[{"data":1,"prerenderedAt":2392},["ShallowReactive",2],{"research-\u002Fresearch\u002Fbrowser-telemetry-audit":3,"sidebar-research-\u002Fresearch\u002Fbrowser-telemetry-audit":958},{"id":4,"title":5,"author":6,"authorCredibility":7,"body":8,"category":855,"changelog":856,"date":858,"description":860,"extension":861,"image":862,"keyFindings":863,"lastUpdated":858,"meta":881,"navigation":882,"path":883,"readTime":884,"seo":885,"sources":886,"stem":955,"subtitle":956,"__hash__":957},"research\u002Fresearch\u002Fbrowser-telemetry-audit.md","Edge Sent 160,588 Packets on First Launch. Tor Sent Zero DNS Queries. We Tested 7 Browsers.","The Privacy Authority","Based on packet-level network analysis of 7 browsers across 21 test phases using tcpdump and tshark",{"type":9,"value":10,"toc":829},"minimark",[11,15,18,24,29,41,60,70,73,77,82,88,91,98,102,130,133,137,143,150,156,162,166,169,172,176,180,183,190,199,228,240,256,261,272,283,287,292,297,314,318,321,326,343,347,350,355,361,370,388,409,413,416,421,426,447,453,459,472,481,484,513,531,535,538,543,561,565,572,575,580,594,597,605,608,612,616,619,625,637,647,658,678,691,703,719,723,731,737,745,749,755,761,773,790,796,802,806,814,817],[12,13,14],"p",{},"We set up a test lab, installed seven browsers on fresh systems, and captured every packet they sent across three phases: cold start, idle, and browsing. No interaction during the first two. Just launching the browser and watching the network.",[12,16,17],{},"The results span a range that's wider than we expected. On one end, Microsoft Edge generated 160,588 packets and contacted 24 Microsoft domains before we touched the keyboard. On the other, Tor Browser produced zero DNS queries across the entire test. Between those two extremes, the other five browsers revealed exactly how much of the \"privacy-focused\" marketing holds up when you look at the wire.",[19,20],"stat-callout",{"label":21,"value":22,"suffix":23},"packets generated by Edge on first launch - the most of any browser tested","160588","",[25,26,28],"h2",{"id":27},"background","Background",[12,30,31,32,36,37,40],{},"In 2020, Douglas Leith at Trinity College Dublin published \"Web Browser Privacy: What Do Browsers Say When They Phone Home?\" ",[33,34],"source-annotation",{"id":35},"2",", testing Chrome, Firefox, Safari, Brave, Edge, and Yandex. The study found Brave was in a class of its own for privacy, while Edge and Yandex transmitted hardware-linked identifiers that persisted across fresh installs ",[33,38],{"id":39},"11",". The paper received significant attention and remains widely cited.",[12,42,43,44,47,48,51,52,55,56,59],{},"Six years have passed. Every browser on that list has shipped major changes. Chrome abandoned its plan to deprecate third-party cookies in favour of a user-choice model in April 2025 ",[33,45],{"id":46},"10",". Firefox introduced OHTTP relays for suggestion queries, and Brave developed the STAR protocol for privacy-preserving analytics ",[33,49],{"id":50},"5",". Safari gained iCloud Private Relay ",[33,53],{"id":54},"6",". Meanwhile, Edge added Copilot integration and kept expanding its Microsoft services footprint ",[33,57],{"id":58},"7",".",[12,61,62,63,66,67,69],{},"The sizeof(cat) project published a 2025 update ",[33,64],{"id":65},"3"," counting startup connections across browsers: Ungoogled Chromium and Tor Browser made zero, Brave made 17, Firefox 29, Vivaldi 11, Chrome 25, and Edge 48 ",[33,68],{"id":65},". That test counted connections. Ours counts packets, extracts domains, and extends the analysis through idle and browsing phases.",[12,71,72],{},"What appears to be missing from the existing literature is a full three-phase capture on 2026 browser versions that includes idle behaviour and browsing-phase telemetry alongside the cold start. This is that study, with the addition of Tor Browser and Vivaldi to the tested set.",[25,74,76],{"id":75},"methodology","Methodology",[78,79,81],"h3",{"id":80},"test-environment","Test environment",[12,83,84,85,59],{},"Three browsers (Firefox 150.0, Brave 147.1.89.141, Vivaldi 7.9.3970.59) were tested in Ubuntu 24.04 ARM64 virtual machines running on UTM (Apple Virtualisation Framework) on a MacBook Air M3. Each browser was installed in a clean VM clone, never launched, then snapshotted. Tests started from these pristine snapshots ",[33,86],{"id":87},"1",[12,89,90],{},"Four browsers (Chrome 146.0.7680.80, Safari macOS 26.3.1, Edge 147.0.3912.72, Tor Browser 15.0.10) were tested natively on macOS 26.3.1 using a clean user account with no prior browser usage. Native testing was necessary because Chrome and Edge lack ARM64 Linux builds, Safari is macOS-only, and Tor Browser's macOS universal binary was the most practical option.",[92,93],"data-table",{":headers":94,":rows":95,":sortable":96,"caption":97},"[\"Browser\",\"Version\",\"Engine\",\"Platform\",\"Install Method\"]","[[\"Chrome\",\"146.0.7680.80\",\"Chromium\u002FBlink\",\"macOS 26.3.1 (native)\",\"Pre-installed\"],[\"Edge\",\"147.0.3912.72\",\"Chromium\u002FBlink\",\"macOS 26.3.1 (native)\",\"microsoft.com pkg\"],[\"Firefox\",\"150.0\",\"Gecko\",\"Ubuntu 24.04 ARM64 (VM)\",\"mozilla.org tarball\"],[\"Safari\",\"macOS 26.3.1\",\"WebKit\",\"macOS 26.3.1 (native)\",\"Built-in\"],[\"Brave\",\"147.1.89.141\",\"Chromium\u002FBlink\",\"Ubuntu 24.04 ARM64 (VM)\",\"apt repo .deb\"],[\"Vivaldi\",\"7.9.3970.59\",\"Chromium\u002FBlink\",\"Ubuntu 24.04 ARM64 (VM)\",\"vivaldi.com .deb\"],[\"Tor Browser\",\"15.0.10\",\"Gecko (Firefox ESR)\",\"macOS 26.3.1 (native)\",\"torproject.org\"]]","true","Table 1. Browsers tested, versions, and platforms.",[78,99,101],{"id":100},"capture-method","Capture method",[12,103,104,105,109,110,113,114,117,118,121,122,125,126,129],{},"All traffic was captured using ",[106,107,108],"code",{},"tcpdump"," on the host network interface: ",[106,111,112],{},"bridge100"," for VM browsers, ",[106,115,116],{},"en0"," for native macOS browsers. Captures were analysed with ",[106,119,120],{},"tshark"," to extract DNS queries (",[106,123,124],{},"dns.flags.response == 0",") and TLS Server Name Indication fields (",[106,127,128],{},"tls.handshake.extensions_server_name",").",[12,131,132],{},"Native macOS captures include some operating system traffic (OCSP checks, iCloud, NTP). We identified and excluded these from browser-specific findings by cross-referencing Apple system domains across all native tests.",[78,134,136],{"id":135},"three-phase-protocol","Three-phase protocol",[12,138,139,140,142],{},"Each browser went through identical phases ",[33,141],{"id":87},":",[12,144,145,149],{},[146,147,148],"strong",{},"Phase 1 - Cold start (5 minutes)",": Launch the browser for the first time. No keyboard or mouse interaction. Accept default settings where prompted. This captures everything the browser does on its own.",[12,151,152,155],{},[146,153,154],{},"Phase 2 - Idle (5 minutes)",": Browser remains open. No interaction. This captures background telemetry cadence: how chatty is the browser when you're not using it?",[12,157,158,161],{},[146,159,160],{},"Phase 3 - Controlled browsing (5-12 minutes)",": Navigate to 10 predetermined sites, 30 seconds each (45 seconds for Tor Browser due to network latency). Sites chosen for diversity: example.com, Wikipedia, BBC News, Reddit, GitHub, Amazon, DuckDuckGo, NYTimes, Stack Overflow, The Guardian. Navigation was automated via shell scripts to ensure identical timing.",[78,163,165],{"id":164},"default-settings","Default settings",[12,167,168],{},"Every browser was tested with its out-of-the-box defaults. Where setup wizards appeared, we accepted the defaults. This means Chrome's \"Send usage statistics\" was checked (it is by default), Edge's \"Send diagnostic data\" was checked (it is by default), and Vivaldi's crash reports were unchecked (it is by default). We recorded these choices but did not alter them. The point is to measure what happens to someone who clicks through the setup without reading it.",[19,170],{"label":171,"value":58},"browsers tested across 21 capture phases, producing 1.1GB of pcap data",[25,173,175],{"id":174},"findings","Findings",[78,177,179],{"id":178},"cold-start-what-happens-before-you-do-anything","Cold start: what happens before you do anything",[12,181,182],{},"This is the most consequential phase. Every packet here was generated by the browser, not the user.",[184,185],"research-chart",{":datasets":186,":labels":187,"caption":188,"type":189},"[{\"label\":\"Packets on Cold Start\",\"data\":[160588,61590,37026,36290,29943,29503,6888]}]","[\"Edge\",\"Chrome\",\"Brave\",\"Vivaldi\",\"Tor\",\"Firefox\",\"Safari\"]","Figure 1. Total packets captured during first 5 minutes after launch. Edge generated nearly 3x more traffic than Chrome.","bar",[12,191,192,193,195,196,198],{},"Edge is the clear outlier, though much of this traffic is its MSN news feed new tab page and component downloads. 