Errors in the Wired Article

Telegram

Wired published an article by a freelance journalist who doubted the safety of Telegram due to a lack of understanding about how Telegram's API and Secret Chats work.

Below is an explanation of why these doubts are unfounded.

1. Secret Chats

Contrary to the journalist's fears, "messages erroneously marked as read" can't mean that a third party is accessing Telegram's Secret Chats. Had an intruder somehow been able to intercept messages from a Secret Chat, they could have also prevented read receipts (messages are not marked as read automatically – to do this, apps need to send a special request). But such a hack is impossible.

Telegram is the only popular messaging application that allows any researcher to independently confirm that its open-source code is identical to the code of apps that its iOS and Android users download from the AppStore and Google Play. Thanks to this, independent experts can fully evaluate the integrity of Secret Chats. In the almost 10 years of Telegram's existence, no security flaws that would enable a third party to intercept or decrypt Secret Chats have ever been found.

No issues with read statuses can affect the security of Secret Chats. However, it is not even clear whether these issues existed. The journalist claimed that Yana Teplitskaya "noticed that many of her secret chats were erroneously marked as read," but she told Telegram she never had any issues with Secret Chats. Yana says she only ever saw regular cloud chats erroneously marked as read.

2. Access to Messages

Contrary to the journalist's misconceptions, there is no evidence that law enforcement had access to politician Marina Matsapulina's messages before her arrest. Her location was established based on her mobile network usage and not by reading her messages. This is mentioned in the conversation with an investigator she published: "...the FSB has very good equipment that shows your location based on your phone [usage] accurate up to 1 meter."

Marina's devices had been in the hands of law enforcement for 3 hours by the time her messages were first quoted to her. According to independent experts, these messages were physically extracted from her confiscated devices using Cellebrite tools, which are regularly used by Russian special services – this has nothing to do with Telegram's security, as no app can defend against direct access to a device.

3. Geolocation Data

The article misleadingly claims that the location of any Telegram user "who turned on their location" could be accessed via the API (application programming interface for developers or third-party apps). This was never the case.

The Telegram API can only be used to receive the locations of users who agreed to publicly broadcast their location in the optional section 'Find People Nearby'.

Less than 0.01% of users have ever opted into this feature – and they did it knowingly, with the exact intention of sharing their location with the world. This optional feature is not a vulnerability.

4. "Monitoring" via the API

The article portrays the Telegram API for developers as a tool that allows "authorities to monitor users."

In reality, the Telegram API only allows one to obtain the same data that is accessible to all users via regular Telegram apps. Even if you know somebody's phone number, there are no guaranteed ways for you to find messages they left in publicly accessible groups – let alone receive confidential data of any kind, like which channels you follow.

The source of the author's confusion most likely lies in the fact that the Telegram API is used by third-party Telegram apps and bots with which users often voluntarily share their data (for example, by adding bots to chats as administrators or by using unofficial Telegram apps).


Unfortunately, the article's author, freelancer Darren Loucaides, decided to ignore comments from Telegram and other sources in his article.

This article is also available in Russian.
