the metadata and the messages themselves secure. Even if you get all the stars aligned and use a secret chat, it'll still be insecure because of Telegram's choice of encryption.
References
- Is Pavel Durov, Russia's Zuckerberg, a Kremlin Target?, archived on 2016-03-07 and archive copy.
- Once Celebrated in Russia, the Programmer Pavel Durov Chooses Exile, archived on 2015-02-08 and archive copy.
- Is Telegram really an encrypted messaging app?, archived on 2024-08-30 and archive copy.
- IBM: never roll your own cryptography, archived on 2003-06-29
- Crypto Fails - Telegram’s Cryptanalysis Contest, archived on 2013-12-23 and archive copy.
- Matthew Green: There are so many things wrong with it. Check out their MTProto authenticated encryption. It's like using bacon to build a house., archived on 2024-01-14 and archive copy.
- Matthew Green: The UX is nice. The crypto is like being stabbed in the eye with a fork., archived on 2018-12-27 and archive copy.
- On the Cryptographic Fragility of the Telegram Ecosystem, archived on 2022-05-17 and archive copy.
- Telegram Privacy Policy, archived on 2024-01-13 and archive copy.
- Telegram hält sich neuerdings an Gesetze, zumindest ein bisschen - DerSpiegel, archived on 2022-06-23 and archive copy.
- Telegram reportedly gives user data to German authorities - AndroidCentral, archived on 2022-06-18 and archive copy.
- Telegram's People Nearby feature reveals exact user locations through triangulation, archived on 2022-05-24 and archive copy.
- Four cryptographic vulnerabilities in Telegram, archived on 2021-07-16 and archive copy.
- Data Breach Affects Millions of Telegram Users, archived on 2022-09-26 and archive copy.
- Telegram: Breach Exposed Millions Of Users’ Data, archived on 2020-06-26 and archive copy.
- Why you should stop reading Durov's blog posts, archived on 2020-11-11 and archive copy.
- Telegram Founder Charged With Wide Range of Crimes in France, archived on 2024-08-28 and archive copy.
- Paris court explains why it’s arrested Telegram founder Pavel Durov, archived on 2024-08-27 and archive copy.
- Signal - Government Communication, archived on 2024-08-30 and archive copy.
- EU investigating if Telegram played down user numbers to avoid regulation, archived on 2024-08-29 and archive copy.