Telegram CEO Pavel Durov recently announced that Telegram would be handing over user data (such as phone numbers and IP adresses) to the authorities. Now it turns out that it has been doing so since 2018.

My previous post may have seemed to announce a major shift in how Telegram works. But in reality, little has changed.

Since 2018, Telegram has been able to disclose IP addresses/phone numbers of criminals to authorities, according to our Privacy Policy in most countries.

For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3.

To reduce confusion, last week, we streamlined and unified our privacy policy across different countries.

Telegram was built to protect activists and ordinary people from corrupt governments and corporations — we do not allow criminals to abuse our platform or evade justice.

Full text of the post.

📰 My previous post may have seemed to announce a major shift in how Telegram works. But in reality, little has changed.

🌐 Since 2018, Telegram has been able to disclose IP addresses/phone numbers of criminals to authorities, according to our Privacy Policy in most countries.

⚖️ Whenever we received a properly formed legal request via relevant communication lines, we would verify it and disclose the IP addresses/phone numbers of dangerous criminals. This process had been in place long before last week.

🤖 Our @transparency bot demonstrates exactly that. This bot shows the number of processed requests for user data.

✉️ For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3.

📈 In Europe, there was an uptick in the number of valid legal requests we received in Q3. This increase was caused by the fact that more EU authorities started to use the correct communication line for their requests, the one mandated by the EU DSA law. Information about this contact point has been publicly available to anyone who viewed the Telegram website or googled “Telegram EU address for law enforcement” since early 2024.

🤝 To reduce confusion, last week, we streamlined and unified our privacy policy across different countries. But our core principles haven’t changed. We’ve always strived to comply with relevant local laws — as long as they didn’t go against our values of freedom and privacy.

🛡 Telegram was built to protect activists and ordinary people from corrupt governments and corporations — we do not allow criminals to abuse our platform or evade justice.

  • xiao@sh.itjust.works
    link
    fedilink
    arrow-up
    110
    arrow-down
    2
    ·
    28 days ago

    Telegram was built to protect activists and ordinary people from corrupt governments and corporations — we do not allow criminals to abuse our platform or evade justice.

    Criminals according to what standard ? In some countries, activism or sympathy with a cause is considered criminal behavior.

    Evade justice ?? What justice is he talking about? The justice of the United States of America, Chinese justice, or the justice of the nationalities he possesses?

    Better to avoid this platform

    • melroy@kbin.melroy.org
      link
      fedilink
      arrow-up
      29
      ·
      28 days ago

      You are 100% correct!

      When governments are corrupt; rebellion is the same as criminal, because you are going against the government. That is the whole problem.

      • sunzu2@thebrainbin.org
        link
        fedilink
        arrow-up
        7
        ·
        28 days ago

        PoliScie 101.

        Even the US founders hinted at this issue, if not outright called it out and added some protections for the plebs via a few amendments… But normies got nothing to hide 🤡

    • zante@lemmy.wtf
      link
      fedilink
      English
      arrow-up
      15
      ·
      28 days ago

      As a Russian he should know better anyone the difference between an Activist and a criminal is one phone call from the FSB

    • zingo@sh.itjust.works
      link
      fedilink
      arrow-up
      13
      ·
      edit-2
      28 days ago

      Criminals according to what standard ? In some countries, activism or sympathy with a cause is considered criminal behavior.

      Exactly!

      It is a slippery slope.

      Even with services like Proton (big company in the privacy realm) etc, you can only fully trust yourself.

      That’s why documents are always client side encrypted before I send my data, to any cloud platform.

      • boldsuck@scribe.disroot.org
        link
        fedilink
        arrow-up
        2
        ·
        28 days ago

        Even with services like Proton (big company in the privacy realm) etc, you can only fully trust yourself.

        That’s why documents are always client side encrypted before I send my data, to any cloud platform.

        Exactly. I will never understand why people have their secret GPG-key on services like Tuta or Proton instead of on their own devices. 😂

  • zante@lemmy.wtf
    link
    fedilink
    English
    arrow-up
    62
    arrow-down
    5
    ·
    28 days ago

    Everyone was told, from the outset , not to trust telegram. Amnesty International, the EFF, the cryptography community all said this as long as 10 years ago.

    It’s actually pathetic to read a Russian talking about how it was “built for activists and not criminals “ . What a worm.

