The arrest of Pavel Durov, the founder and CEO of Telegram, has shaken up the tech community.
The charges against Durov include refusal to cooperate with authorities and complicity in offenses related to child sexual abuse material and drug trafficking. If convicted, Durov faces up to 20 years or more in jail.
With almost 1 billion users, Telegram has long presented itself as a privacy-first, anti-surveillance messaging app. “To this day, we have disclosed 0 bytes of user data to third parties, including governments,” says the company on its website. But with criminal responsibility looming over the CEO’s head, will Telegram stick to that policy? And was it as private as it claims to be, to begin with?
Moonlock sat down with experts to understand the state of Telegram today and how well it actually protects your data.
Experts weigh in: Telegram today, tomorrow, and in the long run
Irina Tsukerman is a national security and human rights lawyer and a geopolitical analyst. Moonlock asked Tsukerman how worried users of the platform should be about Telegram’s privacy today.
“Most likely, Durov’s arrest in the immediate to short term will not have a significant impact on the privacy and security settings,” Tsukerman said. “Durov’s team is unlikely to overhaul the platform or to impose major challenges in policies without Durov’s approval while his fate remains uncertain.”
Tsukerman added that while no legal demands or orders have been undertaken by the French or any other government against the platform itself so far, the EU has not yet ruled on any potential violations of the EU Digital Services Act. This ruling could eventually impact privacy and security settings.
If it is found, for instance, that the platform promotes disinformation, this could have major implications. The same goes for if it is found that the platform manager or founder has not complied with relevant digital services regulations.
“For now, Telegram is running as it was before the arrests,” Tsukerman said. “Moreover, Durov’s arrest appears to have had no impact on its use or concerns regarding the platform.”
Tsukerman said that in the future, this could change. If Telegram is more clearly implicated in Durov’s investigation, the situation will become much more complicated. The same will be true if the investigation yields additional information regarding the insufficiency of the current settings.
“It is also possible that the Telegram team will undertake a personnel shift or change the way the platform is managed to continue being competitive despite the bad publicity,” Tsukerman added. “Even before Durov’s arrest, many in the cybersecurity community, as well as regular users, complained about the privacy and security settings.”
Session CTO talks to us about the risks for users
The Telegram messenger app is considered less encrypted and less secure than Signal. It is also considered less secure than Session, which requires the exchange of encryption keys to participate in messaging.
Moonlock spoke to Kee Jefferys, CTO at Session, to get his insight on the issue.
“In most cases, (Telegram) accounts are tied to a phone number,” Jefferys said. “Each time you send a message, your IP address is visible to Telegram’s centralized servers.”
“Pavel Durov’s arrest doesn’t alter these fundamental issues, but it does raise concerns that the French government could exert pressure on Telegram’s leadership to disclose this data to authorities,” Jefferys warned.
The CTO of Session explained that Telegram’s security has not changed. By default, messages are encrypted only in transit to Telegram’s servers.
“Unless you’re using ‘Secret Chats,’ Telegram retains the ability to view message content once it reaches their servers,” Jefferys said. “This technical reality hasn’t changed post-Durov’s arrest, but the arrest may increase the likelihood of governmental pressure to access users’ unencrypted messages.”
According to the CTO of Session, the greatest risk for Telegram users is the platform’s lack of end-to-end encryption outside of Secret Chats. This means that messages are accessible to Telegram’s servers (the cloud).
Additionally, Jefferys explained that Telegram does not protect metadata when users connect. This means that sensitive information, such as IP addresses and contact details, is exposed whenever messages are sent or received.
“This creates a potential honeypot of users’ messages and metadata,” Jefferys said.
Another risk is that as Pavel Durov’s case progresses, French prosecutors may pressure Telegram’s team to grant access to this data as part of their investigations. Consequently, some Telegram users could be put in a precarious position.
Telegram has a bad record with governments
For years, governments around the world have been warning about the dangers of Telegram. With these new complications, they may have had enough.
Recently, Euronews reported that the platform has already been banned by 31 countries since 2015. This includes the recent UK ban of Telegram, which came in early August 2024.
The UK government found that the platform was being used to spread misinformation and coordinate anti-immigrant riots in the country. The ban was imposed in the aftermath of the Northern England case in which 3 girls were killed in a violent stabbing.
Telegram’s problems with governments worldwide are driven by abundant misinformation, extremism, terrorism promotion, illicit drug selling, and cybercriminal resources found on the platform.
Countries that have banned Telegram include China, Iran, Thailand, Russia, Turkey, Pakistan, India, and Belarus. Some of these bans have only been temporary or partial. Nevertheless, they all represent restrictions on the availability and use of Telegram.
