I’ve seen a rash of rightists on the Internet bring up Telegram as some kind of “secure” alternative to Discord and Twitter, citing how it has “end-to-end encryption” or whatever else. They claim that the government can’t get on it and that it’s safe to post your plans to overthrow said government on it. I have some bad news for those users: it isn’t. I’m going to break down why I find this service to be an obvious honeypot into a few key points.
- It Has Channel Links Like Discord Invite Links
Every one of its channel links has the following format: https://t.me/CHANNEL_NAME_HERE. This is similar to the Discord invite link format, which looks like this: https://discord.gg/RghMm9C. You will notice something specific in this format: they all require you to visit a specific domain name. This means that Telegram Messenger Inc. is informed that you went to this particular channel. You tell them when you do. Your privacy is compromised here just by that fact alone.
- It Takes Your Real Fucking Phone Number
When somebody signs up to use Telegram, it sends an SMS message to their phone, and even asks for permission to read SMS messages to make filling it in easier. This means it can associate a user account with a phone number and a time, and that phone number plus timestamp can be tied to a specific person through a phone company’s records. Now, I’m aware that there are ways to get phony burner numbers that let you bypass this, but the fact that they’re trying to get this information out of you in the first place tells you that they’re not exactly interested in your privacy. They want you to tip your hand.
Also, implying that their automatic reading of the security code is the only time it reads your SMS messages.
- You Can Report Posts
I thought this thing was supposed to be secure and immune to Telegram Inc’s spying, but then I discovered that you can report posts. Report them to who? Since they apparently can’t read your messages, why would reporting a message ever do anything at all? Here’s a hint: because they can, as a matter of fact, read your messages.
- Its Backend Is Closed Source And Proprietary
Since it’s so secure and there’s just no way it could possibly be spying on its users, why keep the source code of the backend hidden? Naturally, to prove that their system isn’t malicious, they would not need to divulge sensitive information like database passwords or API tokens, and even then, they could release a fake backend repository to make it seem legit. They didn’t even do that. They straight up don’t tell you what the backend does. It’s a black box.
To anybody who fell for the “Telegram is secure” meme, consider the following: if you went to a used car dealership and they had a sign that read “no ripoff,” how seriously would you take that sign? Would you take it at face value without skepticism? No, you wouldn’t. So when some “app” or online service tells you that it’s secure and that the government can’t track you on it, always assume that the government can and try to figure out how they can. Ninety-nine percent of the time, you’ll figure out exactly how the government can spy on you through it (see above), and the other one percent of the time you’re likely just missing something.
This is not to say that there are no secure-ish means of communication online. However, it should be noted that the most secure way to send messages like this (that I’m aware of) is called “Pretty Good Privacy.” That should tell you something. If you know what you’re doing, you’re going to admit that there’s almost definitely a way you aren’t aware of to break or circumvent whatever cute security power play you deploy. Asking a real security expert “is this line secure?” is like a head of state asking his defense minister “is it impossible to lose a war?”
It’s also worth noting that the most important detail of security is trust. Discord is “secure” insofar as your communication with the server isn’t going to be successfully intercepted by some third party trying to steal your password, because it uses SSL effectively. However, Discord Inc. can still see everything you send over the line, so if you don’t trust Discord to not spy on you (you shouldn’t) then you shouldn’t send any interesting content over that line. And that’s just Discord Inc. itself; what about whoever hosts their servers? I bet they can see some cool stuff too if they deigned to look. The same can be said for any random IRC server with SSL; if you trust the administrator of that IRC server, as well as the hosts of that IRC server, and keep good track of the SSL fingerprints, you’ll be fine, but even then, you should assume you’re being watched.