Telegram retains deleted messages?
This story is from the Belarusian section of the internet, and I doubt it'll reach a broader audience, yet I think it should. I'm not going to translate the whole article but will take a few excerpts that I find concerning. It's hard to say whether the information in the piece is completely true, but I'm inclined to trust Zerkalo, they've been around for a while.
Kirył cleaned his account in 2021: deleted some conversations and messages, search history, and the block list. In 2024, when he was interrogated by GUBOPiK (Main Directorate for Combating Organized Crime and Corruption), they had a desktop version of Telegram open with fresh conversations but also everything he deleted: conversations, separate messages, media, content from before 2021. Kirył says his account was secure: it had complicated password, 2FA, recovery email.
He doesn't state whether he checked for other active sessions, but even if GUBOPiK had access to his account, when Kirył deleted content from his phone, it should've disappeared from their client too (by design). It didn't, which means they either have a client that ignores deletions initiated by the server, or Telegram did not delete the data at all and GUBOPiK has privileged access to it.
The article also links to a week-old story, also about data that was not deleted from Telegram servers, despite the user explicitly asking to do so:
Alesia deleted her chat with a friend, selecting “Also delete for {friend}” while doing so. They had another conversation, which was deleted in the same way. A few days later, she installed Telegram on a new iPhone, and after that the friend told her that the deleted messages reappeared in his desktop Telegram client.
A couple of observations: the messages likely were not removed from Telegram servers, and were restored after a semi-related trigger.
Cyber Partizans and investigative journalist Anderj Zacharaŭ both say that this has happened before, but it's unclear whether this is a bug or intended bahviour.
As a summary, I'll quote Andrej:
Given Telegram's vulnerability and its deliberate rejection of end-to-end encryption, I simply wouldn't conduct any important correspondence there. It's unclear how to delete correspondence if it stays on the servers even for a short time. I don't even know if deleting your account would help.