The very act of storing customer data creates inherent vulnerability, according to cybersecurity experts. “The joke is that, ‘If you store it, they will come,’” says Yael Grauer, Program Manager for Cybersecurity Research at Consumer Reports. “Meaning, if you store customer data anywhere, then it’s vulnerable.”
While end-to-end encrypted messaging applications are often touted as secure, many retain substantial amounts of metadata – information *about* the messages, rather than the messages themselves – that can be accessed by third parties. This metadata can include call logs, contact lists, and usage patterns, and can be shared with advertisers, developers, and data brokers.
This data reveals significant information about users’ identities and activities. Knowing who someone communicates with, and when, can be exploited for surveillance or to build detailed profiles, even without access to the content of the communications. Metadata is subject to the same legal pressures as other forms of data, including court orders and the risk of breaches.
Signal, a messaging app frequently recommended for its privacy features, offers a contrasting approach. Because Signal is designed to store minimal user data, it has limited information to provide in response to legal requests. On multiple occasions, the company has been compelled to disclose data on its users, but could only provide timestamps indicating account creation and last connection to its servers, as reported by Consumer Reports.
The increasing capabilities of artificial intelligence add another layer of concern regarding stored data. Rapid advancements in AI tools allow for the swift analysis of vast datasets, identifying patterns and insights previously unattainable. Platforms that retain extensive metadata could be vulnerable to these AI-driven analyses, potentially revealing information users would prefer to keep private. By choosing platforms that minimize metadata storage, users can proactively mitigate both current and future risks associated with data exploitation, according to Grauer’s research.
Yael Grauer’s work at Consumer Reports focuses on digital privacy and cybersecurity, including research into VPNs, stalkerware, and methods for removing personal information from online people-search services. She also manages the organization’s Security Planner, a resource designed to help consumers improve their online security. Grauer has previously contributed investigative tech reporting to publications including The Atlantic, Ars Technica, and Wired, and holds a master’s degree in journalism from Arizona State University.
