In a recent blog post, Pavel Durov, CEO of Telegram, confirmed that they have not moved servers to Iran and related countries as rumored by various media publications and related sources. In the post, Durov claimed that all reports of Telegram hosting data at servers in Iran were false and that it’s the local CDN nodes at such countries that route the data between the users and the Telegram servers.
There are countries where Telegram does not want to set up servers, primarily for security concerns and to avoid abiding by unnecessary and tough local government regulations. These countries include India amongst Iran, Indonesia, Argentina, Iraq and Turkey.
In the post, he said that Telegram rents CDN nodes in such countries though to make public data available faster by caching it locally. These are public data and not private informaton from users which includes Telegram account information and messages. Even if these CDN nodes were to cache these private information, these are rather encrypted at every stage throw the funnel and are not accessible by anyone apart from the user.
Some politicians and journalists discussing “servers” of a company in a country are confused about the terms and what they actually mean by “servers”. Along with a company’s servers that store private data in safe places, there also are internet providers that deliver its encrypted traffic to users, and third party caching nodes (CDNs) that make sure popular public content doesn’t go twice around the globe every time to reach its users. If Telegram servers store data, these third parties merely provide connectivity between Telegram servers and its users.
It seems that politicians / journalists sometimes refer to an internet traffic provider or a CDN provider that delivers or caches encrypted data of Telegram as “Telegram” or “Telegram servers“, thus misleading the public. There’s a world of difference between them: Telegram servers store private data and will never “travel” to countries with internet censorship, while internet providers and CDNs operate all over the world and have no access to private data of Telegram (and other secure apps).
Data flowing between the servers and the app at the user end are always hashed and cannot be decrypted apart from the Telegram app owned by the user. In addition to these claims, Telegram has also put up a page with extensive technical details on caching process at CDN nodes and also invites people with technical knowledge to study the Telegram apps for security purposes. Here’s the original Telegraph published by Durov.