Review date: Sept. 8, 2021
What could happen if something goes wrong?
There is good news and bad news when it comes to Telegram. The good news: Video calls (and voice calls) are encrypted end-to-end which makes them private and secure from start to finish. Yay! The bad news: Text messages and files are not encrypted end-to-end by default. This means unless users chose to use Telegram’s “secret chat” feature which does use end-to-end encryption, this information could be vulnerable to eavesdroppers. For a messaging app that says it focuses on security, it might not be as quite as secure as users hope, unless extra steps are taken. Telegram also seems to have a third-party AI-bot problem. These AI-bots can do cool things like respond to messages and schedule reminders. They also can and have been abused and used for some pretty terrible things. Like last year when an AI-bot created abusive deepfake naked images of women and girls. Ick! And worse, researchers claim Telegram was initially not very responsive at taking this disgusting bot down. Double ick! More bad news: Telegram has had some pretty serious hacks and security flaws. In 2019, it was reported protesters in Hong Kong had their telephone numbers exposed and monitored by Chinese authorities. And there was a voicemail hack that reportedly exposed some Brazilian politicians' data. In 2020, Iranian hackers reportedly were able to get past Telegram’s security to spy on opponents. All in all, it seems a fair amount can and has gone wrong on Telegram. Couple that with instances of the spread of hate speech, violence, and abuse on the platform and we think there are better privacy and security focused apps out there like Signal and Threema.
Can it snoop on me?
What can be used to sign up?
What data does the company collect?
Phone number, username, profile picture (optional), 'about' information (optional), e-mail (optional, for 2-step verification)
By default: contacts, metadata, messages, photos, audio, videos and files, cookies. Optional: location & live location.
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In April 2020, it was reported leaked personal data of 42 million users, mainly from Iran, were discovered on the darknet. The data included usernames and phone numbers, among others. In August 2019, Telegram was at the center of controversy for exposing phone numbers of Hong Kong campaigners. One week later Telegram agreed to solve the issue but only in the single region.
Can this product be used offline?
The app can be used offline to access already downloaded files and messages. To exchange data, internet connection is needed.
User-friendly privacy information?
Though privacy information can appear as if it is formulated in a user-friendly language, it lacks transparency on numerous crucial points, such as storage of metadata, data deletion and access rights, and encryption details, to name a few.
Links to privacy information
Does this product meet our Minimum Security Standards?
Calls and video calls are end-to-end encrypted by default. Messages and files on Telegram are not end-to-end encrypted by default, thus can be deciphered at the server by anyone with the keys (for example, by Telegram itself). Telegram Users can turn on end-to-end encrypted self-disappearing chats.
An authorisation per SMS is used instead. For chats, a passcode can be added as an extra security layer.
The service regularly provides updates.
Telegram has a dedicated team that have fixed some of known security vulnerabilities in the app, often promptly.
In October 2020, data protection regulators in Italy opened an investigation into the deepfake bot on Telegram that was believed to have created more than 100,000 abusive images of women, incl. underage women. Access to the bot has been restricted on Apple’s iOS. Reports from America, South Korea, and Israel have also detailed how Telegram has been used to share abusive images over the year 2020. Telegram has never publicly commented about the harm caused by the Telegram bot or its continued position to allow it to operate.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Iranian Hackers Found Way Into Encrypted Apps, Researchers SayNew York Times
Telegram Bug ‘Exploited’ By Chinese Agencies, Hong Kong Activists ClaimForbes
Telegram rolls out fix for voicemail hack used against Brazilian politiciansZDNet
Telegram had some major security vulnerabilitiesTechRadar
Telegram Still Hasn’t Removed an AI Bot That’s Abusing WomenWired
Signal Vs Telegram—3 Things You Need To Know Before You Quit WhatsAppForbes
Scheduled Messages, Reminders, Custom Cloud Themes and More PrivacyTelegram
WhatsApp, Signal & Co: Billions of Users Vulnerable to Privacy AttacksUniversity of Würzburg
Got a comment? Let us hear it.