
Is the messenger reliable and secure?

At Telegram, colorful stickers and cloud storage meet opaque structures and dubious, sometimes criminal groups. There are a few points to be aware of, especially when it comes to the security of the app.

Telegram is repeatedly discussed as an alternative to WhatsApp. Some criticize the lack of default end-to-end encryption, a rather opaque company and the fact that the server code is not published as open source; others see practical features such as device-independent chat synchronization thanks to cloud usage as advantages.

“Telegram is the most insecure messenger that is currently being passed around, security is only faked,” writes SWR3 online boss Stefan Scheurer in an article; Heise security expert Jürgen Schmidt calls Telegram “a disaster in terms of privacy”. But what are the reasons for such harsh criticism of the messenger?



Telegram criticism: The crux with end-to-end encryption

Probably the biggest criticism regarding the security of Telegram concerns the encryption of messages. In contrast to WhatsApp, for example, conversations over Telegram’s cloud-based service are not automatically end-to-end encrypted. If you want to use this security setting, you have to enable it manually for the respective chat and then lose some of the familiar functions (partly for technical reasons).

This does not mean that messages outside of the so-called “secret chats” at Telegram are always sent completely unencrypted – according to its makers, server-client encryption is used here. Calls via Telegram are automatically end-to-end encrypted, but for group chats there is no “secret chat” variant.


Overall, according to its own information, Telegram works with a combination of “2048-bit RSA encryption, symmetrical 256-bit AES encryption” and Diffie-Hellman key exchange.
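The difference between the two chat types, as an added illustration (not Telegram's code and not its actual protocol): a toy model in which the relay server holds the transport keys for a cloud chat, but only forwards Diffie-Hellman public values and ciphertext for a secret chat. The modulus, the XOR keystream cipher and all function names are assumptions made for this demonstration and are not suitable for real use.

```python
import hashlib
import secrets

P = 2**255 - 19  # constructed demo modulus; real DH needs a vetted, larger group
G = 2

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || offset). Encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    # Both sides compute G^(a*b) mod P and hash it into a 256-bit key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def cloud_chat(message: bytes):
    """Server-client encryption: the server shares one key with each client."""
    key_alice_server = secrets.token_bytes(32)
    key_bob_server = secrets.token_bytes(32)
    wire_in = keystream_xor(key_alice_server, message)
    # The server owns key_alice_server, so it recovers (and can store) plaintext.
    server_view = keystream_xor(key_alice_server, wire_in)
    wire_out = keystream_xor(key_bob_server, server_view)
    return server_view, keystream_xor(key_bob_server, wire_out)

def secret_chat(message: bytes):
    """End-to-end: the server relays public values and ciphertext only."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ciphertext = keystream_xor(dh_shared(a_priv, b_pub), message)
    server_view = ciphertext  # a_pub, b_pub and this are all the server sees
    return server_view, keystream_xor(dh_shared(b_priv, a_pub), ciphertext)

if __name__ == "__main__":
    msg = b"constructed sample message for the demo"
    print("cloud chat, server sees: ", cloud_chat(msg)[0])
    print("secret chat, server sees:", secret_chat(msg)[0].hex())
```

In the cloud-chat path the operator's copy is readable by anyone who controls the server; in the secret-chat path only the two endpoints ever hold the key.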



Chats without end-to-end encryption: Telegram could read all processes

Especially in the case of conversations and processes that are not end-to-end encrypted and are stored on Telegram’s servers at an unknown location, with correspondingly unknown data protection laws, critics fear that the information could be read out, passed on and used for different purposes by attackers or by Telegram itself.

The company itself writes on the subject of data requests from third parties: “To date we have given 0 bytes of user data to third parties, including all governments.” According to the company, the data from the cloud chats is “stored in several data centers around the globe, which are controlled by different legal entities in several jurisdictions”. Keys and associated data are, it says, never stored in the same location. In order to force Telegram to disclose data, court orders from several countries would have to uniformly order the release, according to the provider.

The company also denies the transfer of data, for example for advertising purposes: “We do not use your data for targeting advertising and we do not sell it to others.” Telegram is generally GDPR-compliant. Complaints about public contributions such as bots, channels or sticker packages would, however, be checked upon request and removed if necessary. Telegram also works with Europol.

Anyone who uses the app must be aware that, in theory, not only the parties involved in the chat, but also the app operators have access to the entire message history including files. Whether Telegram actually manages these conversations as promised is not exactly transparent – here users have to weigh up whether and to what extent they trust the service and its statements. Sensitive data in particular should therefore not be sent in normal chats.



Telegram as a company: who is actually behind the app?

Telegram was founded in 2013 by the two Russian brothers Nikolai and Pavel Durov. Before that, Pavel Durov in particular had made himself unpopular with the Russian authorities because, as the head of the Russian Facebook alternative VKontakte, he had refused to delete pages critical of the Kremlin – not for social reasons, but rather for business ones.

Overall, it becomes clear that Telegram obviously does not want to be found, for example if you search in vain for an imprint on the German-language website. The imprint would actually be mandatory in Germany and would also make the company more transparent for users. In 2016, for example, the editorial team of Die Welt set out to locate the company headquarters, located in Berlin at the time – but without success.

According to the company’s own FAQ, Telegram is now based in Dubai, but is ready to change location if the laws there change (unfavorably). “The Telegram team had to leave Russia due to local IT regulations and has tried a number of locations, including Berlin, London and Singapore.” Critics perceive this very low level of transparency regarding the structures and locations of Telegram as a shortcoming: as a result, not only the third parties Telegram is allegedly evading, but also the users do not know exactly where their data ends up and is managed.



Is Telegram open source?

This question can be answered with a yes and no. The code of the Telegram clients, above all, is available to the public and licensed under the GNU General Public License. The server code, on the other hand, is not open source but proprietary; an open programming interface (API) is offered, however.

Telegram’s handling of vulnerability reports seems to vary: in July 2021, an international team of experts found several cryptographic vulnerabilities in the protocol. Telegram responded and made improvements. On the other hand, the interaction went less smoothly with another researcher, who reported a massive flaw in the deletion of self-destructing photos in the app in the spring of 2021. According to him, he was in contact with the Telegram team for months until they finally offered him a bounty for his find – on the condition that he would not talk about the events, or only with written approval from Telegram.



Conclusion: is Telegram safe and reputable?

Given the lack of default end-to-end encryption, Telegram cannot claim to be a particularly secure messenger alternative. For the convenience of cloud-based chats, which can be accessed from anywhere, users must accept the risk that the entire conversation, including files, will be stored on internationally distributed servers – this offers the potential for abuse and attacks from both the outside and the inside.

Basically, users have to weigh up whether they trust the company’s promises to secure data that is not end-to-end encrypted. There is more security at Signal, for example, and self-hosted services would also be an alternative. Especially with the latter, however, the mass suitability that established messenger services bring with them is likely to be severely limited.

The function of group chats with up to 200,000 members and the channels offer the opportunity to exchange ideas with numerous people with the same interests. Combined with the less pronounced interference by Telegram, not only opposition activists in Hong Kong can exchange ideas on the platform, but also, for example, lateral thinkers and right-wing extremist groups. Again and again it becomes clear that Telegram is the contact point for criminal and terrorist groups who feel undisturbed there. Combined with the opaque structure of the company, this casts a rather dubious light on Telegram – the structure aspect, for example, is used very deliberately by the company.

Overall, when it comes to messenger services, it pays to carefully weigh up comfort, security and your own convictions and take a closer look. An overview of the various services such as Threema, Ginlo or Wickr is available here, for example.