160,588 packets generating a 192MB capture ",[33,194],{"id":87},". For context, Chrome - placed in the middle tier in Leith's 2020 study ",[33,197],{"id":35}," - produced 61,590 packets and 69MB. Edge generated nearly three times the traffic of the browser it's forked from.",[12,200,201,202,204,205,208,209,212,213,216,217,220,221,224,225,227],{},"Where does all that traffic go? Edge contacted 24 Microsoft-owned domains on cold start, including three separate telemetry pipelines ",[33,203],{"id":58},": ",[106,206,207],{},"self.events.data.microsoft.com",", ",[106,210,211],{},"functional.events.data.microsoft.com",", and ",[106,214,215],{},"browser.events.data.msn.com",". The main telemetry domain, ",[106,218,219],{},"edge.microsoft.com",", was queried 21 times in five minutes. Edge also loaded comScore analytics (",[106,222,223],{},"sb.scorecardresearch.com",") on its new tab page ",[33,226],{"id":87}," - a third-party tracker, on cold start, before the user visited anything.",[12,229,230,231,233,234,237,238,59],{},"Every single TLS connection on Chrome's cold start went to a Google-owned server ",[33,232],{"id":87},". All 15 domains, all Google. The ",[106,235,236],{},"optimizationguide-pa.googleapis.com"," endpoint alone was queried 12 times. Usage statistics and crash reports were opted in by default ",[33,239],{"id":87},[12,241,242,243,208,246,208,249,252,253,255],{},"And here's an odd detail: Edge also contacted Google. Three Google domains appeared in Edge's cold start (",[106,244,245],{},"clients2.google.com",[106,247,248],{},"www.googleapis.com",[106,250,251],{},"clients2.googleusercontent.com",") via inherited Chromium code ",[33,254],{"id":87},". So on first launch, Edge contacts both Microsoft and Google.",[184,257],{":datasets":258,":labels":259,"caption":260,"type":189},"[{\"label\":\"Vendor Domains Contacted\",\"data\":[24,15,25,12,10,3,0]},{\"label\":\"Google Domains Contacted\",\"data\":[3,15,1,0,0,9,0]}]","[\"Edge\",\"Chrome\",\"Firefox\",\"Safari\",\"Brave\",\"Vivaldi\",\"Tor\"]","Figure 2. Vendor-owned and Google-owned domains contacted on cold start. Edge and Chrome lead in vendor domains. Vivaldi contacts 9 Google domains via Chromium inheritance.",[12,262,263,264,266,267,269,270,59],{},"Safari was the quietest at 6,888 packets and 5.1MB ",[33,265],{"id":87},", though its Siri Suggestions start page loaded content from around 15 third-party sites generating 38 DNS queries: X (5 domains), Facebook (2), LinkedIn (2), Yahoo (3), BBC, Google, Bing, Weather.com, TripAdvisor, and Yelp among them. Firefox loaded 56 publisher domains via Pocket sponsored content on its new tab ",[33,268],{"id":87}," - a UK-focused selection including BBC, Guardian, Mirror, Independent, Sky, Al Jazeera, Polygon, and YouTube, suggesting geo-targeted content delivery. Brave and Vivaldi loaded no third-party content on their start pages ",[33,271],{"id":87},[12,273,274,275,278,279,282],{},"Tor Browser's 29,943 packets were almost entirely encrypted Tor circuit establishment traffic. Zero DNS queries. Zero vendor domains. The two TLS connections to non-Apple domains were Tor guard nodes using domain fronting with randomised hostnames (",[106,276,277],{},"www.l6juis72lup7e2epp4b6zgry.com",") ",[33,280],{"id":281},"13",". A network observer watching Tor Browser's cold start sees encrypted traffic to IP addresses. Nothing else.",[78,284,286],{"id":285},"default-telemetry-opt-in","Default telemetry opt-in",[12,288,289,290,59],{},"Every browser except Vivaldi and Tor Browser opted users into some form of telemetry by default ",[33,291],{"id":87},[92,293],{":headers":294,":rows":295,":sortable":96,"caption":296},"[\"Browser\",\"Telemetry Default\",\"What It Means\"]","[[\"Chrome\",\"Opted IN\",\"Send usage statistics checked by default\"],[\"Edge\",\"Opted IN\",\"Send diagnostic data checked by default; Copilot offered\"],[\"Firefox\",\"Opted IN\",\"Telemetry enabled by default; Pocket sponsored content active\"],[\"Safari\",\"Opted IN\",\"Siri Suggestions active; iAd SDK contacted\"],[\"Brave\",\"Opted IN (but private)\",\"P3A enabled by default, but uses privacy-preserving STAR protocol\"],[\"Vivaldi\",\"Opted OUT\",\"Crash reports checkbox unchecked by default on first launch\"],[\"Tor Browser\",\"No telemetry\",\"No telemetry options shown; no data collection mechanisms\"]]","Table 2. Default telemetry opt-in state across browsers.",[12,298,299,300,302,303,306,307,310,311,59],{},"Brave deserves a footnote here. Its P3A telemetry is on by default, but the implementation is meaningfully different from Chrome's or Edge's. P3A uses the STAR protocol ",[33,301],{"id":50},", which according to Brave aggregates responses cryptographically so that individual measurements cannot be linked to specific users ",[33,304],{"id":305},"4",". The system collects bucketed histograms, not raw data. Whether \"privacy-preserving telemetry\" is still telemetry is a philosophical question, but the network traffic is verifiably different: aggregated buckets sent to ",[106,308,309],{},"collector.bsg.brave.com",", not per-page pings to ",[106,312,313],{},"content-autofill.googleapis.com",[78,315,317],{"id":316},"safe-browsing-who-checks-the-urls","Safe Browsing: who checks the URLs",[12,319,320],{},"Every browser except Tor checked URLs against a phishing\u002Fmalware database. How they do it varies more than you'd expect.",[92,322],{":headers":323,":rows":324,":sortable":96,"caption":325},"[\"Browser\",\"Safe Browsing Provider\",\"Privacy Implication\"]","[[\"Chrome\",\"Google Safe Browsing (direct)\",\"URLs sent to Google servers\"],[\"Edge\",\"Microsoft SmartScreen (3 domains)\",\"URLs sent to Microsoft via data-edge, nav-edge, telem-edge\"],[\"Firefox\",\"Google Safe Browsing (direct)\",\"URLs sent to Google\"],[\"Safari\",\"Apple Safe Browsing (token.safebrowsing.apple)\",\"URLs checked via Apple, not Google - unique among tested browsers\"],[\"Brave\",\"Brave proxy (safebrowsing.brave.com)\",\"Google Safe Browsing data fetched via Brave proxy, not direct to Google\"],[\"Vivaldi\",\"Google Safe Browsing (direct)\",\"URLs sent to Google (inherited Chromium behaviour)\"],[\"Tor Browser\",\"None visible\",\"All lookups routed through Tor network\"]]","Table 3. Safe Browsing implementations. Safari is the only browser using a non-Google service. Brave proxies through its own servers.",[12,327,328,329,332,333,335,336,339,340,59],{},"Safari is the only browser that doesn't use Google's Safe Browsing service at all, routing lookups through ",[106,330,331],{},"token.safebrowsing.apple"," instead ",[33,334],{"id":87},". Brave uses Google's data but proxies the requests through ",[106,337,338],{},"safebrowsing.brave.com",", preventing Google from seeing the requesting IP. Chrome, Firefox, and Vivaldi all send Safe Browsing requests directly to ",[106,341,342],{},"safebrowsing.googleapis.com",[78,344,346],{"id":345},"idle-what-happens-when-you-walk-away","Idle: what happens when you walk away",[12,348,349],{},"Phase 2 measures background noise. The browser is open, the user isn't touching it.",[184,351],{":datasets":352,":labels":353,"caption":354,"type":189},"[{\"label\":\"Browser-Initiated Packets During 5-Minute Idle\",\"data\":[0,0,253,744,831,1290,1460]}]","[\"Vivaldi\",\"Tor\",\"Brave\",\"Edge\",\"Firefox\",\"Safari\",\"Chrome\"]","Figure 3. Browser-initiated traffic during 5-minute idle phase. Vivaldi and Tor Browser produced zero browser-initiated packets. Chrome was the noisiest. Note: Safari and Chrome figures may include some macOS system traffic that could not be fully separated.",[12,356,357,358,360],{},"Vivaldi produced zero packets. Tor Browser's 1,985 total packets were entirely macOS system traffic (Apple telemetry, location services) with zero from the browser itself ",[33,359],{"id":87},". Both browsers were completely silent when idle.",[12,362,363,364,366,367,369],{},"Brave produced 253 packets, all P3A telemetry beacons to ",[106,365,309],{}," and the STAR randomness server ",[33,368],{"id":305},". Firefox sat at 831, continuing Pocket ad refreshes and OHTTP suggestion relays. Safari hit 1,290 (some macOS system-level traffic mixed