DO NOT use Telegram in sensitive applications Telegram's MTProto: Assessing Deanonymization Potential for a Network Attacker blackGNMX-01 https://symbolic.software/pdf/gnmx-01.pd… Telegram's MTProto protocol transmits the auth_key_id, a persistent 64-bit device identifier, in cleartext or trivially obfuscated form. Both Telegram for Android and Telegram Desktop transmit MTProto over unencrypted TCP connections, despite the availability of secure transport alternatives. The auth_key_id remains constant across application restarts, network changes, and extended periods, enabling long-term device tracking by any passive network observer. The vulnerability exists at the transport layer, meaning it affects all Telegram users, including those utilizing end-to-end encrypted Secret Chats or Perfect Forward Secrecy. Perfect Forward Secrecy does not prevent tracking because temporary authorization keys are observable and linkable across key rotations through timing and session correlation. The use of port 443 by Telegram Desktop creates a deceptive appearance of security, as it does not implement actual TLS encryption, potentially misleading users and automated security tools. Passive network observers, such as ISPs, network administrators, and state-level actors, can extract these identifiers without needing active attacks or protocol manipulation. The persistence of the auth_key_id undermines anonymity tools like VPNs, as the identifier remains constant even when routing through such services. Telegram is architecturally responsible for this vulnerability due to its decision to forgo mandatory transport-layer encryption, a standard practice for other messaging platforms. The recommended technical solution is for Telegram to implement mandatory TLS for all MTProto connections, which would effectively eliminate the tracking capability with minimal impact.