Telegram’s founder, Pavel Durov, has consistently praised his platform for allowing free speech and digital privacy to flourish. However, a new investigation says that the messaging app may be less secure than popularly thought.
-
Telegram infrastructure is controlled by a man whose companies have collaborated with Russian intelligence services, an investigation by IStories claims.
-
If users want to use end-to-end encryption on Telegram, they have to turn on the feature manually. Most don't.
-
The investigation highlights the dangerous disconnect between what many believe about Telegram’s security and privacy features, and the reality.
The popular belief is that Telegram, just like many other top messaging apps, offers end-to-end encryption. It indeed does – but not by default.
If users want to use end-to-end encryption on Telegram, they have to turn on the feature manually, enabling the Secret Chats function. If they don’t, these chats are decrypted and stored on servers. The vast majority of people don’t realize this and communicate through regular “cloud” chats.
That’s a problem, a new investigation by an exiled media outlet IStories now says, because “this means that whoever controls the server can access the correspondence.”
According to IStories, a bit of digging around has revealed that Telegram’s infrastructure is maintained by Global Network Management (GNM), an obscure company based in Antigua and Barbuda that has provided Telegram with over 10,000 IP addresses.
GNM’s owner is Vladimir Vedeneev, who testified in a US court once that his company installs and maintains Telegram’s infrastructure. The firm actually has staff in Russia. Plus, court documents reviewed by IStories show that Vedeneev also serves as Telegram’s chief financial officer.
Quite a few of GNM’s IP addresses used to belong to Globalnet, a St. Petersburg-based telecommunications company that has links to the Kremlin and Russian security services, including the FSB.
According to IStories, Telegram also received 5,000 IP addresses from another St. Petersburg-based firm, Electrontelecom. Electrontelecom is indeed an FSB contractor, having helped the agency install secure communications systems used in intelligence operations.
Interestingly, when Globalnet implemented user traffic monitoring systems in 2022 at the request of the Russian state communications watchdog Roskomnadzor, Oleg Matveychev, deputy chairman of the State Duma’s Information Policy Committee, said that Telegram and the FSB had reached a “compromise.”
It involved Telegram installing infrastructure enabling authorities to monitor users caught in criminal investigations. These users can be suspected terrorists, but in Russia, they can also be opposition activists or anti-war protesters.
“If true, this reporting highlights the dangerous disconnect between what many believe about Telegram’s security and privacy features, and the reality,” John Scott-Railton, a senior researcher at The Citizen Lab, told IStories.
“When people don't know what is actually going on, but assume they have metadata privacy, they can unknowingly make risky choices, bringing danger to themselves and the people they’re communicating with. This is doubly true if the Russian government sees them as a threat.”
Telegram, though, responded to the IStories investigation, telling BBC News Russian that the company “has contracts with dozens of different service providers around the world,” but none of them “has access to Telegram’s data or confidential infrastructure.”
"As a global company, Telegram has contracts with dozens of different service providers around the world. However, none of these service providers have access to Telegram data or sensitive infrastructure," said the company.
"All Telegram servers belong to Telegram and are maintained by Telegram employees. Unauthorized access to any data is impossible. Throughout its entire history, Telegram never disclosed any private messages to a third party – and its encryption has never been breached.
Your email address will not be published. Required fields are markedmarked