Privacy & Digital Risk

What Apps Can Learn From Metadata

A clear explanation of how metadata can reveal patterns even when the content itself looks private.

May 9, 2026 · 5 min read
privacy, metadata, apps, data, digital-risk

When people think about privacy, they usually think about content — the body of a message, the photo, the document. Metadata is the layer around that content: who, when, how often, from where, on what device, in what context. Content can be encrypted and still leak a great deal through its metadata.

This article is a plain-language tour of the metadata categories that matter for everyday privacy thinking. Not every app collects every type. The point is to understand what the categories can reveal so that decisions about which apps to trust, and which features to enable, become easier to make.

What metadata is

Metadata is information about an interaction rather than its contents. A few quick examples to anchor the term:

  • A message has a body (content) and a sender, recipient, timestamp, size, and delivery route (metadata).
  • A photo has the image (content) and the time it was taken, the device that took it, sometimes a location, and a thumbnail (metadata).
  • A web request has a payload (content) and a source IP, time, duration, user agent, and request size (metadata).

Most metadata is generated automatically and does not require the user to do anything. It is the byproduct of communication, not the message itself.

Timestamps and frequency

Timestamps alone reveal more than most users expect. Patterns in when something happens often reveal more than what the thing was.

  • A regular spike at the same time every weekday morning is a workday-pattern signature.
  • A cluster of activity in a narrow time window across multiple apps suggests a single attention session.
  • A long quiet stretch followed by a sudden burst can imply travel, illness, or a context shift.

Frequency adds another axis: how often you interact with a given contact, app, or service over a period of time. Two contacts you message a similar amount form a different signal from one contact you message daily and another monthly, even if the message contents are identical.

Device and software fingerprint

Device metadata covers properties of the hardware and software you are using at the moment of interaction. Common pieces:

  • Device model and operating system version.
  • Browser or app version.
  • Screen size, language, time zone.
  • Installed fonts, audio devices, supported features.

Each individual property is low-entropy on its own. Combined, they form a "fingerprint" that can identify a device across sessions even without persistent identifiers like cookies. The amount of information required to identify most devices is smaller than people usually think.
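
To make the "low-entropy alone, identifying together" point concrete, here is an added example (not from the original article) that measures it on a small constructed population. The device rows, attribute names, and the `cumulative_report` helper are all assumptions made up for illustration.

```python
import math
from collections import Counter

ATTRS = ("os", "browser", "screen", "timezone", "language")

# Constructed sample: one row per device seen by a hypothetical service.
DEVICES = [
    ("Android 14", "Chrome 124", "1080x2400", "Europe/Berlin", "de-DE"),
    ("Android 14", "Chrome 124", "1080x2400", "Europe/Berlin", "en-GB"),
    ("Android 14", "Chrome 124", "1080x2340", "Europe/Berlin", "de-DE"),
    ("Android 14", "Firefox 125", "1080x2400", "Europe/Berlin", "de-DE"),
    ("Android 14", "Chrome 124", "1080x2400", "Europe/London", "en-GB"),
    ("iOS 17.4", "Safari 17", "1170x2532", "Europe/Berlin", "de-DE"),
    ("iOS 17.4", "Safari 17", "1170x2532", "Europe/London", "en-GB"),
    ("iOS 17.4", "Safari 17", "1179x2556", "Europe/Berlin", "de-DE"),
    ("iOS 17.4", "Safari 17", "1170x2532", "Europe/Berlin", "en-GB"),
    ("iOS 17.4", "Chrome 124", "1170x2532", "Europe/Berlin", "de-DE"),
]

def entropy_bits(values):
    """Shannon entropy (bits) of the observed distribution of values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def unique_fraction(rows, cols):
    """Share of rows whose combination of the given columns is one of a kind."""
    keys = [tuple(r[c] for c in cols) for r in rows]
    counts = Counter(keys)
    return sum(counts[k] == 1 for k in keys) / len(keys)

def cumulative_report(rows):
    """Add one attribute at a time; return (attrs_used, bits, unique_share)."""
    report = []
    for k in range(1, len(ATTRS) + 1):
        cols = range(k)
        keys = [tuple(r[c] for c in cols) for r in rows]
        report.append((ATTRS[:k], round(entropy_bits(keys), 2),
                       unique_fraction(rows, cols)))
    return report

if __name__ == "__main__":
    for attrs, bits, uniq in cumulative_report(DEVICES):
        print(f"{'+'.join(attrs):45s} {bits:5.2f} bits  {uniq:4.0%} unique")
```

In this sample the operating system alone singles out nobody, while all five attributes together single out every device, with no cookie or account identifier involved.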

Location hints

Even apps without explicit location permission can pick up location hints. A few common channels:

  • IP address — usually maps to a city or region.
  • Network metadata — the WiFi network you are connected to, the cell tower, or a list of nearby networks.
  • Time zone — your device's locale and time zone settings.
  • Behavioral hints — language preferences, currency, or content recommendations specific to a region.

None of these alone gives precise coordinates, but together they often narrow location to a useful range. The takeaway is not that an app without location permission is "blind" — it is that location hints exist outside the explicit permission system.

Contact graph

The contact graph is the network of who you interact with and how often. Even without reading message contents, an app that has access to who you message and how frequently learns a lot:

  • Your closest contacts are the ones you message daily.
  • Your work contacts cluster in working hours.
  • Family contacts often sit on a different rhythm from work contacts.
  • New contacts that suddenly enter the graph signal life events.

This is why "we cannot read your messages" is not the same as "we have no information about you." Metadata about who-talks-to-whom is often as informative as the content of those conversations.
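
The inferences described here and under "Timestamps and frequency" need nothing but a log of who and when. The following added example (not from the original article) profiles contacts from a constructed metadata-only log; the contact names, the 09:00 to 17:00 weekday window, and the labelling thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_constructed_log():
    """Constructed metadata-only log: (timestamp, contact_id, size_bytes)."""
    log, day0 = [], datetime(2026, 3, 2)
    for d in range(14):
        day = day0 + timedelta(days=d)
        log.append((day.replace(hour=21, minute=5), "contact-A", 420))
        if day.weekday() < 5:  # Monday..Friday only
            log.append((day.replace(hour=10, minute=30), "contact-B", 180))
            log.append((day.replace(hour=15, minute=10), "contact-B", 95))
    log.append((day0 + timedelta(days=9, hours=13), "contact-C", 2048))
    return log

def profile_contacts(log):
    """Summarise each contact from timestamps alone; no message body is read."""
    seen = defaultdict(list)
    for ts, contact, _size in log:
        seen[contact].append(ts)
    days = [ts.date() for ts, _, _ in log]
    span_days = (max(days) - min(days)).days + 1
    profiles = {}
    for contact, stamps in seen.items():
        in_office = sum(t.weekday() < 5 and 9 <= t.hour < 17 for t in stamps)
        profiles[contact] = {
            "messages": len(stamps),
            "active_day_share": len({t.date() for t in stamps}) / span_days,
            "work_hours_share": in_office / len(stamps),
        }
    return profiles

def label(profile):
    """Coarse, assumed thresholds; a real analysis would tune these."""
    if profile["messages"] < 3:
        return "occasional"
    if profile["work_hours_share"] >= 0.8:
        return "work"
    if profile["active_day_share"] >= 0.8:
        return "close (daily)"
    return "regular"

if __name__ == "__main__":
    for contact, p in sorted(profile_contacts(build_constructed_log()).items()):
        print(contact, label(p), p)
```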

File and message metadata

Files carry metadata that travels with them. Common pieces:

  • File name and path components.
  • Creation and modification timestamps.
  • Author, software, and device fields embedded in the file format.
  • For images: camera model, lens, exposure, and sometimes location coordinates.

Messages carry their own metadata layer:

  • Sender and recipient identifiers.
  • Timestamps for sent, delivered, and read events.
  • Message size.
  • Routing information (which servers the message passed through).

Tools that send files or forward messages often preserve this metadata by default. If a file is sensitive, it is worth checking what metadata travels with it before sharing.

Session patterns

Session metadata describes how you use an app over time:

  • Session length.
  • Time between sessions.
  • Most-used features.
  • Device used per session.
  • Network type per session.

Session patterns are a strong behavioral signal. Habit changes, stress, sleep disruption, and life transitions all show up as session-pattern shifts long before they show up as anything the user explicitly reports.

What metadata reveals without content

A useful mental check is to ask: "If someone had only the metadata about my activity for the past month, what would they be able to infer?"

Realistically:

  • Roughly when you wake up, work, eat, and sleep.
  • Who your closest contacts are.
  • Where you typically are during the week.
  • What apps and devices you depend on.
  • When your routine breaks (travel, illness, stress).

This is not theoretical. It is what metadata patterns mean by construction. Whether any specific app actually performs this kind of analysis depends on the app, but the data shape supports it.

What to reduce

A practical short list:

  • Audit which apps have access to your contacts and revoke unnecessary access.
  • Strip location metadata from photos before sharing them with anyone you would not want to share location with (most operating systems offer a one-tap option).
  • Limit "delivered" and "read" receipts where the app supports disabling them, if reducing timing-pattern signal matters to you.
  • Review which apps are allowed to run in the background and restrict the ones that do not need it.
  • Be cautious about granting access to message history, even when the app promises content encryption — content and metadata are often handled by different systems with different protections.

Summary

The phrase "we do not see your content" is a meaningful technical claim, but it is not the same as "we have no information about you." Metadata routinely reveals patterns that people assume only content could expose. Understanding the categories — timestamps, frequency, device fingerprint, location hints, contact graph, file metadata, session patterns — makes it easier to evaluate which apps to trust with which features, and which side channels are worth closing.
