Does Telegram protect your privacy?

Telegram - the privacy nightmare

Telegram has become a widely used messenger in the past few years. The app now has over 400 million users worldwide (as of April 2020). And that number continues to grow. Telegram has established itself as a widely used messaging app alongside WhatsApp & Co. But who actually operates Telegram, how secure is the messenger and what is the level of privacy?

tl;dr

Hands off, because:

  1. Chats are not end-to-end encrypted (E2EE) by default.
  2. Telegram accesses metadata and contacts. The synchronization can be prevented. It is unclear what happens to personal data and metadata.
  3. Telegram uses dubious cryptographic methods.
  4. Behind Telegram there is an opaque network of companies.
  5. Since only parts of the software are open source, you have to trust the operators and an objective test is not possible.

History of Telegram

Telegram was launched by Pavel Durov. He originally developed the app in Russia as a response to the censorship prevailing there. Durov had appeared in the tech scene before. He had developed VKontakte, the Russian equivalent of Facebook. In addition to Pavel Durov, his brother Nikolai is also involved in Telegram. Pavel Durov ideologically supports Telegram and finances the company with his private assets. Nikolai Durov, on the other hand, brings his technical knowledge to the table, according to Telegram's FAQ.

You can read a background story on Pavel Durov here.

The Telegram development team is now based in Dubai. Previously, other locations were Berlin, London and Singapore. However, the team is always ready to relocate again if the legal situation and regulations at their location should change. In this way, the company evades state control and censorship.

How secure and private is Telegram?

Telegram has succeeded in positioning itself as a secure and private messenger provider and building an image that promises: We are against the establishment, we are independent, we protect your privacy and encrypt your communication.

In its FAQ, the Telegram team writes:

Here at Telegram we think that real privacy is precious and, above all, worthy of protection, and that the following two points should be given top priority instead:

  • Protection of private conversations from third parties, e.g. authorities, employers, etc.
  • Protection of private data from third-party companies, e.g. marketing agencies, advertising companies, etc.

But what about Telegram's privacy and security promises in detail?

How Telegram works

The Telegram client and the programming interface (API) are open source. However, this does not apply to the server-side infrastructure. Telegram works with cloud storage to store data.

Telegram uses the MTProto protocol developed in-house for the transmission of messages. The security of this protocol has been questioned by many security experts. In a security analysis, a team of researchers from the Massachusetts Institute of Technology (MIT) pointed out the serious weaknesses of the Telegram protocol - which, however, were gradually being remedied - and were able to spy on chat partners in their own experiment. As a result, they were able to determine to the second who had communicated with whom and at what time.

The Telegram FAQ for technically savvy people can be found here.

Cloud Chats vs. Secret Chats

Telegram has two different options for private chats: an insecure and a secure one. The insecure one is called cloud chat, the secure one is called secret chat.

Cloud chats

Telegram's “normal” chat function is cloud-based. Here, encryption takes place only between client and server: messages are encrypted on the routes from sender to cloud and from cloud to recipient. The communication is therefore only encrypted for transport. This means that the standard chat is not much more secure than an SMS that can be viewed by mobile network providers. Even WhatsApp is superior to Telegram here, since WhatsApp, like Signal, works with the Signal protocol.

Telegram allows individual files of up to 1.5 GB to be sent. The files are stored on the servers, where they can be accessed at any time. For users, the advantage is that the entire chat history, including all files and media, can be accessed across platforms. That means: you can send a file from your own smartphone, log in on the PC, in the browser or with the Telegram desktop app, and access this file there. At the same time, this means that the security of communication is entirely in the hands of Telegram. Because all data such as photos, videos, files and voice messages are stored on Telegram servers, you have to trust that Telegram secures its servers adequately.

Secret chats

Secret chats are end-to-end encrypted and (presumably) do not leave any traces of data on the servers. No log files are saved. Such chats are only saved on the devices of the users involved. As a result, the messages are not available in the cloud and can only be accessed via the devices that were used to communicate. Each media file shared in a secret chat is encrypted with its own separate key. These encrypted media are stored on Telegram servers, but are supposed to look like “undecipherable data garbage” and cannot be assigned to a chat.

Individual messages can also be provided with a self-destruct timer, and individual chats can be secured with a PIN.

How can you start a secret chat? Select chat > tap on the contact bar at the top > open the three-dot menu in the top right > start secret chat
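The difference between cloud chats and secret chats comes down to what the provider's servers are able to read and store. The following is an added example, not Telegram's code and not MTProto: the `Server` class, the toy Diffie-Hellman group and the HMAC-based stand-in cipher are assumptions chosen so that it runs with the Python standard library alone.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy Diffie-Hellman group (assumption): far too small for real use

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (stdlib only)
    blocks = (len(data) + 31) // 32
    ks = b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    enc, auth = _mac(key, b"enc"), _mac(key, b"auth")   # separate subkeys
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + _mac(auth, nonce + ct)          # encrypt-then-MAC

def unseal(key, blob):
    enc, auth = _mac(key, b"enc"), _mac(key, b"auth")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(auth, nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(enc, nonce, ct)

class Server:
    """Hypothetical provider model: `stored` is everything that lands on its disks."""
    def __init__(self):
        self.transport_keys = {n: secrets.token_bytes(32) for n in ("alice", "bob")}
        self.stored = []

    def relay_cloud(self, sender, recipient, blob):
        message = unseal(self.transport_keys[sender], blob)   # server sees plaintext
        self.stored.append(message)
        return seal(self.transport_keys[recipient], message)

    def relay_secret(self, blob):
        self.stored.append(blob)                               # opaque ciphertext only
        return blob

def cloud_chat(server, text):
    blob = seal(server.transport_keys["alice"], text)
    return unseal(server.transport_keys["bob"], server.relay_cloud("alice", "bob", blob))

def secret_chat(server, text):
    a, b = (secrets.randbelow(P - 3) + 2 for _ in range(2))    # private exponents
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)                  # only these cross the server
    k_alice = hashlib.sha256(str(pow(pub_b, a, P)).encode()).digest()
    k_bob = hashlib.sha256(str(pow(pub_a, b, P)).encode()).digest()
    return unseal(k_bob, server.relay_secret(seal(k_alice, text)))
```

The sketch leaves out key verification: unless the two parties compare key fingerprints, a relaying server could substitute its own public values during the exchange.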

Group chats and channels

Group chats and channels are cloud chats and are therefore not end-to-end encrypted. There is also no way to enable end-to-end encryption for them.

In groups, up to 200,000 people can communicate with each other. Administrators can assign or restrict rights.

In channels, communication is one-way. Only administrators can send messages there. A channel can have an unlimited number of subscribers. Similar to Facebook groups, there are also public channels that anyone can easily join. Such public channels can be found using the search function.

Delete chat history

In cloud chats and secret chats, individual messages or the entire history can be deleted from the chat. When deleting, you can optionally specify that the messages should also be deleted for the recipient. This is possible for an unlimited period of time. According to Telegram, no traces of data remain on its own servers. This statement cannot be verified.

What data does Telegram store?

According to the Telegram Privacy Policy, which is only available in English, the display name, profile picture and optional username are always public. However, if other people have already saved your number in their contacts, the name under which it was saved there will be displayed. If you activate two-factor authentication (2FA), your email address will also be saved.

Telegram also saves all cloud chat histories including all media exchanged. All data is stored in encrypted form. Since Telegram uses the identification number, this is also saved.

In addition, the following metadata is stored for 12 months:

  • IP address
  • Username history
  • Device type
  • App version
  • Presumably location data (e.g. with the function for sharing the live location)
  • Aggregated metadata based on ratings (frequently used contacts, frequently used modes for attachments)

According to Telegram's own statement, the data is stored on different servers in data centers that are subject to different legislations. For all users from the United Kingdom and the European Economic Area, according to Telegram, data is stored on servers in data centers in the Netherlands.

However, Telegram is not transparent about what happens to the metadata that is collected or exactly which data is accessed. According to the company's own statement, the data is not used for advertising purposes, but only to ensure the functionality of the app. Data from secret chats is only processed on the sending and receiving devices. On the servers it is stored only in encrypted form. The messages are not supposed to be decryptable without the associated keys, which only sender and recipient have.

In the privacy settings (Hamburger menu > Settings > Privacy and security) it can be specified, among other things,

  • that your own messages cannot be forwarded by others.
  • that contacts are not automatically synchronized.
  • that contacts that have already been synchronized should be deleted from the Telegram servers.
  • that others cannot see your own phone number.

Who does Telegram share personal data with?

Personal data is shared with the Telegram users with whom one communicates. In addition, all personal data can be shared with the Telegram parent company (Telegram Group Inc) in the British Virgin Islands and the subsidiary (Telegram FZ-LLC) in Dubai. In the event of suspected terrorism, Telegram can disclose the IP address and telephone number to the law enforcement authorities. However, this has not yet happened in a single case. This is confirmed by the empty transparency report.

Telegram does not intervene in private and group chats. Telegram writes: these “are the private affairs of the respective users and we do not accept any requests to process them”.

The situation is different with public content. This includes all content that is shared in channels and via bots. Telegram blocks thousands of terrorist bots and channels every month.

Conclusion on Telegram

In summary, it can be said: Telegram is not recommended. The service offers all common messenger features and extends them with other useful functions. However, it leaves a big question mark when it comes to privacy.

How trustworthy is Telegram really? Here it has to be said very clearly that this cannot be settled conclusively. Based on the personal story of the founder Pavel Durov, who evaded state control and censorship by Russia, Telegram was able to build the image of being a particularly secure app that evades state control and surveillance. However, the fact that Telegram does not use the most secure cryptographic procedures and that no end-to-end encryption is used at all by default does not fit this image.

So if you want to use Telegram because you attach great importance to data protection and have heard that the service has its strengths in this point, you should reconsider. There are other messengers that require less trust to protect privacy and that use far more secure technical processes.

[+] Positive

  • Additional features (stickers, bots, cloud access to data)
  • Lots of users
  • The client is open source
  • Self-destruct function for messages (only in secret chats)

[-] Negative

  • Little to no transparency
  • End-to-end encryption is not the default, but must be actively selected
  • Data protection is in Telegram's hands
  • Its own, dubious protocol
  • Not the highest security standards (e.g. SHA-1 instead of SHA-256)
  • According to εxodus, it contains two trackers that have no place in private and secure communication: Google Firebase Analytics and Microsoft Visual Studio App Center Crashes

Which messengers you should use instead

In a nutshell: Signal or Threema. Why? You can find the answer to this in this overview.

If you prefer to delete Telegram now, you will find instructions here. You can get to the official deactivation page here. The deactivation (hopefully) also causes the deletion of all data stored in the cloud.
