Telegram is an instant messaging service that was developed in 2013 with the goal of providing a secure alternative to other messaging services, all while maintaining a rich set of features not offered by many of its competitors, such as an accessible user interface. Today it is one of the top 5 downloaded apps worldwide and has one billion monthly active users. Because of its promises of security since its inception, it has been a mainstay of many journalists and activists.

Despite this, its security has long been a center of debate. On one side stand those who praise it as a beacon of security; on the other are those who accuse it of giving false promises of security. Nevertheless, after last year’s arrest of its founder[1] and the crackdown on many of its communities, a reevaluation of its security is in order.

This article aims to assess the following main points of criticism leveled against Telegram:[2][3][4]

  1. Its encryption is not end-to-end
  2. Flawed encryption scheme
  3. Server-side code is closed-source
  4. Sensitive metadata is stored

End-to-End Encryption

It is true that messages in Telegram are not end-to-end encrypted (E2EE) by default. Telegram, however, gives the option for E2EE chats.

Telegram follows a unique model for its messaging service, as it offers two types of chats for the users: Cloud Chats and Secret Chats.

  1. Cloud Chat is the default. It is client-server encrypted, meaning all the encrypted messages along with their decryption keys exist on Telegram’s servers. This type is always used for group chats and channels.[5]
  2. Secret Chat is E2EE, but it must be manually enabled by the users.[6] This type is limited to personal chats.[7]

Therefore, it is not true that Telegram does not have end-to-end encryption, but it is true that it isn’t applied by default. But why does Telegram use Cloud Chats by default? The answer is automated backups.

In end-to-end encryption, when two clients communicate, they share a secret key which is used to encrypt and decrypt all traffic between them. This secret key is known only to the communicating clients and no one else, which eliminates the possibility of automated backups for E2EE chats. For automated backups to be implemented, both the encrypted messages and their decryption keys must exist on some third-party server, so that when a client changes their device, both their encrypted messages and the necessary decryption keys are automatically imported from that server.

If the decryption keys did not exist on some third-party server and existed only on the clients’ devices, the client would either have to manually transfer the decryption keys and their encrypted messages to their new device, or simply accept that they have lost their chats forever (especially if they lost their previous device). This is why Signal, for example, does not have automated backups among different devices. It only supports manual backups because all of its chats are E2EE.[8]

Cloud Chats are used by default to cater to the average user, who seeks convenience and expects the latest features without much concern for privacy or security. Backups are essential for such a user for two main reasons. Firstly, many users rely on messaging apps to store valuable conversations, photos, videos, etc., and having automated backups eliminates the risk of losing valuable data. Secondly, users expect their chat history to move with them when they switch devices. Since most competitors offer automated backups,[9][10][11] failing to offer them would significantly reduce the user base.

For the security-conscious user, Telegram offers E2EE Secret Chats, with traffic that is indistinguishable from Cloud Chat traffic. This means that users of Secret Chats cannot be targeted or suspected for using E2EE, because their traffic is mixed with the non-E2EE Cloud Chat traffic.

In conclusion, Telegram's two-chat model allows it to cater to the average user, enhancing mass adoption, while offering the privacy-conscious user the option of stronger security. This has led other messaging apps to adopt the same model for their chats.[12] It must be noted that since Cloud Chats are the default and enabling Secret Chats requires a few manual steps, only a few users will use Secret Chats, which is a considerable risk for the average user's security.

But can we trust Secret Chats to be actually E2EE?[note] To answer in the affirmative, the Telegram client must be open-source (so we can check that the code actually performs E2EE) and the encryption protocol used must be secure. Fortunately, Telegram's client code is open-source, so we have this covered. The security of its encryption protocol is what we discuss next.

Flawed Encryption Scheme

The security of Telegram's encryption protocol, MTProto, has long faced scrutiny from security professionals. This is mainly due to the custom, home-grown nature of their protocol, along with the odd design choices they make for their scheme, while also lacking the extensive peer review and the testing that other protocols enjoy.

MTProto is currently in its 2.0 version. Its previous version, MTProto 1.0, received widespread criticism for both its design and the cryptographic primitives it uses (e.g. using SHA1 improperly). Some vulnerabilities were even discovered in the 1.0 version.[13] After this criticism, Telegram rolled out the 2.0 version, which addressed some of the issues mentioned. However, this has not eliminated concerns over its security, as many security experts still point out the poor and unconventional design decisions which make analyzing the protocol a difficult task.

Moreover, unlike the Signal protocol, there is still no formal proof of MTProto's security, which means that no one can be certain of its security. Some researchers have also discovered possible theoretical attacks on MTProto 2.0, and while it is true that these attacks are hard to practically carry out in a real scenario, they still point to inherent issues within the protocol and can lead to actual attacks in the future.[14]

But even if the protocol itself actually turns out to be secure, this does not mean it will be correctly implemented in code. On the contrary, because of the design issues of MTProto, developers of third-party Telegram clients often erroneously implement the protocol, making it vulnerable to security attacks. This cannot be glossed over because a substantial user base relies on these third-party clients.[15]

Closed-Source Server Side

So far, our discussion has dealt with Telegram's client side, which is open-source. Now, we look at the dark, closed-source side of the moon.

For Secret Chats, which are E2EE, whether the server is open- or closed-source is irrelevant to Telegram's security, since all encryption and decryption happens at the client side.

For Cloud Chats, which are not E2EE, what the server does is relevant. Here the server is an active part of the communication between the two clients, since all traffic is client-server encrypted. The server stores all encrypted messages and all decryption keys, which means that Telegram can potentially access all Cloud Chat messages.

Nonetheless, having the server-side code publicly available will not eliminate this concern. This is because the server-side code cannot be verified anyway. Furthermore, even if the server-side code is open-source and it can be verified that it is the code actually running on the server, this does not eliminate the fact that decryption keys will still be stored on servers (if automated backups are implemented), which means Telegram can still access Cloud Chat messages. Therefore, it is irrelevant to the security of Telegram whether its server-side code is open- or closed-source. As such, even if the server-side was open-source, if security is the highest concern for the user, then Cloud Chats should never be trusted, as it is a potential threat that allows Telegram to access user messages. Using Cloud Chats also exposes the user to the risk of leaking all of their chats if Telegram's servers get compromised.

For what it is worth, there is as yet no evidence of Telegram sharing chat content with third parties, which they affirm in their FAQ by claiming that 0 bytes of user messages have been disclosed to third parties to this day. Telegram also shares the following about its servers to assuage the worries of its users:

To protect the data that is not covered by end-to-end encryption, Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.[16]

But this really boils down to one thing: they tell us to trust their servers, which is not an option if security is the user's primary concern. And even if we choose to trust these claims, there are still privacy concerns associated with the storage of metadata on their servers. Let's take a look at what this entails.

Metadata Storage

Metadata storage is a huge privacy issue that is often glossed over despite metadata being the raw material of mass surveillance. Metadata can tell who someone communicates with, when, where, and how often. With this set of data it is possible to draw long-term patterns that expose key information about a person, and the danger is exacerbated with AI.[17] Former NSA General Counsel Stewart Baker even goes so far as to say that metadata is more important than the actual content of communication: "Metadata absolutely tells you everything about somebody's life. If you have enough metadata you don't really need content."[18][19]

So how does Telegram handle metadata? It stores metadata that includes IP addresses, phone numbers, usernames, time of messages, and channel admins' info, and on top of that Telegram reserves the right to share them with authorities if prompted.[20]

After facing a long list of charges, including complicity in cybercrime, organized fraud, and distribution of illegal material, which resulted in Telegram's founder getting arrested in France, Telegram has updated its privacy policy with the following:[21]

If Telegram receives a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities. If any data is shared, we will include such occurrences in a quarterly transparency report published at: https://t.me/transparency.[22]

While this new addition to the privacy policy is understandable as criminal activity on Telegram has long gone unchecked, at the same time it shows that Telegram stores important metadata about its users that can pose a threat to users' privacy. Furthermore, this privacy policy can be misused to share private information of journalists and activists who might get targeted.

One cannot help but contrast this with Signal's collection of metadata, which is so minimal that even when they have to comply with a court order, they can offer no more than the last time the user used Signal and the time their account was created, making it a more private option.[23]

Notes

  1. For a detailed and rigorous analysis of the encryption scheme by a professional cryptographer, check this article, which addresses the design decision issues of Telegram's protocol. Such issues impede efforts to cryptographically analyze it. This article by the same author is also worth reading, as it highlights the difficulties introduced by MTProto's design choices while showing some vulnerabilities it had in the past.
  2. Telegram uses the Diffie-Hellman algorithm for key exchange in Secret Chats, which is vulnerable to a man-in-the-middle attack that allows the attacker to forge the secret key to both clients, enabling the attacker to read all the messages in the Secret Chat. To ensure actual end-to-end encryption, the two clients must check that their secret keys match. This can be done through the settings of the Secret Chat, where a visual representation of the secret key can be found. If the two clients have the same visual representation of the secret key, then their chat is end-to-end encrypted.[24]
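
The key comparison described in note 2, as an added example that is not Telegram's code: it runs an unauthenticated Diffie-Hellman exchange with and without a relay that swaps the public values, and shows that the two users' key fingerprints only match in the untampered case. The group parameters `P` and `G`, the fingerprint format, and all function names are assumptions made for illustration; they are not MTProto's parameters or Telegram's key visualization.

```python
import hashlib
import secrets

# Toy group, constructed for this example only: a Mersenne prime modulus and
# a small generator. Real deployments use vetted groups of 2048 bits or more.
P = 2**521 - 1
G = 3

def keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    """Derive the DH secret, rejecting degenerate peer values first."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    return pow(peer_pub, priv, P)

def fingerprint(key):
    """Short, human-comparable digest of the secret (hypothetical format)."""
    raw = key.to_bytes((P.bit_length() + 7) // 8, "big")
    digest = hashlib.sha256(raw).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def exchange(relay_substitutes_keys):
    """Run one key exchange and return what each party ends up holding."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if relay_substitutes_keys:
        # The relay forwards its own public value in both directions.
        r_priv, r_pub = keypair()
        seen_by_a, seen_by_b = r_pub, r_pub
        relay_keys = {shared_key(r_priv, a_pub), shared_key(r_priv, b_pub)}
    else:
        seen_by_a, seen_by_b = b_pub, a_pub
        relay_keys = set()
    key_a = shared_key(a_priv, seen_by_a)
    key_b = shared_key(b_priv, seen_by_b)
    return {"fp_a": fingerprint(key_a), "fp_b": fingerprint(key_b),
            "relay_can_read": {key_a, key_b} <= relay_keys}

def chat_is_verified(result):
    """The out-of-band check: both users must see the same fingerprint."""
    return result["fp_a"] == result["fp_b"]

if __name__ == "__main__":
    for tampered in (False, True):
        print(tampered, chat_is_verified(exchange(tampered)))
```

The comparison only protects the chat if the fingerprints are compared over a channel the relay does not control, such as in person or on a call where the users recognise each other.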

References

  1. The Verge – French authorities arrest Telegram’s CEO. https://www.theverge.com/2024/8/24/24227672/telegram-ceo-pavel-durov-arrested-ceo
  2. Hacker News – Telegram is closed-source. https://news.ycombinator.com/item?id=10665464
  3. IEEE Spectrum – The Trouble with Telegram. https://spectrum.ieee.org/telegram-security
  4. Gizmodo – Why You Should Stop Using Telegram Right Now. https://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415
  5. Hacker News – Telegram groups are not encrypted. https://news.ycombinator.com/item?id=25670960
  6. Telegram FAQ – What if I’m more paranoid than your regular user? https://telegram.org/faq#q-what-if-im-more-paranoid-than-your-regular-user
  7. Pavel Durov – Why Isn’t Telegram End-to-End Encrypted by Default? https://telegra.ph/Why-Isnt-Telegram-End-to-End-Encrypted-by-Default-08-14
  8. Signal Support – Backup and Restore Messages. https://support.signal.org/hc/en-us/articles/360007059752-Backup-and-Restore-Messages
  9. Reddit – Switching from Android to iOS but lost all my… https://www.reddit.com/r/signal/comments/zwxiei/switching_from_android_to_ios_but_lost_all_my/
  10. Reddit – What happens when you get a new phone? https://www.reddit.com/r/signal/comments/w8jb9m/what_happens_when_you_get_a_new_phone/
  11. Hacker News – Discussion thread. https://news.ycombinator.com/item?id=26293244
  12. Markus Ra – Should you stop reading Gizmodo right now? https://telegra.ph/Why-you-should-stop-reading-Gizmodo-right-now-Long
  13. Jakob Jakobsen and Claudio Orlandi – On the CCA (in)security of MTProto. https://eprint.iacr.org/2015/1177.pdf
  14. The Atlantic – The Flaw in ISIS’s Favorite Messaging App. https://www.theatlantic.com/technology/archive/2016/01/isiss-favorite-messaging-app-has-a-security-problem/422460/
  15. Theo von Arx and Kenneth G. Paterson – On the Cryptographic Fragility of the Telegram Ecosystem. https://eprint.iacr.org/2022/595
  16. Telegram FAQ – Do you process data requests? https://telegram.org/faq#q-do-you-process-data-requests
  17. Nym – What is metadata & what can it reveal about you? https://nym.com/blog/what-is-metadata
  18. Wired – NSA Doesn’t Need to Spy on Your Calls to Learn Your Secrets. https://www.wired.com/2015/03/data-and-goliath-nsa-metadata-spying-your-secrets/
  19. Nym – How safe is Telegram in 2025? What you should know, and how to protect yourself. https://nym.com/blog/what-is-telegram
  20. Avast – Is Telegram Safe? A Guide to the Secure Messaging App. https://www.avast.com/c-is-telegram-safe
  21. The Verge – Telegram will now hand over your phone number and IP if you’re a criminal suspect. https://www.theverge.com/2024/9/23/24252276/telegram-disclose-user-data-legal-requests-criminal-activity
  22. Telegram Privacy Policy – Law Enforcement Authorities. https://telegram.org/privacy#8-3-law-enforcement-authorities
  23. Signal – Grand jury subpoena for Signal user data, Eastern District of Virginia. https://signal.org/bigbrother/eastern-virginia-grand-jury/
  24. Telegram FAQ – What is this ‘Encryption Key’ thing? https://telegram.org/faq#q-what-is-this-39encryption-key-39-thing/