    • The Doctor@beehaw.org
      link
      fedilink
      English
      arrow-up
      10
      ·
      28 days ago

      There are lots of things I could say to agree with you, but all I can do is gesture helplessly.

    • delirious_owl@discuss.online
      link
      fedilink
      arrow-up
      5
      ·
      28 days ago

      I don’t think Russians actually thought that. Its just that if they publicly pointed out the issues with Telegram and publicly suggested better alternatives, bad things would happen to them.

    • loutr@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      27 days ago

      I know “security experts” from a top French bank who insisted on using telegram instead of signal. So even people who were supposed to stay informed about this stuff fell for the hype and marketing.

  • zephorah@lemm.ee
    link
    fedilink
    arrow-up
    26
    arrow-down
    3
    ·
    28 days ago

    This is really simple. Use Signal or WIRE. Proton or maybe Tutanota for email.

    Avoid garbage like Telegram and FB Messenger. Discord as well.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      4
      ·
      edit-2
      28 days ago

      Wire isn’t that great. Definitely avoid email as it is riddled with problems that aren’t easily fixable despite what the email companies tell you.

      Simplex Chat, Signal or possibly Matrix

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          5
          ·
          28 days ago

          It really isn’t though

          It is less secure, less private and less user friendly and is run by a company who I question.

              • delirious_owl@discuss.online
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                27 days ago

                So does Wire. The reason Wire is better than Signal and Telegram is privacy.

                The reason Wire is better than SimpleX is usability. Namely, it has clients on all platforms, and the messages sync between all those devices.

                • shaserlark@sh.itjust.works
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  27 days ago

                  That’s cool I’ll look into that, any alternative to a centralized service that requires phone number auth is appreciated and I think competition will make these apps only better.

                  I like SimpleX because you can self host, create hidden profiles and even throwaway invite links. What platforms are you missing for SimpleX? I think you can run it on Android, iPhone and through Fdroid plus you could even run it on Tails. I don’t really need interconnectivity so never tried it, but I think it exists.

                  Anyway, for me it really doesn’t matter, just stumbled upon SimpleX and liked it. But the more alternatives the better.

    • floquant@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      11
      ·
      27 days ago

      There seems to be a gross misunderstanding of how everything works here. Any platform will need to provide data to authorities when “asked properly” - as in, receives an actual order from some enforcing body that has authority on the subject in question. No commercial company will fight the CIA in court to protect your data. The best you can hope for is that they minimize what kind of data they collect about you in the first place - in the case of E2EE, they will only have access to IPs and other metadata such as connection timestamps and nothing else. But all of the services you listed will collect at least IPs and most will do phone numbers as well. The only difference with Telegram is that they’re transparent about it. You can either avoid using commercial platforms altogether, or use them in a way such that data retrieved from them will be useless. But believing that “Signal will never give my IP to law enforcement” is delusional.

      • zephorah@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        27 days ago

        Proton had a recent subpeona they had to honor. All the data they had was yes, the dude has an email here. But no content. Granted, if you’re exchanging with a gmail account, it’s moot, for those exchanges anyway.

        • zephorah@lemm.ee
          link
          fedilink
          arrow-up
          3
          ·
          27 days ago

          It’s cool when these companies get subpoenaed. Then we all know exactly what data they keep.

    • sunzu2@thebrainbin.org
      link
      fedilink
      arrow-up
      9
      arrow-down
      2
      ·
      28 days ago

      That’s the privacy starter pack.

      Mid level is Linux, DeGoogled pbone, and openwrt on the router

      Make your fed work for you! You pay him a healthy wage for it 🐸

      • zephorah@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        27 days ago

        GrapheneOS. Faraday bags. Depends on you and how far you want to take it. And how much you like and rely on dynamic maps.

    • sibachian@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      27 days ago

      I see a lot of people mention WIRE recently. Did everyone collectively forget how they sold out in 2019 and removed their canary (aka. compromised)?

      In July 2019 Wire raised $8.2m investment from Morpheus Ventures and others. On July 18 of the same month, 100% of the company’s shares have been taken over by Wire Holdings Inc., Delaware, USA.

    • Clot@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      27 days ago

      Does those apps have unlimited storage? Channel with unlimited subscribers? Or much more

      • The Doctor@beehaw.org
        link
        fedilink
        English
        arrow-up
        13
        ·
        28 days ago

        Articles like this go very far toward chasing people away from things that work and toward things that are dangerous.

        Like Telegram.

