Somewhere out there, on a server you’ll never see, your messages might be sitting in plaintext. Not intercepted. Not hacked. Just… readable. By design.
I recently tried opening a Telegram channel only to find it had been banned for violating their terms of service. Which raised an obvious question: if Telegram is supposed to be this encrypted, privacy-first platform, how did they know what was in the channel?
The answer is simpler than you’d expect. Telegram’s default chats — including every group and every channel — are not end-to-end encrypted. They use client-server encryption, which means your messages are encrypted between your phone and Telegram’s servers, but Telegram itself can read everything once it arrives. The only exception is their “Secret Chats” feature, which is end-to-end encrypted but limited to one-on-one conversations. You have to manually opt into it every time. Groups and channels don’t get it at all.
So Telegram can moderate content because they have access to it. User reports, automated scanning, government pressure — they have every tool available because the data is right there on their servers.
What about WhatsApp? It’s actually a different story. WhatsApp uses end-to-end encryption by default for all messages, including group chats. Meta cannot read your message content in transit or at rest. But — and this is a significant but — they harvest an enormous amount of metadata: who you talk to, when, how often, your IP address, device fingerprint, contacts list, and group memberships. Metadata alone can paint a remarkably detailed picture of your life without anyone reading a single word you typed. There’s also the backup loophole: if anyone in your chat backs up to Google Drive or iCloud without enabling encrypted backups, those messages land in plaintext on someone else’s cloud.
And when someone reports a message on WhatsApp, the app forwards the decrypted content from the reporter’s device to Meta’s moderation team. So content review still happens — it just takes a different path to get there.
If you actually want private messaging, Signal is the standard. End-to-end encrypted by default for everything — messages, groups, voice calls, video calls. Minimal metadata collection (basically just your phone number and the last time you connected). Open-source protocol. Run by a nonprofit with no advertising business model. It’s what security researchers use, and that tells you something.
Here’s a quick mental model for how to think about it:
Telegram treats encryption as an opt-in feature that most people never activate. WhatsApp encrypts your content but monetizes everything around it. Signal encrypts everything and collects almost nothing.
The lesson is that “encrypted” is not a binary. It matters what’s encrypted, when, and what’s being collected alongside it. The app that feels private and the app that is private are often not the same thing.