Telegram publishes users' locations online

&gt;[Line] fixed it by adding a random number to the user&#x27;s destination<p>This is a imperfect solution. There&#x27;s two possibilities: the offset (aka &quot;random number&quot;) is dynamic, or it&#x27;s fixed. If it&#x27;s the former all you have to do is sample enough times to get through the noise. If it&#x27;s the latter, it&#x27;s not vulnerable to the previous attack, but if you have a known point of reference (so you can deduce what the offset is), then you can still stalk them (forever?). IMO the only way to do is &quot;properly&quot; is to quantize people into map cells, like how apple does it with their coarse location feature[1].<p>[1] &quot;Apple doesn&#x27;t reduce the accuracy of location fixes by adding noise. Instead, they&#x27;ve carved up the world into regions, allowing approximate locations to preserve the user&#x27;s current city when possible.&quot; <a href="https:&#x2F;&#x2F;radar.io&#x2F;blog&#x2F;understanding-approximate-location-in-ios-14" rel="nofollow">https:&#x2F;&#x2F;radar.io&#x2F;blog&#x2F;understanding-approximate-location-in-...</a>

A user does not show up in “People nearby” unless they enable the function. Doing so triggers a warning from Telegram informing you your location is about to be published and it may lead to undesired attention so it really can’t happen by accident.<p>I’m also using the app on iOS, the operating system asks periodically if I want to continue sharing location in the background (in case I forget to turn it off) or I can just choose to enable it while using the app (which is what I usually do).

Clickbait.<p>User explicitly shares location to all people nearby, discovers it is accessible to all people. Feature is disabled by default, and user must find this and enable it. They are not even prompted to enable it unless they seek it.

The ability to find user locations via triangulation is overlooked in a <i>lot</i> of products - it&#x27;s easy to not think twice when showing a user the distance between themselves and someone else.<p>In my own products I fix this by aggressively rounding&#x2F;adding noise before the distance calculation is performed, and then rounding again afterwards, or quantizing into ranges (e.g. &#x27;0-10 miles&#x27;). Other solutions can be storing locations imprecisely to begin with, using pre-defined geobuckets, and so on, although remember that randomness by itself can be bypassed with enough queries since it will average out. It&#x27;s rare that you need to know <i>exactly</i> how far away someone is from you rather than a rough approximation. Telegram is definitely not the only product with this issue, but hopefully they fix it even so.

Triangulation is often used incorrectly instead of trilateration as in this article. Since the author is dealing with distances and not angles it’s trilateration.<p><a href="https:&#x2F;&#x2F;gis.stackexchange.com&#x2F;questions&#x2F;17344&#x2F;differences-between-triangulation-and-trilateration" rel="nofollow">https:&#x2F;&#x2F;gis.stackexchange.com&#x2F;questions&#x2F;17344&#x2F;differences-be...</a>

On the &quot;People Nearby&quot; page in the Telegram app it specifically says<p>Quickly add people nearby <i>who are also viewing this section</i> ...<p>If a user is not specifically on that page, they are not listed in the section. The user most likely wants the world (or strangers) to know his position.<p>This case shows precise localization can be a double-edge sword. But instead of fuzzing the returned location, we should educate the people on privacy implications of showing their position to the public.

It&#x27;s a shame that people still use Telegram when Signal is so much better, and has better credentials all around.

Please change title so that it reflects that shared location is only for those who explicitly enabled feature to do so and not implicitly that all users location is shared.

Hmm...So I have Telegram installed via F-Droid (so presumably without Google Play Services). I do NOT have the &quot;People Nearby&quot; feature. I am curious if that means my location is not published?

More systems need to truncate location data. It is relatively &quot;easy&quot; to solve this particular issue by just not returning highly specific data. Instead of saying &quot;896m&quot;, return &quot;&lt;1km&quot; or &quot;1km-3km&quot; etc. Can you still abuse the data to some extent? Yes in theory, but it&#x27;s significantly harder and takes a lot more work to get anything reasonable.<p>You can also truncate the data you have on users. 2 digits of Decimal_degrees precision is +&#x2F;- 1KM. If you&#x27;re doing an Uber-like service, knowing where a user is down to a few feet makes a different (which side of the street). But if you&#x27;re just concerned with &quot;Hey people nearby you are using this app too&quot; (which is all too common).. Do you really need to know&#x2F;save&#x2F;keep where a user is beyond 1 sq km? No, you don&#x27;t.<p>Yes, Apple has a coarse data that does something like this, but take it that one step farther. Don&#x27;t need the info? Don&#x27;t collect it (your app doesn&#x27;t need to send it) and don&#x27;t store it.

