
How safe is Telegram?

The recent arrest of Telegram founder Pavel Durov on 24 August 2024 at Paris-Le Bourget airport has again put the spotlight on the messaging app. Various governments have accused the app of being a major “meeting place” for unsavory characters, including fraudsters, terrorists, and producers and consumers of child pornography. According to the prosecution, these criminals choose Telegram as their communication tool because the app’s end-to-end (E2E) encryption is generally considered very secure.

What is End-to-End Encryption?

E2E encryption involves the use of two keys, a public one and a private one, to encrypt chats for both endpoints (i.e. the ends of the conversation). The private key is only available to the sender and the recipient. This method is widely regarded as highly impenetrable, to the extent that Telegram has described itself as “more secure than mass messaging applications such as WhatsApp and Line.”

Telegram’s Security Features

Durov’s app, which boasts over 900 million active users worldwide, offers a level of security comparable to that of WhatsApp and similar applications. However, it does not apply end-to-end encryption to all chats; it is used exclusively for those set as “secret.” These chats can be configured to self-destruct after a certain amount of time and to prevent messages sent to the secret conversation from being forwarded to other chats. Telegram employs a proprietary protocol for encryption, which ensures additional privacy but has faced criticism for its lack of transparency.

The Limitations of Classic Chats

Encryption on Telegram is not automatically activated for all chats, groups, and channels. For these “classic” chats, messages are stored on Telegram’s servers and are therefore technically accessible, as they leave a trace that can (at least potentially) be intercepted. This represents a significant distinction from other competing messaging services, primarily WhatsApp and Signal (another messaging app considered to be highly secure for private communications), which maintain end-to-end encryption by default.

Server-Client Encryption and Geographical Distribution

Nevertheless, Telegram claims to also protect chats that are not covered by end-to-end encryption, using a distributed infrastructure employing so-called server-client encryption. In essence, chat data is distributed across multiple data centers in various geographical areas, each controlled by a separate legal entity that falls under different jurisdictions. The decryption keys are also divided into several parts and are never kept together with the data they protect, thus making it more difficult to find the data associated with the conversations stored on Telegram’s servers.
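Why a key held in several parts resists a single disclosure order can be shown with a simple n-of-n XOR split. This is an added example, not Telegram's code: the page does not say how Telegram splits its keys, so the XOR scheme and all function names are assumptions.

```python
import secrets
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, parts: int) -> list[bytes]:
    """Split `key` into `parts` shares; every share is needed to rebuild it."""
    if parts < 2:
        raise ValueError("need at least two shares")
    # All but one share are pure randomness.
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    # The last share is the key XORed with the random ones,
    # so XORing all shares together yields the key again.
    shares.append(reduce(xor_bytes, shares, key))
    return shares

def combine(shares: list[bytes]) -> bytes:
    """XOR the given shares together."""
    return reduce(xor_bytes, shares)

def share_that_would_explain(known: list[bytes], candidate_key: bytes) -> bytes:
    """Missing share that would make `known` rebuild to `candidate_key`.

    Such a share exists for every candidate, which is why an incomplete
    set of shares tells its holder nothing about the real key.
    """
    return reduce(xor_bytes, known, candidate_key)

if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed 256-bit key
    shares = split_key(key, 3)               # e.g. one share per data center
    print("all shares rebuild key:", combine(shares) == key)
    print("two of three rebuild key:", combine(shares[:2]) == key)
```

The protection lasts only as long as the shares stay apart: whoever can collect all of them, including the operator itself, can rebuild the key.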

The Role of VPNs in Enhancing Privacy

In this context, the use of Virtual Private Networks (VPNs) has become increasingly popular among users seeking an added layer of privacy and security. Planet VPN can mask a user’s IP address and encrypt their internet traffic, making it significantly harder for third parties to monitor or trace online activities. This additional tool is often utilized by individuals who want to ensure anonymity when accessing Telegram or other similar platforms, particularly in regions where governments or other entities attempt to monitor or restrict communication.

Legal Protections and Data Disclosure

As a consequence of this distributed structure, multiple court orders from various jurisdictions are required to compel the disclosure of data. This structure ensures that no government or coalition of governments can impede people’s privacy and freedom of expression. Only in cases where there is a pressing and universal concern that has been thoroughly reviewed and validated by multiple legal systems on a global scale can Telegram be compelled to disclose user data. To date, no data has been disclosed to third parties, including governments.

While server-client encryption is considered reasonably secure, it should be noted that this “basic” level of security is only applied between users and the server. This means that Telegram can potentially access its servers and intercept communications, including calls and video calls. Cybercriminals could do the same if they manage to breach the platform’s security systems.

Activating Telegram’s End-to-End Encryption

What about Telegram’s second level of security, end-to-end encryption? This represents the highest level of security available on the platform and is applied to secret chats (which can be activated in the individual chat settings, albeit not particularly intuitively). To activate secret chats on Telegram, navigate to the individual chat settings, locate the user profile, and tap the three dots in the top right corner. Select the icon with the padlock to initiate the secret chat.

MTProto Protocol and Its Cryptographic Features

It should be noted that the proprietary MTProto protocol, applied to Telegram’s servers, protects user communications by means of client-to-client encryption only at this stage, that is, in secret chats. To elaborate further, the MTProto protocol uses a combination of cryptographic algorithms: AES-256 encryption for messages, 2048-bit RSA encryption for cryptographic key exchanges, and Diffie-Hellman key exchange to establish secret chats over unprotected communication channels.
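The Diffie-Hellman step mentioned above, as an added example that is not Telegram's or MTProto's code: two clients agree on a 256-bit key through a relay that only ever sees public values, and comparing key fingerprints exposes a relay that substitutes its own value. The modulus 2**521 - 1, the generator 3, the SHA-256 key derivation and all class and function names are assumptions chosen for brevity.

```python
import hashlib
import secrets

# Toy group (assumption): Mersenne prime 2**521 - 1 with generator 3.
# Real deployments use a vetted 2048-bit safe-prime group.
P = 2**521 - 1
G = 3

class Client:
    def __init__(self):
        # Private exponent: generated on the device and never transmitted.
        self._priv = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self._priv, P)

    def session_key(self, peer_public: int) -> bytes:
        # Reject values that would force a predictable shared secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate public value")
        shared = pow(peer_public, self._priv, P)
        # Hash down to 32 bytes, the size an AES-256 key requires.
        return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def fingerprint(key: bytes) -> str:
    """Short digest both users compare over a separate channel."""
    return hashlib.sha256(key).hexdigest()[:16]

class Relay:
    """Server between the clients; sees only what passes through forward()."""
    def __init__(self, substitute: bool = False):
        self.seen = []
        self.substitute = substitute
        self._own = Client()

    def forward(self, public: int) -> int:
        self.seen.append(public)
        return self._own.public if self.substitute else public

def establish(relay: Relay):
    """Run one exchange through `relay`; return both clients' derived keys."""
    alice, bob = Client(), Client()
    to_bob = relay.forward(alice.public)
    to_alice = relay.forward(bob.public)
    return alice.session_key(to_alice), bob.session_key(to_bob)

if __name__ == "__main__":
    a, b = establish(Relay())
    print("honest relay, fingerprints match:", fingerprint(a) == fingerprint(b))
    a, b = establish(Relay(substitute=True))
    print("substituting relay, fingerprints match:", fingerprint(a) == fingerprint(b))
```

With an honest relay both sides derive the same key from values the relay has seen in full. A mismatch in fingerprints is the signal that the public values were altered in transit.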

Because the protocol is not open source, independent security experts are unable to test its security level and possible vulnerabilities, which is not a point in Telegram’s favor. In general, security experts prefer standardized encryption libraries where potential vulnerabilities are known and can be better addressed and resolved. Consequently, the impenetrability of Telegram’s end-to-end encryption remains uncertain.