Summary

  • Telegram is offering free Premium access to some users in exchange for letting the service use their phone number to send SMS verification codes.
  • Accepting the terms carries risks, opening the door to data leaks, harassment, and spamming.
  • Participating in this “P2PL” program may violate Telegram’s own privacy policy and carriers’ policies against sending automated messages, posing risks to users.



Telegram has started offering some of its users free access to its Premium subscription in exchange for access to their phones for sending out login verification codes via SMS. The feature is potentially a privacy and spam nightmare, as participants will presumably be able to see the numbers that their phones are sending out codes to. Even though they’re not allowed to contact these numbers as per the terms of service, Telegram shouldn’t provide random users with other users’ phone numbers for whatever reason.


The new offer was spotted by Telegram channel Telegram Info English, with the new terms of service calling the feature the “Peer-to-Peer Login Program” (via @AssembleDebug on X). According to screenshots shared by the channel, Telegram shows a splash screen in some regions telling users that they can get Premium for free when they “Help Send Login SMS.” According to the screenshot, this affects 0.01% of the total user base. When users allow access, Telegram will use their phones to send up to 100 SMS verification codes per month to other Telegram users, which gives the person offering their phone free Premium for a month.



Based on the screenshots, accepting the terms of service looks like a matter of ticking a checkbox, with Telegram not ensuring that they’re actually read. This can have serious security consequences for both the senders and receivers, who will see each other’s phone numbers. While Telegram explicitly forbids contacting any of the numbers that a user’s phone sent verification codes to, there is likely no effective technical blocking mechanism in place. Likewise, SMS code receivers could send the sender follow-up questions about the login process or any other message, which Telegram explicitly says senders should ignore.

Telegram writes in its terms of service:

3. Privacy

The architecture of the P2PL Program facilitates the sending of OTPs, while taking great care to protect the privacy of its participants. However, Telegram cannot prevent the OTP recipient from seeing your phone number upon receiving your SMS. Therefore, you acknowledge and agree that you have considered any and all potential repercussions this may entail, and you have taken the necessary precautions to mitigate them as you see fit. Accordingly, you understand and agree that Telegram will not be liable for any inconvenience, harassment or harm resulting from unwanted, unauthorized or illegal actions undertaken by users who became aware of your phone number through P2PL.

3.1 Communication

Conversely, you agree not to contact any OTP recipients outside the scope of your involvement in P2PL. You agree not to send any messages beyond the automated SMS codes generated by your Telegram App, even if the recipient replies to you. You also agree not to otherwise contact or communicate with recipients on any other platforms, including but not limited to Telegram. You acknowledge that sharing or divulging any personal information about recipients, including their phone number, will result in not only your termination from the P2PL program, but may also result in legal action to the extent allowed by applicable law.


To be clear, with this policy, any Telegram user’s phone number could potentially be shared with strangers even if they haven’t opted into the program themselves. They might simply receive an OTP code from one of the phones that participate in the program, potentially leaking their phone number to its owner. Even if the terms of service forbid it, this opens the door to data leaks, harassment, phishing, and spamming. Telegram doesn’t have control over these phones.

In its P2PL terms of service, the company says that the program “may not be available to users in certain regions in accordance with current demand, economic factors, relevant regulatory restrictions and local telecommunications infrastructure.” This seems to indicate that some users protected by privacy laws like the GDPR in Europe or the CCPA in California may not receive codes from numbers that are part of the P2PL program. However, Telegram doesn’t mention the fact that it’s sharing phone numbers with third parties for the purpose of SMS verification at all in its privacy policy or Premium terms of service, indicating that its new P2PL program violates its own privacy policy.


People who join the P2PL program to get free Telegram Premium could also face problems with their mobile service providers. It’s likely that most carriers forbid subscribers from sending automated messages like this through their regular consumer accounts. This is probably why Telegram will only send up to 100 messages a month, but even then, participants could face being banned by their cellular service provider.


Telegram promises privacy but doesn’t follow the industry’s best practices

Given that Telegram is often used by the opposition and protesters in dangerous political climates, leaking users’ phone numbers to other random people can have grave consequences. Telegram routinely claims to be a privacy champion with slogans like “Telegram keeps your messages safe from hacker attacks” and “Telegram messages are heavily encrypted and can self-destruct,” all while it’s one of only a few services that don’t use end-to-end encryption by default, storing (encrypted) messages on its servers. Other services like Signal and WhatsApp only temporarily store encrypted messages in transit. Even though Telegram has further safeguards in place, it all comes down to trusting the company not to share your messages’ contents with others.


With the SMS verification experiment, it looks like Telegram will soon no longer protect its users from being detected as Telegram users, which could already give adverse actors enough information to act against them. We’ve reached out to Telegram for comment and will update the story when we hear back.