FSB warns Russians off Telegram

Russia’s security service is suddenly warning citizens not to use Telegram — a platform the Kremlin has alternately tried to block, co-opt, and exploit. Der Spiegel reports that the FSB is telling Russians that Telegram use is risky, urging “security” precautions that, read plainly, amount to a demand for communications to migrate into ecosystems where the state can compel access.

Technically, the FSB’s implied threat model is not that Telegram’s end-to-end encryption is “broken” (most Telegram chats are not end-to-end encrypted at all; only “Secret Chats” are), but that the device and network environment are. If the state can compromise endpoints — via malware, forced “updates,” physical seizure, or coercion of administrators — encryption becomes a footnote. Likewise, if the state can insert itself into distribution and authentication, it doesn’t need to crack cryptography; it can swap clients, inject spyware, or harvest metadata at scale.

That is the real subtext of the warning: metadata and client control. Telegram’s architecture already leaves a lot of room for metadata collection in ordinary cloud chats (who talks to whom, when, from which IPs/devices), and Russia has long demonstrated that it prioritizes this layer. A state that can pressure telecoms, ISPs, app stores, certificate authorities, and domestic hosting providers can build a practical man-in-the-middle environment without ever claiming to “decrypt” anything.

But the FSB’s message is also politics disguised as engineering. Telegram is one of the last mass channels in Russia where opposition figures, investigative outlets, and war reporting communities can still reach large audiences quickly — even if they do so under persistent surveillance and intermittent takedowns. A public “security” warning functions as a nudge (and a pretext) toward domestically controllable alternatives, where the state can demand not merely metadata but also key material, logging, and content moderation — the kind of compliance that’s easiest when the company’s executives, servers, and payment rails sit inside the jurisdiction.

The FSB is not warning Russians about state surveillance; it is warning them about the inconvenience of using a platform the state does not fully command. In authoritarian systems, “secure” can mean “securely governable.” For users, the advice remains old-fashioned and unglamorous: assume the endpoint is the weakest link; minimize identifiable metadata; separate identities; and don’t confuse a messaging app’s brand with a threat model that survives a determined security service.