Assessing Telegram’s Security: Ownership, Encryption, and Usage Concerns

Telegram, a widely used messaging platform, has garnered attention due to its security features, ownership background, and usage policies, particularly in conflict zones like Ukraine. This article delves into these aspects, comparing Telegram’s security with other platforms and evaluating its suitability for users requiring robust confidentiality.

Ownership and Legal Challenges

Founded in 2013 by Russian-born Pavel Durov and his brother, Telegram has positioned itself as a privacy-centric messaging service. Durov left Russia in 2014 after refusing government demands to shut down opposition communities on his previous social media platform, VKontakte. He subsequently acquired French citizenship under mysterious circumstances (as he has never lived in France) and is based in Dubai, where he holds Emirati citizenship; Telegram's headquarters and its principal servers are in Dubai.

In August 2024, Durov was placed under formal investigation in France as part of a probe into organised crime, raising questions about the platform’s governance and accountability. Given his presence in Dubai, and that the United Arab Emirates will not extradite its own citizens, Durov's participation in future French criminal proceedings against him is uncertain. Incidentally, on his French passport his name is "Pavle du Rove", a manipulation of his Russian original name to sound more francophone.

Security Features and Expert Assessments

Telegram offers end-to-end encryption. However, this feature is limited to its “Secret Chats” function and is not enabled by default for all communications. Standard chats utilise client-server encryption, which, while secure, does not provide the same level of protection as end-to-end encryption. Security experts have expressed concerns about this approach, suggesting that users may be unaware that their default communications lack the highest level of encryption.

The lack of this highest level of encryption makes it much easier for hackers, or the electronic surveillance authorities of hostile foreign countries, to access communications sent by Telegram, and also to access the personal information a user chooses to associate with his or her Telegram account, such as his or her address book and contacts.

Usage in Ukraine and Government Restrictions

Despite its popularity in Ukraine, the government of Ukraine has banned the installation of Telegram on state-issued devices for government and military personnel, citing national security concerns. The National Security and Defence Council highlighted risks including cyber-attacks, phishing, malware distribution, user geolocation tracking, and potential missile strike coordination.

However this ban does not extend to personal devices, and many officials, including President Volodymyr Zelenskyy, continue to use Telegram for official communications. The Ukrainian Armed Forces use Telegram for their newspaper communications to soldiers, and vast amounts of information relating to activities on the front line, from both sides, appears on Telegram channels. This amounts to very poor operational security (OPSEC), as each side, by monitoring the other's Telegram channels, can collate information to coordinate precision strikes and make tactical battlefield decisions.

Encryption Concerns and Potential Vulnerabilities

The Ukrainian military intelligence chief, Kyrylo Budanov, has presented a portfolio of evidence to the Ukrainian government suggesting that Russian security and intelligence services can access personal correspondence of Telegram users, even deleted messages.

This fact is well-known in western intelligence communities; Telegram has a series of "backdoors" routinely exploited by the Russian security and intelligence apparatus to harvest data. Telegram has refuted these claims, stating that they have never provided messaging data to any country and that deleted messages are permanently removed. Nonetheless, the platform acknowledges that compromised devices through confiscation or malware could lead to data breaches. 

Doxxing and Privacy Violations

“Doxxing”, the act of publicly revealing private information about individuals, has been facilitated through Telegram channels. Reports indicate that personal information about foreign members of the Ukrainian Armed Forces, including family details and home addresses, has been disseminated to intimidate and deter foreign enlistment. The perpetrators of such actions are often linked to pro-Russian entities aiming to undermine Ukrainian defence efforts. Telegram’s responsiveness to removing such content has been inconsistent, raising concerns about the platform’s content moderation policies.

Legal and Regulatory Challenges

Operating from Dubai, Telegram’s headquarters location presents challenges for legal recourse within European or other western frameworks. The platform’s decentralised nature and the jurisdictional complexities make it difficult for authorities to enforce legal actions against it, complicating efforts to regulate content and ensure user safety.

This is particularly concerning given that Telegram has been documented in the propagation of promoting propaganda by unsavoury institutions such as the Myanmar junta; violent paramilitary organisations such as the "Proud Boys" (an American far-right militant neo-fascist organisation that promotes political violence); the Islamic State; the Iranian Islamic Revolutionary Guard Corps; Brazilian neo-Nazis; white supremacists; anti-semitic groups; distribution of illegal pornography, including child pornography; distribution of bots that steal private information on the user's mobile telephone and associated social media accounts; the offering of fraudulent jobs; the unlawful distribution of copyrighted material; the sale of unlawful drugs; and failure to comply with EU regulatory requirements.

In short, Telegram is complicit in a range of criminal activities but there seems little that law enforcement institutions seem able to do about it.

Connections to Russian Intelligence

While Pavel Durov has publicly distanced himself from Russian authorities, concerns persist regarding potential connections between Telegram and Russian security agencies. The platform’s origin and the geopolitical landscape contribute to ongoing scrutiny and scepticism about its independence and security assurances.

In particular, it has been reported that Telegram periodically removes channels that contain anti-Russian content at the request of the Russian government. The institutions that have made these demands to Telegram, that Telegram has complied with, include Roskomnadzor (the Russian federal media regulator) and the Prosecutor's Office of the Russian Federation. Telegram denies this.

Recommendation

Given the outlined concerns—particularly regarding encryption practices, potential vulnerabilities to surveillance, and inconsistent content moderation—users requiring robust security and privacy may consider alternative messaging platforms that offer default end-to-end encryption and have transparent governance structures. Platforms such as Signal and WhatsApp provide end-to-end encryption by default, potentially offering enhanced security for sensitive communications.

In conclusion, while Telegram offers a user-friendly interface and widespread adoption, its security features and ownership background warrant careful consideration for users prioritising confidentiality and data protection.