Telegram can be a secure messaging app for most of us with a few adjustments, but it may not be as safe as you think by default. The main reason is that it doesn’t encrypt all chats end-to-end, which technically means that Telegram could decrypt and read the contents of regular conversations.
I spent a couple of days testing the app and looking at its privacy and security features to get an idea of whether it’s the right choice for those who want to protect their online chats. I get into details about what I like and don’t like about the app below.
To maximize your safety with the Telegram app, I recommend using it alongside a VPN. My #1 VPN in 2025 is ExpressVPN, which has blazing-fast speeds, provides high-end privacy and security features, and is very easy to use. Editors' Note: ExpressVPN and this site are in the same ownership group.
What Is Telegram & Who Owns It?
Telegram is one of the most popular instant messaging apps in the world. It lets you send and receive messages, photos, videos, and files of any type. It also allows you to broadcast messages to a larger audience (up to 200,000 people with groups and unlimited with channels). You can get Telegram on Android, iOS, Windows, macOS, and Linux completely free.
The company was founded by Pavel Durov and his brother, Nikolai Durov, with Pavel acting as the face of the company. The brothers previously founded VK, one of the biggest social media platforms in Russia today. Pavel claims to have been ousted from the company following conflicts with the Russian government over VK’s refusal to share user data and censor anti-government accounts, after which the brothers left the country and founded Telegram.
Telegram is currently based in Dubai, in the United Arab Emirates (UAE). According to Pavel, he chose the location because the UAE is a neutral country, which aligns with his vision of Telegram as a neutral platform.
How Does Telegram Protect Your Privacy?
Secret Chats
Secret Chats are one-on-one chats that are protected by end-to-end encryption (E2EE). With normal encryption (which you get with regular Telegram chats), the message is encrypted when you send it, so anyone trying to intercept it can’t read it. However, the message is decrypted by the messaging service’s servers before being sent to the recipient. This means that the service provider has access to the unencrypted messages and can potentially read them or hand them over to authorities if required.
With E2EE, the message is encrypted on your device and stays encrypted as it travels to the recipient’s device, where it is finally decrypted. This means that not even Telegram can read your Secret Chats.
IMPORTANT: You have to manually start a Secret Chat in the Telegram app to benefit from E2EE. Note that Secret Chats aren’t very convenient — they only work for one-on-one chats, and you can’t send a message unless the person you want to talk to accepts your request and is online.
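To make the difference between the two models concrete, here is an added example (not Telegram's code and not its MTProto protocol). It assumes a hypothetical `RelayServer`, a toy Diffie-Hellman exchange and a toy SHA-256 keystream cipher, all for illustration only: a regular chat is stored under a key the provider holds, while a secret chat is encrypted under a key only the two devices can derive.

```python
import hashlib
import secrets

# Assumption: toy Diffie-Hellman (mod 2**255 - 19, generator 2), illustration only.
P, G = 2**255 - 19, 2

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHA-256 counter keystream (no authentication)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class RelayServer:
    """Hypothetical messaging service that stores whatever passes through it."""
    def __init__(self):
        self.cloud_key = secrets.token_bytes(32)  # key held by the provider
        self.stored = []

    def regular_chat(self, plaintext: bytes) -> None:
        # Transport encryption ends here: the server sees the plaintext and
        # stores it under a key it controls.
        self.stored.append(keystream_xor(self.cloud_key, plaintext))

    def secret_chat(self, ciphertext: bytes) -> bytes:
        self.stored.append(ciphertext)  # opaque bytes, relayed unchanged
        return ciphertext

    def provider_can_read(self, index: int, needle: bytes) -> bool:
        # The provider can only try the key it holds.
        return needle in keystream_xor(self.cloud_key, self.stored[index])

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def demo():
    server, msg = RelayServer(), b"meet at 18:00"  # constructed sample message
    server.regular_chat(msg)
    (a_priv, a_pub), (b_priv, b_pub) = dh_keypair(), dh_keypair()
    # Only the public values cross the network; the private halves stay on the devices.
    relayed = server.secret_chat(keystream_xor(shared_key(a_priv, b_pub), msg))
    received = keystream_xor(shared_key(b_priv, a_pub), relayed)
    return server.provider_can_read(0, msg), server.provider_can_read(1, msg), received
```

`demo()` returns whether the provider can read the regular chat, whether it can read the secret chat, and what the recipient decrypts.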
Open Source
Telegram’s client-side code is open source. This means that you can check the code for its clients if you’re worried about its privacy or security. Telegram also offers verifiable builds for Android and iOS, which lets you verify that the app you download uses the exact same code that is published online.
By publishing its code online, Telegram lets you independently verify its privacy and security claims, so you never have to take the company at its word, like you have to with closed source messaging apps.
An additional benefit of having open source code is that with many eyes on the code, vulnerabilities and bugs are more likely to be identified and fixed quickly. The community can contribute to finding and patching security issues, often faster than a closed team of developers.
One notable flaw with Telegram is that it doesn’t publish its server-side code. The company claims that this is because making its server code open source serves no purpose, since there’s no way for anyone to verify that the code that they publish is the same one they run on the servers. While this may be true, it does mean that the community can’t help scrutinize its server code for issues.
Two-Step Verification
Two-step verification adds an extra layer of security to your account by requiring you to enter a password in addition to the code you receive on your phone via SMS. This is an important security measure against hackers who could potentially intercept your SMS messages and log into your account on their own device to spy on your conversations or impersonate you.
Auto-Delete Messages
Auto-delete messages let you set a timer for how long messages will stay in a chat before they’re deleted. You can choose timeframes like 24 hours, 1 week, 1 month, or set a custom duration. This feature works in both one-on-one and group chats.
By setting messages to auto-delete, you reduce the risk of someone else reading your old messages if they gain access to your device or account.
Please be aware that this doesn’t prevent your conversation partner from copying your message before it disappears or taking a screenshot of it.
Disappearing Media
You can set a timer on photos and videos you send, so that they self-destruct after being opened. When you set a media file to self-destruct, it will appear blurry in the preview image, and once your conversation partner opens the file, the countdown timer will begin. Once the countdown ends, the media will be deleted and replaced with a message stating: “Photo/video has expired.”
Using this feature means that you don’t leave permanent records of any sensitive media that you might send. However, as with auto-delete messages, you can’t really stop your conversation partner from recording the media before it self-destructs.
Disappearing Media is only available in one-on-one chats.
Passcode Lock
Enabling this feature prevents unauthorized access to your contacts list or messages on your device by requiring anyone who opens the app to first enter a user-defined password. In other words, it prevents anyone who gets their hands on your phone (or anyone you lend your phone to temporarily) from being able to simply open your Telegram app and read your conversations. The app will auto-lock itself again after a user-defined period of time from 1 minute to 5 hours.
Once you enable Passcode Lock, you’ll also be given the option of hiding the preview of the Telegram app in your phone’s task switcher. Turning this feature on replaces the preview of the Telegram app in the task switcher with a blank white sheet.
What Data Does Telegram Collect?
Telegram records and stores your user data, including your IP address and device information, for up to 12 months. As its privacy policy states, Telegram is legally required to retain some performance data and provide it to authorities in case of a legal request, such as during an investigation that involves you, and it has done so in recent years.
It also collects data that’s necessary for the app to function. Notably, this necessary data includes your phone number. Some users may also be asked to provide an email address, which they must use to receive login codes instead of SMS. Additionally, Telegram can see basic account data, such as your profile name and picture. However, it never uses any of this data to target you with personalized ads or for other commercial purposes.
Some of Telegram’s optional features require more data. If you choose to sync your contacts, Telegram will be able to see your contacts list and each contact’s name and number. It uses this information to notify you if they sign up for Telegram. Similarly, if you share your Live Location in a chat or use the People Nearby feature, Telegram (and the users with whom you share that information) will be able to see your location.
Also, Telegram holds the decryption keys for regular chats on its servers, so it’s technically possible for it to decrypt the data and read your communications. For more private communications, you should use its Secret Chats feature, which uses end-to-end encryption, so not even Telegram can see what you send there.
Telegram vs. Other Messaging Apps
Telegram occupies a solid middle ground between privacy and ease of use. It’s not the most private or secure messaging app on the market — that would be Signal. But it has a much bigger user base than Signal, so it’s far more likely that your friends, family, and colleagues are already on the platform (saving you the hassle of having to convince them to switch over).
Telegram collects more information than Signal (which doesn’t log your IP address and can’t see your profile information). But its privacy policy compares favorably to WhatsApp and Facebook Messenger, which are notorious for collecting a ton of data about users and sharing that information with other Meta companies.
Telegram has a fairly clean record as well. In its most notable security incident, which occurred in 2016, hackers only managed to obtain information that was already publicly available. They didn’t gain access to any user accounts or chats. This is good compared to Meta (the owner of WhatsApp and Facebook Messenger), whose record is dotted with major privacy violations and security breaches.
One major issue with Telegram is that its end-to-end encryption (E2EE) isn’t enabled by default, like it is on Signal, WhatsApp, Facebook Messenger, and iMessage — you have to manually start a Secret Chat to ensure that your communications are fully secured. Additionally, not all chats have the Secret Chats function. For example, group chats don’t support Secret Chats.
Telegram has also come under criticism for its use of its own encryption protocol, MTProto, rather than a tried and tested encryption protocol, like the Signal protocol.
The company claims that making profits isn’t its end goal and restricts advertisements to broadcast channels (so you won’t see any ads in one-on-one or group chats), but it’s not non-profit and ad-free like Signal.
Finally, while its client-side code is open-source, which allows anyone to check its code for problems, its server-side code isn’t. This is better than nothing — WhatsApp, Facebook Messenger, and iMessage are all closed source — but Signal is completely open source.
Check out the table below for a quick overview of the pros and cons of the most popular messaging apps on the market now:
Has Telegram Ever Been Compromised?
Yes, Telegram has had several notable incidents. In 2016, hackers intercepted SMS verification codes and used brute force on the API to access sensitive information such as phone numbers and unique user IDs that belonged to approximately 15 million users.
Telegram claimed the collected information was already publicly available and that the hackers did not gain access to any user accounts. The company did concede that more than a dozen accounts were compromised because hackers managed to intercept SMS verification codes, but it maintained that this wasn’t a significant threat. It also argued that checking whether a number is registered in the system is something that you could do for any contact-based messaging app, including WhatsApp and Facebook Messenger. Still, the company said it took measures to ensure that it’s no longer possible to perform mass checks like this.
Then, in 2018 and 2019, Telegram experienced major Distributed Denial of Service (DDoS) attacks from Russia and Hong Kong respectively, which caused some of Telegram’s servers to slow or stop. The good news is that though DDoS attacks may cause service disruptions, they don’t give hackers access to user data.
How to Protect Your Device & Data While Using Telegram
- Use Secret Chats. Whenever possible, use Secret Chats to gain the privacy and security benefits of its end-to-end encryption. Keep in mind that Telegram holds the encryption key for all of your regular chats on its servers and could, technically, decrypt and read them at any time. This also means that a hacker who compromises its servers could do the same.
- Turn on two-step verification. Hackers can intercept SMS messages containing the authorization codes required to log in to Telegram from a new phone, which allows them to view a user’s messages and chat history. Two-step verification also requires a user-defined password, so your account is better protected.
- Get a good VPN. Telegram collects your IP address, which can be traced back to you. A good VPN prevents this by hiding your real IP address behind an IP address owned by the VPN provider. Many top VPNs also come with malware blockers, which can protect you from phishing links and malware-infected sites that show up in your chats, too. ExpressVPN is the #1 VPN in 2025.
- Don’t use the People Nearby feature. This feature lets people nearby start a conversation with you on Telegram without having your phone number. Hackers can easily exploit this tool to find your precise location, so I recommend that you keep this feature turned off.
- Turn on Auto-Delete Messages. This deletes messages you send on Telegram after a certain amount of time has elapsed, so anyone who gains access to your chats later won’t be able to see your entire conversation history.
- Turn on Passcode Lock. This prevents people from seeing your contacts list or chats unless they enter a user-defined password. It can also stop your task switcher from showing a preview of your Telegram app (potentially exposing your chats).
How to Set Up a Telegram Account
- Download the Telegram app on your device. You can find it on your device’s app store (Play Store for Android devices and the App Store on iOS devices) or download it from the official Telegram site on your PC.
- Install the Telegram app. The installation wizard will guide you through the whole process. You will be asked to grant the app certain permissions, such as the ability to make and manage phone calls, to enter and verify your phone number, and to set up your profile.
- Launch the Telegram app. That’s it! You can start adding contacts and chatting with friends and family on Telegram.
Frequently Asked Questions
Is Telegram as safe as WhatsApp?
There are pros and cons to both apps. Each offers strong security features, like end-to-end encryption (E2EE), disappearing messages, and 2-step verification.
What I like about WhatsApp is that it has E2EE on by default for all communications in the app. For comparison, Telegram only encrypts chats end-to-end via the Secret Chats feature, which isn’t available for group chats and requires both parties to be online at the same time for it to work.
On the other hand, Telegram’s client-side code is open source, and the company collects far less user data than WhatsApp. WhatsApp, which is owned by Meta, has a checkered history of privacy violations and security issues, and shares a lot of user data with other Meta companies.
Can Telegram be hacked?
No app is 100% safe from hackers. However, Telegram has a pretty decent record thus far. The single most notable security incident occurred in 2016, when hackers were able to link Telegram accounts to the phone numbers of 15 million users. That said, the attack didn’t actually give the hackers access to any of those accounts or their chat histories, and all of the information they obtained was technically publicly available.
Does Telegram sell user data?
Telegram’s privacy policy states that it doesn’t use your data to target you with ads or for any other commercial purposes — any data that it collects is only used to operate its service.
Necessary data that Telegram collects includes your phone number, IP address, and potentially your email address. Telegram can see your basic account data as well, such as your profile information. You may optionally share your contacts list or location if you use certain features.
What country is Telegram from?
Telegram is a private company owned by Russian entrepreneur Pavel Durov. However, the service is currently based in Dubai, and Pavel has stated his wish for Telegram to be a neutral communication platform.
There are no known connections between Telegram and the Russian government. In fact, Pavel has been outspoken in his criticism of the government of his home country. He came into conflict with the Russian government when he was CEO of VK (a social media platform popular in Russia), over his refusal to share user data and censor accounts of opposition groups.