You Need To Stop Using Telegram Messenger. Here's Why

After I first stumbled upon Telegram at the behest of a friend circa 2015, the app became my go-to messenger. It was fast. It was cross-platform, web-based, and it let you conceal your phone number by only adding people via username. It was doing now-standard things long before they were cool, like message reactions, live location sharing, self-destructing messages, animated stickers, and more. Development has kept a blistering pace since day one, and it continues to roll out features I wish other apps would include, like built-in, real-time chat translation, and account self-destruction — peace of mind in case you forget your password.

In many ways, the app remains functionally amazing, and I've praised it as a Messenger alternative. However, I can no longer recommend it in good conscience, and think its users should now migrate elsewhere.

Telegram isn't new to controversy. The ease with which it allows the spread of misinformation is nothing short of alarming — especially when AI can now create convincing fake media — and its role in the Russian-Ukrainian war is a huge can of worms. The app's Russian origin — which is what typically raises red flags for Western users — is not even something I'd worry about, to the surprise of some reading this article. The issues are with both the app itself, and the people pulling the strings behind the scenes. 

Whatever your qualms about WhatsApp or Signal, it's time to take your communication there instead. Here's why I think it's time to jump ship on Telegram, at least for the time being.

End-to-end encryption is not enabled by default

It's hard to overestimate just how important end-to-end encryption (E2EE) is. If your data is E2EE protected, only you can access it. Neither service providers, nor governments, nor even hackers can break properly-implemented encryption of this kind. They'd have to compromise you by other means. At a very high level, E2EE means the data is encrypted on your device before being sent, only to be decrypted by the recipient — and no one else. Both WhatsApp and Signal support it right out of the box. With Telegram, E2EE is optional.

By default, Telegram uses server-client encryption, which means the data is encrypted as soon as it arrives at the server. This creates two major problems: one, the data could potentially be intercepted en route to the server; two, you have to trust the server holding the information not to access it. Trust is a terrible policy for security. E2EE means you don't have to worry about a server security breach (hackers) or an inside job (company employees) compromising your data. Even if you could trust Telegram completely, data breaches are something of an inevitability — as the saying goes, it's not if they hack you, but when.

Telegram does support E2EE, but they call it Secret Chats. It's not made clear to new users what secret chats are, or that you have to specially enable one yourself. Until Telegram enables E2EE by default, or makes it crystal clear that it doesn't, users should look elsewhere for a platform to host their private conversations.
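
The trust difference between the two models described in this section, shown as an added example that is not from the original article. It is neither MTProto nor the Signal protocol: the toy Diffie-Hellman group, the HMAC-based cipher, and the names Alice, Bob, `server_client_relay` and `e2ee_relay` are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, chosen for brevity; not a vetted production parameter set.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as an illustrative keystream.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                               hashlib.sha256).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, msg):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, msg)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return _xor_stream(key, nonce, ct)

def server_client_relay(msg):
    # Each leg is encrypted to the server, which decrypts and re-encrypts.
    alice, server, bob = keypair(), keypair(), keypair()
    uplink = seal(shared_key(alice[0], server[1]), msg)
    server_sees = unseal(shared_key(server[0], alice[1]), uplink)
    downlink = seal(shared_key(server[0], bob[1]), server_sees)
    return server_sees, unseal(shared_key(bob[0], server[1]), downlink)

def e2ee_relay(msg):
    # The key is agreed between Alice and Bob; the server only forwards the blob.
    alice, server, bob = keypair(), keypair(), keypair()
    blob = seal(shared_key(alice[0], bob[1]), msg)
    try:
        server_sees = unseal(shared_key(server[0], alice[1]), blob)
    except ValueError:
        server_sees = None  # the server's own key does not open the message
    return server_sees, unseal(shared_key(bob[0], alice[1]), blob)
```

In the first function the relay recovers the plaintext as a normal part of delivery; in the second it cannot. Real E2EE protocols also authenticate the public keys being exchanged, which this sketch leaves out.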

Telegram's E2EE isn't great for the security researcher or the end user

WhatsApp and Signal employ the Signal Encryption Protocol, a form of E2EE that has been vetted and praised by security experts. Importantly, it's open-source, meaning anyone can examine the code and contribute to building it, and the Signal app itself was built by actual security experts. It's a case study of good security, so good that authoritarian governments and ignorant politicians despise it. Despite this, it's still easy to use, without major compromises to user convenience. The same can't be said for MTProto, Telegram's proprietary encryption protocol.

As early as 2015, MTProto 1.0 had concerning security vulnerabilities, and one person even discovered a potential backdoor. Thankfully, 1.0 was replaced with a more sound 2.0 in 2017, but the problems didn't stop there. In 2019, Shielder discovered 13 new vulnerabilities. Researchers from Royal Holloway University of London did an in-depth analysis of MTProto in 2021 and discovered "several cryptographic weaknesses in the protocol that ranged from technically trivial and easy to exploit, to more advanced." All of these were patched, but it's impossible to know how many more exist. Meanwhile, the Signal Encryption Protocol's record is practically spotless. 

Plus, Telegram's secret chats are not as fun or convenient to use. They are dreadfully slow, remain on a single device, are separate from normal Cloud chats with the same person, and lack basic functionality like message reactions, which is not the case with WhatsApp and Signal. Considering MTProto has such a flawed history, you're getting the double whammy of worse security and an inferior user experience. Are Telegram's features really amazing enough to overlook these glaring issues? I'd say no.

Telegram cooperates with the Kremlin and could give away your data

Pavel Durov, Telegram's founder and CEO, is Russia's version of Mark Zuckerberg, if Zuck were a little more anti-establishment. He founded VK (the Russian equivalent of Facebook) in 2006, then sold all his shares and fled the country in 2014 rather than comply with an FSB (Russia's FBI) seizure of VK user data. However, Durov's clashes with the Kremlin did not end there. In 2018, the Russian government blocked Telegram nationwide when Durov refused to hand over user data, again. In 2020, it was unblocked, but not because the Kremlin flinched playing chicken with Durov. No, CCN reports that Russia's parliament struck a deal with Telegram in exchange for a nebulous, off-the-record agreement to collaborate.

What does this collaboration entail? We don't know the full scope of it beyond "banning illegal channels," particularly as it concerns extremism and terrorism. That might sound fine, until you consider Russia's authoritarian regime puts the LGBTQIA+ community on that list, per Reuters. There's now increasing anecdotal evidence from publications such as Wired that the Kremlin uses Telegram as a jury-rigged surveillance apparatus, either because Telegram is cooperating more than it lets on, or because its security is so weak the government has compromised it. Neither is good, especially for Ukraine, which uses the app as a vital communication tool.

Further, Telegram admits that it will hand over data if forced to, but assures users it hasn't — yet. Knowing that Telegram is in active cooperation with the Kremlin, that claim is specious at best. We all know from experience how companies are often caught years after they infringe on user privacy. Considering the Russian government labels whatever's expedient as extremism, they can decide any user is an extremist at will.

Telegram's poor moderation leads to problems

If nothing I've said so far raises your eyebrows, then this certainly will. One of Telegram's strongest pulls is its diverse, thriving communities. Its group chats can support up to 200,000 members, and include many of the wonderful features that make Telegram great. Think of it like Discord's community servers. Problem is, Telegram's poor moderation has led to the platform being a haven for all the grimiest parts of the Internet.

Where to begin? Let's start with some of the concerns raised by Guardio, a cybersecurity organization which dubbed the app a scammer's paradise in a report that details how Telegram gives you ready-made phishing kits to steal people's credentials. Mashable reports that Telegram has helped the spread of revenge porn, Reddit users complain that it's practically overrun with bots, and Vox notes that it's the platform of choice for right-wing extremism, including groups such as the Proud Boys. Wired identified it as a tool for terrorist organizations like Hamas to mass-distribute propaganda, and Fortune reports that it's a place where you can buy illicit drugs and firearms.

You may not believe it, but this is the shortened list. I don't participate in any Telegram groups, but out of curiosity, I've taken a look at a few. I didn't last long. Imagine those stereotypical deranged Facebook posts shared by your grandma, but on steroids. I've seen quite a few purported news channels spreading flat-out disinformation, many in foreign languages. We've all seen how Facebook struggled with COVID misinformation during the pandemic, so imagine a platform that makes practically no effort to stem that tide.

Telegram may not have the manpower to maintain security or survive a breach

One of the most alarming revelations about Telegram came from the horse's mouth — and this was the tipping point that made me write this article. Pavel Durov admitted to Tucker Carlson in an interview that the company has 30 engineers, give or take. Durov argued his operation was merely efficient, but others disagreed. Security experts lambasted Telegram both because that number's not enough, and because Durov was vague in follow-up requests for comment about whether or not his team includes key positions like Chief Security Officer. 

Such a small team over an almost billion-user messaging platform with flawed encryption (which isn't even the default anyway) is a recipe for disaster. For one thing, it doesn't seem like Telegram is equipped to handle security breaches. Just in terms of day-to-day operations, that team of engineers has an awful lot on their plate. They are implementing new features alongside testing and patching bugs in MTProto. This is to say nothing of other aspects like content moderation, which Telegram handles via a volunteer force, not a vetted, professional team. If the picture I'm painting seems like an organization that's spread thin, then you're right on the money.

I get that Telegram isn't cheap to run. No tech company is. Beyond that, Telegram (like many tech companies) hasn't yet achieved profitability. However, the app advertises itself as privacy-first, and chooses intentionally not to have E2EE as the default. Telegram is asking us to trust it with our messages, but how can it do that if it lacks the manpower to stay good to its word?

The security contests aren't convincing

Quite frequently, I've seen Telegram, when questioned about its MTProto flaws, mention a big contest they had back in the day that proved it was bulletproof. To its credit, Telegram did run a contest where anyone who could crack Telegram's encryption would win $300,000. Not a soul could, which gave Telegram plenty of fuel to pound its chest and say, "See? MTProto is invincible! Case closed." Except, that contest ran in 2015, and at least one expert believes it doesn't prove much.

The site Crypto Fails argues that the contest was no good because Telegram didn't give adversaries enough power to really put MTProto through its paces. They also argued that the protocol does many things that go against conventional cryptographic wisdom, like using the broken SHA-1 hash function. Telegram responded to this criticism, arguing that its focus is on speed and reliability over security — which Crypto Fails then rebutted. It's a great read, even if the techno verbiage is a bit dense.

While I'm not a cryptographer, I do find it alarming that this contest has not been repeated since 2015, much less modified to give the adversary more power as Crypto Fails prescribes. Remember, MTProto 2.0 has been shown to have multiple vulnerabilities. Telegram needs to put its money where its mouth is and offer up $300k (or more) to really prove it's uncrackable. To be fair, they do have a bug bounty program that offers up to $100,000, but that might not generate enough interest to attract the best and brightest to eventually figure out MTProto's Achilles' heel.

The app experience is a mixed bag

While I have praised Telegram before, the usage experience hasn't been perfect in my own, totally anecdotal view — despite how much I love many of the features. It's somewhat ironic that Telegram advertises itself for speed (almost as much as privacy) because that's been the opposite of my experience. I've lived in several countries, and in every single one Telegram takes ages to connect and retrieve messages, even when using a VPN. Photos and videos sent by friends often don't load, forcing me to quit and re-open the app.

The calling experience also leaves a lot to be desired. It takes too long for calls to connect, and call quality is spotty even on uncongested, high-speed networks. Don't bother asking about video quality. The few times I have done video calls on the app, my friend and I have immediately abandoned ship to continue in WhatsApp or Signal. This is all assuming you are using Cloud chats — lock your communication down behind secret chats, and you'll be even less impressed.

Using WhatsApp and Signal, on the other hand, has been virtually painless. Messages send almost instantly. Call quality is excellent. Media sends and downloads quickly, and the overall experience is relatively snappy. Both of these apps — to beat a dead horse — are E2EE, so I can enjoy that blazing-quick communication with the peace of mind that no creepy intruders are eavesdropping.

Telegram makes questionable business choices

Remember how we discussed that server-side encryption forces you to trust Telegram? I feel like my trust in Durov's brainchild wanes with every passing day seeing how the company behaves. If a company's reasoning faculties appear to be lacking, that puts the security of my data in question. This article is too short to give a comprehensive overview of its many questionable decisions, so let's take a look at just a few.

My favorite example of late was when Telegram offered a free Premium subscription to users who would allow their phones to send SMS verification codes to other Telegram users, as reported by Android Police. Not a bad deal to get the $4.99 per month premium subscription, right? Though there is no evidence of it so far (this offer was only extended to a select few), I imagine there were at least a few instances of harassment when someone receiving a login code decided to text back that number knowing it's a human being. It's just a poorly thought-out decision that never should have escaped the brainstorming phase of an ostensibly privacy-first company.

Then there was the decision to sell anonymous numbers to users who wanted to sign up without an account. They had to buy said number with Toncoin (which has, ironically, been used in scams on the platform) and access it through the Fragment blockchain. I'll admit my bias right up front here: I think cryptocurrency is the biggest scam of our generation (something I think the historical record bears out), so anything is tainted by association. Especially considering this isn't the company's first foray into crypto, as noted by The Verge. I could also mention the many questionable things Durov has said over the years, too, but I'll stop at that.

It's time to use WhatsApp and Signal

At this point, I don't think even Telegram's most ardent evangelists can deny that the app has some troubling concerns worth examining. If it isn't the issues with MTProto, it's the issues with the company's practices. I truly can't imagine how Telegram could correct course — I get the feeling only a major security event (the encryption breaking, or a data breach) will give people cold feet in large enough numbers. Or hey, maybe this article will plant some seeds of doubt (fingers crossed).

WhatsApp and Signal are my two biggest recommendations for those jumping the Telegram ship. Yeah, WhatsApp is closed-source and owned by Meta, and yeah, Meta has long treated user privacy like disposable wet wipes. Still, WhatsApp's E2EE is solid, even if it does share more of your data (phone number, logs of whom you contact, etc.) than I'd like. Those you contact are more likely to use it, and it's got a robust feature set to ease your crash landing from the more versatile Telegram.

Signal is open-source, and has far superior privacy-protecting features. Problem is, it's a hard sell for casual users like your friends and family who see no reason to leave behind their iMessage or Instagram DMs. Trust me, I speak from way too much experience. As such, I'd recommend Signal over WhatsApp for users with above average privacy needs, or a higher threat model. VIPs, journalists, political dissidents, that sort of thing. It's an app you can bet your life on, both in keeping the content of your messages secure and verifying the identity of your recipients. Unless you're about to whistle-blow the next Panama Papers, WhatsApp's security will be just fine.
