New Paper Reveals Telegram is Leaking Unique Device IDs

Pavel Durov—you have failed us big time. Telegram, one of the biggest messaging apps in the entire world with over a billion users, has always promised it would never share user messages.

In 2025, CEO Pavel Durov famously quipped that he would rather die than give access to third parties. It turns out he never needed to share the content of the messages, because the unique device identifiers were being sent over the internet completely naked and unencrypted without HTTPS, according to a new security paper.

This is a massive and fundamental privacy flaw that helps any attacker monitoring the internet—say, an internet service provider or an intelligence agency—to get signals that would help it track down who is talking to whom, when, and where from. Using a VPN can help, but it only shifts the point of exposure.

The part that makes me the most angry is the fix is incredibly easy and simple—just use HTTPS, which 99% of websites do already. But Telegram has never fixed it or made it possible for users to fix it themselves by enabling HTTPS.

A new paper by esteemed cryptographer Nadim Kobessi lays out the potential of de‑anonymization when using Telegram and its custom encryption protocol MTProto.

Kobessi is one of the cryptography OGs and has pointed out the flaws of popular privacy tech like ProtonMail and encrypted webmail in general. If you want to learn more about that, check out my article on #TBOT.

I’ve used Telegram since 2020. It was a haven during the mass censorship of the COVID era, and it stood out as a social media platform where people could congregate and share information without being censored or spied on.

Even though there has been speculation that Telegram has been sharing data with third parties since 2024—on account of Durov being arrested by French police in 2024—to this day they still promise they haven’t shared a single byte of private messages.

However, they do now hand over phone numbers and IP addresses to law enforcement. So if Telegram is telling the truth about never sharing messages, how does law enforcement get tipped off in the first place? It all comes down to a few things.

For one, as should be obvious by now, most of Telegram is public via groups. Anyone can join a group, and there are bots or even real people monitoring them. If illegal activity is going down in public chats, law enforcement can request more information from Telegram. That’s one piece; the second is the MTProto messaging protocol.

MTProto’s auth_key_id

Telegram’s encryption scheme is called MtProto, a custom encryption protocol. It’s been the subject of controversy over the years, but today’s video isn’t about what gets encrypted with MtProto; it’s about what doesn’t get encrypted. Remember, Telegram primarily uses cloud chats, meaning almost nothing is end‑to‑end encrypted, and Telegram’s servers are able to see the content of your messages.

For every normal chat, your device exchanges keys with the server, and the content of your messages is sent encrypted. Once they arrive, the server decrypts your message and re‑encrypts it with the keys of your intended recipient. This means Telegram has complete visibility of normal cloud messages. This is even useful to a degree, because this is how you can search through years of old messages in your personal chats. Users put trust in Telegram to never share these decryption keys with third parties. And from what Telegram reports, only a select few in the organization are even able to access these keys.

But even though the content of your message is encrypted, you would assume your device identifier would be, too. I assumed they would do everything in their power to protect us from outside observers—I was completely wrong.

At the bottom of the image above, you see what gets sent over the internet. You have your encrypted data, but you also have something called the auth_key_id. This auth_key_id is unique to your device, and it’s how Telegram’s servers know which key to decrypt the message with. Notice the auth_key_id in grey at the bottom; it’s outside the encryption envelope, meaning it’s plain for everyone to see as it travels over the internet.

Normally, when you use online services, you use something called HTTPS (Hyper‑Text‑Transport‑Protocol‑Secure) to protect your traffic in transit. It’s rare these days to find a website that isn’t using it— you see “your connection is not secure” when this happens.

This is a really basic thing, but Telegram doesn’t use HTTPS to connect to its messaging servers. This means the auth_key_id is being sent over the internet naked. Anyone monitoring network traffic, from your local café’s guest Wi‑Fi to your internet service provider, is seeing your unique device identifier.

Independently verified by Kobessi’s paper, this auth_key_id never changes—it’s always there. So when you use Telegram in the U.S. and then travel to France, the same auth_key_id is traveling over the internet in plaintext. Telegram has responded to say that the auth_key_id rotates regularly; however, this contradicts the findings in the paper.

Why does that matter? It matters because if an adversary has a general idea of which devices are messaging and when, it can also determine who is talking to whom using timing analysis.

If Alice and Bob are sending messages back and forth at approximately the same time, one after another, that can be inferred by watching their connections to Telegram’s servers—once again, unencrypted.

This is the ‘metadata’ of the messages, which is just as important—if not more—than the content of those messages. And Telegram doesn’t give you the ability to force HTTPS when using its messaging servers across its mobile and desktop applications. So this massive flaw can’t be fixed by users. It’s up to Telegram to enforce and enable HTTPS for its app.

It doesn’t even matter if you use a VPN or Tor because at some point these services will need to connect directly to Telegram’s messaging servers.

We the users must demand answers from Pavel Durov: why is this gaping hole in privacy allowed to exist for its billion users? What’s the explanation?

Telegram is now profitable—bringing in over $1 B in revenue in 2025. It’s making profits by inserting ads in front of users it promises privacy to, and these findings are a huge slap in the face. Until we get some accountability, I’m not recommending Telegram and I’m making moves to switch to better protocols.

My channel @TakeBackOurTech on Telegram recently passed the 10,000‑follower mark, and I’m willing to sacrifice this channel until we get some accountability. I am encouraging all of my followers to switch with me to a new private messaging protocol, SimpleX. SimpleX allows for channels, groups, and direct messaging—all without metadata.

Watch the solutions section of #TBOT 24 to learn how.

Join our SimpleX group
https://smp9.simplex.im/g#IcBYNSscyr19yLioGTfYl048k5-Qs2-25k0GsDCe3Zc

Follow our SimpleX channel
https://smp9.simplex.im/c#42JhYLTvg6_HQ11XeUYLftQMOKUWFDWWkFTCymLk0RQ

Blog | Youtube | X |Tiktok | Odysee | Rumble

Privacy phones aren’t just alternatives—they’re better than big tech.

With Above Phone, you’ll unlock features and freedom you didn’t even know existed.

• Works with any cell service (and even over WiFi with an internet phone)
• Download the apps you love (private app stores)
• Have complete control over your app permissions