Telegram, the FSB, and the Man in the Middle

This report assesses Telegram’s privacy and security claims, explaining that default cloud chats are not end-to-end encrypted and that MTProto’s inclusion of an unencrypted auth_key_id can allow network observers to track devices and infer users’ IP addresses and locations. Despite Telegram’s assurances about distributed storage and split keys, experts argue the design exposes metadata that can be used for user tracking even when message content remains unreadable.