in). At the top: Chrome with 1,460 packets, the noisiest idle browser we tested.",[12,371,372,373,376,377,379,380,383,384,387],{},"This is where it gets interesting. Chrome contacted ",[106,374,375],{},"ogads-pa.clients6.google.com"," during idle ",[33,378],{"id":87},". The domain name suggests ad-related infrastructure (the ",[106,381,382],{},"ogads"," prefix and ",[106,385,386],{},"clients6.google.com"," pattern are consistent with Google's advertising services). The browser was sitting open on a blank tab, doing nothing, and it reached out to what appears to be an ad-related server. Chrome was the only browser to do this. It also checked the Chrome Web Store and Google Play Store during idle, unprompted.",[12,389,390,391,394,395,397,398,401,402,405,406,408],{},"Safari contacted ",[106,392,393],{},"iadsdk.apple.com"," during idle - Apple's advertising SDK ",[33,396],{"id":87},". Firefox continued refreshing Pocket ad content via ",[106,399,400],{},"ads.mozilla.org",". Edge produced just 744 packets and contacted only ",[106,403,404],{},"edge-http.microsoft.com"," ",[33,407],{"id":87},", making it surprisingly quiet after its massive cold start.",[78,410,412],{"id":411},"browsing-who-follows-you-around","Browsing: who follows you around",[12,414,415],{},"Phase 3 measured what happens when you actually use the browser. We visited 10 sites. The question: how many additional domains does the browser load beyond what the page itself requests?",[19,417],{"label":418,"value":419,"suffix":420},"ad-tech domains loaded by Edge during a 10-site browsing session - more than any other browser","54","+",[184,422],{":datasets":423,":labels":424,"caption":425,"type":189},"[{\"label\":\"Ad-Tech Domains Loaded During Browsing\",\"data\":[54,47,20,20,5,0,0]}]","[\"Edge\",\"Chrome\",\"Safari\",\"Firefox\",\"Vivaldi\",\"Brave\",\"Tor\"]","Figure 4. Third-party ad-tech and cookie-sync domains loaded during browsing. Edge loaded the most. Brave and Tor loaded zero.",[12,427,428,429,431,432,434,435,438,439,208,441,212,444,129],{},"Edge loaded 54 ad-tech domains during browsing ",[33,430],{"id":87},". Chrome loaded 47. The overlap is striking: 42 of those ad-tech domains appeared in both browsers and in no other browser we tested. Same Chromium engine, same advertising surface. The shared domains include the full programmatic advertising stack: Google DoubleClick, AppNexus, PubMatic, Rubicon\u002FMagnite, Taboola, Amazon Ads, comScore, and dozens of cookie-sync services like BidSwitch, Sharethrough, and LoopMe. On top of the shared 42, Chrome added 15 of its own (including ",[106,433,313],{}," and ",[106,436,437],{},"mail.google.com","), while Edge added 16 (including ",[106,440,219],{},[106,442,443],{},"www.bing.com",[106,445,446],{},"xpaywalletcdn-prod.azureedge.net",[12,448,449,450,452],{},"Chrome has no built-in tracker blocking. Edge has a \"Balanced\" tracking prevention mode enabled by default ",[33,451],{"id":58},", but it only blocks trackers from sites you haven't visited. Trackers embedded in the pages you actually browse still load.",[12,454,455,456,458],{},"The middle of the pack told a more nuanced story. Safari and Firefox each loaded approximately 20 ad-tech domains ",[33,457],{"id":87},". Both have some built-in tracking protection: Safari's Intelligent Tracking Prevention (ITP) limits cross-site cookie access, and Firefox's Enhanced Tracking Protection (ETP) blocks known trackers from the Disconnect list. Despite these features, 20 ad-tech domains still appeared in the capture for each, suggesting their protection focuses on limiting what trackers can do with cookies rather than blocking connections outright.",[12,460,461,462,464,465,434,468,471],{},"Vivaldi's tracker blocker, enabled during setup, let about 5 through ",[33,463],{"id":87},", including ",[106,466,467],{},"graph.facebook.com",[106,469,470],{},"cdn.cxense.com",". Effective, but not watertight.",[12,473,474,475,478,479,59],{},"Then the clean end of the spectrum. Brave blocked everything. Zero ad-tech domains. Shields, enabled by default, prevented connections to every tracker that Chrome and Edge loaded. The only domains visible in Brave's browsing phase were ",[106,476,477],{},"brave.com"," subdomains (the P3A collector, STAR server, and update checker) ",[33,480],{"id":87},[12,482,483],{},"Tor also loaded zero, but through a different mechanism. Rather than blocking trackers, Tor routes all traffic through its network. The trackers may have loaded inside the Tor circuit, but a network observer sees only encrypted traffic to guard nodes. From a network privacy perspective, the result is the same: zero visible tracking.",[12,485,486,487,489,490,492,493,496,497,499,500,503,504,434,507,510,511,59],{},"Chrome's most persistent browser-initiated domain during browsing was ",[106,488,313],{},", queried 42 times across 10 sites ",[33,491],{"id":87},". According to Google, autofill sends form field structure metadata to Google's servers to match saved data to form fields ",[33,494],{"id":495},"9",". Google states the data is obfuscated ",[33,498],{"id":495},", but the connection happens on every page load regardless of whether the page has forms ",[33,501],{"id":502},"16",". Chrome also contacted ",[106,505,506],{},"ep1.adtrafficquality.google",[106,508,509],{},"ep2.adtrafficquality.google"," during browsing - Google's ad traffic quality verification service ",[33,512],{"id":87},[12,514,515,516,518,519,521,522,524,525,527,528,530],{},"Edge was no quieter. ",[106,517,219],{}," was queried 24 times, ",[106,520,207],{}," 15 times, and ",[106,523,443],{}," 15 times ",[33,526],{"id":87},". We weren't using Bing. It also contacted ",[106,529,446],{},", its wallet and payment CDN, without any payment-related user action.",[78,532,534],{"id":533},"the-chromium-inheritance-problem","The Chromium inheritance problem",[12,536,537],{},"Four of the seven browsers tested are built on Chromium: Chrome itself, Edge, Brave, and Vivaldi. How each fork handles inherited Google infrastructure is a useful measure of how much work they've done to de-Google themselves.",[92,539],{":headers":540,":rows":541,":sortable":96,"caption":542},"[\"Browser\",\"Google Domains on Cold Start\",\"Approach\"]","[[\"Chrome\",\"15\",\"Native - all Google infrastructure intact\"],[\"Vivaldi\",\"9\",\"Inherited - Safe Browsing, update infrastructure, Cloud Messaging all contact Google directly\"],[\"Edge\",\"3\",\"Partially replaced - Microsoft services primary, but clients2.google.com and googleapis.com still present\"],[\"Brave\",\"0\",\"Fully replaced - Safe Browsing proxied, update infrastructure replaced, no Google domains contacted\"]]","Table 4. Google domain contact on cold start across Chromium-based browsers.",[12,544,545,546,548,549,552,553,556,557,560],{},"Brave is the only Chromium fork that contacted zero Google domains ",[33,547],{"id":87},". It replaced the update infrastructure, proxied Safe Browsing, and stripped Google Cloud Messaging. Vivaldi, despite having zero telemetry of its own, still contacted 9 Google domains through inherited Chromium code, including ",[106,550,551],{},"mtalk.google.com"," (Google Cloud Messaging) and ",[106,554,555],{},"android.clients.google.com"," (queried 12 times) ",[33,558],{"id":559},"12",". Edge replaced most Google infrastructure with Microsoft equivalents but still contacts three Google domains via inherited Chromium code.",[78,562,564],{"id":563},"the-dns-gap","The DNS gap",[12,566,567,568,571],{},"Blocking a tracker connection is not the same as hiding that you tried to load it. When a page embeds a resource from ",[106,569,570],{},"pagead2.googlesyndication.com",", the browser first resolves the domain via DNS, then opens a TLS connection. A tracker blocker can prevent the connection, but the DNS query has already happened. Your ISP, your corporate network, or your DNS resolver saw the lookup.",[12,573,574],{},"We compared DNS queries against TLS connections during the browsing phase. Any domain that appeared in the DNS capture but not in the TLS handshake was resolved but never connected to - a DNS-only leak.",[184,576],{":datasets":577,":labels":578,"caption":579,"type":189},"[{\"label\":\"DNS-Only Domains (resolved, no connection)\",\"data\":[52,24,23,17,17,17,0]},{\"label\":\"Connected Domains\",\"data\":[76,62,68,147,146,100,0]}]","[\"Safari\",\"Brave\",\"Vivaldi\",\"Chrome\",\"Edge\",\"Firefox\",\"Tor\"]","Figure 5. DNS-only vs connected domains during browsing. Safari had the most DNS-only lookups (52). Brave blocked connections but still leaked 24 domain lookups. Tor had zero DNS leakage because all resolution happens inside the Tor network. Chrome and Edge connected to nearly everything they resolved.",[12,581,582,583,585,586,208,588,212,591,593],{},"Safari tops the list with 52 DNS-only domains during browsing ",[33,584],{"id":87},". ITP prevented cookies from being shared across those connections, but the DNS queries still went out. Domains like ",[106,587,570],{},[106,589,590],{},"securepubads.g.doubleclick.net",[106,592,223],{}," all appeared in Safari's DNS capture without corresponding TLS connections. Your network observer knows which ad networks the pages you visited tried to load.",[12,595,596],{},"Brave and Vivaldi showed a similar pattern: 24 and 23 DNS-only domains respectively. Brave Shields blocked the connections, but the DNS prefetch had already fired. Chrome and Edge had 17 each, though this is less meaningful for them since they connected to most domains anyway.",[12,598,599,600,208,602,604],{},"Firefox also logged 17 DNS-only domains. Its ETP blocks known trackers from the Disconnect list, but several analytics domains (",[106,601,470],{},[106,603,570],{},") still got DNS lookups without connections.",[12,606,607],{},"Tor Browser is the only browser that avoids this entirely. All DNS resolution happens inside the Tor network. A network observer sees zero domain queries - not for visited sites, not for trackers, not for anything. The DNS gap doesn't exist when there's no local DNS.",[25,609,611],{"id":610},"discussion","Discussion",[78,613,615],{"id":614},"the-privacy-spectrum","The privacy spectrum",[12,617,618],{},"The data produces a clear ranking, but the gaps between browsers are more interesting than the order.",[184,620],{":datasets":621,":labels":622,"caption":623,"type":624},"[{\"label\":\"Tor Browser\",\"data\":[8,10,10,10,10]},{\"label\":\"Brave\",\"data\":[6,9,10,10,10]},{\"label\":\"Vivaldi\",\"data\":[6,10,8,10,3]},{\"label\":\"Safari\",\"data\":[10,7,4,8,10]},{\"label\":\"Firefox\",\"data\":[8,7,4,5,9]},{\"label\":\"Chrome\",\"data\":[3,5,1,3,1]},{\"label\":\"Edge\",\"data\":[1,7,1,2,8]}]","[\"Cold Start Quietness\",\"Idle Quietness\",\"Tracker Blocking\",\"Vendor Domain Count (inverted)\",\"Google Independence\"]","Figure 6. Multi-dimensional privacy comparison. Scores are editorial assessments normalised 1-10 based on the quantitative data above, where 10 is best for privacy. Tor and Brave lead across most dimensions. Edge and Chrome trail.","radar",[626,627,631],"tier-card",{":stats":628,"name":629,"tier":630},"[\"0 DNS queries\",\"0 vendor domains\",\"113,197 browsing packets\"]","Tor Browser","S",[12,632,633,634,636],{},"In a category of its own, as Brave was in Leith's 2020 study ",[33,635],{"id":35},". Zero DNS queries, zero vendor telemetry, zero visible browsing traffic. The trade-off is real. Tor adds latency to every request, and the browsing phase produced the highest packet count because all content funnels through circuit relays. This is a privacy tool, not an everyday browser for most people.",[626,638,641],{":stats":639,"name":640,"tier":630},"[\"0 Google domains\",\"0 ad-tech domains\",\"37,026 cold start packets\"]","Brave",[12,642,643,644,646],{},"Credit where it's due. Brave sends telemetry, but the P3A\u002FSTAR system is architecturally different from traditional analytics ",[33,645],{"id":305},". Zero Google domains. All trackers blocked. The 37,026 cold start packets look high, but most of that is component downloads (ad-block filter lists, HTTPS rules). The traffic that makes the blocking work.",[626,648,652],{":stats":649,"name":650,"tier":651},"[\"0 own telemetry\",\"0 idle packets\",\"9 Google domains via Chromium\"]","Vivaldi","A",[12,653,654,655,657],{},"A paradox. Vivaldi sends zero telemetry of its own, generates zero idle traffic, and leaves crash reports unchecked by default. But it still contacted 9 Google domains on cold start via inherited Chromium code ",[33,656],{"id":87},". The work to remove its own tracking is done. The work to excise Google's isn't. And the tracker blocker, while functional, isn't as aggressive as Brave Shields.",[626,659,663],{":stats":660,"name":661,"tier":662},"[\"6,888 cold start\",\"87,554 browsing\",\"20 ad-tech domains\"]","Safari","B",[12,664,665,666,405,668,671,672,674,675,677],{},"Safari's own Safe Browsing is a privacy-positive alternative to Google's, iCloud Private Relay ",[33,667],{"id":54},[33,669],{"id":670},"15"," is a genuine feature, and Intelligent Tracking Prevention limits cross-site cookie tracking by default. But there's a contradiction hiding in Safari's numbers. It had the quietest cold start of any browser (6,888 packets), then produced 87,554 during browsing - more than Chrome (68,081) or Edge (69,672) ",[33,673],{"id":87},". ITP restricts what trackers can do with cookies, not whether they connect, and 20 ad-tech domains still appeared. Add ",[106,676,393],{}," during idle, and the picture is more complicated than \"Apple = privacy.\"",[626,679,682],{":stats":680,"name":681,"tier":662},"[\"25 Mozilla domains\",\"56 Pocket publisher domains\",\"ads.mozilla.org on launch\"]","Firefox",[12,683,684,685,687,688,59],{},"25 Mozilla domains on cold start. Pocket loaded content from 56 publisher domains on the new tab page. ",[106,686,400],{}," was contacted on launch. The OHTTP relay system for suggestions is a genuinely good architectural choice, but Mozilla's own telemetry footprint is larger than you'd guess from a browser that markets itself on privacy ",[33,689],{"id":690},"17",[626,692,696],{":stats":693,"name":694,"tier":695},"[\"42 autofill queries\",\"47 ad-tech domains\",\"idle ad infrastructure\"]","Chrome","D",[12,697,698,699,702],{},"Chrome's 42 autofill queries, idle ad infrastructure contact, and 47 ad-tech domains during browsing are consistent with a browser that ships no built-in tracker blocking by default ",[33,700],{"id":701},"18",". No surprises here. Without built-in blocking, every tracker connection the page requests goes through.",[626,704,707],{":stats":705,"name":706,"tier":695},"[\"160,588 cold start\",\"54 ad-tech domains\",\"216x idle drop-off\"]","Edge",[12,708,709,710,712,713,405,716,718],{},"Edge does everything Chrome does and more: three telemetry pipelines, 160,588 cold start packets, 54 ad-tech domains, and comScore on the new tab page. One ratio puts it in perspective: Edge's cold-start-to-idle drop-off is 216x (160,588 to 744). Chrome's is 42x. Safari's is 5x. That cold start is a 533-packet-per-second burst ",[33,711],{"id":87},". The 2020 finding that Edge had the most extensive telemetry of any browser tested ",[33,714],{"id":715},"8",[33,717],{"id":39}," still holds six years later in our data.",[78,720,722],{"id":721},"what-changed-since-2020","What changed since 2020",[12,724,725,726,728,729,59],{},"Leith's 2020 study ranked browsers in three tiers ",[33,727],{"id":35},". Brave alone occupied the top tier. Chrome, Firefox, and Safari fell in the middle group, with varying degrees of telemetry. Edge and Yandex were the worst, transmitting persistent hardware-linked identifiers ",[33,730],{"id":39},[12,732,733,734,59],{},"Our 2026 data suggests the ranking has shifted. Brave has maintained its position and arguably improved it with the STAR protocol. Vivaldi, not in the 2020 study, slots in behind Brave as a low-telemetry Chromium option with an incomplete de-Googling. Safari has gained Private Relay but still loads trackers. Firefox remains talkative. Chrome remains Chrome. Edge remains the noisiest browser tested, in both our data and Leith's 2020 study. A 2024 academic study by Radivojevic et al. independently reached a similar conclusion, testing 14 browsers and placing Brave, LibreWolf, and Tor in the highest privacy tier, with Chrome and Edge in the lowest ",[33,735],{"id":736},"19",[12,738,739,740,742,743,59],{},"The sizeof(cat) 2025 connection count data ",[33,741],{"id":65}," aligns with our packet-level findings. Their Edge count of 48 startup connections maps to our observation of the largest cold start traffic of any browser ",[33,744],{"id":65},[78,746,748],{"id":747},"limitations","Limitations",[12,750,751,754],{},[146,752,753],{},"Platform inconsistency",": Three browsers were tested in Linux VMs, four on native macOS. The native macOS captures include operating system traffic (OCSP, iCloud, NTP) that's absent from the VM captures. We identified and noted these, but some contamination is