Earlier this decade, encrypted chat service Telegram gained notoriety for providing a channel for the Islamic State to communicate ahead of major terrorist attacks.
Since then, it’s gained even more notoriety after cybersecurity experts suggested it may not even be that secure. Many concerns relating to Telegram are founded in the mistrust of its founder, Pavel Durov.
Durov has been a controversial figure ever since founding VK, the biggest social networking site in Russia. He has been described by former business partners as “unpredictable,” and he’s currently a fugitive of his home country after several run-ins with the Kremlin.
Where does that leave Telegram, though? In unclear territory, that’s for sure. We decided to put the software to the test to discover, once and for all, whether Telegram remains a viable option for encrypted communication or whether it has become as untrustworthy as its founder.
How to use Telegram
Telegram’s installation process is fairly painless. For mobile users, the app is available on the App Store, Google Play, and the Microsoft store. From there, all you’ll need to do is download the app to your phone and register your mobile number with the app.
Telegram’s interface essentially works like the majority of other messenger apps. There is the option to provide a username so that others can search you, although if you’re mindful of your online data privacy then this isn’t advisable – any user can search for your username and then message you through the Telegram app.
As with many other messenger systems, Telegram is also available on desktop (OS X, Windows, and Linux). However, partially because the software uses mobile numbers as identifiers, you are required to register your account via the mobile app(s) first. Telegram then sends you a verification code via SMS which will activate the app on your desktop device.
Is Telegram secure?
Unlike many other messengers, the Telegram app allows users to create a personal passcode lock. The good thing about this is that, when the app is locked, the user will never receive push notifications. The company states that this is to ensure “private data stays hidden from prying eyes.”
However, our issue with the passcode lock is that it is only four digits long. This isn’t the best form of security because a four-digit passcode can be brute-forced by a computer in under seven minutes. Telegram’s passcode lock is therefore a weak promise of security.
We were initially worried when starting the research for our Telegram review given that the initial login verification is conducted through SMS. This kind of communication is notoriously unsecure, and many users have reported that their SMS four-digit code had been intercepted and their account hacked.
Fortunately, we soon found that Telegram allows for two-step authentication, wherein a user-generated password can also be applied at the login stage. While this makes sense from a cybersecurity standpoint, it’s quite unwieldy and seems like the team behind Telegram are simply putting out fires as soon as they pop up.
Partially due to the two-step verification mentioned above, the Telegram app can be used on multiple devices. This can be either highly convenient or a nightmare; it’s easy to become paranoid over whether you remembered to log out of any devices that may also be used by other people – not to mention if one of those devices is stolen.
Nevertheless, Telegram has an “active sessions” feature that allows you to see which devices you are logged in on. You thus have the option to terminate any of these sessions if you really need to.
The bad thing about this, though, is if you didn’t lock a session on a device that has gone missing, then whoever gets their hands on your device can easily view your active sessions. They have the opportunity to log you out of your own account, and they also have information on your other IP addresses. In our opinion, this feature is a massive oversight on behalf of Telegram security.
Telegram also features the option to open what is known as “secret chats,” which make use of end-to-end encryption and self-destructing messages. The time limit on message self-destruction can be set by the user. Additionally, you can set photos to self-destruct, and the countdown for that begins as soon as the receiver opens the photograph.
In this way, Telegram is sort of like a more customizable version of Snapchat. However, we were disappointed while surveying this feature during our Telegram app review as it basically reveals that Telegram only uses end-to-end encryption during secret chats. With other instant messengers, this comes as standard.
We’re not sure how to view this next feature: Telegram automatically deletes your account if it has been inactive for six months. It’s understandable when considering the need for Telegram to maintain enough disk space to run the service, but certain other pieces of information we came across when researching our Telegram app review gave us serious cause for concern.
As messages on Telegram is decentralized, they have no way of accessing your messages, let alone deleting them. While this is technically good news, it’s also worth noting that the company admits they cannot remove your messages from other users’ devices (unless you enable automatic self-destruction of those messages which, again, is only available in secret chats).
What this means is that, if you simply forget to use Telegram for a while, your account could be permanently deleted, but any messages you have sent before this happens will remain in the hands of the person you sent it to. Quite simply, there are endless ways this could go wrong.
One thing we do like about Telegram is that it provides you with the option to not share your “last seen” status. This is a huge flaw with other services such as Facebook Messenger, and the fact that you’re able to toggle this can definitely improve your privacy.
Telegram users are always complaining about the broken notifications system – Telegram basically neglects to notify many new users of incoming messages. This is a settings issue, and can be optimized easily enough with a bit of troubleshooting. Unfortunately, the website is very unclear about this, and thus it is easy for the uninitiated to become stuck with this problem.
Given its controversial history, Telegram is blocked in a number of territories. These include: Iran, Russia, Pakistan, Bahrain, and China. It is by far the most widely-censored instant messaging service currently on the market, which of course is a significant detractor to those who wish to use Telegram without having to consult a VPN.
How Telegram compares to other private messaging apps
Owner: Telegram Messenger LLP
Users: 200 million (monthly)
End-to-end encryption: Yes, but only in secret chats
Secret chats: Yes
Secure file sharing: No
Data storage in servers: No
Chat/Messages self-destruction: Yes, but only in secret chat
Requires mobile number: Yes
Supported platforms: Android; iOS; Windows Phone; PC; Mac; Linux
Owner: WhatsApp Inc.
Users: 1.5 billion
End-to-end encryption: Yes
Secret chats: Yes
Secure file sharing: No
Data storage in servers: Yes, but only until the message has been sent. (If the message has not been sent, it remains on the server for 30 days.)
Chat/Messages self-destruction: No
Requires mobile number: Yes
Supported platforms: Android; iOS; Windows Phone; PC; Mac
Mikaela is an investigative journalist that likes to cover the ever-changing world of technology. She tries to keep her finger on the pulse of digital trends and share her insights on the most relevant topics, including big tech, security, privacy, and data breaches.