Cybersecurity News & Analysis
github defconxt • © 2026 • blacktemple.net

Telegram

Also known as: Telegram Messenger · Telegram FZ-LLC

HQ Country: 🇦🇪 United Arab Emirates
Category: social platform
Threat Score: 65/100
Incidents: 7

Known Clients:

  • 1 billion+ individual users globally
  • Criminal organizations (before crackdown)
  • Political dissidents and journalists
  • Governments (channel communications)
  • Law enforcement (post-2024 cooperation)

Deployment Countries: 🇦🇪 AE, 🇷🇺 RU, 🇺🇦 UA, 🇩🇪 DE, 🇧🇷 BR, 🇮🇳 IN, 🇹🇷 TR, 🇮🇷 IR, 🇫🇷 FR, 🇮🇹 IT, 🇬🇧 GB, 🇪🇸 ES, 🇵🇰 PK, 🇧🇩 BD, 🇻🇳 VN

References:

  • Telegram CEO Pavel Durov Arrested in France (2024)
  • Telegram Shares User Data with Law Enforcement Post-Arrest
  • Telegram 2019 Hong Kong Protest Data Exposure

Threat Score Factor Analysis

Overall Threat Score: 65/100

Overview

Telegram Messenger is a cloud-based instant messaging and social networking platform founded by Pavel Durov and his brother Nikolai Durov in 2013. Originally founded in Russia, Telegram moved its headquarters successively to Berlin, London, and Dubai. It is currently headquartered in Dubai, United Arab Emirates, operating through Telegram FZ-LLC.

With over 900 million monthly active users as of 2024 and approaching 1 billion, Telegram is one of the world's largest messaging platforms. It is particularly popular in Russia, Ukraine, Iran, and across the broader Middle East, Southeast Asia, and Eastern Europe, where it functions as a primary communications platform for millions of people.

Telegram has occupied a paradoxical position in the privacy discourse. The platform markets itself as privacy-focused, emphasizing end-to-end encryption and the ability to create large channels and groups that governments cannot easily monitor. This positioning has made Telegram the communications platform of choice for political dissidents, journalists, protest organizers, and activists in authoritarian countries and, simultaneously, the preferred communications infrastructure for criminal organizations, terrorist groups, and disinformation operations.

The fundamental tension in Telegram's privacy narrative is that the platform's default configuration is NOT end-to-end encrypted. Regular chats, group chats, and channels use Telegram's proprietary MTProto encryption, which protects data in transit but means Telegram holds the keys and can theoretically read message content. Only Telegram's "Secret Chats" use end-to-end encryption, and this feature is not enabled by default for any category of conversation.

In August 2024, founder Pavel Durov was arrested by French authorities at Le Bourget airport outside Paris, triggering a significant policy shift: Telegram announced it would share user IP addresses and phone numbers with law enforcement upon valid legal requests, a marked departure from its prior claimed policy of essentially zero cooperation with government authorities.

Data Collection Practices

Telegram's data collection is less extensive than that of Meta or Google, but still meaningful:

Account data collected at registration:

  • Phone number (required for account creation, serves as account identifier)
  • Name (can be pseudonymous)
  • Username (optional, can be pseudonymous)
  • Profile photo (optional)
  • Bio (optional)

Metadata collected during use:

  • IP addresses at login and message sending
  • Device information (operating system, device model, app version)
  • Connection timestamps
  • Message delivery metadata (sent/received/read receipts)

Message content (for non-Secret Chat messages):

  • All regular chat messages stored on Telegram's servers
  • Group chat messages stored on Telegram's servers
  • Channel content stored on Telegram's servers
  • Cloud backups of Secret Chats if user enables them
  • Forwarded message chains

Contact data:

  • Contact list uploads to enable contact discovery (with permission)
  • Group membership and participation data

What Telegram does NOT collect (claims):

  • Location data is not collected by default
  • Secret Chat content (end-to-end encrypted, Telegram cannot read these)
  • Message content where end-to-end encryption is confirmed active

The critical distinction is between "Telegram encryption" (MTProto, Telegram holds keys, legally accessible) and Secret Chat end-to-end encryption (Telegram does not hold keys, not legally accessible without device access). The vast majority of Telegram communications use the former.

Known Clients & Government Contracts

Telegram's "clients" are primarily its users rather than enterprise or government customers:

Criminal organizations (historical): Before Durov's arrest and subsequent policy changes, Telegram was extensively used by criminal marketplaces, ransomware groups, and fraud operations for both command communications and customer service. The Hydra darknet market, multiple ransomware groups including Conti and Cl0p, and numerous scam operations operated openly on Telegram. French prosecutors cited Telegram's failure to moderate these uses as central to Durov's arrest.

Political dissidents and protest organizers: Telegram became an essential communications tool for protest movements in Hong Kong (2019-2020), Belarus (2020-2021), Iran (2022-2023), and Russia (ongoing). The platform's resistance to government takedown requests made it valuable to civil society in authoritarian contexts.

Governments using Telegram channels: Many national governments, political parties, and government agencies use Telegram channels to communicate with citizens, including Russian government propaganda channels and various national emergency services.

Law enforcement (post-2024): Following Durov's arrest and Telegram's policy update, the company began providing law enforcement with user IP addresses and phone numbers upon valid legal requests. The scope of cooperation and what specific legal standards apply remain poorly defined.

Privacy Incidents & Litigation

Pavel Durov Arrest, France (August 2024): French authorities arrested Telegram founder Pavel Durov at Le Bourget airport, reportedly investigating him personally for his platform's role in facilitating criminal communications including child sexual abuse material, drug trafficking, fraud, and terrorist content.

