CYBER AWARENESS

Cybersecurity · Sunday, March 1, 2026 · 7 min read

For discussion and awareness among friends and colleagues

The Illusion of Secure Messaging

What Your Messaging App Knows About You

Telegram • WhatsApp • Signal

February 2026

The Problem: Encryption ≠ Privacy

Most of us use messaging apps daily — for work, family, friends, and community. We see the "end-to-end encrypted" label and assume our conversations are private. This assumption is dangerously incomplete.

Encryption protects the content of your messages — the words you type. But it does not protect the metadata — the digital envelope around your message. And metadata often reveals more about you than the message itself.

Metadata includes: who you message, when, how often, for how long, your IP address, your device info, your location, and your network details. Think of it as: they cannot read your letter, but they are reading every detail on the envelope.
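What the envelope alone gives away, shown as an added example that is not part of the original article. The records, names and IP addresses below are constructed for illustration (documentation address ranges), and none of them carries any message content.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: envelope data only (sender, recipient, time, source IP).
# There is no message content anywhere in these records.
RECORDS = [
    ("alice", "family-lawyer", "2026-02-03T02:11:00", "203.0.113.7"),
    ("alice", "family-lawyer", "2026-02-03T02:40:00", "203.0.113.7"),
    ("alice", "estate-agent",  "2026-02-04T10:05:00", "203.0.113.7"),
    ("alice", "estate-agent",  "2026-02-05T16:30:00", "198.51.100.20"),
    ("alice", "estate-agent",  "2026-02-06T09:15:00", "203.0.113.7"),
    ("alice", "bob",           "2026-02-06T23:50:00", "203.0.113.7"),
    ("bob",   "alice",         "2026-02-07T00:05:00", "192.0.2.44"),
    ("carol", "bob",           "2026-02-07T12:00:00", "192.0.2.90"),
]

def envelope_profile(records, user, night=(0, 5)):
    """Summarise what an observer learns about `user` from envelopes alone."""
    contacts = Counter()        # how often each counterpart appears
    night_contacts = Counter()  # exchanges that happened in the small hours
    networks = set()            # distinct source IPs the user sent from
    for sender, recipient, ts, ip in records:
        if user not in (sender, recipient):
            continue
        other = recipient if sender == user else sender
        contacts[other] += 1
        if night[0] <= datetime.fromisoformat(ts).hour < night[1]:
            night_contacts[other] += 1
        if sender == user:
            networks.add(ip)
    return {
        "contacts": dict(contacts),
        "night": dict(night_contacts),
        "networks": sorted(networks),
    }

def social_graph(records):
    """Undirected who-talks-to-whom map built from the same envelopes."""
    graph = defaultdict(set)
    for sender, recipient, _ts, _ip in records:
        graph[sender].add(recipient)
        graph[recipient].add(sender)
    return {person: sorted(peers) for person, peers in graph.items()}

if __name__ == "__main__":
    print(envelope_profile(RECORDS, "alice"))
    print(social_graph(RECORDS))
```

Eight content-free records are enough to show a lawyer contacted twice around 2 AM, an estate agent contacted three times, two networks in use, and a link from the user to a third person through a shared contact.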

1. Telegram: Security Theater

Telegram markets itself as a secure messenger. The reality is more complicated.

The Default is Not Encrypted

Regular Telegram chats ("Cloud Chats") use client-server encryption, NOT end-to-end encryption. This means Telegram’s servers can access the contents of your messages. Only "Secret Chats" provide true end-to-end encryption, but most users never activate this feature because it is buried in the menu.

Every group chat on Telegram is visible to Telegram’s servers. Secret Chats are only available for one-on-one conversations, are device-specific, and are not synced across devices.

The Protocol is Non-Standard

Telegram uses its own proprietary MTProto 2.0 protocol instead of industry-standard encryption like TLS. Security researchers have found several cryptographic weaknesses and noted that the protocol falls short of guarantees provided by established protocols. The unconventional design choices make it harder to formally verify its security.

Infrastructure Concerns

A 2025 investigation found that key parts of Telegram’s network infrastructure were operated by companies with long-standing business ties to Russian state institutions, including the FSB (Federal Security Service). While this does not prove direct control, it raises serious questions about data sovereignty.

Pavel Durov’s Arrest

Telegram’s founder Pavel Durov was arrested in France in August 2024 and indicted on twelve charges including complicity in distribution of child exploitation material and drug trafficking. French prosecutors revealed that Telegram’s non-compliance with police requests had blocked 2,460 cases between 2013 and 2024. As of November 2025, his travel ban was lifted but the investigation continues.

| Feature | Telegram Reality |
| --- | --- |
| Default Encryption | Client-server only — Telegram can read your messages |
| Group Chats | Never end-to-end encrypted |
| Secret Chats | E2E encrypted but hidden, device-specific, no groups |
| Protocol | Proprietary MTProto 2.0 — non-standard, weaknesses found |
| Server Code | Closed source — cannot be independently verified |

2. WhatsApp: The Metadata Machine

WhatsApp uses the Signal Protocol for end-to-end encryption, meaning your message content is genuinely protected. However, WhatsApp is owned by Meta (formerly Facebook), and the real value to Meta is not your messages — it is everything around them.

What WhatsApp Collects

Even with end-to-end encryption, WhatsApp records: your phone number, device info, IP address, who you message, when you message them, how frequently, call duration, your network details, browser info, ISP, and identifiers linked to other Meta products on the same device. Their privacy policy states they record "the time, frequency, and duration of your activities and interactions."

How Your Metadata is Used

1. Feeding the Ad Machine — If your WhatsApp is linked to Meta’s Accounts Center, your metadata is used for advertising across Facebook and Instagram. They do not need to read your messages. Knowing you contacted a lawyer at 2 AM, called a real estate agent three times, and frequently chat with someone in another city paints a complete picture.

2. Building Shadow Profiles — In late 2025, researchers from the University of Vienna exploited a Contact Discovery loophole to harvest metadata associated with up to 3.5 billion WhatsApp account identifiers. This was not a hack — it was a feature being abused.

3. Law Enforcement Access — WhatsApp is required by law to share metadata with authorities. An internal company memo acknowledged that ongoing "collect and correlate" attacks would break their intended privacy model. Without reading a single message, governments can map your entire social network.

4. Meta AI Integration — In 2025, Meta integrated its AI assistant directly into WhatsApp. Interactions with Meta AI are NOT end-to-end encrypted and are actively used for ad targeting. This was done without user consent, and users cannot disable or remove the feature.

5. Business Chat Exposure — When you message a business account using Meta’s services, once received, your message becomes subject to the business’s own privacy practices. Meta can use this data for marketing.

WhatsApp is a secure delivery truck driven by a surveillance company. The lock on the back door works, but the driver is writing down every address you visit. — Adapted from security researchers’ analogy

Why Shopee Knows What You Want

This is how targeted advertising works: Meta knows from WhatsApp who you talk to, when, and how often. From Facebook and Instagram it knows your interests, and through the Meta Pixel embedded on millions of websites, including e-commerce platforms like Shopee and Lazada, it knows your browsing habits. Your device’s advertising ID ties everything together across apps.

You do not need to search for a product. Just messaging someone about it generates enough metadata signals for the algorithm to connect the dots. People think their phone is "listening." The reality is worse — it does not need to listen. It already knows.

3. Signal: The Gold Standard (With Caveats)

Signal is widely considered the most secure messaging app available. It is end-to-end encrypted by default for ALL conversations — messages, calls, groups, media. Even Signal itself cannot access your content.

When law enforcement serves Signal with a court order, all Signal can provide is when the app was downloaded and when it was last used. Nothing else. They literally do not have your data.

Who Owns Signal

Signal is owned by the Signal Technology Foundation, a 501(c)(3) nonprofit. It was co-founded in 2018 by Moxie Marlinspike (cryptographer and creator of the Signal Protocol) and Brian Acton (co-founder of WhatsApp, who left Meta over disagreements about data monetization). Acton provided an initial $105 million at 0% interest, not due until 2068.

Signal has no advertisers, no investors, and can never be acquired by a tech company. It runs entirely on donations. The current president, Meredith Whittaker, is a vocal critic of surveillance capitalism.

The Sustainability Question

Signal spends approximately $40–50 million per year on operations but generates only about $2 million in real revenue. It survives on Acton’s initial endowment and user donations. This raises legitimate questions: Can a truly private messenger survive without a profit motive? If Signal collapses, what then?

Reasons for Healthy Skepticism

Signal’s predecessors received nearly $3 million from the US government-sponsored Open Technology Fund. As of 2025, the CIA installs Signal by default on employee devices. Why would intelligence agencies promote an app they cannot break into — unless the relationship is more nuanced than it appears?

Signal still requires your phone number to register, linking your identity to the service. And while their code is open source, you are still trusting that what runs on their servers matches the published code.

4. Side-by-Side Comparison

| Feature | Telegram | WhatsApp | Signal |
| --- | --- | --- | --- |
| Default E2E Encryption | ✘ No (opt-in only) | ✔ Yes | ✔ Yes |
| Group Chat E2E | ✘ Never | ✔ Yes | ✔ Yes |
| Metadata Collection | Moderate | Extensive | Minimal |
| Data Shared with Ads | No | Yes (via Meta) | No |
| Open Source (Client) | ✔ Yes | ✘ No | ✔ Yes |
| Open Source (Server) | ✘ No | ✘ No | ✔ Yes |
| Ownership | Private (Durov) | Meta (Facebook) | Nonprofit Foundation |
| Revenue Model | Premium + Ads | Metadata → Ads | Donations |
| Law Enforcement Data | Cloud chat content possible | Full metadata | Install date + last used |
| Phone Number Required | ✔ Yes | ✔ Yes | ✔ Yes |

5. What You Can Do

Immediate Steps

For WhatsApp: Disconnect WhatsApp from Meta’s Accounts Center (Settings > Accounts Center). Disable link previews in sensitive chats. Do not interact with Meta AI. Enable Advanced Chat Privacy for each chat. Consider using a secondary number.

For Telegram: Use Secret Chats for sensitive one-on-one conversations. Do not assume group chats are private. Be aware that default chats are stored on and accessible by Telegram’s servers.

For truly sensitive communication: Use Signal. For absolute privacy, consider apps like Threema or SimpleX that do not require a phone number at all.

The Bigger Picture

Every platform you disconnect from is one less data source feeding the surveillance machine. Every smart device connected to the cloud is another data point in someone’s profile of you. The old saying holds true: if the service is free, you are the product.

The most secure conversation remains the one had face to face, with no devices in the room.

"They cannot read your letter, but they are reading every detail on the envelope. And the envelope tells them almost everything."

Sources

ESET Telegram Privacy Analysis (2025) • MTProto Security Analysis (Albrecht et al., EUROCRYPT 2025) • JOSA Telegram Security Report • Mozilla WhatsApp Privacy Review (2025) • TechRadar WhatsApp Metadata Analysis • University of Vienna Contact Discovery Research (2025) • Signal Foundation Wikipedia • France24 Durov Travel Ban Report • Pixel Defence WhatsApp Metadata Leak Report (2025)

This document is compiled for awareness and discussion purposes. It represents a synthesis of publicly available research and reporting as of February 2026. Readers are encouraged to verify claims independently and form their own conclusions.