possible. The ideal setup would test all browsers on the same platform, which ARM64 browser availability prevented.",[12,756,757,760],{},[146,758,759],{},"Single run",": Each browser was tested once. Network conditions, CDN routing, and server-side A\u002FB tests could affect results. A repeat test might produce slightly different numbers, though the domain lists and relative rankings would likely hold.",[12,762,763,766,767,769,770,772],{},[146,764,765],{},"No payload inspection",": We captured packet metadata (DNS queries, TLS SNI, packet counts) but did not decrypt HTTPS payloads for this study. We know Chrome contacted ",[106,768,313],{}," 42 times, but we did not inspect what was in those requests beyond what Google's documentation describes ",[33,771],{"id":495},". Future work with mitmproxy could reveal payload contents where certificate pinning allows.",[12,774,775,778,779,434,782,785,786,789],{},[146,776,777],{},"Browsing automation",": The ",[106,780,781],{},"open -a",[106,783,784],{},"osascript"," automation for native macOS browsers opened URLs in new tabs rather than navigating in the same tab. For VM browsers, ",[106,787,788],{},"xdotool"," typed URLs into the address bar. Both approaches are valid but produce slightly different browser behaviour (tab count, memory usage).",[12,791,792,795],{},[146,793,794],{},"Default settings only",": Every browser was tested with its out-of-the-box defaults. We did not disable telemetry, change privacy settings, or install extensions. Whether opting out actually stops the traffic is a separate question.",[12,797,798,801],{},[146,799,800],{},"Start page variability",": Safari and Firefox load content from third-party sites on their start pages (Siri Suggestions and Pocket respectively). The specific sites loaded may vary by region, time of day, and user. Our captures reflect what loaded in the UK on 23 April 2026.",[25,803,805],{"id":804},"what-you-can-do","What you can do",[12,807,808,809,813],{},"Chrome with default settings contacts dozens of vendor domains, loads ad infrastructure during idle, and has no built-in tracker blocking. Edge contacts even more vendor domains and, while its Balanced tracking prevention blocks some third-party trackers, still loaded 54 ad-tech domains in our test. Switching to ",[810,811,640],"a",{"href":812},"\u002Fcompare\u002Fbrowsers"," eliminates most of this. Switching to Tor Browser eliminates all of it, at the cost of speed.",[12,815,816],{},"For those who can't switch browsers, the minimum steps are: disable telemetry and crash reporting in settings, install a tracker blocker extension (uBlock Origin where supported), and turn off autofill if you don't use it. These won't achieve what Brave or Tor do architecturally, but they reduce the surface area.",[12,818,819,820,824,825,828],{},"For a broader assessment of your browser's privacy posture, try our ",[810,821,823],{"href":822},"\u002Ftools\u002Fprivacy-checkup","Privacy Checkup"," tool, or see our full ",[810,826,827],{"href":812},"browser comparison"," for detailed grades across all major browsers.",{"title":23,"searchDepth":830,"depth":830,"links":831},2,[832,833,840,849,854],{"id":27,"depth":830,"text":28},{"id":75,"depth":830,"text":76,"children":834},[835,837,838,839],{"id":80,"depth":836,"text":81},3,{"id":100,"depth":836,"text":101},{"id":135,"depth":836,"text":136},{"id":164,"depth":836,"text":165},{"id":174,"depth":830,"text":175,"children":841},[842,843,844,845,846,847,848],{"id":178,"depth":836,"text":179},{"id":285,"depth":836,"text":286},{"id":316,"depth":836,"text":317},{"id":345,"depth":836,"text":346},{"id":411,"depth":836,"text":412},{"id":533,"depth":836,"text":534},{"id":563,"depth":836,"text":564},{"id":610,"depth":830,"text":611,"children":850},[851,852,853],{"id":614,"depth":836,"text":615},{"id":721,"depth":836,"text":722},{"id":747,"depth":836,"text":748},{"id":804,"depth":830,"text":805},"Data Study",[857],{"date":858,"description":859},"2026-04-24","Initial publication. Methodology: packet capture (tcpdump) and TLS\u002FDNS extraction (tshark) on 7 browsers across three phases (cold start, idle, browsing), fresh profiles, April 2026.","We captured every packet 7 browsers sent on fresh installs. Edge: 160,588 packets. Tor: zero DNS queries. Brave: zero trackers. Full data.","md","\u002Fimages\u002Fresearch\u002Fbrowser-telemetry-audit.jpg",[864,868,871,875,878],{"text":865,"sourceIds":866},"Edge generated 160,588 packets on first launch, nearly three times Chrome's 61,590. Its cold start capture was 192MB.",[867],1,{"text":869,"sourceIds":870},"Tor Browser produced zero DNS queries across all three test phases. Every packet was routed through the Tor network, invisible to a network observer.",[867],{"text":872,"sourceIds":873},"Chrome's autofill service contacted content-autofill.googleapis.com 42 times during a 10-site browsing session, averaging over 4 queries per page.",[867,874],9,{"text":876,"sourceIds":877},"Edge loaded 54 ad-tech and cookie-sync domains during browsing, more than Chrome's 47. Neither browser's default settings prevented these connections.",[867],{"text":879,"sourceIds":880},"Brave blocked every third-party tracker during browsing. Vivaldi and Tor Browser also produced zero browser-initiated idle traffic.",[867],{},true,"\u002Fresearch\u002Fbrowser-telemetry-audit",12,{"title":5,"description":860},[887,891,894,897,901,905,909,913,917,920,924,928,931,935,939,943,947,951],{"id":867,"title":888,"url":889,"accessDate":890},"The Privacy Authority Browser Telemetry Lab - Extracted Data (DNS queries, TLS SNI, per-browser summaries)","\u002Fdata\u002Fresearch\u002Fbrowser-telemetry-audit.zip","2026-04-23",{"id":830,"title":892,"url":893,"accessDate":890},"Leith, D.J. 'Web Browser Privacy: What Do Browsers Say When They Phone Home?' - Trinity College Dublin (2020)","https:\u002F\u002Fwww.scss.tcd.ie\u002FDoug.Leith\u002Fpubs\u002Fbrowser_privacy.pdf",{"id":836,"title":895,"url":896,"accessDate":890},"sizeof(cat): Web Browser Telemetry - 2025 Edition (original site offline; summary via Privacy Guides Community)","https:\u002F\u002Fdiscuss.privacyguides.net\u002Ft\u002Fbrowser-connected-domains-telemetry-test-2025-by-sizeofcat\u002F26866",{"id":898,"title":899,"url":900,"accessDate":890},4,"Brave: Privacy-Preserving Product Analytics (P3A)","https:\u002F\u002Fbrave.com\u002Fblog\u002Fprivacy-preserving-product-analytics-p3a\u002F",{"id":902,"title":903,"url":904,"accessDate":890},5,"Brave: STAR - Privacy-Preserving Data Collection","https:\u002F\u002Fbrave.com\u002Fprivacy-updates\u002F19-star\u002F",{"id":906,"title":907,"url":908,"accessDate":890},6,"Apple: About iCloud Private Relay","https:\u002F\u002Fsupport.apple.com\u002Fen-us\u002F102602",{"id":910,"title":911,"url":912,"accessDate":890},7,"Microsoft Learn: User Data and Privacy in Microsoft Edge (Privacy Whitepaper)","https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fmicrosoft-edge\u002Fprivacy-whitepaper",{"id":914,"title":915,"url":916,"accessDate":890},8,"BleepingComputer: Research Finds Microsoft Edge Has Privacy-Invading Telemetry (2020)","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fmicrosoft\u002Fresearch-finds-microsoft-edge-has-privacy-invading-telemetry\u002F",{"id":874,"title":918,"url":919,"accessDate":890},"Google Chrome Help: How Chrome Protects Your Autofill and Password Data","https:\u002F\u002Fsupport.google.com\u002Fchrome\u002Fanswer\u002F14271924?hl=en",{"id":921,"title":922,"url":923,"accessDate":890},10,"Google: Next Steps for Privacy Sandbox and Tracking Protections in Chrome (April 2025)","https:\u002F\u002Fprivacysandbox.google.com\u002Fblog\u002Fprivacy-sandbox-next-steps",{"id":925,"title":926,"url":927,"accessDate":890},11,"CPO Magazine: Brave Ranked Most Private Browser, Edge and Yandex Least Private (2020)","https:\u002F\u002Fwww.cpomagazine.com\u002Fdata-privacy\u002Fbrave-ranked-the-most-private-browser-while-microsoft-edge-and-yandex-the-least-private-due-to-privacy-invading-telemetry\u002F",{"id":884,"title":929,"url":930,"accessDate":890},"Vivaldi Browser: Privacy Policy","https:\u002F\u002Fvivaldi.com\u002Fprivacy\u002Fbrowser\u002F",{"id":932,"title":933,"url":934,"accessDate":890},13,"Tor Project: Tor Browser Design Document","https:\u002F\u002Fspec.torproject.org\u002Ftorbrowser-design",{"id":936,"title":937,"url":938,"accessDate":890},15,"Apple: iCloud Private Relay Security Overview (December 2021)","https:\u002F\u002Fwww.apple.com\u002Ficloud\u002Fdocs\u002FiCloud_Private_Relay_Overview_Dec2021.pdf",{"id":940,"title":941,"url":942,"accessDate":890},16,"Stoutner Redmine: Bug #723 - Connects to content-autofill.googleapis.com When Tapping on an Input Field","https:\u002F\u002Fredmine.stoutner.com\u002Fissues\u002F723",{"id":944,"title":945,"url":946,"accessDate":890},17,"Mozilla Wiki: Telemetry Data Collection Policy","https:\u002F\u002Fwiki.mozilla.org\u002FTelemetry",{"id":948,"title":949,"url":950,"accessDate":890},18,"PCWorld: Chrome Tracks More Than You Realize - Here's How to Take Back Your Privacy (2025)","https:\u002F\u002Fwww.pcworld.com\u002Farticle\u002F2941324\u002Fchrome-tracks-more-than-you-realize-heres-how-to-take-back-your-privacy.html",{"id":952,"title":953,"url":954,"accessDate":890},19,"Radivojevic et al. 