The Misconception
A lot of people think Telegram is a secure messenger. Telegram markets itself that way. Pavel Durov has publicly claimed Telegram is “way more secure” than WhatsApp and even implied Signal and WhatsApp are backdoored by the US government. The reality is the opposite.
Telegram’s Encryption Problem
Telegram does not use end-to-end encryption by default. Standard chats — what Telegram calls “Cloud Chats” — use client-server encryption only. Messages are decrypted on Telegram’s servers. Telegram can read them. According to an IEEE Spectrum analysis, this means Telegram’s default security is essentially TLS — the same level of encryption your browser uses to load a webpage.
Telegram offers “Secret Chats” that are end-to-end encrypted, but you have to manually enable them for each conversation, and they only work in one-on-one chats. Group chats have no E2E encryption option: no group chat on Telegram is ever end-to-end encrypted.
As cryptographer Matthew Green wrote: the vast majority of Telegram conversations are visible on Telegram’s servers, which can see and record everything.
The Server Code Is Closed
Telegram’s client apps are open source. The server code is not. You have to trust Telegram’s servers — and Telegram’s claim that they keep encryption keys split across jurisdictions. For a platform that markets itself on privacy, this is a critical gap. You can’t verify what you can’t inspect.
Post-Arrest Data Sharing
In August 2024, French authorities arrested Telegram CEO Pavel Durov at Le Bourget Airport. The charges included complicity in distributing child exploitation material and facilitating drug trafficking on the platform.
Within weeks, Telegram completely reversed its data-sharing stance. Before September 2024, Telegram’s policy was to share user data only in terrorism cases. After the arrest, they began sharing IP addresses and phone numbers with law enforcement across dozens of countries. In France alone, data disclosures jumped from 54 users in the first half of 2024 to 1,386 users in Q4. India saw 23,535 users’ information disclosed over the year.
This is the fundamental issue with trusting a server that holds your plaintext messages: when the pressure hits, the data is there to hand over.
Why Signal
Signal uses end-to-end encryption by default for every message, every call, every group chat. There is no “Secret Chat” toggle — everything is secret by design.
The Signal Protocol — combining the Double Ratchet Algorithm, prekeys, and X3DH key exchange — is the industry standard. WhatsApp and Google Messages both use it. Signal’s implementation includes forward secrecy and post-compromise security, and they’ve recently introduced the Sparse Post Quantum Ratchet (SPQR) to defend against future quantum computing threats.
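To make forward secrecy concrete, here is an added example (not from the original post and not Signal's code): a minimal symmetric-key ratchet in the style of the Double Ratchet's KDF chain, using HMAC-SHA256 with the constant inputs 0x01 and 0x02 that the Double Ratchet specification recommends. The function and class names and the starting secret are constructed for illustration; the real protocol also mixes in fresh Diffie-Hellman outputs, which this sketch leaves out.

```python
import hashlib
import hmac


def kdf_chain_step(chain_key):
    """One symmetric-ratchet step: returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class SendingChain:
    """Keeps only the current chain key; each step overwrites the previous one."""

    def __init__(self, initial_chain_key):
        self._chain_key = initial_chain_key

    def next_message_key(self):
        self._chain_key, message_key = kdf_chain_step(self._chain_key)
        return message_key

    def snapshot(self):
        """What an attacker obtains by compromising the device at this moment."""
        return self._chain_key


def simulate_compromise(sent_before=3, sent_after=2):
    # Constructed starting secret; in the real protocol it comes from key agreement.
    chain = SendingChain(hashlib.sha256(b"constructed demo root secret").digest())
    past_keys = [chain.next_message_key() for _ in range(sent_before)]
    stolen = chain.snapshot()
    future_keys = [chain.next_message_key() for _ in range(sent_after)]

    # The attacker can only run the chain forward from the stolen state;
    # going backward would require inverting HMAC-SHA256.
    attacker_keys, ck = [], stolen
    for _ in range(sent_after):
        ck, mk = kdf_chain_step(ck)
        attacker_keys.append(mk)

    return {
        "past_exposed": any(k == stolen or k in attacker_keys for k in past_keys),
        "future_exposed": attacker_keys == future_keys,
    }


if __name__ == "__main__":
    print(simulate_compromise())
```

Past message keys stay out of reach (forward secrecy), while later keys on the same chain are exposed; closing that second gap is the job of the Diffie-Hellman half of the Double Ratchet, which is what provides post-compromise security.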
Both Signal’s client and server code are open source under AGPLv3. Anyone can audit them. The EFF has given Signal a perfect score on their secure messaging scorecard.
Signal collects almost no metadata. They store only your account creation date and last connection time. The Signal Foundation is a 501(c)(3) nonprofit — they have no advertising business model and no incentive to mine your data.
The Bottom Line
Telegram is a feature-rich messaging platform. It is not a secure one. If your threat model involves keeping your messages private from the server operator and anyone who might compel that operator, Telegram fails by default.
Switch to Signal. Tell your contacts to switch. The security difference is not marginal — it’s architectural.