Telegram is only end-to-end encrypted if you solely use 'secret chats'

I haven’t looked into the arrest of message-app Telegram’s founder Pavel Durov enough to form an opinion, but one thing I did learn from a recent Guardian newsletter on the subject was that Telegram is a lot less private and secure than I’d imagined.

I’d imagined it as an alternative to fully encrypted messaging services like Signal that I just hadn’t had any reason to use much so far. But despite its home page promoting it as being privacy oriented - “Telegram messages are heavily encrypted and can self-destruct”, in reality the service is not end-to-end encrypted for the most part.

Whilst all messages are “basic-encrypted” such that your internet provider or anyone intercepting communications between your phone and your Wifi router couldn’t read them, only DMs sent via the “secret chats” feature - an opt-in feature that you have to discover and enable yourself - are end-to-end encrypted. Everything outside of that, including all messages in group chats and broadcast channels, is not end-to-end encrypted.

A lack of end-to-end encryption means that in theory anyone with the correct access - legitimately acquired or not - to Telegram’s systems could in theory read your messages. In addition, Telegram would be able to hand your correspondence over to any authority that requests them.

It’s an ongoing debate as to whether this is a net good or net bad thing of course. But if you came to Telegram for its privacy, well, you have to go to some effort and also stop yourself using most of its features if you want to be absolutely certain that no-one other than your intended recipient can read your message.

All in all, if you want truly private messaging that not even the service’s CEO - or a hacker using their account - could see, then from an encryption point of view it turns off you’re likely better off using Signal or even, believe it or not, Meta’s WhatsApp (! A cynic might say that this is a sign that it wasn’t Meta that invented WhatsApp, they just bought it). Both Signal and WhatsApp are end-to-end encrypted by default.

That’s not to say even those two services know nothing about you. It just means they don’t know the content of your messages, which is often people’s first concern - even though metadata can on occasion give away rather more information about you that you might expect.

Signal makes a big deal about how little it stores even on the metadata front. They basically know when your account was created and when it was last used, so that’s all they can give to the authorities when legally compelled to do so. WhatsApp on the other hand may apparently know when and where you were when you used the app, the names of your group chats, and has the ability to record which phone numbers your number chats too if legally required to do so.

iMessage or Google’s message apps are also apparently contenders for end-to-end encryption fans but only if you’re absolutely sure that everyone you talk to is using the same type of phone and same chat app. Any convo that involves an iMessage green bubbler for instance isn’t end-to-end encrypted. You also apparently give Apple the keys they need to decrypt your iMessages if you back them up to iCloud using the default settings.