'Defending Novice User Privacy: An Evaluation of Default Web Browser Configurations' - Computers & Security, Vol 140 (2024)","https:\u002F\u002Fwww.sciencedirect.com\u002Fscience\u002Farticle\u002Fabs\u002Fpii\u002FS0167404824000853","research\u002Fbrowser-telemetry-audit","A packet-level network audit of Chrome, Edge, Firefox, Safari, Brave, Vivaldi, and Tor Browser on fresh install","qPK4h9IfOemzGxbDjFYNJrl-FJazkJXtNwUBQVjnhS0",[959,1494],{"id":4,"title":5,"author":6,"authorCredibility":7,"body":960,"category":855,"changelog":1460,"date":858,"description":860,"extension":861,"image":862,"keyFindings":1462,"lastUpdated":858,"meta":1473,"navigation":882,"path":883,"readTime":884,"seo":1474,"sources":1475,"stem":955,"subtitle":956,"__hash__":957},{"type":9,"value":961,"toc":1436},[962,964,966,968,970,976,986,992,994,996,998,1002,1004,1006,1008,1022,1024,1026,1030,1034,1038,1042,1044,1046,1048,1050,1052,1054,1056,1062,1078,1086,1096,1098,1106,1112,1114,1118,1120,1130,1132,1134,1136,1146,1148,1150,1152,1156,1162,1172,1184,1186,1188,1190,1192,1206,1210,1214,1222,1228,1230,1248,1260,1262,1264,1266,1276,1278,1282,1284,1286,1296,1298,1304,1306,1308,1310,1312,1314,1320,1326,1332,1344,1352,1358,1368,1370,1376,1380,1386,1388,1392,1396,1404,1414,1418,1422,1424,1428,1430],[12,963,14],{},[12,965,17],{},[19,967],{"label":21,"value":22,"suffix":23},[25,969,28],{"id":27},[12,971,31,972,36,974,40],{},[33,973],{"id":35},[33,975],{"id":39},[12,977,43,978,47,980,51,982,55,984,59],{},[33,979],{"id":46},[33,981],{"id":50},[33,983],{"id":54},[33,985],{"id":58},[12,987,62,988,66,990,69],{},[33,989],{"id":65},[33,991],{"id":65},[12,993,72],{},[25,995,76],{"id":75},[78,997,81],{"id":80},[12,999,84,1000,59],{},[33,1001],{"id":87},[12,1003,90],{},[92,1005],{":headers":94,":rows":95,":sortable":96,"caption":97},[78,1007,101],{"id":100},[12,1009,104,1010,109,1012,113,1014,117,1016,121,1018,125,1020,129],{},[106,1011,108],{},[106,1013,112],{},[106,1015,116],{},[106,1017,120],{},[106,1019,124],{},[106,1021,128],{},[12,1023,132],{},[78,1025,136],{"id":135},[12,1027,139,1028,142],{},[33,1029],{"id":87},[12,1031,1032,149],{},[146,1033,148],{},[12,1035,1036,155],{},[146,1037,154],{},[12,1039,1040,161],{},[146,1041,160],{},[78,1043,165],{"id":164},[12,1045,168],{},[19,1047],{"label":171,"value":58},[25,1049,175],{"id":174},[78,1051,179],{"id":178},[12,1053,182],{},[184,1055],{":datasets":186,":labels":187,"caption":188,"type":189},[12,1057,192,1058,195,1060,198],{},[33,1059],{"id":87},[33,1061],{"id":35},[12,1063,201,1064,204,1066,208,1068,212,1070,216,1072,220,1074,224,1076,227],{},[33,1065],{"id":58},[106,1067,207],{},[106,1069,211],{},[106,1071,215],{},[106,1073,219],{},[106,1075,223],{},[33,1077],{"id":87},[12,1079,230,1080,233,1082,237,1084,59],{},[33,1081],{"id":87},[106,1083,236],{},[33,1085],{"id":87},[12,1087,242,1088,208,1090,208,1092,252,1094,255],{},[106,1089,245],{},[106,1091,248],{},[106,1093,251],{},[33,1095],{"id":87},[184,1097],{":datasets":258,":labels":259,"caption":260,"type":189},[12,1099,263,1100,266,1102,269,1104,59],{},[33,1101],{"id":87},[33,1103],{"id":87},[33,1105],{"id":87},[12,1107,274,1108,278,1110,282],{},[106,1109,277],{},[33,1111],{"id":281},[78,1113,286],{"id":285},[12,1115,289,1116,59],{},[33,1117],{"id":87},[92,1119],{":headers":294,":rows":295,":sortable":96,"caption":296},[12,1121,299,1122,302,1124,306,1126,310,1128,59],{},[33,1123],{"id":50},[33,1125],{"id":305},[106,1127,309],{},[106,1129,313],{},[78,1131,317],{"id":316},[12,1133,320],{},[92,1135],{":headers":323,":rows":324,":sortable":96,"caption":325},[12,1137,328,1138,332,1140,335,1142,339,1144,59],{},[106,1139,331],{},[33,1141],{"id":87},[106,1143,338],{},[106,1145,342],{},[78,1147,346],{"id":345},[12,1149,349],{},[184,1151],{":datasets":352,":labels":353,"caption":354,"type":189},[12,1153,357,1154,360],{},[33,1155],{"id":87},[12,1157,363,1158,366,1160,369],{},[106,1159,309],{},[33,1161],{"id":305},[12,1163,372,1164,376,1166,379,1168,383,1170,387],{},[106,1165,375],{},[33,1167],{"id":87},[106,1169,382],{},[106,1171,386],{},[12,1173,390,1174,394,1176,397,1178,401,1180,405,1182,408],{},[106,1175,393],{},[33,1177],{"id":87},[106,1179,400],{},[106,1181,404],{},[33,1183],{"id":87},[78,1185,412],{"id":411},[12,1187,415],{},[19,1189],{"label":418,"value":419,"suffix":420},[184,1191],{":datasets":423,":labels":424,"caption":425,"type":189},[12,1193,428,1194,431,1196,434,1198,438,1200,208,1202,212,1204,129],{},[33,1195],{"id":87},[106,1197,313],{},[106,1199,437],{},[106,1201,219],{},[106,1203,443],{},[106,1205,446],{},[12,1207,449,1208,452],{},[33,1209],{"id":58},[12,1211,455,1212,458],{},[33,1213],{"id":87},[12,1215,461,1216,464,1218,434,1220,471],{},[33,1217],{"id":87},[106,1219,467],{},[106,1221,470],{},[12,1223,474,1224,478,1226,59],{},[106,1225,477],{},[33,1227],{"id":87},[12,1229,483],{},[12,1231,486,1232,489,1234,492,1236,496,1238,499,1240,503,1242,434,1244,510,1246,59],{},[106,1233,313],{},[33,1235],{"id":87},[33,1237],{"id":495},[33,1239],{"id":495},[33,1241],{"id":502},[106,1243,506],{},[106,1245,509],{},[33,1247],{"id":87},[12,1249,515,1250,518,1252,521,1254,524,1256,527,1258,530],{},[106,1251,219],{},[106,1253,207],{},[106,1255,443],{},[33,1257],{"id":87},[106,1259,446],{},[78,1261,534],{"id":533},[12,1263,537],{},[92,1265],{":headers":540,":rows":541,":sortable":96,"caption":542},[12,1267,545,1268,548,1270,552,1272,556,1274,560],{},[33,1269],{"id":87},[106,1271,551],{},[106,1273,555],{},[33,1275],{"id":559},[78,1277,564],{"id":563},[12,1279,567,1280,571],{},[106,1281,570],{},[12,1283,574],{},[184,1285],{":datasets":577,":labels":578,"caption":579,"type":189},[12,1287,582,1288,585,1290,208,1292,212,1294,593],{},[33,1289],{"id":87},[106,1291,570],{},[106,1293,590],{},[106,1295,223],{},[12,1297,596],{},[12,1299,599,1300,208,1302,604],{},[106,1301,470],{},[106,1303,570],{},[12,1305,607],{},[25,1307,611],{"id":610},[78,1309,615],{"id":614},[12,1311,618],{},[184,1313],{":datasets":621,":labels":622,"caption":623,"type":624},[626,1315,1316],{":stats":628,"name":629,"tier":630},[12,1317,633,1318,636],{},[33,1319],{"id":35},[626,1321,1322],{":stats":639,"name":640,"tier":630},[12,1323,643,1324,646],{},[33,1325],{"id":305},[626,1327,1328],{":stats":649,"name":650,"tier":651},[12,1329,654,1330,657],{},[33,1331],{"id":87},[626,1333,1334],{":stats":660,"name":661,"tier":662},[12,1335,665,1336,405,1338,671,1340,674,1342,677],{},[33,1337],{"id":54},[33,1339],{"id":670},[33,1341],{"id":87},[106,1343,393],{},[626,1345,1346],{":stats":680,"name":681,"tier":662},[12,1347,684,1348,687,1350,59],{},[106,1349,400],{},[33,1351],{"id":690},[626,1353,1354],{":stats":693,"name":694,"tier":695},[12,1355,698,1356,702],{},[33,1357],{"id":701},[626,1359,1360],{":stats":705,"name":706,"tier":695},[12,1361,709,1362,712,1364,405,1366,718],{},[33,1363],{"id":87},[33,1365],{"id":715},[33,1367],{"id":39},[78,1369,722],{"id":721},[12,1371,725,1372,728,1374,59],{},[33,1373],{"id":35},[33,1375],{"id":39},[12,1377,733,1378,59],{},[33,1379],{"id":736},[12,1381,739,1382,742,1384,59],{},[33,1383],{"id":65},[33,1385],{"id":65},[78,1387,748],{"id":747},[12,1389,1390,754],{},[146,1391,753],{},[12,1393,1394,760],{},[146,1395,759],{},[12,1397,1398,766,1400,769,1402,772],{},[146,1399,765],{},[106,1401,313],{},[33,1403],{"id":495},[12,1405,1406,778,1408,434,1410,785,1412,789],{},[146,1407,777],{},[106,1409,781],{},[106,1411,784],{},[106,1413,788],{},[12,1415,1416,795],{},[146,1417,794],{},[12,1419,1420,801],{},[146,1421,800],{},[25,1423,805],{"id":804},[12,1425,808,1426,813],{},[810,1427,640],{"href":812},[12,1429,816],{},[12,1431,819,1432,824,1434,828],{},[810,1433,823],{"href":822},[810,1435,827],{"href":812},{"title":23,"searchDepth":830,"depth":830,"links":1437},[1438,1439,1445,1454,1459],{"id":27,"depth":830,"text":28},