Telegram cybercrime risks are abundant
Tsukerman spoke about the abundant cybercriminal activity on Telegram and the platform’s unpatched vulnerabilities.
“Hackers can steal Telegram accounts to spread scams or steal data,” Tsukerman said. “They might trick users into clicking malicious links or exploit vulnerabilities to gain access, and once in, they can steal contact lists, chat history, or sensitive information files.”
Telegram is also widely used to distribute malware.
“The platform itself is open to penetration by foreign intelligence actors, as indicated by various public reports and personal user experience,” Tsukerman said. “And Telegram has also appeared not to have undertaken any action to prevent the proliferation of such actors or even to warn the users about this situation.”
Reports show that various extremists, as well as hostile intelligence agencies, have made use of the popularity of channels within the platform to create their own Telegram channels.
Tsukerman said that these interests often operate under false pretenses, encouraging or manipulating users toward criminal activity.
“The proliferation of phishing kits and other tools means that Telegram can be used specifically to target user systems,” Tsukerman added. “These tools are now readily available on Telegram and can be found using the search function.”
Durov: Criminal accomplice or “freedom of speech” advocate?
The arrest of the CEO of Telegram almost instantly triggered a worldwide debate. Some wonder if this case is a freedom of speech issue or a criminal case.
Alexander Linton, Director at OPTF, a nonprofit organization creating secure and privacy-protecting solutions, told Moonlock that Pavel’s arrest is a good reminder that we should not use apps whose integrity relies on just one person.
“No matter what Pavel is, they will make a hero out of him if he is prosecuted for providing encrypted messaging — something everyone should have access to,” Linton said.
Linton believes that Telegram’s privacy and security post-arrest are the same as they were before — dubious.
“Telegram is centralized and doesn’t use end-to-end encryption by default,” Linton added. “So, I wouldn’t consider it a particularly private or secure option.”
Setting a potentially dangerous precedent
Jefferys from Session added that, in his opinion, the CEO of Telegram is no more a criminal accomplice than the CEO of an internet service provider when someone uses their internet connection to commit a crime.
“A dangerous precedent would be set for online platforms if they were treated as a distinct legal class, separate from other carrier services, which generally cannot be held criminally liable for the simple act of relaying messages,” Jefferys said.
Similarly, other public figures in the social media community, like Elon Musk, also believe the case sets a bad precedent.
However, some cybersecurity researchers see things differently. These experts have seen the good, the bad, the ugly, and the outrageous emerge from Telegram.
“From its inception, the platform has gained notoriety not for merely being anti-establishment but for harboring illicit content ranging from child pornography to terrorist communications and propaganda, to criminal transactions, from scrutiny and authority,” Tsukerman told Moonlock.
“None of that has anything to do with free speech,” Tsukerman added.
Tsukerman said that the lack of encryption in Telegram actually has the opposite effect on freedom of speech. Why? Because unencrypted data can easily be exfiltrated by threat actors and cyberespionage groups.
“Dissidents and opposition groups become vulnerable targets in such a space,” Tsukerman warned.
“Durov has acted disingenuously and with willful disregard for international and local laws and public safety by allowing Telegram to become a safe space for extremists, terrorists, criminals, black hat hackers, and rogue regimes.”
“It is astonishing that anyone seriously dedicated to freedom of speech could consider Durov an example of a free speech warrior when Telegram appears nothing more than a shell/veneer for authoritarian interests of all stripes,” Tsukerman concluded.
What should Telegram users do moving forward?
Today, Telegram users who want to strengthen their privacy can consider enabling features like Secret Chats. But is this enough?
Jefferys from Session said that users who are looking for private or secure conversations should consider looking into other platforms.
“If moving away from Telegram isn’t an option, I suggest using Telegram’s Secret Chats feature, which, although not perfect, provides end-to-end encryption in a semi-secure manner,” Jefferys said.
Conclusion
Telegram’s security and privacy features and capabilities are unlikely to change anytime soon. Even before the arrest of its CEO, the messaging platform was plagued by criminal activity of all kinds. Its default lack of end-to-end encryption is to blame.
The app has been used for a wide range of malicious activities. These range from black ops and cybercriminals selling malware to child pornography, terrorism, drug trafficking, and extremism.
As Durov’s case advances, Telegram’s security and privacy could change. In the future, governments could demand that the platform open up its digital data trove. Additionally, cybersecurity risks are high on Telegram.
If what you are looking for is end-to-end encryption by default, then currently, Telegram is not your best option. In the end, it comes down to a personal decision every user needs to make.