Risk Assessment for Government and NGO News Use on Telegram

Government agencies and NGOs rely on Telegram because it’s fast, free, and works even when the internet is spotty or censored. In Ukraine, it’s how aid groups coordinate with villages under fire. In Russia, it’s how activists share information when other channels are shut down. But here’s the problem: Telegram is not secure. Not for sensitive work. Not anymore.

Why Telegram Looks Like a Good Idea - But Isn’t

Telegram’s appeal is obvious. You can create a public channel in seconds. You can send videos up to 2GB. Millions of people are already on it. For NGOs trying to reach displaced communities or governments needing to broadcast emergency alerts, it’s hard to ignore.

But the same features that make Telegram useful for news also make it dangerous for secure communication. Public channels are indexed and searchable. Anyone can join. Even if you think your messages are private, Telegram stores all non-Secret Chat messages on its servers - and those servers are spread across multiple countries, including ones with weak legal protections.

Worse, Telegram’s encryption isn’t automatic. Only “Secret Chats” are end-to-end encrypted - and most users don’t even know how to find them. A February 2025 report from Digital Defenders Partnership found that 83% of NGO staff in Eastern Europe didn’t realize regular chats were stored unencrypted on Telegram’s servers. That means if your organization uses Telegram like WhatsApp - sending group updates, sharing documents, posting links - you’re broadcasting that data to anyone who can access Telegram’s infrastructure.

The Hidden Backdoor: How Telegram Lets Governments Spy

Telegram claims it has never handed over a single message to any government. But that’s not the whole story.

Security researcher Michał ‘rysiek’ Woźniak uncovered a critical flaw in Telegram’s MTProto protocol: the auth_key_id. This is an unencrypted identifier tied to each user’s device. It doesn’t reveal your message content - but it does reveal which device sent or received a message. When combined with other data - IP addresses, timestamps, contact lists - this identifier becomes a digital fingerprint.

According to a May 2025 investigation by OCCRP, Telegram’s network engineer, Vladimir Vedeneev, has unparalleled access to the platform’s core systems. Russian intelligence services have long been known to monitor Telegram traffic. Now, with this device-level tracking capability, they can link a specific phone or laptop to a user’s activity - even if that user is in Germany, Canada, or the U.S.

This isn’t theoretical. Dmitry Zair-Bek, head of the Russian NGO First Department, confirmed that in multiple treason cases, the FSB used Telegram metadata - not just message content - to identify, track, and arrest activists. “By the time arrests occur,” he said, “the FSB already possesses full records of the users’ private Telegram correspondence.”

Telegram’s Policy Shift: From Privacy Advocate to Compliance Mode

Telegram used to pride itself on resisting government pressure. In 2018, it refused to hand over encryption keys to Russia. In 2020, it was banned there for years.

That changed after CEO Pavel Durov was arrested in France on August 24, 2024. Within weeks, Telegram quietly updated its privacy policy. Now, it states clearly: “We will disclose users’ phone numbers and IP addresses upon receiving a valid court order.”

This isn’t just about Russia. It’s about precedent. If Telegram complies with French courts, it sets a global standard. Governments in Hungary, Turkey, Iran, and beyond will now demand the same access. And Telegram has no incentive to say no - it’s a business, not a nonprofit. Its infrastructure is centralized, its leadership is isolated, and its security claims are unverifiable.

The Electronic Frontier Foundation’s 2024 Secure Messaging Scorecard gave Telegram just 2 out of 7 points. Signal? Perfect 7 out of 7. Why? Because Signal encrypts everything by default. It doesn’t store your messages. It doesn’t collect your metadata. It doesn’t have a single point of control that can be pressured or compromised.

What Happens When NGOs Use Telegram - Real Cases

In November 2024, three staff members of a Ukrainian NGO were detained in Russia. They had been using Telegram to coordinate humanitarian aid deliveries to border towns. They thought their messages were private. They weren’t.

The evidence against them? Timestamps. Location data. Channel subscription logs. All pulled from Telegram’s servers. Their phones were never hacked. Their passwords weren’t stolen. The data came straight from Telegram’s own infrastructure.

A Reddit user from Ukraine, posting under u/SecurityFirstNGO, wrote: “Three of our staff in Russia were detained in November 2024 based on Telegram messages they thought were secure - evidence included timestamps and metadata that shouldn’t have been accessible.”

Microsoft’s threat intelligence team documented over 20 NGO breaches in early 2025 linked to the Russian threat actor Void Blizzard. These weren’t advanced hacking operations. Most were simple password spraying and credential theft - because NGO staff used weak passwords, reused them across platforms, and didn’t enable two-factor authentication. Telegram doesn’t force security. It assumes users know how to protect themselves. Most don’t.

Alternatives That Actually Work

If you need to send sensitive information - donor lists, witness locations, operational plans - you need a tool designed for that.

• Signal: End-to-end encryption by default. No metadata collection. Open-source. No phone number required for group chats. Used by the U.S. Department of Defense for non-classified comms.
• Wire: GDPR-compliant. Built for governments and NGOs. Regular third-party audits. Supports secure file sharing and encrypted video calls.
• Threema: No email or phone number needed. Pay once, no ads, no tracking. Used by Swiss government agencies and international human rights groups.

These tools don’t have 900 million users. But they don’t need to. They’re built for trust, not scale.

Telegram’s network effect is its biggest trap. People use it because everyone else does. But when you’re dealing with life-or-death communications, popularity doesn’t equal safety. It equals exposure.

What NGOs and Governments Should Do Now

If your organization still uses Telegram for anything beyond public announcements, you’re at risk.

Here’s what to do:

1. Stop using Telegram for internal communications. Period.
2. Migrate all sensitive channels to Signal or Wire. Train staff on how to use them.
3. Use Telegram only for public broadcasts - press releases, event announcements, non-sensitive updates.
4. Require two-factor authentication on all accounts - even public ones.
5. Never save sensitive documents in Telegram chats. Use encrypted cloud storage instead.
6. Conduct a security audit of all communication tools by June 2025. Document every platform used and why.

Gartner and Forrester both issued advisories in early 2025 warning governments not to use Telegram for any communications involving national security, protected sources, or sensitive operations. If your agency’s legal team hasn’t reviewed this yet, they should.

The Bottom Line

Telegram isn’t broken. It was designed this way - for mass appeal, not security. Its architecture is built for convenience, not confidentiality. And now, with its leadership under pressure and its infrastructure exposed, it’s no longer a tool for free expression - it’s a surveillance vector.

Governments and NGOs have a duty to protect their staff, their sources, and their missions. That means making hard choices. Using Telegram for news is fine. Using it for coordination? That’s not bravery. That’s negligence.

The safest message you can send isn’t the fastest one. It’s the one that can’t be intercepted.