{"id":75,"depth":830,"text":76,"children":1440},[1441,1442,1443,1444],{"id":80,"depth":836,"text":81},{"id":100,"depth":836,"text":101},{"id":135,"depth":836,"text":136},{"id":164,"depth":836,"text":165},{"id":174,"depth":830,"text":175,"children":1446},[1447,1448,1449,1450,1451,1452,1453],{"id":178,"depth":836,"text":179},{"id":285,"depth":836,"text":286},{"id":316,"depth":836,"text":317},{"id":345,"depth":836,"text":346},{"id":411,"depth":836,"text":412},{"id":533,"depth":836,"text":534},{"id":563,"depth":836,"text":564},{"id":610,"depth":830,"text":611,"children":1455},[1456,1457,1458],{"id":614,"depth":836,"text":615},{"id":721,"depth":836,"text":722},{"id":747,"depth":836,"text":748},{"id":804,"depth":830,"text":805},[1461],{"date":858,"description":859},[1463,1465,1467,1469,1471],{"text":865,"sourceIds":1464},[867],{"text":869,"sourceIds":1466},[867],{"text":872,"sourceIds":1468},[867,874],{"text":876,"sourceIds":1470},[867],{"text":879,"sourceIds":1472},[867],{},{"title":5,"description":860},[1476,1477,1478,1479,1480,1481,1482,1483,1484,1485,1486,1487,1488,1489,1490,1491,1492,1493],{"id":867,"title":888,"url":889,"accessDate":890},{"id":830,"title":892,"url":893,"accessDate":890},{"id":836,"title":895,"url":896,"accessDate":890},{"id":898,"title":899,"url":900,"accessDate":890},{"id":902,"title":903,"url":904,"accessDate":890},{"id":906,"title":907,"url":908,"accessDate":890},{"id":910,"title":911,"url":912,"accessDate":890},{"id":914,"title":915,"url":916,"accessDate":890},{"id":874,"title":918,"url":919,"accessDate":890},{"id":921,"title":922,"url":923,"accessDate":890},{"id":925,"title":926,"url":927,"accessDate":890},{"id":884,"title":929,"url":930,"accessDate":890},{"id":932,"title":933,"url":934,"accessDate":890},{"id":936,"title":937,"url":938,"accessDate":890},{"id":940,"title":941,"url":942,"accessDate":890},{"id":944,"title":945,"url":946,"accessDate":890},{"id":948,"title":949,"url":950,"accessDate":890},{"id":952,"title":953,"url":954,"accessDate":890},{"id":1495,"title":1496,"author":6,"authorCredibility":1497,"body":1498,"category":2280,"changelog":2281,"date":2283,"description":2285,"extension":861,"image":2286,"keyFindings":2287,"lastUpdated":2283,"meta":2304,"navigation":882,"path":2305,"readTime":2300,"seo":2306,"sources":2307,"stem":2389,"subtitle":2390,"__hash__":2391},"research\u002Fresearch\u002Fmessaging-app-privacy-policies.md","We Read 73,759 Words of Messaging App Privacy Policies So You Don't Have To","Based on computational linguistic analysis of 8 privacy policies totalling 73,759 words",{"type":9,"value":1499,"toc":2265},[1500,1503,1506,1510,1512,1524,1527,1562,1565,1567,1570,1575,1578,1581,1593,1657,1660,1666,1717,1736,1747,1749,1752,1757,1760,1765,1768,1772,1777,1786,1795,1804,1808,1811,1818,1823,1838,1846,1855,1858,1902,1907,1911,1914,1928,1952,1958,1964,1968,1986,1995,2008,2031,2066,2072,2081,2086,2090,2093,2096,2128,2131,2136,2141,2144,2147,2149,2155,2161,2173,2218,2221,2223,2226,2229,2232,2235,2238],[12,1501,1502],{},"We read the privacy policies of eight messaging apps. All of them. Cover to cover. The combined text is 73,759 words, which is longer than The Great Gatsby. Reading them back to back took 4 hours and 55 minutes.",[12,1504,1505],{},"The exercise produced two findings that weren't obvious beforehand. First, every single policy exceeds the average adult reading level. Zero out of eight are readable by the population they're written for. Second, what these documents say and what independently documented evidence shows are, in several cases, different things.",[19,1507],{"label":1508,"value":1509,"suffix":420},"total words across 8 privacy policies","73759",[25,1511,28],{"id":27},[12,1513,1514,1515,405,1521,1523],{},"Privacy policies exist because GDPR, CCPA, and similar regulations require them. The legal theory is informed consent: you read the terms, understand the trade-off, decide whether to accept. In practice, ",[810,1516,1520],{"href":1517,"rel":1518},"https:\u002F\u002Fmhealth.jmir.org\u002F2018\u002F1\u002Fe26\u002F",[1519],"nofollow","a 2018 JMIR study",[33,1522],{"id":701}," found the average app privacy policy requires a 12th-grade reading level. The average American adult reads at 8th grade. The mechanism is broken at the most basic level.",[12,1525,1526],{},"Messaging apps are a useful test case because the data they handle is uniquely personal - private conversations, group chats, media shared in confidence. If any category of software should have transparent data practices, it's this one.",[12,1528,1529,1530,1535,1536,405,1541,1543,1544,405,1549,1552,1553,405,1558,1561],{},"Prior work exists but is either outdated or methodologically limited. The EFF published a ",[810,1531,1534],{"href":1532,"rel":1533},"https:\u002F\u002Fwww.eff.org\u002Fpages\u002Fsecure-messaging-scorecard",[1519],"Secure Messaging Scorecard"," in 2014, received criticism, and never updated it. ",[810,1537,1540],{"href":1538,"rel":1539},"https:\u002F\u002Fsurfshark.com\u002Fresearch\u002Fchart\u002Fmessaging-apps-privacy",[1519],"Surfshark's 2026 comparison",[33,1542],{"id":46}," relies on App Store privacy labels, which are self-reported. ",[810,1545,1548],{"href":1546,"rel":1547},"https:\u002F\u002Fwww.mozillafoundation.org\u002Fen\u002Fblog\u002Fmozilla-study-data-privacy-labels-for-most-top-apps-in-google-play-store-are-false-or-misleading\u002F",[1519],"Mozilla found",[33,1550],{"id":1551},"25"," most of those labels to be \"false or misleading.\" ",[810,1554,1557],{"href":1555,"rel":1556},"https:\u002F\u002Fwww.kaspersky.com\u002Fblog\u002Fmessengers-privacy-rating-2025\u002F54665\u002F",[1519],"Kaspersky published messenger rankings",[33,1559],{"id":1560},"29"," in 2025, though a Russian security company ranking apps on privacy is a dataset worth contextualising.",[12,1563,1564],{},"What appears to be missing is a systematic readability and transparency analysis of the actual policy texts, scored against a consistent rubric and cross-referenced with independent sources. That's what this is.",[25,1566,76],{"id":75},[12,1568,1569],{},"Selection was by install base. The eight most-used messaging apps globally:",[92,1571],{":headers":1572,":rows":1573,"caption":1574},"[\"App\",\"Parent Company\",\"User Base\",\"Default E2EE\"]","[[\"WhatsApp\",\"Meta\",\"2B+\",\"Yes\"],[\"Messenger\",\"Meta\",\"1B+\",\"Yes (since Dec 2023)\"],[\"Telegram\",\"Telegram FZ-LLC\",\"900M+\",\"No (opt-in Secret Chats)\"],[\"iMessage\",\"Apple\",\"1.5B+ devices\",\"Yes\"],[\"Discord\",\"Discord Inc.\",\"200M+ MAU\",\"No\"],[\"Viber\",\"Rakuten\",\"260M+\",\"Yes\"],[\"LINE\",\"LY Corporation\",\"200M+\",\"Yes (Letter Sealing)\"],[\"Signal\",\"Signal Foundation\",\"100M+ downloads\",\"Yes\"]]","Messaging apps included in the analysis, sorted by user base.",[19,1576],{"label":1577,"value":715},"messaging apps analysed, covering 6+ billion user accounts",[12,1579,1580],{},"We retrieved the full English text of each policy in April 2026. Two analyses were applied.",[12,1582,1583,1586,1587,1592],{},[146,1584,1585],{},"Computational readability",": Python's ",[810,1588,1591],{"href":1589,"rel":1590},"https:\u002F\u002Fgithub.com\u002Ftextstat\u002Ftextstat",[1519],"textstat"," library produced six standard readability metrics:",[1594,1595,1596,1607,1617,1627,1637,1647],"ul",{},[1597,1598,1599,1606],"li",{},[146,1600,1601],{},[810,1602,1605],{"href":1603,"rel":1604},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FFlesch%E2%80%93Kincaid_readability_tests",[1519],"Flesch-Kincaid Grade Level"," - maps text difficulty to US school grades based on sentence length and syllable count. Grade 8 = average adult reading level.",[1597,1608,1609,1616],{},[146,1610,1611],{},[810,1612,1615],{"href":1613,"rel":1614},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FFlesch%E2%80%93Kincaid_readability_tests#Flesch_reading_ease",[1519],"Flesch Reading Ease"," - 0-100 scale, higher = easier. Consumer documents should target 60-70. Academic papers typically score 10-30.",[1597,1618,1619,1626],{},[146,1620,1621],{},[810,1622,1625],{"href":1623,"rel":1624},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FGunning_fog_index",[1519],"Gunning Fog Index"," - estimates years of formal education needed. Weights complex words (3+ syllables) more heavily than Flesch-Kincaid.",[1597,1628,1629,1636],{},[146,1630,1631],{},[810,1632,1635],{"href":1633,"rel":1634},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FSMOG",[1519],"SMOG Index"," - similar to Gunning Fog but uses