Hong Kong Protesters Fear Telegram Is Revealing Their Identities
In the summer of 2019, Hong Kong saw massive protests sparked by proposed amendments to the existing extradition law. If passed, these changes would allow Hong Kong to extradite suspects to jurisdictions with which it has no formal extradition agreements, including Taiwan, Macau, and mainland China. Over time, the protests evolved to include demands for police accountability due to harsh actions against demonstrators, as well as calls for the resignation of the city’s chief executive. The mass protests are ongoing.
According to media reports, protesters have been coordinating their actions primarily through Telegram. However, journalists at ZDNet noted that many participants do not fully understand how the app works and have accused its developers of a dangerous oversight.
The Privacy Concern
Telegram allows users to set their privacy level and decide who can see their phone number, including an option for “Nobody.” However, Hong Kong protesters discovered that choosing this setting does not guarantee that their number will remain completely hidden. In theory, an attacker could add tens of thousands of phone numbers to their device’s address book, join a Telegram group, and sync their contacts with the app. As a result, Telegram would reveal which numbers have active accounts and are members of the protest group.
This means that law enforcement or intelligence agencies could collect protesters’ phone numbers and then compel local mobile operators to disclose the identities of the owners.
Community Response and Developer Reaction
After this issue was discussed on popular Hong Kong forums, a group of local engineers published a warning (noting that the vulnerability is easy to automate and exploit) and tried to contact Telegram’s developers to fix the problem. The authors of the warning stated that the flaw hinders the coordination of future demonstrations and puts protest group members at risk, as the government is likely already aware of and using the bug. They suggested that, unless the issue is resolved, the only solution is to use disposable or “burner” SIM cards.
Protesters are reluctant to switch to other messaging apps, saying that Telegram is better suited for managing large groups, while alternatives like Signal and Wire are limited to a few hundred members per group. Additionally, Signal also reveals users’ phone numbers.
ZDNet journalists not only highlighted the concerns of Hong Kong users but also reached out to Telegram’s developers for comment. The Telegram team responded that the app already has mechanisms in place to prevent such attacks.
Telegram’s Defense and Remaining Risks
According to the developers, a bot used to extract phone numbers—demonstrated in screenshots by Hong Kong protesters—was only able to operate for two seconds before being deactivated. During that time, it managed to import just 85 contacts, not the 10,000 claimed. Furthermore, after being banned from importing contacts, a user can add no more than five new numbers per day. Any additional contacts will appear as if they do not use Telegram, even if they actually do.
Unfortunately, this protection can be bypassed. For example, multiple bots can be created to extract phone numbers, which would not be difficult, especially for law enforcement or government agencies.
Protesters are also frustrated that, despite selecting “Nobody” in the privacy settings, they expected their phone numbers to be completely hidden. Telegram’s developers responded that this setting has never worked that way. Like WhatsApp and Facebook Messenger, Telegram is based on phone contacts, meaning users can see which of their contacts also use the app. While privacy settings allow some control over phone number visibility, they clearly warn that people in your address book can still “see” you, even if you select “Nobody.”
- Our other channels
- Our friends and partners