Facebook’s WhatsApp recently updated its privacy policy, causing many disgruntled users to switch to rival messengers, among them Telegram. Thanks largely to this exodus, Telegram added 25 million new users in just a few days, pushing its user base over the 500 million mark.
That makes this the perfect time to talk about Telegram’s security and privacy.
End-to-end encryption is not the default option in Telegram
The first thing to know about Telegram is that Cloud chats, as Telegram calls its standard chats, are not end-to-end encrypted. (Here’s why end-to-end encryption is important for privacy.)
In a nutshell, the absence of end-to-end encryption means Telegram has access not only to metadata (who you wrote to, when, how often, and so forth), as WhatsApp does, but also to the contents of standard chats. According to Telegram’s privacy policy at the time of this writing, the data is not used for advertising purposes. However, as we know from experience, policies can change.
How to enable end-to-end encryption for secret chats in Telegram
Telegram does have end-to-end encryption — you just need to enable it. Telegram calls chats with end-to-end encryption enabled Secret chats.
In secret chats, text messages, pictures, videos, and all other files are sent using end-to-end encryption. That means only you and the recipient have the decryption key, so Telegram cannot access the data.
Moreover, the contents of secret chats are not stored on Telegram’s servers. Because secret chats are saved only on the devices of chat participants, they cannot be accessed from another device — and they disappear when you log out of Telegram or delete the app.
Secret chats are available in Telegram’s iOS, Android, and macOS apps. The Web version and Windows app do not support secret chats; they cannot ensure secure storage of chats on the device.
How to create a secret chat in Telegram
Current versions of the Telegram apps do not make the secret chat feature easy to find.
To create a secret chat, you need to open the profile of your chat partner, tap or click the three-dot button (sometimes called More, sometimes not), and select Start Secret Chat.
That opens a chat in which end-to-end encryption is applied to messages (a notification to that effect appears in the chat window at the start). You can also set the time after which messages will be deleted by tapping or clicking the clock icon in the message input box.
Of course, the automatic deletion of messages doesn’t prevent your chat partner from taking screenshots, but if they do, you will be notified about it in the chat. The one exception is if the other person is using the macOS app; in that case you won’t get a notification.
Here’s another handy tip: Telegram allows multiple secret chats with the same person. Group chats cannot be secret, however, unlike in WhatsApp, which applies end-to-end encryption to all chats by default.
How to know if a chat is end-to-end encrypted: The padlock icon
Because Telegram chats can be either cloud or secret, in some cases it is important to know which type you are using. If a chat contains sensitive information, it should be secret, right?
Yes, of course. But end-to-end encrypted chats look almost identical to regular ones. To confirm which kind you’re in, look for a padlock icon next to the name or phone number of your chat partner. If it’s there, the chat is secret. If not, then end-to-end encryption is off, in which case you should create a new chat.
You can also tap or click your chat partner’s icon, and if end-to-end encryption is enabled, the words Encryption Key will appear at the bottom of the window that opens.
How to configure Telegram security and privacy
While we’re at it, let’s take a moment to configure security and privacy in the app. Click the Settings button in the lower right corner of the screen and select Privacy and Security.
Telegram security settings
The first step is to make sure no one can read your chats if you accidentally leave your device unlocked and unattended. To do so, select Passcode, tap or click Turn Passcode On, think up a PIN code you won’t forget, set it, and confirm.
Next, select Auto-Lock and set a low value — 1 or 5 minutes. If your device supports fingerprint or face recognition, you can enable the option here.
The next step is to set up two-factor authentication to protect your account against hijacking. The primary login method uses a one-time code sent by text, so Telegram lets you set a password as the second factor.
To do so, on the Privacy and Security tab, select Two-Step Verification (Telegram’s term for 2FA), and set a strong password. Remember that you will rarely enter this password, so it is very easy to forget; store it somewhere safe, such as in a password manager.
What will happen if you forget that additional password? You’ll have to reset your account. In essence, that means submitting a request to remove your account completely, after which you will have to wait seven days. After a week, the account will be deleted (including associated contacts, cloud chats, and channel subscriptions) and you can create a new, completely empty account using the same phone number.
Telegram privacy settings
So as not to share unnecessary details with all 500 million–plus Telegram users, configure your profile privacy appropriately. To do so, go through Telegram’s Privacy settings, changing the set values — all options and data are available to everyone by default. We recommend the following:
- Phone Number → Who can see my phone number — Nobody.
- Phone Number → Who can find me by my number — My Contacts.
- Last Seen & Online → Who can see my timestamp — Nobody.
- Profile photo → Who can see my profile photo — My Contacts.
- Calls → Who can call me — My Contacts (or Nobody, if you prefer).
- Calls → Peer-to-peer — My Contacts (or Nobody, if you prefer not to share your IP address with chat partners).
- Forwarded Messages → Who can add a link to my account when forwarding my messages — My Contacts.
- Groups & Channels → Who can add me — My Contacts.
This is also a great time to take a look at Privacy & Security → Data Settings and remove from Telegram storage any information you do not want to be there.
Telegram security for the extremely cautious
The above tips should be enough for most users, but here are a few more for the extra cautious:
- Use a separate phone number to sign in to Telegram — or even a virtual phone number instead of a real mobile number. However, make sure not to use a one-time number or else someone else could access your account.
- Use a VPN to hide your IP address (which Telegram can disclose at the request of law enforcement agencies, for example).
- Consider using another app — one better suited to secure and private communication, such as Signal or Threema. Unlike Telegram, they encrypt all chats by default and have a bunch of extra privacy options. On the other hand, they are less popular and lack some of the features that attract users to Telegram.
Keep in mind that even the most secure messenger is defenseless if someone gains access to your device, either physically or remotely. We therefore recommend locking all of your devices with a password or a PIN code, regularly updating all apps and operating systems installed on them, and using a reliable antivirus solution to protect against malware.