Telegram Messenger is notorious because of its wide-scale used by ISIL. Indeed, this notoriety may have fueled a popular conception that Telegram is highly secure and private.
Despite privacy and security experts not sharing this view, the app remains wildly popular. This is especially true in the Middle East. In Iran alone, Telegram has some 40 million monthly active users. It also played a critical role in the 2016 Iranian parliamentary election. I will discuss the specific situation with Telegram and Iran later in this article.
A number of governments have tried, or have proposed, to block Telegram - notably Indonesia and Russia and Iran.
Please see below for a discussion on how a Virtual Private Network (VPN) can - and cannot - help Telegram users.
VPNs for Telegram: Considerations
Using a VPN will allow you to access the Telegram website and download the desktop software, even when it is otherwise blocked. It should also help unblock Telegram in the event of Internet Service Providers (ISPs) blocking the Telegram protocol.
If Telegram is not available from the Google Play store in your country, Android users can download the app using F-Droid.
Unfortunately for privacy, Telegram authenticates users using their phone numbers. This means that Telegram Messenger LLP knows who its users are. Thus it can (in theory) associate non-end-to-end encrypted conversations with individual users (more on this later). Would it ever divulge this information to governments? Probably not, but who knows?
Of more concern is the fact that Telegram stores this information on its servers. It is therefore vulnerable to hacking and surveillance. In Russia last year, two activists’ Telegram accounts were hacked, probably by Russian security services with the cooperation of the activists’ mobile provider.
As Nima Fatemi, an independent security researcher based in the US, told the Committee to Protect Journalists (CPJ):
“If any of [Telegram's] servers get compromised, all of the users' data is up in the air. We know from the Snowden revelation and all massive hacks that no single computer can be protected from hackers. Especially if it's a juicy target with millions of people's conversations stored on it."
Telegram is Not That Secure!
Despite its reputation for privacy and security, privacy and security experts are not fans of Telegram.
Central to Telegram’s privacy and security claims is its Secret Chat option. This uses end-to-end encryption in order to allow for private and secure conversations. It means that all messages are encrypted on the sender’s device when he/she enables Secret Chat. The messages can only be decrypted and read on the intended recipient’s device.
Messages sent using Secret Chat should, therefore, secure, even against hackers and Telegram Messenger LLP itself.
This is great. However, experts have criticized Telegram for not enabling Secret Chat by default. Unless you specifically activate Secret Chat, messages sent using Telegram aren't secure. This means that Telegram Messenger LLP and hackers could access them.
It's gravely concerning that many Telegram users don't know that their messages aren't secure by default. Some may simply forget to turn Secret Chat on.
When combined with Telegram’s method of authenticating users using their phone numbers, this makes it very easy for governments to seize accounts and access unencrypted messages.
Always use the Secret Chat option when you want to keep your conversations private
Additionally, even if you enable Secret Chat, researchers are critical of the encryption used by Telegram. Rather than use tried, tested, and fully audited encryption standards, Telegram uses its own MTProto encryption protocol.
As a detailed security assessment (.pdf) of MTProto notes:
“Our main discovery is that the symmetric encryption scheme used in Telegram – known as MTProto – is not IND-CCA secure, since it is possible to turn any ciphertext into a different ciphertext that decrypts to the same message…
"The take-home message (once again) is that well-studied, provably secure encryption schemes that achieve strong definitions of security (e.g. authenticated-encryption) are to be preferred to home-brewed encryption schemes.”
This is a criticism endorsed by Nate Cardozo, senior staff attorney at Electronic Frontier Foundation, who has recommended not using Telegram because of "its lack of end-to-end encryption [by default] and its use of non-standard MTProto encryption protocol, which has been publicly criticized by cryptography researchers, including Matthew Green."
If you would like to know more about how encryption works, why not check out our ultimate guide to online privacy?
The only way to know if software can be trusted is if it is open source. This means that researchers can freely examine the code to ensure nothing malicious is going on. The Telegram client is primarily open source, but contains some elements (called binary blobs) that are not.
Some experts have also criticized Telegram for being slow publishing recent versions its open source code. This is a security problem, as the code could be modified without anyone being aware of it.
The server-side code is closed-source and proprietary. However, this shouldn't be an issue if you enable end-to-end encryption (Secret Chat).
Signal is More Secure
If privacy and security are your main reasons for using Telegram then you should consider switching to Signal. Experts widely regard Signal as the most secure means of remote communication currently available.
The WhatsApp app is based on Signal. Although not without issues, WhatsApp is also much more secure than Telegram.
Of course, you may simply want to use Telegram because your friends and colleagues use it. You may also want to follow particular Telegram users via the app’s mass-broadcast Channel function. This is absolutely fine, but please bear in mind Telegram’s limitations on the privacy/security front.
Telegram in Iran
Iran blocks mainstream media platforms such as Facebook, Twitter, and most international news sites. Telegram is widely used as a means to bypass state censorship and to access reformist viewpoints.
Indeed, analysts believe that Telegram assisted dozens of moderate and reformist-leaning candidates in becoming elected to the Majles (Iran's parliament) in the 2016 elections. As Amir Rashidi, an internet security researcher at the Center for Human Rights in Iran, told CPJ,
“Telegram had a huge impact in Iran's last parliamentary election. Reformist activists had very limited access to major media outlets and the state radio and TV, so they used Telegram to send and spread their messages."
In response to this, the conservative and authoritarian Iranian government has sought to regulate Telegram. It now requires all Iranian citizens by law to register Telegram channels with more than 5,000 followers with the Ministry of Culture and Islamic Guidance. Some 2,000 Channels (Persian) are now registered in this way.
According to statement by Telegram, in advance of the 2017 elections “internet providers in the country are blocking the protocol that is used to establish a connection between users before a P2P call can be activated.”
If you're looking to circumvent state restrictions on content in Iran, our best 5 VPNs for Iran should make for interesting reading.
Iranian authorities arrested the administrators of 12 reformist Telegram Channels ahead of the May 2017 election. These Channels included Reform News, with more than 111,000 followers, and Assembly of Reformists, with 94,000 followers.
It is my understanding that the authorities later released the Channel admins. However, Radhidi argues that the arrests helped to create an atmosphere of fear and intimidation among liberals and progressives in the country.
Russia Bans Telegram
On Friday 19 April 2019 a Moscow court authorized Roskomnadzor, the Russian communications and technology watchdog, to block Telegram.
The move follows demands from the Federal Security Service (FSB) that Telegram hand over its encryption keys to the secretive KGB successor after claiming that it is widely used by terrorists. Telegram refused.
Good news, however, is that Telegram can still be freely accessed in Russia using a VPN. This is because a VPN hides the fact that you are connecting to the Telegram network from your internet and/or mobile provider (and therefore the Roskomnadzor).
For more information on this story please see our full Russia Bans Telegram Messenger article.
Best Telegram Messenger VPNs: Conclusion
Telegram has proven itself to be a useful tool for defeating censorship and exercising freedom of speech. If you can't access the Telegram website, or your ISP attempts to block the Telegram protocol, a VPN will help.
Do please be aware, however, of Telegram’s limitations as a privacy tool. Most importantly, always remember to use the Secret Chat feature when participating in discussions that you would rather the authorities not access.
Best VPNs for Telegram Messenger: Side-by-Side Summary
Image Credit: Allmy/Shutterstock.com