Telegram Privacy Best Practices?

I'm using the node-red-contrib-telegrambot for home video security. I've configured its nodes:

  • to send video clips from Node-Red to my smart phone, and also
  • to receive /commands from my smart phone.

When I delete a video clip in my bot using the Telegram app, I get a message that says:

This will delete it just for you

This got me wondering about what is going on with Telegram's privacy. I do not want others to see my video clips, nor to send commands to my Node-Red system.

As background, I don't have much experience with Telegram. Do other users or groups need to request access from me to see my chat or send commands?

As a start, I used BotFather:

  • to ensure "Allow Groups" was disabled, and
  • under "Group Privacy", I set "Forbid users to add [my_bot] to groups". It now says "Privacy Mode".

Is there anything else that I should do? Is there a way I can verify that my bot and chat are private?

Background
I used BotFather to create my Telegram bot, username, and token. Then I used curl to get the chat ID.

In general, Telegram is OK, but you should treat some of its claims about privacy with some skepticism, since it has become clear that chats are not always end-to-end encrypted; it appears as though chats might still be accessible to Telegram staff. This is not generally an issue since most cloud services are the same.

However, unless you are involved with anti-government groups in some extreme countries, it appears to be reasonably private.

If you wanted much higher levels of security and privacy, you would need to switch to using something like Signal. However, creating bots for such secure services is a whole lot harder.

One other thing you can do in the node's config is to limit the chat IDs that the bot will listen to. This only impacts the Node-RED end of things but would prevent attackers from issuing commands unless they had managed to get into your group. You can also limit interactions with a bot to your own personal chat ID as well so that any interactions from groups would be ignored.


Thanks Julian.

I'm not dealing with highly sensitive privacy issues. I just don't want to leave Telegram settings open to the public to access my home video clips or control my Node-Red system. I'm just trying to figure out how to configure the privacy "fences" between Telegram's bots, groups, channels, users, etc.

I just double-checked and had already configured the Telegram config node to only authorize my Chat ID. And yes, I used BotFather to disable groups for my bot. So it sounds like I've done all I can do with the Telegram settings. Thanks.

I see that Node-Red messages coming out of the Telegram Command node also include 'first_name', 'last_name', and 'username', so I can check those before processing these commands.

[Image: command node output]

I also found some settings in the Command node:

  • Register at telegram server (optional)
    • Default
    • Private Chats
    • Group Chats
    • Chat Administrators
  • Strict in group chats (optional)

I will explore the node's github code/issues further to try to interpret.
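
The sender check discussed in the posts above, as an added example that is not part of the original thread or the node's own code. Because `first_name`, `last_name` and `username` can be edited by the account holder, it keys on the numeric `from.id` and `chat.id` instead. It assumes the Telegram node attaches the raw Bot API message as `msg.originalMessage`; the IDs and command names are constructed placeholders.

```javascript
// Added example. Assumption: the Telegram node attaches the raw Bot API
// Message as msg.originalMessage (from.id, chat.id, chat.type, text).
const POLICY = {
  allowedUserIds: new Set([111111111]),          // constructed placeholder
  allowedChatIds: new Set([111111111]),          // private chat ID == user ID
  allowedCommands: new Set(['/arm', '/disarm']), // hypothetical commands
};

function authorizeCommand(msg, policy = POLICY) {
  const om = (msg && msg.originalMessage) || {};
  const from = om.from || {};
  const chat = om.chat || {};
  // Numeric IDs are assigned by Telegram; names and usernames are user-editable.
  if (!Number.isInteger(from.id) || !policy.allowedUserIds.has(from.id)) {
    return { allowed: false, reason: 'sender-not-allowlisted' };
  }
  if (from.is_bot === true) return { allowed: false, reason: 'sender-is-bot' };
  if (chat.type !== 'private' || !policy.allowedChatIds.has(chat.id)) {
    return { allowed: false, reason: 'chat-not-allowlisted' };
  }
  // Accept "/arm" and "/arm@my_bot"; ignore arguments after the command.
  const command = String(om.text || '').trim().split(/\s+/)[0].split('@')[0];
  if (!policy.allowedCommands.has(command)) {
    return { allowed: false, reason: 'command-not-allowlisted' };
  }
  return { allowed: true, reason: 'ok', command };
}

// Constructed sample messages (not captured traffic).
const SAMPLE_OWNER = { originalMessage: {
  from: { id: 111111111, is_bot: false, first_name: 'Pat', username: 'pat_home' },
  chat: { id: 111111111, type: 'private' }, text: '/arm now' } };
// Same display name and username, different numeric ID: must be rejected.
const SAMPLE_LOOKALIKE = { originalMessage: {
  from: { id: 222222222, is_bot: false, first_name: 'Pat', username: 'pat_home' },
  chat: { id: 222222222, type: 'private' }, text: '/arm now' } };
```

In a function node, call `authorizeCommand(msg)` and `return null` when `allowed` is false so the flow stops there. Logging `reason` with `node.warn` leaves a record of rejected attempts.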

Looks like you've got things well covered.

Using Signal in Node-Red is not that difficult. Unfortunately, the available contrib-node went dead almost 2 years ago, but back then I created an example flow for using another containerised API.

In the meantime I moved to yet another solution (signald with tcp), which I should write a new flow about 🙂, but the gist is that using Signal is not too complicated and it can be considered very secure.


Thanks for that. I must have another look since I already use Signal for work as a backup for if/when MS Teams fails & discussions with certain organisations that need slightly higher levels of privacy. 😉

Though to be honest, my minimal use of Telegram just works and is plenty good enough for home automation use even for the mildly paranoid like me. 🙂
