And Telegram is silent about the main thing. What messenger vulnerabilities Russian users should be aware of

Who can read your messages

The lack of end-to-end encryption by default is what sets Telegram apart from WhatsApp, Signal, and many others. In Telegram, end-to-end encryption works only in "secret chats", and that feature itself is not implemented in a way that is obvious to an ordinary user. Even Telegram itself admits that it is very inconvenient. For example, there are simply no "secret chats" in the desktop and web versions of the messenger.

But why is end-to-end encryption needed at all? Broadly, so that no one, including Telegram, has even a theoretical possibility of reading user messages. With end-to-end encryption, only the user and his interlocutor hold the keys to decrypt each dialogue.

Another point against Telegram: unlike other messengers, Durov's company has not had its applications audited. The server-side code remains closed, so no one except employees knows what is stored on Telegram's servers, where and in what form, or what additional information the messenger collects about users (if any). Since 2018 the company has promised the authorities of various countries to hand over, after a court decision, the data of people suspected of terrorism, although that data is rather meager: the IP address and phone number, but not the content of the correspondence itself.

No one except Telegram employees knows what, where and in what form is stored on the servers

Although Telegram has never confirmed handing such information to the security services, in 2022 the magazine Der Spiegel reported that user data had indeed been transferred to German law enforcement. The cases allegedly concerned extremism and the distribution of child pornography. What information was transmitted, and whether it was transmitted at all, is unknown.

Durov calls Telegram's own encryption protocol, MTProto, one of the ways not only to keep user data secret but also to restrict Telegram employees' access to it. Even the FBI seems to confirm this: in 2021, through the efforts of the American NGO Property of the People, an FBI document was obtained comparing what information law enforcement can obtain from several encrypted messengers.

The American law enforcement agencies acknowledged that Telegram can only hand over a user's phone number and IP address, never the content of messages or even the user's social graph (data about whom he communicates with). According to the same FBI document, much wider access to messages is possible with WhatsApp if a backup is made via iPhone or iCloud; in that case the messages are handed to law enforcement by Apple. Apple itself also agrees to hand over messages from its own messenger to the authorities, both those that ended up in a backup and fresh ones. But WhatsApp, too, has been seen handing correspondence to the authorities: that is how Natalie Edwards, a high-ranking US Treasury employee who passed secret documents to journalists through this messenger, was arrested and sentenced to prison. Her guilt was proven with data obtained from WhatsApp, despite the statements of the company's owner Mark Zuckerberg about how much he cares about user privacy.

According to The Insider, some Telegram vulnerabilities still allow you to get a list of users' contacts.

How correspondence from Telegram became available to the security forces

Since the beginning of 2016, the Russian database of court decisions contains almost 35,000 criminal cases in which the Telegram messenger is mentioned. Only a few hundred of them are not under drug-related articles. In the indictments, the prosecutor's office retells what one witness or defendant wrote to another. However, there is still no evidence that the security services can read correspondence to which none of its participants gave them access, experts say.

“In Russia, attackers or security forces can gain access to correspondence, in particular in Telegram, either through access to the end device, by seizing the mobile device itself, or through the issuance of a duplicate SIM card <the one to which the Telegram account is registered – The Insider> for an account that is not protected, or poorly protected, by two-factor authentication,” says Sargis Darbinyan, head of legal practice at Roskomsvoboda.

Something like this, through the reissue of a SIM card, is how access was gained in 2016 to the Telegram accounts of activist Oleg Kozlovsky and FBK employee Georgy Alburov. Another expert, speaking anonymously to The Insider, notes that reissuing a SIM card is more often used by scammers: for example, the Free Internet Laboratory found a case in judicial practice in which a Muscovite's SIM card stopped working while she was on vacation, and on her return the woman discovered that fraudsters had withdrawn money from her account, having gained access to her mobile bank using a duplicate SIM card.

In other words, the security services can get direct access to correspondence only by taking the phone away from the victim or by reissuing the SIM card and gaining access to the Telegram session. The latter, however, happens extremely rarely, and the victim notices it immediately.

In group chats, especially open ones, there can also be security officials who work out which chat participants are doing something that, from their point of view, is illegal: for example, inviting people to a rally or simply calling the war in Ukraine a “war”. This is probably what happened to Anna Sudnikovich, a resident of Karelia, who in March 2022 called people to a rally against Russian military aggression in a small open chat in Petrozavodsk. In the administrative case filed afterwards, as many as ten documents prepared by the police and the Petrozavodsk administration confirm Sudnikovich's guilt: essentially, they describe how a policeman observed the correspondence in the chat. The woman received a fine of 10 thousand rubles.

Security forces can sit in group chats, who figure out which of the participants is doing something illegal

There is another way to read all correspondence, and to do much more on the victim's phone: spyware, the most famous example of which is Pegasus. It was developed by the Israeli company NSO Group and sold to companies and government agencies in a number of countries. According to Sargis Darbinyan, only one Pegasus installation was allegedly sold to Russia, in connection with the case of Nastya Rybka and the oligarch Oleg Deripaska. Pegasus and similar spyware can monitor keystrokes on an infected device, take screenshots, collect passwords from the device and transfer them to the customer. Such programs use vulnerabilities in the phone's operating system, and operating system manufacturers regularly patch their software. However, nothing prevents spyware manufacturers from moving on to newly discovered vulnerabilities, just as states buy "exploits" (programs that use individual vulnerabilities) on "black" hacker markets. Cases in which something like this was used to hack Telegram accounts specifically are still not known for certain.

How to find out who owns an account

When registering with Telegram, each user receives a unique identifier. Even if you later change the phone number on this account, the identifier remains the same. This means that even after changing the number and nickname, the account can still be found using the old data, which is already in the databases.

“All of these bots are based on ‘leaked dumps’ <here: database versions — The Insider> from the past few years. The next step is to merge these databases. There may also be Yandex.Food, and the Russian Post, and everything related to users. This is accumulated in a single database,” says Sargis Darbinyan.

A separate source of information about a user is the open groups and chats of which he is a member. From these, some lookup bots show the user's interests, even if he has already left the groups in question.

A separate source of information about the user – open groups and chats in which he is a member

One of the main sources of the “phone number – Telegram ID” link is the user databases that arose from the contact import function. Put simply, when a user adds to his contacts the number of a person who is not yet on Telegram, that number is stored on Telegram's servers and not just on his phone. That is why, when this person later registers in the messenger, the user receives a message along the lines of “Samsara Tire Service is now on Telegram”.

Those who compile databases from open sources have long exploited this feature of the messenger: by enumerating all possible phone numbers for some countries where Telegram is especially popular, they built a database of phone numbers, including ones that had not yet been sold or used. Then, as each person joined Telegram and was assigned an identifier, the ID was added to these databases along with the nickname and name the person entered. Thus, for millions of users the "ID – phone number" link is known to third parties, even if the person has tried to anonymize his account as much as possible.

An example of such a database

On the leak market, such databases were sold openly: anyone could buy them for their own future needs. Including members of the security services.

In the market of leaks, such bases were sold in the public domain

It might work like this. A person buys a number that has already entered such a database. There is no way to find out whether it is there: the databases are not public. However, since the numbers got into them by simple enumeration, the probability is high. After all, a phone number is essentially an 8- to 10-digit number (depending on the country), and the set of them is finite. The creators of the database create accounts in advance, to which they add all the numbers, and at the moment a person registers on Telegram they receive the message “XXX is now on Telegram”. After that, the pair "number – newly assigned Telegram ID" is added to the database, together with the name and nickname.

If, after some time, the user starts doing something the state does not like, for example selling drugs or taking part in protest movements, and does so in open chats, then a security officer, who is most likely also present in the same chat, forwards the message to a bot backed by the lookup database and learns the phone number thanks to the "Telegram ID – phone number" link. Neither a nickname like "Anon Anonovich" nor a hidden phone number will help. In addition, he receives information about all the open chats the user is in, the name under which he is registered with those who know his number, and a lot of other information that may be useful for a report. And with the phone number, he can obtain your passport data from the mobile operator.
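The mechanism the preceding paragraphs describe (contact import stores numbers server-side, registration triggers a notification to everyone who imported that number, and the resulting number–ID pair outlives any later change of number, nickname or privacy setting) can be modelled in a few dozen lines. The following toy model is an added illustration, not the article's or Telegram's code; all class and method names, the server logic, and the phone numbers are constructed for the example. Its point is the defender's one made in the text: privacy settings govern what a stranger sees today, but cannot retract a link recorded at sign-up, whereas a number that nobody ever imported never forms such a link.

```python
# Toy model of the "phone number -> account ID" linkage described above.
# Constructed illustration, not Telegram's code: names and numbers are invented,
# and the server is reduced to the one behaviour that matters here, the
# "X is now in the messenger" notification sent to everyone who imported X's number.
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    uid: int                      # permanent identifier, never changes
    phone: str
    nickname: Optional[str] = None
    phone_visible: bool = True    # modelled privacy setting ("who can see my number")


class ToyMessenger:
    """Server-side state: accounts and the contact lists users upload."""

    def __init__(self) -> None:
        self._ids = itertools.count(1000)
        self.accounts: dict[int, Account] = {}
        self.by_phone: dict[str, int] = {}
        # phone -> uids that uploaded that phone in a contact import
        self.imported_by: dict[str, set[int]] = {}
        # (recipient uid, phone, newly registered uid): "X is now in the messenger"
        self.notifications: list[tuple[int, str, int]] = []

    def register(self, phone: str) -> int:
        uid = next(self._ids)
        self.accounts[uid] = Account(uid, phone)
        self.by_phone[phone] = uid
        # Everyone who imported this number earlier learns the new uid.
        for watcher in self.imported_by.get(phone, ()):
            self.notifications.append((watcher, phone, uid))
        return uid

    def import_contacts(self, uid: int, phones: list[str]) -> None:
        """Uploaded numbers are kept server-side even if nobody has registered them yet."""
        for phone in phones:
            self.imported_by.setdefault(phone, set()).add(uid)

    def change_phone(self, uid: int, new_phone: str) -> None:
        acct = self.accounts[uid]
        del self.by_phone[acct.phone]
        acct.phone = new_phone
        self.by_phone[new_phone] = uid

    def set_privacy(self, uid: int, nickname: Optional[str], phone_visible: bool) -> None:
        acct = self.accounts[uid]
        acct.nickname, acct.phone_visible = nickname, phone_visible

    def visible_phone(self, uid: int) -> Optional[str]:
        """What a stranger sees today, after the privacy settings are applied."""
        acct = self.accounts[uid]
        return acct.phone if acct.phone_visible else None


class HarvesterView:
    """Passive recorder: keeps every (uid, phone) pair delivered to one account."""

    def __init__(self, uid: int) -> None:
        self.uid = uid
        self.links: dict[int, str] = {}

    def ingest(self, server: ToyMessenger) -> None:
        for recipient, phone, new_uid in server.notifications:
            if recipient == self.uid:
                self.links[new_uid] = phone

    def phone_for(self, uid: int) -> Optional[str]:
        return self.links.get(uid)


def scenario() -> dict:
    """Replays the story in the text and returns what each party can see at the end."""
    server = ToyMessenger()
    harvester_uid = server.register("+70000000001")  # constructed sample number
    # A block of numbers uploaded long before their owners ever join.
    server.import_contacts(harvester_uid, [f"+7900000{i:04d}" for i in range(10)])

    victim = server.register("+79000000007")   # inside the pre-imported block
    clean = server.register("+79990000042")    # never imported by anyone
    harvester = HarvesterView(harvester_uid)
    harvester.ingest(server)

    # The victim later "anonymises": new number, nickname, hidden phone.
    server.change_phone(victim, "+79000001234")
    server.set_privacy(victim, "anon_anonovich", phone_visible=False)

    return {
        "victim_uid": victim,
        "stranger_sees": server.visible_phone(victim),       # None: the settings work today
        "harvester_sees": harvester.phone_for(victim),       # old number, recorded at sign-up
        "clean_uid": clean,
        "harvester_sees_clean": harvester.phone_for(clean),  # None: no link ever formed
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Run as a script, the model shows the victim's current privacy settings hiding the number from a stranger while the harvester still holds the original number, and no record at all for the account registered on a never-imported number; that asymmetry is why the advice later in the article stresses a fresh number rather than a change of nickname.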

To understand what data about a user can be obtained through leak-based services, The Insider asked a volunteer for his phone number and ran it through one of the popular bots. The volunteer does not currently live in Russia, but the bot accurately showed the region where he had lived in Russia and engaged in activism. Within a few seconds we also found photographs of the person from different periods, his full name and patronymic, two IP addresses (in Kazan and Moscow), two VKontakte pages and one each on Instagram, Odnoklassniki and Telegram, three e-mail addresses, his full date of birth, and 11 Telegram groups and chats. We learned that the person uses the VTB mobile bank and has posted at least two ads on Avito. The volunteer confirmed that the data obtained was accurate.

This is how a lookup result looks in one of the bots

For another volunteer, in addition to such information, we also found addresses in different cities; they were probably taken from the State Services and Yandex leaks, since among them were both the place of registration and the person's actual place of residence. For the same volunteer, we found a list of sites on which he had registered with his phone number, all of them sites that have suffered data leaks in recent years. We also found out how many times these phone numbers had already been looked up, and for some accounts, very old e-mail addresses. When the volunteer hid his nickname, we could no longer find him by nickname. However, accounts are still found by phone number, even an old one: the account we found had since changed both its phone number and its nickname.

Do the security forces know about this?

Similar merged databases are probably also used by employees of government agencies. Back in 2021, Rostec bought a development of the St. Petersburg IT company T.Hunter for use by the police. “The investigator will be able to upload the suspect's e-mail or phone number into the system, and the software package, using this fragment, will match data arrays against it: IP addresses, information from payment systems and advertising identifiers – more than 40 parameters,” Igor Bederov, a manager at the developer company, told Kommersant. Meduza claims that this system, Okhotnik, can even identify the accounts of administrators and owners of Telegram channels.

In addition to Okhotnik, the most popular lookup service in Russia, God's Eye, also has a dedicated interface and a separate e-mail address for government agencies.

In Belarus, the security services have developed their own system for identifying the accounts of people who took part in protest chats. According to BYPOL, the Belarusian security services compiled lists of the users of protest chats (collected their Telegram IDs and nicknames and linked them in a database with all the messages the person wrote, whether anonymously or under a real name and phone number). If there were people in a protest chat who had not hidden the phone number in their profile or had given themselves away in some other way, they came to them with a search, confiscated their phones and extracted the contact list from the phone book and from all the messengers. A special program then matched the known Telegram IDs (and all the messages these people had written in open chats) against the names and phone numbers in the contacts of the seized phone. Having repeated this with several detainees, the security services thus filled their database with the real names and phone numbers of a huge number of other people who had previously been anonymous to them.

The security forces replenished their database with the real names and phone numbers of people who were previously anonymous to them.

The Insider could not find reliable information that the Russian security services practise this method, but nothing stands in the way of their doing so.

How to become a crypto anarchist

If you want to keep using Telegram, and the wish is understandable, since it is one of the most popular messengers, The Insider, together with experts, offers several rules that will help you avoid being identified in the ways described above.

If you plan to join chats whose membership could tell the security services something about you, do not do it from an account that has been tied to you for a long time. You can buy an anonymous number not associated with any person, for example on the Fragment platform, where virtual numbers are sold for cryptocurrency, or on another site that trades virtual numbers capable of receiving SMS. Another option is a foreign prepaid SIM card, that is, one that does not require passport data at purchase. Examples of operators offering such SIM cards in different countries can be found at the link. How to set up privacy in a new account is described below. The disadvantage of this method is that buying a new SIM card can be troublesome, and if you make this account your main one, you will have to move all your chats and contacts to it, of which there may be many.

Anonymize your account as much as possible.

Screenshots (not reproduced here): the settings menu where the relevant options are located; the dedicated settings for your profile; the settings to select for the privacy of your IP address; and what the resulting settings should look like.

Since you have tied your privacy settings to your contacts (only they can see your account and photos, call you, and so on), do not add strangers to your contacts. You can chat with someone without adding the person to your contact list, especially if you are not entirely sure who you are chatting with.

Two-factor authentication is excellent protection against account hacking and theft. You can learn about the types of "two-factor" from the article by Roskomsvoboda. Telegram only offers two-factor authentication with a second password that you will need to remember, or via e-mail. The first option is relatively safer, but the main thing is to enable at least one of them.

The author thanks the experts who wished to remain anonymous for their participation in preparing this material.
