In 2014, General Michael Hayden — former director of both the NSA and the CIA — made a remark that should have ended the "I use an encrypted app so I'm fine" line of reasoning. "We kill people based on metadata," he said. He meant it literally: drone targeting decisions had been made on communication patterns alone, with no access to message content.
Most people's threat model is considerably less dramatic. But the principle scales all the way down: metadata is a surprisingly complete record of your life, and encrypting message content leaves it entirely intact.
What Metadata Actually Is
Every message you send produces two distinct categories of information. The first is content — the words, files, and images in the message itself. The second is everything else:
- Who you communicated with
- When — date, time, and duration
- How often — frequency and rhythm of contact
- From where — IP address, which resolves to city, ISP, and often precise location
- On what device — hardware identifiers, OS version, app version
- Network conditions — which cell tower, which Wi-Fi network
End-to-end encryption protects the first category. The second category is produced before encryption is applied and after it's removed — it exists at the transport layer, visible to every intermediary between you and the recipient.
What a Metadata Record Reveals
A 2016 Stanford research project called MetaPhone asked 800 volunteers for their phone call metadata — just the numbers called and the call times, nothing else. Researchers found they could accurately identify:
- Participants calling a cardiac arrhythmia specialist, then a medical device manufacturer → inferred: heart condition requiring a pacemaker
- Participants calling a gun shop, then a background check service → inferred: firearm purchase
- Participants whose call patterns to a spouse dropped off while calls to a specific number increased → inferred: affair
These inferences came from phone call metadata alone, with no access to what was said. Messaging apps generate richer metadata than phone calls. The conclusions that can be drawn are correspondingly more precise.
The Phone Number Problem
Signal's cryptography is excellent. Its metadata handling is a different story.
Using Signal requires a phone number. That number ties your Signal account to your carrier's records. Your carrier knows every number you've ever called or texted, timestamped, with tower location data. In the US, law enforcement can obtain these records with a subpoena — a significantly lower legal bar than a search warrant.
Signal introduced usernames in 2024 partly to address this, allowing users to share a username instead of a phone number with contacts. But the phone number is still required to create an account, still held by Signal, and still the underlying identity. The username is a display layer over the same infrastructure.
More fundamentally: every time you send a Signal message, your device contacts Signal's servers to deliver it. Signal knows when you are active, at what times, and with what frequency. Signal has published strong statements about the limits of what they log, and their track record of responding to law enforcement demands is genuinely good. But "trust us, we don't log that" is a policy, not a cryptographic guarantee.
The Service Provider Problem
The same dynamic applies to encrypted email services. ProtonMail encrypts your message content — they genuinely cannot read your emails. But ProtonMail's servers receive your connection, process your session, and route your messages. They know:
- Your IP address at login (unless you use a VPN or Tor)
- Exactly when you send and receive messages
- Who you correspond with (recipient addresses are metadata, not content)
- The size of each message
- Your login frequency and session duration
In 2021, ProtonMail received a Swiss court order requiring them to log the IP address of a French climate activist. They complied — they were transparent that Swiss law could require this. The activist had assumed "encrypted email" meant "anonymous." It does not.
The core distinction: encryption protects your content from ProtonMail reading your emails. It does not protect your metadata from ProtonMail's servers receiving it. These are fundamentally different problems.
What Metadata Minimization Actually Requires
Reducing your metadata exposure requires more than choosing an encrypted app:
An identity that isn't your phone number. A phone number is a permanent, carrier-issued identifier tied to your billing address. Using it as your messaging identity links every conversation to that record. Email addresses can be created pseudonymously, aliased, and separated from your real identity in ways phone numbers cannot.
Aliases for compartmentalization. Using a single identifier for all communication creates a single point of aggregation. Multiple aliases — one per relationship, purpose, or context — fragment the picture, making pattern aggregation dramatically harder.
IP address protection. Your IP address reveals your location and ISP. For high-sensitivity communication, routing through a trusted VPN or Tor is the only reliable mitigation. No messaging app can fix this on its own.
Technical controls over policy controls. "We don't log" is a promise. Zero-knowledge architecture — where the server literally cannot decrypt your data — is meaningfully stronger than a logging policy. The latter can change; the former is a cryptographic constraint.
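The alias and IP-address points above depend on each other, and the following added example (not code from the original article) makes that concrete: it models a provider-side log as constructed (identifier, source IP, peer) records and links identifiers that share a source address. The record layout, the example.org addresses, the documentation-range IPs and the function names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: (identifier, source_ip, peer).
# All values are invented; IPs are from the RFC 5737 documentation ranges.
SINGLE_ID = [
    ("me@example.org", "198.51.100.7", "doctor"),
    ("me@example.org", "198.51.100.7", "lawyer"),
    ("me@example.org", "198.51.100.7", "journalist"),
]
ALIASES_SAME_IP = [  # one alias per context, all used from the same address
    ("health@example.org", "198.51.100.7", "doctor"),
    ("legal@example.org", "198.51.100.7", "lawyer"),
    ("press@example.org", "198.51.100.7", "journalist"),
]
ALIASES_SPLIT_IP = [  # assumption: each alias arrives from its own exit address
    ("health@example.org", "203.0.113.10", "doctor"),
    ("legal@example.org", "203.0.113.20", "lawyer"),
    ("press@example.org", "203.0.113.30", "journalist"),
]

def linked_profiles(records):
    """Merge identifiers that share a source IP (union-find) and return
    the sorted list of peer sets, one per resulting profile."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for ident, ip, _peer in records:
        parent[find(("id", ident))] = find(("ip", ip))
    profiles = defaultdict(set)
    for ident, _ip, peer in records:
        profiles[find(("id", ident))].add(peer)
    return sorted(sorted(p) for p in profiles.values())

def largest_profile(records):
    """Largest contact set attributable to one linked profile."""
    return max(len(p) for p in linked_profiles(records))

if __name__ == "__main__":
    for name, recs in [("single identifier", SINGLE_ID),
                       ("aliases, one IP", ALIASES_SAME_IP),
                       ("aliases, separate IPs", ALIASES_SPLIT_IP)]:
        print(f"{name}: {linked_profiles(recs)}")
```

Aliases used from one address collapse back into the same three-contact profile as the single identifier; the view only fragments when each alias also arrives from a different address.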
The Honest Answer for Most People
If your threat model is "I don't want Facebook reading my messages," Signal or iMessage is fine. E2EE handles that adversary cleanly.
If your threat model is "I don't want someone with legal authority over my service provider to be able to map my communication patterns," the requirements are stricter. You need an identity not tied to a phone number, IP protection, and a provider operating under legal constraints that limit what they can be compelled to disclose.
If your threat model is "I need to be effectively anonymous," no consumer messaging app currently solves that — and most make it harder by requiring phone numbers.
Encryption is a necessary component of a private communication system. It is not sufficient. Understanding what metadata reveals — and what your tools actually protect against — is the difference between privacy and the feeling of privacy.
This article was originally published on the Haven Blog. Haven is an end-to-end encrypted email and chat app that uses email-based identity — no phone number required.