Telegram requires users to register with a phone number, which is a critical piece of personal data under GDPR and CCPA. This raises important questions:
Data Minimization: While the phone number is mandatory, Telegram allows users to create usernames and engage in chats without sharing their number publicly. This partially addresses data minimization principles under GDPR.
Anonymity and Pseudonymity: Users can choose to remain pseudonymous in groups and channels, enhancing privacy. However, Telegram still retains the phone number internally, which may be accessed under legal orders.
Data Linking: Phone numbers can potentially link user accounts across different services or platforms if combined with other identifiers, increasing privacy risks.
Telegram’s policies emphasize that phone numbers are not shared with third parties without consent, except for legal compliance.
Encryption and Data Security
Telegram uses a unique encryption protocol called MTProto, which is proprietary and designed to balance speed and security:
Cloud Chats: These are encrypted between client and server, but not end-to-end. Telegram stores these messages on its servers to allow synchronization across devices.
Secret Chats: These are end-to-end encrypted and stored only on user devices, never on Telegram’s servers.
The hybrid model offers convenience but exposes Telegram to potential legal requests for cloud chat data.
Under GDPR’s security principle, Telegram must ensure appropriate technical measures to protect personal data. Telegram claims to implement strong security, but the proprietary nature of MTProto has attracted criticism from cryptographers who prefer open standards.
Data Retention and Deletion
Under GDPR, data should not be retained longer than necessary. Telegram’s policy allows users to delete:
Messages: Either individually or entire chats.
Accounts: Deletion removes data from Telegram servers after a period of inactivity (6 months by default).
Telegram also offers self-destruct timers for messages in secret chats, enhancing compliance with data minimization and user control rights.
However, there is less clarity on Telegram’s retention of logs, metadata, and backups for legal compliance or operational reasons.