Telegram’s Pavel Durov Warns Push Notifications Undermine Privacy

Pavel Durov warns that push notifications create privacy leaks. OS-level logs can store message previews even after deletion, bypassing encryption. Security requires a system-wide approach.

Pavel Durov, the creator of the messaging application Telegram, has recently drawn attention to an additional privacy concern with messaging apps. According to Durov, push notifications are a potential point of vulnerability that can lead to disclosure of data after messages have been deleted.
The issue is being widely discussed, and some have begun to question how well popular messaging applications are protected against unauthorized access or disclosure, and whether their convenience features are contributing to a loss of confidentiality.
How Push Notifications Become a Privacy Risk
Push notifications are designed for ease and efficiency. By showing a preview of incoming messages on the lock screen or in the notification center of a device, they let users view content without having to launch an application.
However, convenience can lead to subtle but potentially grave problems.
For example, when a push notification is sent:
A copy of the notification is often stored in the device's notification system.
The copies are kept on the device whether or not the application is still there.
Even if the notification is deleted, fragments may remain on the device within the operating system.
Durov contends that this persistent data allows users' correspondence to be recovered through means other than the direct communication channels, long after they believe it can no longer be recovered.
FBI Case Raises Alarm Bells
According to Durov, a report from 404 Media points to the fact that the FBI recovered deleted Signal messages from a user.
The revelation in this case is that the messages were recovered not by breaking Signal's encryption but by gaining access to the notification logs stored on the user's iPhone, where previews of the messages were found. That data was out of reach of Signal's end-to-end encryption: because it was stored outside the Signal app, it was exposed to possible theft at the operating system level.
This revelation highlights an uncomfortable truth:
Even the most secure messaging apps can be undermined by the systems they run on.
Why Turning Off Previews Is Not Enough
Many privacy-conscious users disable notification previews, believing this gives their conversations some level of privacy. According to Durov's response, that assumption is incorrect.
He goes on to say that:
The person you’re talking to could have their notifications turned on.
The other person could keep some type of record of the messages sent between both parties, with the content stored in a separate file.
Your personal messages will still be available on your friend's side through their notification log, even though they are not in your notification log.
This means the risk is shared between both people in a conversation: both are exposed if either one makes a mistake.
Encryption vs System Level Exposure
End-to-end encryption is widely advertised as the gold standard of secure communication. Signal and Telegram both market themselves as providing message security via protocol-level end-to-end encryption. Durov's warning reveals some substantial limitations of this.
Encryption is meant to provide security for:
Data that is in transit between users, and
Data that is in the secure environment of the app.
However, end-to-end encryption does not provide security for:
Data that is included in the notification systems on users' devices;
Data that is cached on the user’s operating system; and
Data that is logged by the user’s operating system.
Therefore, security can fail at the edges or the periphery, not in the centre.
Implications for Privacy Focused Users
Pavel Durov's statement suggests that people who use chat apps for personal conversations may want to reconsider whether their assumptions about those applications are valid.
1) Operating System-level Security is Most Important
The operating system (OS) on your mobile device largely dictates how much data becomes exposed. All apps, including those deemed secure or unbreakable, remain subject to how the OS handles notifications.
2) Privacy is a Joint Responsibility
Your overall privacy depends on more than your own privacy settings. The actions of the individuals you are messaging can also have a negative impact on your security.
3) Returning to Point #1: Convenience Comes with a Risk of Exposure
Features such as instant previews or one-click replies offer ease of use but can potentially expose you.
What Can Users Do to Reduce Risk
Users can take actions to reduce their exposure to risks, although there is no perfect solution:
Disable notification previews on every device.
Use apps that block what is displayed in notifications.
Do not share very private information by using standard messaging applications.
Whenever possible, frequently delete notification histories.
Use updated devices with the most recent patches or updates to prevent any security vulnerabilities.
While these steps reduce the risk described in Durov’s warning, they do not mean there is no risk at all.
A Broader Wake Up Call for Messaging Apps
Beyond any individual platform, this issue reflects a deeper structural problem with modern digital communications.
The security of the entire system is defined by its weakest layer.
Even if messaging platforms put a lot of resources into encryption, the entire privacy model for messaging becomes quite weak if operating systems continue to handle notifications containing unencrypted message content.
For developers, this presents some additional questions as well:
Should notification channels be redesigned so that the amount of private data sent through them will be considerably reduced?
Will encrypted notifications become the standard?
What is the proper amount of control that an application should have over system level behaviour?
Conclusion
Pavel Durov's warning regarding push notifications is an example of the blind spots that still exist with regard to privacy on the Internet. In many circumstances, users are focused on encrypting their data and making sure that their applications have sufficient security; however, those small, everyday features designed for convenience might be the greatest area of vulnerability.
The message is clear – deleting a message does not actually delete the message.
Messaging apps continue to grow and adapt to user needs as well as to users' growing awareness of privacy issues. This will require both developers and users to take a fresh look at how they handle personal data beyond just the messaging window. Truly providing privacy in a world where everything is connected and notifications can reveal information will require a comprehensive, system-wide approach.





