If you are a journalist today, you probably have five different messaging apps open at once. You're juggling a lead on Signal, a tip on WhatsApp, and a massive leak in a Telegram group. But here is the uncomfortable truth: just because a chat is "private" doesn't mean your source is safe, and it certainly doesn't mean the information is true. Using these apps for source verification isn't as simple as hitting 'send'. In fact, relying on the wrong platform for the wrong type of conversation can leave your sources exposed to surveillance or your reporting open to disinformation.
The core problem is that we often confuse privacy with security. Privacy is about who can see your data; security is about how that data is protected from being stolen. When we talk about "closed messaging apps," we are looking at platforms like Telegram, a cloud-based messaging service known for its massive group capacities and broadcast channels, Telegram Messenger, Signal, an open-source encrypted messaging app focused on maximum privacy, and WhatsApp, a widely used messaging platform owned by Meta that uses the Signal Protocol for encryption. While they all look similar on your home screen, their inner workings are worlds apart.
The Encryption Trap: Default vs. Opt-In
Most people assume that if they are using an app like Telegram, their messages are automatically locked away from prying eyes. That is a dangerous assumption. Unlike Signal or WhatsApp, where End-to-End Encryption (E2EE), a system of communication where only the communicating users can read the messages is the default for every single chat, Telegram handles things differently.
In Telegram, your standard chats are not end-to-end encrypted. They are encrypted between the client and the server, meaning Telegram itself holds the keys. To get true E2EE, you have to manually start a "Secret Chat." If you're talking to a whistleblower and you haven't clicked that specific button, your conversation is stored on a cloud server. For a journalist, this is a critical vulnerability. If a government agency subpoenas the platform or a server is breached, the plaintext of those messages could be accessible.
Then there is the matter of the "homemade" protocol. Telegram uses its own encryption system called MTProto, a proprietary encryption protocol developed by Telegram. While Telegram claims it's secure, the global cryptography community is skeptical. Why? Because it isn't a standardized, peer-reviewed protocol like the Signal Protocol used by Signal and WhatsApp. When security experts can't independently verify the math behind the lock, the lock is only as good as the company's word.
The Group Chat Dilemma
This is where things get really tricky for newsrooms. Telegram is famous for its scale. You can have "Supergroups" with up to 200,000 members or "Channels" with an unlimited number of subscribers. For distributing news to a mass audience, it's a powerhouse. But for gathering sensitive information? It's a liability.
Here is the deal-breaker: no group chat on Telegram is end-to-end encrypted. Not the small 3-person editorial brainstorm, and not the 10,000-person activist hub. If you are coordinating a sensitive story with a team of sources in a Telegram group, that data is sitting on a server. Compare this to Signal, where every single group chat is encrypted by default. If your primary goal is protecting a group of collaborators, Signal is the only logical choice.
| Feature | Telegram | Signal | |
|---|---|---|---|
| Default E2EE | No (Opt-in) | Yes | Yes |
| Group E2EE | None | Yes | Yes |
| Protocol | MTProto (Proprietary) | Signal Protocol (Open) | Signal Protocol (Open) |
| Max Group Size | 200,000 members | Moderate | Moderate |
| Metadata Collection | High (IP, Contacts) | Minimal | Moderate |
Metadata: The Invisible Paper Trail
Even if your messages are encrypted, the "envelope" they come in tells a story. This is called metadata-the data about the data. Telegram collects a surprising amount of it: your IP address, your contact list, the groups you belong to, and your last sign-in time. They can store this for up to 12 months.
For a source who needs to remain anonymous, metadata is often more dangerous than the message content. If a security service can prove that a specific phone number (the source) was communicating with a specific journalist at 3:00 AM from a specific city, the content of the message doesn't even need to be decrypted to blow the source's cover. Signal minimizes this by design, while Telegram's cloud-centric model makes it a metadata goldmine.
Furthermore, Telegram moderators have the ability to access flagged messages to combat spam. While this is a necessary feature for managing a platform of millions, it confirms that the wall between the user and the platform isn't absolute. If your source's identity is a matter of life and death, you cannot afford to have a moderator-or a hacker who gains moderator access-peeking into the conversation.
Verification vs. Encryption
Now, let's tackle the biggest misconception in digital journalism: the belief that a secure app equals a verified source. Encryption protects the pipe through which the information flows, but it says nothing about the person at the other end of the pipe. In fact, the very things that make closed apps great for privacy-low barriers to entry and lack of algorithmic curation-make them perfect for disinformation.
Because these apps don't have the same public-facing identity checks as a verified Twitter/X account or a corporate email, anyone can claim to be a government official or a high-ranking whistleblower. We've seen a rise in coordinated campaigns using Telegram channels to seed fake documents that look authentic because they arrived via a "secure" channel. The psychological effect is powerful: if the source is using a "secret app," the journalist is more likely to trust the info without the usual skepticism.
To avoid this, you need a verification protocol that exists outside the app. This means cross-referencing a tip with secondary sources, verifying documents via forensic analysis, or using "out-of-band" verification (like a physical meeting or a known voice call) to confirm who is actually typing on the other end.
Practical Guidelines for News Organizations
Choosing an app isn't about finding the "perfect" one; it's about matching the tool to the risk level. If you are just coordinating a lunch meeting with a colleague, Telegram's stickers and ease of use are great. If you are handling state secrets, you need a different approach.
- For Mass Distribution: Use Telegram Channels. They are unparalleled for getting a story out to thousands of people instantly without an algorithm hiding your post.
- For High-Risk Source Communication: Use Signal. The default E2EE and minimal metadata collection provide the strongest shield for both the journalist and the source.
- For Casual Networking: WhatsApp is acceptable due to its ubiquity and default encryption, though it collects more metadata than Signal.
- For Group Collaborations: Avoid Telegram for sensitive editorial discussions. Move the team to Signal to ensure that the group's metadata and contents are encrypted.
Remember, the weakest link is usually the human, not the software. A secure app is useless if your source uses a phone linked to their real identity or if you forget to turn on "Secret Chats" in Telegram. Education is the only way to bridge the gap between having a secure tool and actually being secure.
Is Telegram safer than WhatsApp for journalists?
It depends on the use case. For mass broadcasting, Telegram is superior. However, for one-on-one source protection, WhatsApp is actually safer by default because it uses end-to-end encryption for all chats. In Telegram, you must manually enable "Secret Chats" to get the same level of protection.
Are Telegram groups encrypted?
No. Regardless of the size-from a small group to a Supergroup of 200,000-Telegram groups do not use end-to-end encryption. They are stored on Telegram's cloud servers, meaning the company technically has access to the messages.
Why do experts prefer Signal over Telegram?
Signal is preferred because everything is encrypted by default, it collects almost zero metadata, and it uses the open-source Signal Protocol, which has been independently audited and peer-reviewed by cryptographers worldwide.
Can I verify a source's identity using only a messaging app?
No. Encryption only ensures that no one else can see the conversation; it does not prove who the sender is. You must use traditional journalistic methods, such as cross-referencing information and verifying documents, to authenticate a source.
What is the risk of using "Secret Chats" in Telegram?
The main risk is human error. Since Secret Chats are opt-in, it's easy to start a regular chat by mistake, leaving your conversation unencrypted on the cloud. Additionally, they only work for one-on-one conversations, not groups.
