Telegram Security and Privacy
Now is the perfect time to tell you about Telegram’s security and privacy settings.
End-to-end encryption is not the default option on Telegram
The first thing to know about The Telegram app is that conversations hosted in the cloud, as Telegram calls its standard exchanges, are not end-to-end encrypted. This article explains why end-to-end encryption is so important when it comes to privacy.
How to enable end-to-end encryption to keep Telegram conversations secret
Telegram instant messaging is well and truly equipped with end-to-end encryption; you just need to activate it. These conversations protected by end-to-end encryption are known as Secret Exchanges.
All sent messages, images, videos, and other files are end-to-end encrypted during a secret exchange. This means that only you & the recipient have the decryption key and Telegram cannot access the data.
Also, the content of secret exchanges is not stored in Telegram’s servers. Since secret exchanges are only saved on the device, they cannot be accessed from any other device, and they disappear as soon as you log out of Telegram or delete the app.
Secret Exchanges are available with Telegram versions of iOS, Android, and macOS. The Web version and the Windows application are incompatible with secret exchanges. These systems cannot guarantee that conversations are stored securely on the device.
How to create a secret exchange on Telegram
With the Telegram app’s current versions, it is quite difficult to find the secret exchange option.
To create a secret exchange, you must open the profile of the person you are interacting with, tap or click all three buttons (or More in some cases), and then select Start a secret exchange.
This option opens a conversation where messages are end-to-end encrypted (a notification appears at the start of the conversation). You can also indicate when messages will be deleted by tapping or clicking the stopwatch icon in the received messages section.
Obviously, self-destruction of messages does not prevent your correspondent from taking a screenshot but, if he does, will be notified in the conversation. There is only one exception: if the other person is using the macOS app. You will not receive a notification in this case.
Here’s another helpful tip: Telegram allows multiple secret exchanges with the same person. Telegram Group chats cannot be secret, unlike WhatsApp, which by default applies end-to-end encryption to all conversations.
How to tell if a conversation is end-to-end encrypted: the padlock icon
As Telegram’s conversations are either stored in the cloud or secret, it is important to know what you are using in some cases. If an exchange contains sensitive information, it should be secret, right?
Yes of course. End-to-end encrypted conversations are almost identical to usual. To confirm your situation, look for the padlock icon next to the caller’s name or phone number. If there is one, the exchanges are secret. Otherwise, end-to-end encryption is disabled and you should create a new conversation.
You can also touch or click on the corresponding conversation icon to check if the exchanges are end-to-end encrypted. If so, the Encryption Keywords appear at the bottom of the open window.
How to configure Telegram’s security and privacy settings
While we’re at it, let’s take the time to configure the app’s security and privacy settings. Click Settings at the bottom right and select Privacy & Security.
Security settings on Telegram
The first step is to make sure that no one can read your conversations if you accidentally leave your device unlocked or unattended. To do this, select Passcode and Face ID, activate the function, and think of a PIN code that you will not forget. Enter it and confirm.
Then enter Auto-lock and enter the time frame, between 1 and 5 minutes. If your device supports fingerprints or facial recognition, you can enable this option here.
Then you need to accept two-factor authentication to protect your account from cybercriminals. With each new connection, you will receive a one-time code by text message, but Telegram invites you to choose a password as the second factor.
So, go to the Confidentiality and security section, select Double authentication (term chosen by Telegram to designate 2FA) then choose a complex password. You will rarely enter this password and easily forget it, so keep it in a safe place such as a password manager.
What will happen if you forget this additional password? You will need to reset your account. In other words, you have to apply to completely delete your account and then you have to wait seven days. The account will disappear after a week (associated contacts, cloud conversations, and channel subscriptions) and you can create a new, completely empty one using the same phone number.
Privacy settings on Telegram
You need to correctly set up your profile to only share the bare essentials with Telegram’s 500+ million users. So, see all of the Telegram’s Privacy settings and then change the values. By default, anyone can access all options and data. We recommend that you configure your account in this way:
- Phone number → Who can see my number? – No one.
- Phone no → Who can find me by my number? – My contacts.
- Presence → Who can see your last presence? – No one.
- Profile picture → Who can see my profile picture/video? – My contacts.
- Calls → Who can call me? – My contacts (or Person, if you prefer).
- Calls → Peer-to-peer – My contacts (or Person, if you do not want to share your IP address with your contacts).
- Forwarded Telegram messages → Who can add a link to my account when forwarding my Telegram messages? – My contacts.
- Telegram Groups and channels → Who can add me to groups and channels? – My contacts.
This also a perfect time to check the Privacy & Security → Data Settings section and delete from Telegram’s memory any information you don’t want the app to have.
Telegram security for the more careful
The above info should be enough for most users, but here are some more for the more thorough:
Choose another phone number to create a Telegram account or a virtual phone number instead of a real number. However, be careful not to use a one-time number or something similar otherwise, anyone will be able to access your account.
Use VPN to hide your IP address (which Telegram can disclose at law enforcement request, for example).
Consider using another application (one more suited to secure and confidential communications) such as Signal or Threema. Unlike Telegram, they encrypt all conversations by default and offer several additional privacy options.
On the other hand, they are less well known and do not have some features that encourage users to choose Telegram.
Remember that even the most secure instant messengers are helpless if someone has access to your device, either physically or remotely.
Thus, we advise you to always lock all your devices with a password or a PIN code, regularly install updates to installed applications and the operating system, and have a trusted antivirus to protect you from malware.