      • ᥫ᭡ 𐑖ミꪜᴵ𝔦 ᥫ᭡@feddit.org
        link
        fedilink
        English
        arrow-up
        8
        ·
        edit-2
        28 days ago

        Oh boy, I never read the entire thing, but they can decrypt quantum encrypted messages, if that’s true ( and I wish cryptography experts could debunk this ), if that’s true, then the NSA has went too far with this open source honeypot… perfection!

      • Petter1@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        27 days ago

        I hate signals take on anti federalism and that it forces you to have either iOS or realAndroid to set it up

        Matrix is way better in that regard…

  • SorryforSmelling@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    20
    ·
    27 days ago

    ok this feels like a real hot take. but i am somewhat glad about this. in my country telegram has the reputation to be the nazi (and sometimes the pedo-) app. so i am not unhappy those people online activity can be used against them in court. That beeing said i can respect people who feel otherwise.

    • JargonWagon@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      27 days ago

      I’m with you. If they’re verifying the information request, as in vetting it to determine if there is actual criminal behavior going on i.e. pedos/money laundering/etc, then good. Hand them over to the authorities.

      They state that they don’t cater to corrupt governments or organizations - good.

      Everyone here arguing against these things are throwing up major red flags. Didn’t the CEO just go to court because he wasn’t handing over information willy nilly? I would hope Signal and Proton would be doing the same things.

    • Zarcher@lemmy.world
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      27 days ago

      I am not sure that this news relates to passing the content of telegram messages to any authority. If i read it correctly it is just about sharing personal information such as ip adress, phone number etc.

      • SorryforSmelling@lemmy.blahaj.zone
        link
        fedilink
        arrow-up
        2
        ·
        27 days ago

        i do not get that from the resources provided here and havent heard about that either… the ip adress ect. is shared with authorities only, which i personaly dont disagree with per se. maybe i was unclear i my first coment about that tho.

        If you got info about telegram sharing that info with private institutions, and are willing to share, id love to read that. that would make me deinstall the app rather quickly ^^

  • underisk@lemmy.ml
    link
    fedilink
    arrow-up
    22
    arrow-down
    5
    ·
    28 days ago

    Never trust a third party to keep your shit private. Especially if privacy is their main selling point.

      • underisk@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        27 days ago

        If you can read and understand the code, sure. Otherwise you’re still just extending trust to someone perhaps less reputable than even the corporations who are dying to sell you out. For example, the back door some mysterious contributor slipped into xz recently.

        My recommendation is to live life as if privacy on the internet did not exist, because it doesn’t.

        • delirious_owl@discuss.online
          link
          fedilink
          arrow-up
          1
          ·
          27 days ago

          There is such a thing as credibility. You can extend trust to others that have credibility. For example, security audits from companies that are credible. Or, you use an app because a trustworthy techie friend of yours says they’re safe.

          But a prerequisite in all these cases is going to be FOSS code and client side encrypt.

          • underisk@lemmy.ml
            link
            fedilink
            arrow-up
            2
            arrow-down
            1
            ·
            27 days ago

            Telegram had credibility. It was being used by journalists to protect sources.

            You can extend trust to individuals but do not apply that to companies or organizations if you care at all about what they’re doing with what you give them. Not everyone has some mythical tech privacy wizard on call to give them perfect advice every time they open an account on an app or website.

            Even client side encryption is not infallible. The algorithm you use will eventually be crackable and probably sooner than you think. Nothing lasts forever.

            The most foolproof way to ensure something remains private is to not put it on the internet at all.

    • JubilantJaguar@lemmy.world
      link
      fedilink
      arrow-up
      3
      arrow-down
      3
      ·
      edit-2
      28 days ago

      This doesn’t really compute. Society would collapse if nobody trusted “third parties”, and your second phrase is just hyperbole.

      It’s more complex than that. The issue is money, and incentives, and how power is structured. A third party that you are paying or whose income is uncoupled to the profit motive, and preferably one that has both private and institutional stakeholders - well, if we choose not to trust them, then basically we can’t trust anyone for anything. That would be a dark place to be.

    • ByteOnBikes@slrpnk.net
      link
      fedilink
      arrow-up
      14
      arrow-down
      6
      ·
      28 days ago

      I’ve been calling this out for years.

      And every time, some commenter goes, “Nu uh, look at their website bro! It’s super private!”