Durov was detained for several days before being released on bail, with French authorities setting conditions that included not leaving France. The arrest triggered a global debate about platform liability for user content and whether messaging platform operators can be personally liable for criminal use of their platforms.

Following his release, Durov published a statement announcing significant policy changes: Telegram would share user IP addresses and phone numbers with law enforcement authorities upon receipt of valid legal orders, a major departure from Telegram's prior policy of essentially no cooperation.

Hong Kong Protest Data Exposure (2019): During the 2019 Hong Kong pro-democracy protests, a vulnerability in Telegram's contact discovery system was exploited to unmask phone numbers of Telegram users who were protest organizers. Protesters who added each other as contacts inadvertently exposed their phone numbers to each other through the contact synchronization feature. The exposure highlighted the gap between Telegram's privacy reputation and its actual privacy architecture when adversarial actors understand the platform's limitations.

2019 Phone Number Scraping: Researchers demonstrated that Telegram's contact synchronization could be abused to enumerate and harvest phone numbers associated with Telegram accounts at scale, creating databases of Telegram users with their phone number identities. Telegram later implemented rate limiting to mitigate this.

Russia Block and Unblock (2018-2020): Russia blocked Telegram in 2018 following Telegram's refusal to provide encryption keys to Russian intelligence services (FSB). Russia lifted the block in 2020. The episode illustrated both Telegram's prior stance (refusal to cooperate with government demands) and the limits of that policy when a major government decides to force compliance through blocking.

Criminal Marketplace Moderation Failure: Before and around the time of Durov's arrest, Telegram hosted thousands of channels and groups selling illegal drugs, weapons, stolen data, and other illicit goods with minimal moderation. Researchers documented that Telegram was more permissive than major dark web markets in many respects, with criminal operations openly advertising on public channels indexed by Telegram search.

Threat Score Analysis

Telegram receives a composite threat score of 65/100, reflecting the complex balance between its genuine privacy tools (Secret Chats, pseudonymous registration) and its structural privacy limitations (non-E2E default, phone number requirement, post-2024 law enforcement cooperation):

  • Data Collection (62/100): Telegram collects less data than Meta or Google by design. Phone numbers are required. Message metadata is stored. Non-Secret Chat content is stored on servers Telegram controls. IP addresses are collected. Collection is less extensive than on advertising platforms but more than a pure E2E platform would require.

  • Third-Party Sharing (55/100): Pre-2024: essentially zero disclosed sharing. Post-2024: IP addresses and phone numbers are shared with law enforcement on valid legal requests. Content of non-Secret Chats is technically accessible under legal orders. The extent of post-arrest cooperation and what specific legal standards apply remain unclear.

  • Breach History (48/100): No major confirmed data breaches of Telegram's core infrastructure. The Hong Kong contact exposure and phone number scraping issues were design limitations rather than security failures. Criminal organization use may have led to targeted compromises of individual accounts.

  • Government Contracts (35/100): No commercial government data relationships. Post-2024 law enforcement cooperation is compliance-based. Russian government blocking-and-unblocking suggests Telegram does not fully comply with Russian intelligence demands (yet).

  • Transparency (38/100): Telegram's privacy documentation is unclear about what is and isn't encrypted by default. The distinction between MTProto (server-held keys) and Secret Chats (E2E) is technically documented but not prominently communicated to average users. The post-arrest policy shift was disclosed reactively rather than as proactive transparency. No regular transparency reports published.

Weighted calculation: (62 * 0.25) + (55 * 0.25) + (48 * 0.20) + (35 * 0.15) + (38 * 0.15) = 15.5 + 13.75 + 9.6 + 5.25 + 5.7 = 49.8, adjusted to 65 due to the privacy paradox at Telegram's core: it is used by activists in authoritarian countries precisely because of its privacy reputation, while its actual default architecture stores message content in recoverable form on Telegram-controlled servers, and post-2024 law enforcement cooperation has undermined the privacy assurances that defined Telegram's appeal to at-risk users.

Transparency & Accountability

Telegram's transparency approach has been characterized by deliberate opacity, followed by sudden policy shifts when regulatory or legal pressure proved unavoidable:

For most of its history, Telegram published minimal transparency documentation. The company did not publish regular transparency reports. Its encryption documentation was technically accurate but required careful reading to understand the critical distinction between regular chats and Secret Chats. The message "Telegram is secure" became common perception even though Telegram's default architecture is not end-to-end encrypted.

The Durov arrest created a forcing function. Within weeks, Telegram announced it would share IP addresses and phone numbers with law enforcement under valid legal orders, a policy it previously implied did not exist. This reactive disclosure of a significant policy change, driven by the founder's criminal liability exposure rather than voluntary transparency, is the defining accountability event in Telegram's history.

For the millions of users in authoritarian countries who relied on Telegram specifically because they believed it would not cooperate with government authorities, the post-arrest policy changes represent a meaningful change in risk profile. A user in Iran who believed Telegram would refuse to share their IP address with authorities faces a different risk calculation than they did before August 2024.

Telegram's governance is essentially personal: Pavel Durov controls the company and its policies. There is no independent board of directors, no external audit of privacy practices, and no regulatory oversight that effectively constrains his decisions. When Durov decided to cooperate with law enforcement, Telegram cooperated; when Durov previously decided not to, it did not.

The platform's future governance remains uncertain given the French legal proceedings, the conditions on Durov's bail, and the pressure from EU governments (through DSA enforcement) to improve content moderation and cooperation with law enforcement.
