"Encrypted" Doesn't Mean "Private": What Your Messaging Apps Really Know About You

The Day I Realized "Encrypted" Was a Marketing Term
I got a text from my friend Sarah last Tuesday:
"I just got an ad for divorce lawyers. On Instagram. I never searched for that. I never mentioned it to anyone except you. On WhatsApp. How the hell did they know?"
Good question, Sarah.
WhatsApp is "end-to-end encrypted." Facebook (sorry, "Meta") can't read your messages. That's true.
So how did they know Sarah was having marital problems?
Because "encrypted" doesn't mean what most people think it means.
Let me show you what I mean.
What "End-to-End Encryption" Actually Protects
First, let's be clear: End-to-end encryption (E2E) is real and important.
When done correctly, it means:
- Your messages are scrambled before leaving your phone
- Only the person you're messaging can unscramble them
- The company running the app cannot read your messages
- Even if their servers get hacked, your messages stay private
This is genuinely powerful technology.
When WhatsApp says they use E2E encryption, they're telling the truth. They use the Signal Protocol—the same encryption Signal uses. Meta really can't read your messages.
So what's the problem?
The problem is what encryption doesn't protect.
The Metadata Loophole (Or: How They Know Everything Without Reading Anything)
Here's what most people miss:
Encryption protects your message content. It doesn't protect your metadata.
What the Hell is Metadata?
Metadata is "data about data." It's everything except what you actually said:
They can't see:
- ❌ Your message: "I'm having an affair"
But they CAN see:
- ✅ You messaged a divorce lawyer 23 times last month
- ✅ You're in a group chat called "Single Parents Support"
- ✅ You stopped messaging your spouse after 11pm (you used to chat every night)
- ✅ You're now messaging someone new, always late at night
- ✅ Your location shows you're sleeping at a different address on weekends
They don't know what you said. But they know everything else.
Why This Matters More Than You Think
Former NSA and CIA director Michael Hayden once said:
"We kill people based on metadata."
He wasn't joking. In 2014, he explained that U.S. drone strikes were often authorized based on phone metadata patterns—not the content of calls.
If metadata is powerful enough for military targeting, it's powerful enough to profile your entire life.
Real Examples: What Platforms Know Without Reading Your Messages
Let me walk you through some scenarios.
Scenario 1: Sarah's Divorce Lawyer Ad
Sarah never told anyone she was having problems. But WhatsApp knew:
What Meta collected from WhatsApp (without reading messages):
- Contact added: "Thompson & Associates Family Law"
- Messages to that contact: 23 in the last month
- Message timing: Mostly late night (when spouse is asleep)
- New group membership: "Single Parents Support Group"
- Message pattern change: 10 messages/day to spouse → 2 messages/day
- New frequent contact: Unknown number, messages every night after 11pm
- Location data: Staying at different address on weekends
Meta can't read the messages. But they can infer:
- Marriage problems (lawyer contact, support group)
- Possible affair (new frequent late-night contact)
- Separation (location change on weekends)
- High stress (timing patterns)
- Ready for divorce services (lawyer contact)
Result: Divorce lawyer ads on Instagram and Facebook.
Sarah never searched for "divorce." She never even said the word out loud on her phone.
But the metadata told the whole story.
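Added example (not from the original article or from any platform's code): Scenario 1 worked through in Python over constructed relay-side records for a hypothetical user `alice`. The `ciphertext` field is never read; the field names, contact labels and dates are assumptions made for illustration.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

START = datetime(2024, 1, 1)          # constructed 60-day observation window
SPLIT = START + timedelta(days=30)    # compare first 30 days with last 30

def envelope(sender, recipient, when):
    # What a relay sees per message: routing fields plus opaque ciphertext.
    # Random bytes stand in for the encrypted payload; it is never parsed.
    return {"from": sender, "to": recipient, "ts": when, "ciphertext": os.urandom(64)}

def build_sample_log():
    """Constructed traffic for a hypothetical user 'alice' (not real data)."""
    log = []
    for day in range(60):
        d = START + timedelta(days=day)
        # Spouse: 10 daytime messages/day at first, 2/day in the second half.
        for i in range(10 if day < 30 else 2):
            log.append(envelope("alice", "spouse", d.replace(hour=9 + i)))
        # Second half: one late-night message to a new contact on most days.
        if day >= 30 and day % 4 != 0:
            log.append(envelope("alice", "family-law-office", d.replace(hour=23, minute=30)))
    return log

def profile(log, user, split=SPLIT, days_per_half=30):
    """Summarise a user's contacts from envelope metadata only."""
    stats = defaultdict(lambda: {"before": 0, "after": 0, "late": 0})
    for env in log:
        if env["from"] != user:
            continue
        s = stats[env["to"]]
        s["after" if env["ts"] >= split else "before"] += 1
        if env["ts"].hour >= 23 or env["ts"].hour < 5:
            s["late"] += 1
    return {
        contact: {
            "messages": s["before"] + s["after"],
            "per_day_before": s["before"] / days_per_half,
            "per_day_after": s["after"] / days_per_half,
            "late_night_share": s["late"] / (s["before"] + s["after"]),
            "new_contact": s["before"] == 0,
        }
        for contact, s in stats.items()
    }

if __name__ == "__main__":
    for contact, row in profile(build_sample_log(), "alice").items():
        print(contact, row)
```

Every figure in the resulting profile comes from sender, recipient and timestamp alone, which is why the amount of metadata a service retains matters as much as the strength of its encryption.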
Scenario 2: The Job Interview You Didn't Want Public
Mike is interviewing for a new job while currently employed:
What WhatsApp/Meta knows:
- New contact added: "Jennifer - Google Recruiting"
- Message frequency: 8 messages over 2 weeks
- Message timing: Always during work hours, quick responses
- Calendar integration: "Meeting with Jennifer"
- Location: At Google office twice during work hours
- Search history: "Google software engineer salary," "negotiate job offer"
- No messages to current coworkers about these meetings
Meta can't read: "Can you interview on Thursday?"
But they can infer:
- Job interview at Google (contact + location + timing)
- Still employed elsewhere (secretive messaging patterns)
- Serious about the role (multiple in-person meetings)
- Likely to accept (salary research)
- Ready for career services ads
Result: LinkedIn shows Mike ads for resume services, interview prep, and moving companies (to Silicon Valley).
His current employer uses Meta's enterprise tools. The timing pattern raises flags.
Scenario 3: The Health Scare Nobody Knows About
Jessica found a lump. She only told her sister on WhatsApp:
What Meta collected:
- Messaged sister 47 times in one week (usual: 5/week)
- New contacts: "Dr. Chen - Oncology," "Sarah - Cancer Support"
- Joined group: "Breast Cancer Under 40"
- Message timing: Late night, stress indicators
- Location: Multiple visits to hospital
- Calendar: "Biopsy appointment," "Follow-up results"
- Search history linked to Google: "breast cancer survival rates," "BRCA gene testing"
Meta can't read: "The test came back positive."
But they can infer:
- Health scare (doctor contact + hospital visits)
- Cancer concern (oncologist + support group)
- High stress (message patterns + timing)
- Young (under-40 support group)
- Ready for: Insurance ads, financial planning, therapy services
Result: Targeted ads for cancer treatment centers, genetic testing, disability insurance.
Jessica hadn't told her parents yet. But advertisers already knew.
Platform by Platform: What They Actually Collect
Let's break down what each major platform collects, even with encryption.
WhatsApp (Meta/Facebook)
Encrypted: Message content, voice calls
NOT Encrypted (collected):
- ✅ Your phone number
- ✅ Every contact in your phone
- ✅ Transaction data (WhatsApp Pay)
- ✅ Device identifiers
- ✅ IP address and location
- ✅ How often you use the app
- ✅ Who you message and when
- ✅ How long your messages are
- ✅ Group memberships
- ✅ Profile photos and status
- ✅ App navigation patterns
What Meta does with it:
- Builds social graphs across Facebook/Instagram/WhatsApp
- Targets ads on other Meta platforms
- Shares with business partners
- Combines with Facebook/Instagram data
From their 2021 privacy policy:
"We share information... with the Facebook Companies to provide integrations, help improve infrastructure, understand how people use our services..."
Translation: Your WhatsApp metadata feeds Facebook's $110 billion/year advertising machine. (For a deep dive into exactly what Meta collects across all their platforms, see our full investigation into Meta's surveillance empire.)
Signal
Encrypted: Message content, voice calls, metadata (partially)
What Signal collects:
- ⚠️ Your phone number (encrypted on their servers)
- ⚠️ When you created your account
- ⚠️ When you last connected
What Signal does NOT collect:
- ❌ Who you message
- ❌ Group memberships
- ❌ Contact lists
- ❌ IP addresses (not logged)
- ❌ Message timing patterns
- ❌ Usage analytics
How they make money:
- Donations and grants
- Non-profit foundation
- No advertising = no incentive to collect data
The catch: Signal is only messaging. Not a social platform.
Facebook Messenger
Encrypted: "Secret Conversations" only (must manually enable)
NOT Encrypted (default):
- ❌ Regular messages (Meta can read them)
- ❌ Photos and videos
- ❌ Everything you've ever shared
What Meta collects from Messenger:
- Everything they collect from WhatsApp (see above)
- Plus: Full message content in regular chats
- Plus: Everything in your Facebook profile
- Plus: Cross-platform tracking across Instagram/WhatsApp/Facebook
Bottom line: Unless you use "Secret Conversations" (which nobody does because it's hidden), Facebook reads everything.
iMessage (Apple)
Encrypted: Messages between Apple devices
NOT Encrypted:
- ⚠️ SMS/MMS to non-Apple users
- ⚠️ iCloud backups (unless Advanced Data Protection is on)
- ⚠️ Messages to/from Android users
What Apple collects:
- ⚠️ Who you message and when
- ⚠️ Some device metadata
- ⚠️ iCloud backups (can include message content)
Apple's advantage:
- Doesn't use data for advertising (they sell devices, not ads)
- Generally more privacy-focused than Meta
Apple's weakness:
- iCloud backups aren't E2E encrypted by default
- Ecosystem lock-in (only works well between Apple devices)
- Can be subpoenaed by law enforcement
Telegram
Encrypted: "Secret Chats" only
NOT Encrypted:
- ❌ Regular chats (stored on Telegram servers)
- ❌ Group chats (always stored unencrypted)
- ❌ Most messages people actually send
What Telegram collects:
- Regular chat content (they can read it)
- Contact lists
- Group memberships
- All metadata
Red flags:
- Uses custom encryption (not recommended by security experts)
- Based in Dubai (unclear jurisdiction)
- Business model unclear (how do they make money?)
- Secret Chats aren't the default
Bottom line: Not as private as most people think.
Discord
Encrypted: Nothing. Zero. Nada.
What Discord can see:
- ✅ Every message you send
- ✅ Every voice call
- ✅ Every server you join
- ✅ Everything you share
- ✅ All your DMs
What Discord does with it:
- Stores permanently on their servers
- Can be read by Discord employees
- Can be subpoenaed by law enforcement
- Used for moderation and features
Bottom line: Discord is not private. It's designed for public communities, not private conversations.
The Business Model Question (Follow the Money)
Here's the fundamental issue:
If you're not paying for the product, you are the product.
| Platform | Cost | Business Model | Privacy Incentive |
|---|---|---|---|
| WhatsApp | Free | Meta advertising | ❌ Makes money from your data |
| Messenger | Free | Meta advertising | ❌ Makes money from your data |
| Telegram | Free | ??? | ⚠️ Unclear—concerning |
| Discord | Free/Freemium | Nitro subscriptions + data | ⚠️ Mixed incentives |
| Signal | Free | Donations | ✅ Non-profit, no data incentive |
| iMessage | Free* | Device sales | ✅ Makes money selling hardware |
| Snugg | Paid | Subscriptions | ✅ Makes money protecting your privacy |
WhatsApp is free because you're paying with your metadata. That metadata is worth more to Meta than a $5/month subscription would be.
What Snugg Does Differently
We built Snugg around one principle:
If we can't read it, we can't abuse it.
Everything is End-to-End Encrypted
Not just messages. Everything:
- Posts and comments
- Photos and videos
- Reactions and emoji
- Group membership
- Even who's in your groups
The platform stores ciphertext it cannot read. Only group members can decrypt it.
Minimal Metadata Collection
We don't log what we don't need:
- ❌ No tracking who viewed what
- ❌ No logging when you read messages
- ❌ No location tracking
- ❌ No contact list harvesting
- ❌ No behavioral analytics
- ❌ No "engagement" metrics
We literally can't build advertising profiles because we don't collect the data.
True Deletion
When you delete your account:
1. We destroy your encryption keys
2. All your encrypted content becomes unreadable noise
3. We don't keep backups
4. Your data is cryptographically gone
This isn't a promise. It's a mathematical guarantee.
Open Source
Don't trust us—verify:
- Our code is public on GitHub
- Security researchers can audit everything
- Independent audits published regularly
- No hidden backdoors (check the code yourself)
Subscription Business Model
You pay us. We serve you. That's it.
- Individual: $3/month (founding members)
- Family: $6/month (founding members)
We make money from subscriptions, not surveillance.
We have zero incentive to collect your data because we're not selling ads.
The Comparison
| Feature | Snugg | Signal | WhatsApp | iMessage | Telegram | Discord |
|---|---|---|---|---|---|---|
| E2E Encryption | Everything | Messages | Messages | Between Apple | Secret only | None |
| Metadata Collection | Minimal | Minimal | Extensive | Moderate | Extensive | Extensive |
| Business Model | Subscription | Donations | Ads (Meta) | Device sales | Unclear | Freemium |
| Open Source | ✅ Yes | ✅ Yes | ❌ No | ❌ No | ⚠️ Partial | ❌ No |
| Social Features | ✅ Yes | ❌ No | ⚠️ Limited | ⚠️ Limited | ✅ Yes | ✅ Yes |
| Ad-Free | ✅ Yes | ✅ Yes | ✅ Yes* | ✅ Yes | ✅ Yes | ⚠️ Freemium |
What You Should Actually Do
1. Match Platform to Sensitivity
For casual group chats:
- Discord is fine (if you accept it's not private)
For organizing political action:
- Use Signal
For sharing family photos:
- Consider whether you want Meta building a profile of your kids
For private conversations with close friends:
- Use something actually private (Signal, Snugg)
2. Understand What You're Trading
Ask yourself:
- What does this platform encrypt?
- What metadata do they collect?
- How do they make money?
- What are their incentives?
- Can I verify their claims?
3. Read the "Data We Collect" Section
Privacy policies are boring. But the "Data We Collect" section tells you everything.
If it says they collect:
- "Device identifiers, IP addresses, contact lists, usage patterns, location data, interaction metadata..."
They're not private, no matter how good their encryption is.
4. Stop Saying "I Have Nothing to Hide"
You're not hiding from observation. You're protecting yourself from manipulation.
Sarah wasn't hiding her marital problems. But she didn't want Meta selling that information to divorce lawyers.
Mike wasn't hiding his job search. But he didn't want his current employer finding out.
Jessica wasn't hiding her health scare. But she didn't want insurance companies building a risk profile.
Privacy isn't about having something to hide. It's about not being exploited.
The Bottom Line
End-to-end encryption is necessary, but not sufficient, for privacy.
It's like having a safe with a great lock (encryption) but glass walls (metadata).
Sure, people can't read your documents. But they can see:
- How often you open the safe
- Who you show documents to
- Which documents you access most
- Where the safe is located
- When you're most likely to open it
- Who else has keys
Real privacy requires:
1. ✅ Strong encryption (protecting content)
2. ✅ Minimal metadata collection (protecting context)
3. ✅ No third-party sharing (protecting from leaks)
4. ✅ Aligned incentives (business model that doesn't need your data)
5. ✅ Verifiable claims (open source, audits)
That's what Snugg was built to provide.
Try Snugg
If you're tired of platforms that claim privacy while selling your metadata:
What you get:
- ✅ 30-day free trial (no credit card required)
- ✅ Everything encrypted (content + metadata)
- ✅ No ads, ever
- ✅ Open source and audited
- ✅ Small group social platform (not just messaging)
What you don't get:
- ❌ Metadata collection
- ❌ Behavioral tracking
- ❌ Data sales
- ❌ Targeted advertising
- ❌ Privacy theater
Questions?
"Isn't this paranoia?"
No. Read WhatsApp's privacy policy. They tell you exactly what they collect. Sarah's divorce ad isn't a conspiracy theory—it's their business model.
"But I have nothing to hide."
Neither did Sarah, Mike, or Jessica. They just didn't want to be exploited. There's a difference.
"Why can't Signal just add social features?"
Signal is excellent at what it does. But it's a messaging app, not a social platform. Different tools for different needs.
"How do I know Snugg is telling the truth?"
We're open source. Check the code. We publish security audits. If we lied about encryption, cryptographers would destroy us.
About Snugg: A truly private social platform for small groups. No metadata collection, no advertising, no surveillance. Just encrypted conversations with people you trust.
Learn more: snugg.social
Questions: hello@snugg.social
About the Author - Sam Bartlett
I'm a yacht surveyor based in the Caribbean and the founder of Snugg. After 15 years watching social media platforms prioritize ads over genuine connection, I decided to build the alternative. I previously built and ran a successful sailing holiday business, topping Google search results for years before algorithm changes destroyed organic reach. I'm not a developer or privacy activist—just someone who got tired of platforms that forgot their purpose. When I'm not building Snugg or surveying yachts, I wish everyone had more time for sailing in beautiful places (or whatever brings you joy).