Watch Nearby!: Privacy Analysis of the People Nearby Service of Telegram

Maurantonio Caprolu; Savio Sciancalepore; Aleksandar Grigorov; Velyan Kolev; Gabriele Oligeri

doi:10.1145/3643833.3656121

Watch Nearby! Privacy Analysis of the People Nearby Service of Telegram

Maurantonio Caprolu, Savio Sciancalepore, Aleksandar Grigorov, Velyan Kolev, Gabriele Oligeri

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

4 Downloads (Pure)

Abstract

People Nearby is a service offered by Telegram that allows a user to discover other Telegram users, based only on geographical proximity. Nearby users are reported with a rough estimate of their distance from the position of the reference user, allowing Telegram to claim location privacy. In this paper, we systematically analyze the location privacy provided by Telegram to users of the People Nearby service. Through an extensive measurement campaign run by spoofing the user's location all over the world, we reverse-engineer the algorithm adopted by People Nearby to compute distances between users. Although the service protects against precise user localization, we demonstrate that location privacy is always lower than the one declared by Telegram (500∼meters). Specifically, we discover that location privacy is a function of the geographical position of the user. Indeed, the radius of the location privacy area (localization error) spans between 400∼meters (close to the equator) and 128∼meters (close to the poles), with a difference of up to 75% (worst case) compared to what Telegram declares. After our responsible disclosure, Telegram updated the FAQ associated with the service. Finally, we provide some solutions and countermeasures that Telegram can implement to improve location privacy. In general, the reported findings highlight the significant privacy risks associated with the use of the People Nearby service.

Original language	English
Title of host publication	WiSec '24
Subtitle of host publication	Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks
Place of Publication	New York
Publisher	Association for Computing Machinery, Inc.
Pages	20-30
Number of pages	11
ISBN (Electronic)	979-8-4007-0582-3
DOIs	https://doi.org/10.1145/3643833.3656121
Publication status	Published - 27 May 2024
Event	17th ACM Conference on Security and Privacy in Wireless and Mobile Networks. WiSec 2024 - Seoul, Korea, Republic of Duration: 27 May 2024 → 29 May 2024

Conference

Conference	17th ACM Conference on Security and Privacy in Wireless and Mobile Networks. WiSec 2024
Abbreviated title	WiSec 2024
Country/Territory	Korea, Republic of
City	Seoul
Period	27/05/24 → 29/05/24

Funding

This research was made possible by the INTERSECT project, Grant ID NWA.1162.18.301, funded by Netherlands Organisation for Scientific Research (NWO). The contents herein are solely the responsibility of the author(s).

Keywords

instant messaging apps
localization
location privacy
telegram

Access to Document

10.1145/3643833.3656121

pdfFinal published version, 7.13 MBLicence: CC BY-NC

Cite this

@inproceedings{92ff002e5e7b44938cfc0824bb03ebd0,

title = "Watch Nearby!: Privacy Analysis of the People Nearby Service of Telegram",

abstract = "People Nearby is a service offered by Telegram that allows a user to discover other Telegram users, based only on geographical proximity. Nearby users are reported with a rough estimate of their distance from the position of the reference user, allowing Telegram to claim location privacy. In this paper, we systematically analyze the location privacy provided by Telegram to users of the People Nearby service. Through an extensive measurement campaign run by spoofing the user's location all over the world, we reverse-engineer the algorithm adopted by People Nearby to compute distances between users. Although the service protects against precise user localization, we demonstrate that location privacy is always lower than the one declared by Telegram (500∼meters). Specifically, we discover that location privacy is a function of the geographical position of the user. Indeed, the radius of the location privacy area (localization error) spans between 400∼meters (close to the equator) and 128∼meters (close to the poles), with a difference of up to 75\% (worst case) compared to what Telegram declares. After our responsible disclosure, Telegram updated the FAQ associated with the service. Finally, we provide some solutions and countermeasures that Telegram can implement to improve location privacy. In general, the reported findings highlight the significant privacy risks associated with the use of the People Nearby service.",

keywords = "instant messaging apps, localization, location privacy, telegram",

author = "Maurantonio Caprolu and Savio Sciancalepore and Aleksandar Grigorov and Velyan Kolev and Gabriele Oligeri",

year = "2024",

month = may,

day = "27",

doi = "10.1145/3643833.3656121",

language = "English",

pages = "20--30",

booktitle = "WiSec '24",

publisher = "Association for Computing Machinery, Inc.",

address = "United States",

note = "17th ACM Conference on Security and Privacy in Wireless and Mobile Networks. WiSec 2024, WiSec 2024 ; Conference date: 27-05-2024 Through 29-05-2024",

