Privacy in text communication is not a benefit, but a standard.
Encrypting content without controlling metadata is only half protection: who, when, with whom, how often, and from where can reveal relationships, routines, and sensitive situations — conflicting with the fundamental principles of correspondence privacy as well as GDPR requirements, particularly data minimization and purpose limitation.
EU regulators confirm that metadata are personal data with all associated legal consequences. It is not enough to “not read messages” — the context in which messages are sent must also be minimized.
Here especially applies the rule of the digital economy: when you don’t pay with money, you often pay with data and metadata, because the value of centralized platforms relies on user context and profiling that enables commercial exploitation of such data.
The entrenched narrative that encryption implies something to hide is outdated. Privacy is recognized as a fundamental personal value, and everything we do in the digital space should serve to protect it.
Privacy in text communication is not a benefit, but a standard.
Encrypting content without controlling metadata is only half protection: who, when, with whom, how often, and from where can reveal relationships, routines, and sensitive situations — conflicting with the fundamental principles of correspondence privacy as well as GDPR requirements, particularly data minimization and purpose limitation.
EU regulators confirm that metadata are personal data with all associated legal consequences. It is not enough to “not read messages” — the context in which messages are sent must also be minimized.
Here especially applies the rule of the digital economy: when you don’t pay with money, you often pay with data and metadata, because the value of centralized platforms relies on user context and profiling that enables commercial exploitation of such data.
The entrenched narrative that encryption implies something to hide is outdated. Privacy is recognized as a fundamental personal value, and everything we do in the digital space should serve to protect it.
The risk of data leakage is part of every environment.
Basic vulnerabilities and GDPR
- Metadata enable profiling even without reading the content; the combination of timestamps, frequency, and IP addresses creates a map of relationships and habits, posing both security and regulatory risks.
- Cloud backups and key management by providers or third parties often bypass E2EE*); account compromises, incorrect permissions, and chain vulnerabilities are among the common causes of incidents and conflict with GDPR requirements for security and data minimization.
Lowest level of protection: SMS/MMS
- Traditional SMS/MMS are not end-to-end encrypted, and providers may have access to both content and metadata. Downgrading from modern protocols to SMS/MMS results in the loss of E2EE and a significant increase in risks, including from a GDPR perspective.
- Enterprise A2P*) channels and various implementations without E2EE expand the metadata footprint and create additional compliance weaknesses within the telecommunications infrastructure.
System messages: iOS and Android
- iMessage: Uses E2EE and PQ3*), but delivery via Apple Identity Service and APNs generates operational metadata; push metadata may be subject to government requests, and iCloud backups without full key protection extend risks beyond E2EE.
- Android messages (RCS*)/Google Messages: E2EE is available for P2P chat within Google Messages, but downgrading to SMS/MMS removes E2EE; A2P channels are not fully E2EE, and various implementations introduce additional metadata and compliance nuances.
Content encryption on endpoints — computers and mobile devices.
*)A2P – Application to Person
Messages sent from applications to end devices. For example, emails containing sensitive information about contracts or health data.
*)PQ3 – Post Quantum, layer 3
Encryption protocol developed by Apple, implemented in iMessage since spring 2024.
*)RCS – Rich Communication Service
Modern standard for sending SMS/MMS.
Centralization or freedom?
Two communication models
Centralized messengers
WhatsApp (Meta)
- The app collects phone numbers, contacts, timestamps, IP addresses, device types, and usage patterns, and shares this information within the Meta group; the model has been criticized for relying on “legitimate interest” rather than explicit consent.
- “Voluntary activation” of additional features (opt‑in), such as AI tools, may, once enabled, send portions of data or context to Meta servers outside the original communication, further expanding the data footprint.
Signal
- Advanced cryptography and usernames reduce exposure; however, accounts are historically tied to phone numbers, and the service relies on its own servers for registration and contact discovery — metadata from registrations and operational layers do not disappear.
- Centralized infrastructure and linkage to the phonebook limit anonymity and full GDPR compliance, even though message content is protected by E2EE.
Threema
- Does not require a phone number and minimizes retention, reducing its footprint compared to WhatsApp and Signal; however, it remains centralized within a single jurisdiction and provides “available” information under its model when legally compelled.
- Enterprise use requires precise definition of processing roles and the scope of metadata, otherwise compliance risks persist within the provider infrastructure.
Decentralized systems
Briar
- Communication without central servers, synchronized via Bluetooth, Wi‑Fi, or Tor, with local data storage on the device, reduces the metadata footprint and allows operation even during internet outages.
- Platform limits: Available on Android and desktop (Windows/macOS/Linux), not on iOS; iOS background execution restrictions complicate offline scenarios in mixed groups.
Session
- Onion routing through a network of community Service Nodes and swarms ensures that no node simultaneously knows both sender and recipient; IP is hidden, and metadata is minimized by the architecture.
- Availability on iOS, Android, and desktop facilitates cross-platform deployment, although reliance on a public node network can result in higher latency and occasional delivery delays.
aloo chat
- Ease of deployment: no phone number required, no mandatory contact upload, and a focus on direct, clear identity management, reducing metadata linkage to phonebooks and aligning with GDPR principles.
- Architecture oriented toward decentralized, peer-to-peer access and minimizing centrally correlatable data reduces the risk of mass interventions and institutional misuse.
Direct connection between endpoints without the need for centralized server solutions.
Don’t wait for an incident: act before your metadata speaks for you.
Anyone who communicates sensitive information or content subject to GDPR should actively use applications with minimal metadata — and without storing or backing up encryption keys in the cloud.
This applies especially to lawyers, auditors, compliance and risk professionals, financial advisors, HR and company management, social workers, doctors, journalists, consultants, and public officials.
Don’t risk your reputation, trust, or penalties for data leaks: protect the context as well as the content, because “free” often means paying with your data and metadata. Move your sensitive communication to applications that don’t store metadata and truly protect your privacy.