You send texts, share photos, and join group chats every day. Your messages may be encrypted, but the story around them isn’t. That story is called metadata, and it might reveal more about you than you think. Ever wondered what that actually is?
To put it simply, metadata is data about data. It’s information that describes and organizes other data, providing context about its origin, content, and structure to make it easier to find, use, and manage. For example, a photo’s metadata might include the date it was taken, the camera used, and its location, while a spreadsheet’s metadata could be its creator, the last modified date, and column definitions.
What’s end-to-end encryption?
You’ve probably seen this term a lot online. Most messaging apps say they provide “end-to-end encryption” (E2EE), meaning the companies that own and manage them can’t see the content that sender and receiver are sharing. Privacy International explains that encryption uses cryptography to scramble information: “E2EE continuously protects the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting it at its destination”.
In messaging apps like WhatsApp or Telegram, although the content is encrypted and not visible to the companies that own and manage those apps, there’s a whole world of information that is, indeed, available to them. According to this article by the Freedom of the Press Foundation, these details can include the name and location of the sender and receiver, the date and time the message was sent, its digital size, and more. All this depends, of course, on what app you’re using. Most people are still using well-known platforms. WhatsApp has over 3 billion monthly users, and Telegram, more than 1 billion globally. This doesn’t mean they’re the best in terms of privacy, though.
A lot of journalists and pro-privacy web users favor Signal as their go-to messaging tool. There has been a surge in the usage of privacy-enhanced apps like Signal, but also SimpleX Chat and Session. SimpleX Chat focuses on “a decentralized framework with no user identifiers” and gives users options, like allowing self-hosting of servers and communities in incognito mode.
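To make concrete how much the fields listed above (sender, receiver, time, size) reveal when the content itself is encrypted, here is an added example that is not part of the original article. The records, names, and the 100 KB attachment threshold are constructed assumptions; no message content appears anywhere in the data.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of what a service can log for end-to-end encrypted
# messages: (sender, receiver, ISO timestamp, ciphertext size in bytes).
RECORDS = [
    ("alice", "clinic", "2024-03-04T08:02:00", 310),
    ("clinic", "alice", "2024-03-04T08:05:00", 295),
    ("alice", "bob", "2024-03-04T08:07:00", 120),
    ("alice", "pharmacy", "2024-03-04T12:30:00", 180),
    ("alice", "bob", "2024-03-05T23:41:00", 2_400_000),
    ("bob", "alice", "2024-03-05T23:44:00", 140),
    ("alice", "clinic", "2024-03-11T08:01:00", 305),
    ("clinic", "alice", "2024-03-11T08:06:00", 290),
]
MEDIA_THRESHOLD = 100_000  # assumed cutoff: larger ciphertexts are likely attachments


def contact_graph(records):
    """Messages per unordered pair: who talks to whom, and how often."""
    return Counter(frozenset((s, r)) for s, r, _, _ in records)


def active_hours(records, user):
    """Hours of the day at which `user` sends messages (a daily-routine hint)."""
    return Counter(datetime.fromisoformat(ts).hour
                   for s, _, ts, _ in records if s == user)


def likely_media(records):
    """Messages whose size alone suggests a photo or video was shared."""
    return [(s, r, ts) for s, r, ts, size in records if size >= MEDIA_THRESHOLD]


def recurring_contacts(records, user, min_weeks=2):
    """Contacts that `user` messages in at least `min_weeks` distinct ISO weeks."""
    weeks = defaultdict(set)
    for sender, receiver, ts, _ in records:
        if sender == user:
            weeks[receiver].add(datetime.fromisoformat(ts).isocalendar()[:2])
    return sorted(c for c, w in weeks.items() if len(w) >= min_weeks)


if __name__ == "__main__":
    print("contact graph:", dict(contact_graph(RECORDS)))
    print("alice's sending hours:", dict(active_hours(RECORDS, "alice")))
    print("likely media:", likely_media(RECORDS))
    print("recurring contacts:", recurring_contacts(RECORDS, "alice"))
```

Without decrypting anything, the output shows a weekly early-morning exchange with a clinic and a late-night attachment sent to one contact, which is the kind of inference the metadata fields make possible.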
Selling and Using Metadata
There are several companies that sell metadata about their users to other companies that want information for marketing and analysis purposes. It provides valuable insights into user behavior and social connections, and it’s used to refine targeting capabilities. Meta, the owner of Facebook, Instagram, and WhatsApp, cross-references metadata from the different platforms. It uses data from WhatsApp users to target advertising on social media networks. According to this BBC article, the underlying principle is that when the user isn’t paying for the service directly, their data is the product being sold, often indirectly through refined advertising and product development.
There are also companies specializing in buying metadata, like data brokers (Experian, Equifax, and Acxiom), advertising and marketing platforms, and data marketplaces such as AWS Data Exchange or Snowflake.
The main goal is to use this data for audience insight, data enrichment, compliance and governance, and market research. From a marketing perspective, it makes sense. But that also means our preferences on clothing, groceries, doctors, medicine, and so many other details of our lives are being shared worldwide — and nowadays, with our consent.
Weaponizing Metadata
Do you remember those notepad-like phones that corporate employees had and that were said to provide more secure connections? They were even known for their brand name: BlackBerry. You probably won’t see BlackBerries around anymore, but the company still exists and is still focused on enhancing privacy in communications. In this article, they highlight a much darker side of metadata: the weaponization of information. Although it’s mainly used for surveillance and criminal investigations, it can also be manipulated by hackers for cyber warfare and other ends.
BlackBerry identifies at least four ways in which metadata is being used as a weapon: (1) coordinated event surveillance (at big sports happenings or global summits, for example), with information shared among different agencies, like border control and local authorities; (2) insider threat detection, where authorities can’t see the content of messages but are still able to trace things by connecting seemingly unconnectable dots like timestamps and locations; (3) sensitive location discovery, which is possible via apps, especially if they emit live location: “the fitness app, Strava, inadvertently exposed classified military base locations through public heatmaps generated from metadata”; (4) targeting emergency coordination, which is easier now with AI, especially if cybercriminals are looking to tamper with the actions of governmental agencies to instigate conflict.
How to Avoid Sharing Metadata
If you want to avoid having your metadata shared, you can start by switching your preferred messaging app. Signal shares very few details, and SimpleX Chat, a Web2-based app, is the first messenger without user IDs. It uses “pairwise anonymous addresses of unidirectional message queues, separate for received and sent messages, usually via different servers”.
Widely used by journalists and people who recognize their own data is too valuable to be shared across the web, Signal created the Signal protocol, which is made of a series of cryptographic technologies, like X3DH and the Double Ratchet Algorithm. Signal is focused on providing safe communication and tackling censorship from powerful institutions like totalitarian governments. This article makes for an interesting read on how the non-profit works to fight against surveillance and control.
Blockchain-based Session also claims to use “pseudonymous public-private key pairs (…), makes it difficult to link IP addresses to accounts or messages sent or received by users, through the use of an onion routing protocol”, and “does not rely on central servers; a decentralised network of thousands of economically incentivised nodes performs all core messaging functionality”.
Threema is yet another messaging app that ensures confidentiality, but it’s focused on the corporate world and providing safe communications between coworkers. To “protect your company against industrial espionage and cyberattacks”, you can “operate the messenger on your own infrastructure and maintain full control over your data”.
Integritee to the Rescue
What if Integritee could have a pivotal role in protecting your data while you message your friends? We turn to Trusted Execution Environments and a blockchain-based layered solution to create solutions that put privacy first. When incorporated within messaging apps, Integritee can ensure that even metadata is shielded from exploitation or surveillance.
Our architecture can add a decentralized trust layer, making it nearly impossible for third parties, including the platform itself, to monetize, track, or leak sensitive user information. With seamless integration, apps could continue delivering the same user-friendly experience while guaranteeing their users true end-to-end privacy, setting a new standard in secure communication.
Why Private Messaging is the Way to Go
Privacy is becoming a valuable tool and asset for everyone: for individuals who don’t want conversations with their friends to be shared online, but also for anyone who needs to protect confidential information, be it at the office, in remote locations, or even in conflict scenarios.
If you’re reading this article and thinking that the information you share isn’t worth protecting, think again. A seemingly small and worthless detail can be profitable to marketing companies, agencies, banks, and many other institutions. If those suffer a cyber attack, info like your address, full name, ID number, or bank details can be leaked and eventually sold to the highest bidder.
Although WhatsApp claims to provide end-to-end encryption, Meta uses the metadata it has access to in order to create targeted ads on Instagram and Facebook. The mega-company guarantees it doesn’t sell its users’ information, but the truth is that it’s still used in one way or another. Choosing platforms that collect and exploit this data means giving up more of your privacy than you may realize.
The safest step you can take is to move away from platforms that profit from your data and instead choose private messaging apps that minimize metadata collection. In today’s world, protecting your digital footprint is just as important as locking your front door.
• • •
About Integritee
Integritee is the most scalable, privacy-enabling network with a Parachain on Kusama and Polkadot. Our SDK solution combines the security and trust of Polkadot, the scalability of second-layer Sidechains, and the confidentiality of Trusted Execution Environments (TEE), special-purpose hardware based on Intel Software Guard Extensions (SGX) technology, inside which computations run securely, confidentially, and verifiably.