}

Caprolu, M, Sciancalepore, S, Grigorov, A, Kolev, V & Oligeri, G 2024, Watch Nearby! Privacy Analysis of the People Nearby Service of Telegram. in WiSec '24: Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks. Association for Computing Machinery, Inc., New York, pp. 20-30, 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks. WiSec 2024, Seoul, Korea, Republic of, 27/05/24. https://doi.org/10.1145/3643833.3656121

Watch Nearby! Privacy Analysis of the People Nearby Service of Telegram. / Caprolu, Maurantonio; Sciancalepore, Savio; Grigorov, Aleksandar et al.
WiSec '24: Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks. New York: Association for Computing Machinery, Inc., 2024. p. 20-30.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Watch Nearby!

T2 - 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks. WiSec 2024

AU - Caprolu, Maurantonio

AU - Sciancalepore, Savio

AU - Grigorov, Aleksandar

AU - Kolev, Velyan

AU - Oligeri, Gabriele

PY - 2024/5/27

Y1 - 2024/5/27

N2 - People Nearby is a service offered by Telegram that allows a user to discover other Telegram users, based only on geographical proximity. Nearby users are reported with a rough estimate of their distance from the position of the reference user, allowing Telegram to claim location privacy. In this paper, we systematically analyze the location privacy provided by Telegram to users of the People Nearby service. Through an extensive measurement campaign run by spoofing the user's location all over the world, we reverse-engineer the algorithm adopted by People Nearby to compute distances between users. Although the service protects against precise user localization, we demonstrate that location privacy is always lower than the one declared by Telegram (500∼meters). Specifically, we discover that location privacy is a function of the geographical position of the user. Indeed, the radius of the location privacy area (localization error) spans between 400∼meters (close to the equator) and 128∼meters (close to the poles), with a difference of up to 75% (worst case) compared to what Telegram declares. After our responsible disclosure, Telegram updated the FAQ associated with the service. Finally, we provide some solutions and countermeasures that Telegram can implement to improve location privacy. In general, the reported findings highlight the significant privacy risks associated with the use of the People Nearby service.

AB - People Nearby is a service offered by Telegram that allows a user to discover other Telegram users, based only on geographical proximity. Nearby users are reported with a rough estimate of their distance from the position of the reference user, allowing Telegram to claim location privacy. In this paper, we systematically analyze the location privacy provided by Telegram to users of the People Nearby service. Through an extensive measurement campaign run by spoofing the user's location all over the world, we reverse-engineer the algorithm adopted by People Nearby to compute distances between users. Although the service protects against precise user localization, we demonstrate that location privacy is always lower than the one declared by Telegram (500∼meters). Specifically, we discover that location privacy is a function of the geographical position of the user. Indeed, the radius of the location privacy area (localization error) spans between 400∼meters (close to the equator) and 128∼meters (close to the poles), with a difference of up to 75% (worst case) compared to what Telegram declares. After our responsible disclosure, Telegram updated the FAQ associated with the service. Finally, we provide some solutions and countermeasures that Telegram can implement to improve location privacy. In general, the reported findings highlight the significant privacy risks associated with the use of the People Nearby service.

KW - instant messaging apps

KW - localization

KW - location privacy

KW - telegram

UR - http://www.scopus.com/inward/record.url?scp=85198085898&partnerID=8YFLogxK

U2 - 10.1145/3643833.3656121

DO - 10.1145/3643833.3656121

M3 - Conference contribution

SP - 20

EP - 30

BT - WiSec '24

PB - Association for Computing Machinery, Inc.

CY - New York

Y2 - 27 May 2024 through 29 May 2024

ER -