    • Pika@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      27 days ago

      In terms of end-to-end encryption I don’t mind if they have my phone number or not, if it’s done right.

      Let’s use signal for example, because honestly they do it pretty decently, the most information that you can obtain from signal in a data information request is the date and time that an account is created, and the last time the account went online.

      Actual content such as the user’s contact list, the people that user was talking with(including groups), and of course the messages that you sent are fully end to end encrypted meaning that signal does not have access to it meaning that they cannot give that information out in a data information request as they never had it in the first place.

      The most that signal is able to confirm in a data information request, is yes this specific account ID has a signal account and this is the last time they went online.

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        3
        arrow-down
        3
        ·
        27 days ago

        Are you mad? The phone number tells you what phone company to call. In most countries, that tells them your name and government ID.

        The phone number is the thing that tells them everything about you.

        • Pika@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          27 days ago

          and what is that going to give them? The information that they have is yes, they have an account, and that’s also saying that they used an actual number and not a VOIP number for registration. but if they are asking via phone number, they will already have that information at hand. They won’t get any information about what chats that number is part of, or even any info really at all, anything about the account is encrypted and not visible.

          If they are able to provide my phone number without knowing the info you said there, there is some other leak already involved, and either way they won’t get anything but a “yes he has an account and he was last connected on X”

        • Willifire@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          26 days ago

          If somebody is that paranoid (or in a situation where that level of secrecy is necessary) they would not use a number that is traceable to them… So it doesn’t matter if they have your phone number or not.

          • delirious_owl@discuss.online
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            26 days ago

            Most people live in countries where they cannot legally buy phone numbers that are not traceable to them

            Check your privilege.

            • Willifire@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              26 days ago

              You wouldn’t concern yourself with the legality, if your threat vector includes the traceability of the phone number.

              And regarding your (in this context) nonsensical privilege remark: I live in such a country. Yet I have used such numbers.

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        1
        ·
        26 days ago

        No, it gives usernames in addition to phone numbers. They refuse to remove the phone number requirement. How else could they help the feds identify your account?

      • khalil@beehaw.org
        link
        fedilink
        arrow-up
        1
        ·
        26 days ago

        AFAIK signal stil requires a phone numer for registration, however you now can add people by their username.

  • slazer2au@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    ·
    28 days ago

    Telegram was built to protect activists and ordinary people from corrupt governments and corporation

    Didn’t they announce that they were no longer sending data to China about users participating in the Hong Kong unrest, implying that they were giving data.

    • quant@leminal.space
      link
      fedilink
      English
      arrow-up
      4
      ·
      27 days ago

      Implementing an in-house encryption was raising eyebrows already back then. No e2ee as default was also a red flag since it gives users without proper knowledge a false sense of security.

    • Duamerthrax@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      27 days ago

      There was some privacy centered linux group that used Telegram that I thought I needed to follow, but noped out when they required a real phone number.

  • celsiustimeline@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    2
    ·
    27 days ago

    I assume every single chat app is either a honey pot or is more than willing to hand over all logs to law enforcement. Anything advertising E2EE is basically saying “hey all you pedophiles and money launderers, have I got a data tracking app for you!”

    • Pika@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      27 days ago

      I know you didn’t directly say it but it’s implied so I wanted to clarify.

      telegram chat isn’t E2E, the only E2E on the platform is secret chats, which is only available to mobile users of the platform and not enabled by default. It does have client-server encryption but, in the terms of privacy that is worthless if you don’t trust the host (and it opens the host up to legal information requests as it has the capability of decrypting the messages)

  • Todd Bonzalez@lemm.ee
    link
    fedilink
    arrow-up
    10
    arrow-down
    1
    ·
    27 days ago

    This is a wild admission. Not only does it show that Telegram completely betrayed all of their users, but it also reveals that they know about all the terrorism and child porn channels on their service, and deliberately didn’t delete them.

    • grrgyle@slrpnk.net
      link
      fedilink
      arrow-up
      4
      ·
      26 days ago

      If I’m being charitable I could presume that they left them so as to not disrupt sting operations

  • sparky@lemmy.federate.cc@lemmy.federate.cc
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    27 days ago

    Pretty sure this is the same as every other messaging app - metadata is never protected information. The contents of the messages may be encrypted to some extent (which on Telegram they are, not end-to-end as with iMessage, but they’re not plain text), however your IP address, username, etc are subject to subpoena on any messaging platform.