What is Telegram's new Peer-to-Peer login program and how it may be a security risk

WhatsApp rival Telegram is reportedly testing a new way for users to access its Premium subscription for free. The instant messaging platform allows users to access its paid tier if they allow the company to use their phones to send out login verification codes via SMS. The feature was first spotted by a Telegram channel named Telegram Info English reports Android Police.Another tipster named AssembleDebug took to micro-blogging site X (previously Twitter) to reveal the same. As per the X post, Telegram’s new terms of service are calling the feature “Peer-to-Peer Login Program” (P2PL).

However, this new program has the potential to turn into a privacy and spam nightmare. According to the report by Android Police, this program may allow participants to see the numbers to which their phones are sending out codes. The company’s terms of service note that users will not allowed to contact these numbers as per the terms of service. Still, Telegram provides users with others’ phone numbers pose a security risk.
While revealing the program, the Telegram channel also shared some screenshots explaining how this feature will work. As per the shared images, Telegram will offer users a splash screen in some regions. This page will notify users about the opportunity to get Premium for free when they “Help Send Login SMS.”

The screenshots also mentioned that this program will affect 0.01% of Telegram’s total user base. As users allow access, the messaging platform will use their phones to send up to 100 SMS verification codes per month to other Telegram users. Users who agree to the company’s terms will be offered a free Premium subscription for a month for free.
With this program, both the senders and receivers will be able to see each other's phone numbers. The report claims that this can have serious security consequences.
While Telegram has asked users to avoid contacting any of the numbers that have been used to send verification codes, still the company has yet to introduce an effective technical blocking mechanism for the same.
Similarly, SMS code receivers could send the sender follow-up questions about the login process or any other message. Telegram has also explicitly asked senders to ignore the same.
The report also claims that this policy will allow any Telegram users’ phone numbers to be potentially shared with strangers even if they haven’t opted into the program themselves.
For example, if someone has simply received an OTP code from one of the phones that participated in the program, may be at risk of leaking the phone number to them.
Even if the terms of service forbid it, this may potentially allow for data leaks, harassment, phishing and spamming. Also, Telegram won’t have control over these phones to keep their identity safe from others.
In the program's terms of service, Telegram notes that the program “may not be available to users in certain regions in accordance with current demand, economic factors, relevant regulatory restrictions and local telecommunications infrastructure.”
This suggests that some users protected by privacy laws like the GDPR in Europe or the CCPA in California may not receive codes from numbers who are a part of the P2PL program.
However, Telegram’s privacy policy or Premium terms of service doesn’t confirm if it’s also sharing phone numbers with third parties for SMS verification.
The report also notes that users who are joining the P2PL program for free Telegram Premium may even face problems with their mobile service providers.
Most carriers are likely to stop their customers from sending automated messages like this through their regular accounts and may even face being banned. This might be the reason for Telegram to send only up to 100 messages a month.