Now that my phone supports it, I just installed Wire. I wish their desktop version had more options regarding appearance, for one. Honestly, it would not take much to implement giving us, users the choice to change a couple of things.<p>I hate it how I cannot make the left bar less wide, for example, and there are a couple of more complains, all of which have been reported a long time ago. They are easy to add&#x2F;fix!<p>I also wish the desktop version supported sending audio messages just like the Android version does, similarly to WhatsApp. No need for these fancy audio filters, just let me record and send an audio message from the desktop version!

You might want to change the title to something not as clickbaity and misleading.

so i know some people around me who are using telegram and very likely most of them did not change anything about their privacy settings as usual. However, i do not see any of them in the list and it even shows me users some 10km away. When viewing this list on the top it has a button to make yourself visible so i assume if you don&#x27;t do it voluntarily its not broadcasted at all which appears to be a non issue then, like he was already told.

This reminds me of a study done more than 5 years ago on this exact problem.<p><a href="https:&#x2F;&#x2F;www.wired.com&#x2F;2016&#x2F;05&#x2F;grindr-promises-privacy-still-leaks-exact-location&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.wired.com&#x2F;2016&#x2F;05&#x2F;grindr-promises-privacy-still-...</a><p>Gay Dating Apps Promise Privacy, But Leak Your Exact Location<p>Researchers in Kyoto demonstrate for WIRED how they can precisely track the locations of people using Grindr, Hornet, and Jack&#x27;d despite features meant to hide them.<p>The mentioned research paper is here: <a href="https:&#x2F;&#x2F;arxiv.org&#x2F;pdf&#x2F;1604.08235.pdf" rel="nofollow">https:&#x2F;&#x2F;arxiv.org&#x2F;pdf&#x2F;1604.08235.pdf</a>

After going into the &#x27;People nearby&#x27; I do not see any option to disable. I do see &#x27;Make myself visible&#x27; option and a list of nearby users. (on iPhone)<p>I wonder if this will be sufficient?

- Clickbait headline<p>- Of course this shouldn&#x27;t be possible, what is up with Telegram? At last make publishing your precise location optional (within that feature) with a good warning!

This is less of an issue in highly dense urban areas, such as typical east-asian metropolises. If you live in a building with 2000 other people, it becomes less concerning.<p>It seems like it would be rather easy to create an automated tool for triangulating users locations; by spoofing the GPS location of ones phone say 33 times, it should be very easy to triangulate every single person in the &#x27;nearby&#x27; section.

So in the article, the author was able to find the x- and y- coordinates of the other user. What if the target user lives in a high rise building, is there any technique you can get the height of the said user? Makes me wonder how the law enforcement is able to tri-angulate the suspect&#x27;s exact location.

Maybe this would be a little to confusing for users, but perhaps apps that have an option to publish your location should have an option to automatically disable location publishing when you are near home, or even better when you are near any location on a user-specified list of locations.

&gt; If this feature is enabled on your phone, you&#x27;re publishing your home address online.<p>Depending on your definition of &#x27;online&#x27; this is true of any app you use.<p>Telegram could at least take a similar approach to Tinder, who have already learnt from a similar mistake.

Signal puts your safety first because of the organization behind it.<p>Telegram will continue to expose its most sensitive users over novel features while they try to capitalize on use of the Signal protocol. The profit motivation predicted this.<p>Don&#x27;t trust Telegram.

I&#x27;ve asked family to switch to Telegram because I didn&#x27;t want Facebook to read my data. What shall I do then? Revert to WhatsApp, which I still have for those who can&#x27;t be bothered by choosing a different tool?

Oddly enough, I don&#x27;t see that feature in Telegram FOSS from F-Droid

iOS recently introduced per-app “Precise Location” toggle in Settings.<p>Turning this toggle off is a great mitigation for apps who haven’t fixed or clarified how they handle such triangulation attacks.

I used the &quot;people nearby&quot; feature once, and I kept getting random messages from random people 2 months later. I could not figure out how the hell to turn it off.

“Users in the People Nearby section” Is that everyone on telegram or just your “friends”?

So wait by showing your location on the map you show your location on the map? Scandal.

I discovered a bug too. If you ask a user to give you their location, this can be used to find out where they are!

I can confirm on Android it does not warn you people will&#x2F;could know your precise location in anyway.<p>It implies it&#x27;s only &#x27;nearby&#x27; with a warning about people you don&#x27;t know messaging you.<p>Claims the app warns you or the user should know are either everything wrong with IT, or perhaps iOS is different.

Telegram has so many anti features and dark patterns that I really wish it was less popular. I honestly use WhatsApp over Telegram because at least I know WhatsApp is insecure while people sometimes act like Telegram is a secure platform.

It’s a good first step but not enough. I was scammed a while back on Telegram and wish I had been able to also see the persons real identity to recover my money. Location is not enough to go on.<p>Perhaps TG should publish an API to allow people to see any users government ID if they are scammed.