polysyllable density. Considered more accurate for healthcare and legal texts.",[1597,1638,1639,1646],{},[146,1640,1641],{},[810,1642,1645],{"href":1643,"rel":1644},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FColeman%E2%80%93Liau_index",[1519],"Coleman-Liau Index"," - uses character count rather than syllables, making it less sensitive to domain-specific terminology.",[1597,1648,1649,1656],{},[146,1650,1651],{},[810,1652,1655],{"href":1653,"rel":1654},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAutomated_readability_index",[1519],"Automated Readability Index"," - character and word count based. Designed for automated assessment of US military technical manuals.",[12,1658,1659],{},"We also ran custom regex analysis to measure hedge word frequency (\"may\", \"might\", \"could\"), pronoun balance (\"we\u002Four\" vs \"you\u002Fyour\"), and passive voice density.",[12,1661,1662,1665],{},[146,1663,1664],{},"Manual transparency scoring",": each policy was evaluated against eight dimensions, scored 0-10:",[1667,1668,1669,1675,1681,1687,1693,1699,1705,1711],"ol",{},[1597,1670,1671,1674],{},[146,1672,1673],{},"Readability"," - required grade level",[1597,1676,1677,1680],{},[146,1678,1679],{},"Brevity"," - word count relative to scope",[1597,1682,1683,1686],{},[146,1684,1685],{},"Data collection transparency"," - specificity of what's collected",[1597,1688,1689,1692],{},[146,1690,1691],{},"Retention clarity"," - concrete timelines vs vague phrasing",[1597,1694,1695,1698],{},[146,1696,1697],{},"Third-party transparency"," - whether data recipients are named",[1597,1700,1701,1704],{},[146,1702,1703],{},"Encryption disclosure"," - accuracy and completeness of E2EE documentation",[1597,1706,1707,1710],{},[146,1708,1709],{},"Law enforcement disclosure"," - what the policy says about law enforcement access",[1597,1712,1713,1716],{},[146,1714,1715],{},"Honesty gap"," - alignment between the policy and independent evidence",[12,1718,1719,1720,405,1725,1727,1728,405,1733,1735],{},"The eighth dimension is the most interesting. We cross-referenced each policy against the ",[810,1721,1724],{"href":1722,"rel":1723},"https:\u002F\u002Fwww.justsecurity.org\u002F79549\u002Fwe-now-know-what-information-the-fbi-can-obtain-from-encrypted-messaging-apps\u002F",[1519],"FBI's own internal document on messaging app data access",[33,1726],{"id":559}," (released via FOIA in 2021), ",[810,1729,1732],{"href":1730,"rel":1731},"https:\u002F\u002Fwww.ftc.gov\u002Fnews-events\u002Fnews\u002Fpress-releases\u002F2024\u002F09\u002Fftc-staff-report-finds-large-social-media-video-streaming-companies-have-engaged-vast-surveillance",[1519],"FTC surveillance reports",[33,1734],{"id":39},", breach disclosures, and regulatory enforcement actions.",[12,1737,1738,1739,405,1744,1746],{},"A note on Meta: their policy is a JavaScript application that doesn't render static text. We pulled content from mbasic.facebook.com (identical text, static HTML). ",[810,1740,1743],{"href":1741,"rel":1742},"https:\u002F\u002Fwww.techpolicy.press\u002Fmetas-privacy-policies-designed-badly-by-design\u002F",[1519],"TechPolicy.Press",[33,1745],{"id":502}," counted 168+ sub-pages linked from the main policy, describing the structure as \"probably hundreds of indigestible pieces.\" Our analysis covers the core document only.",[25,1748,175],{"id":174},[78,1750,1673],{"id":1751},"readability",[19,1753],{"label":1754,"value":1755,"suffix":1756},"average reading grade level required - the US average adult reads at Grade 8","14.6","th grade",[12,1758,1759],{},"Every policy in the dataset exceeds the average adult reading level. The lowest Flesch-Kincaid grade was Telegram at 11.2. The highest was LINE at 18.2 - postgraduate level. A reader would need more formal education to parse LINE's privacy policy than to enter most law programmes.",[184,1761],{":datasets":1762,":labels":1763,"caption":1764,"type":189},"[{\"label\":\"Flesch-Kincaid Grade Level\",\"data\":[11.2,12.4,12.6,14.4,14.6,16.8,17.0,18.2]},{\"label\":\"Average adult reading level (Grade 8-9)\",\"data\":[8.5,8.5,8.5,8.5,8.5,8.5,8.5,8.5],\"type\":\"line\",\"borderDash\":[6,4],\"pointRadius\":0,\"borderWidth\":3,\"borderColor\":\"rgba(239, 68, 68, 0.8)\",\"backgroundColor\":\"rgba(239, 68, 68, 0.8)\"}]","[\"Telegram\",\"Discord\",\"Signal\",\"WhatsApp\",\"Apple\",\"Viber\",\"Meta\",\"LINE\"]","Figure 1. Reading grade level required for each privacy policy. The red line marks the average adult reading level (Grade 8-9). Every policy exceeds it.",[12,1766,1767],{},"Flesch Reading Ease tells the same story from the other direction. The scale runs 0-100, higher being easier. Consumer documents should target 60-70. The dataset average was 34.3. LINE scored 20.6, which places it in the territory of academic journals.",[78,1769,1771],{"id":1770},"word-count","Word count",[184,1773],{":datasets":1774,":labels":1775,"caption":1776,"type":189},"[{\"label\":\"Word Count\",\"data\":[2084,4140,4457,5391,5762,8062,12669,31194]}]","[\"Signal\",\"WhatsApp\",\"Apple\",\"Telegram\",\"Discord\",\"LINE\",\"Viber\",\"Meta\"]","Figure 2. Privacy policy word count by messaging app. Meta's policy (31,194 words) is 15 times longer than Signal's (2,084 words).",[12,1778,1779,1780,1782,1783,1785],{},"Signal's entire legal page - terms of service and privacy policy combined - is 2,084 words ",[33,1781],{"id":87},". Meta's privacy policy alone is 31,194 words ",[33,1784],{"id":65},". The ratio is 15:1. We verified the count twice because the number seemed like a parsing error. It wasn't.",[12,1787,1788,1789,1791,1792,1794],{},"Viber reaches 12,669 words ",[33,1790],{"id":715}," because Rakuten uses a single policy to cover messaging, payments, a dating service, communities, and business tools. LINE is 8,062 words ",[33,1793],{"id":495}," because LY Corporation's corporate policy covers their entire product portfolio. Finding the messaging-specific terms requires reading through sections about financial services, AI research, and advertising platforms.",[12,1796,1797,1798,405,1801,1803],{},"Meta's 31,194 is only the core document. The 168 linked sub-pages are additional. ",[810,1799,1743],{"href":1741,"rel":1800},[1519],[33,1802],{"id":502}," described the structure as featuring \"confusing hyperlinks, circular references to documents, no ability to comprehensively and functionally search across documents, and misleading or inaccurate statements.\"",[78,1805,1807],{"id":1806},"hedging-language","Hedging language",[12,1809,1810],{},"A pattern emerged during the read-through: the word \"may\" appeared at a frequency that seemed deliberate. \"We may collect.\" \"We may share.\" \"We may retain.\" In a legal document, \"may\" means the company reserves the right to do something without committing to disclosing when or whether it actually does. Maximum legal cover, minimum transparency obligation.",[12,1812,1813,1814,1817],{},"We constructed a ",[146,1815,1816],{},"hedge ratio",": the frequency of hedging words (\"may\", \"might\", \"could\", \"in some cases\") divided by definitive words (\"will\", \"must\", \"always\", \"never\").",[184,1819],{":datasets":1820,":labels":1821,"caption":1822,"type":189},"[{\"label\":\"Hedge Ratio (hedging words per definitive word)\",\"data\":[0.64,0.80,0.91,1.08,1.56,2.68,2.80,3.61]}]","[\"Telegram\",\"Signal\",\"LINE\",\"Viber\",\"WhatsApp\",\"Apple\",\"Meta\",\"Discord\"]","Figure 3. Hedging language ratio. Higher values indicate more evasive language. Discord uses 3.6 hedging words for every definitive statement.",[12,1824,1825,1826,1828,1829,1831,1832,1834,1835,1837],{},"Discord scored 3.61 ",[33,1827],{"id":58}," - 3.6 hedging words per definitive statement. Apple: 2.68 ",[33,1830],{"id":50},". Meta: 2.80 ",[33,1833],{"id":65},". Telegram scored 0.64 ",[33,1836],{"id":305},", meaning more definitive statements than hedged ones. The app most commonly associated with privacy concerns has the most direct privacy policy in the dataset.",[12,1839,1840,1841,1843,1844,59],{},"The word \"may\" appears 101 times in Viber's policy ",[33,1842],{"id":715},". Signal uses it 17 times ",[33,1845],{"id":87},[12,1847,1848,1851,1852,1854],{},[146,1849,1850],{},"Retention language"," follows the same pattern. \"As long as necessary.\" \"For a reasonable period.\" \"From time to time.\" These phrases communicate nothing about actual retention timelines. Viber uses 15 such phrases. Meta uses 14. Telegram states concrete numbers: 12 months for metadata, 48 hours for deleted supergroup messages, 18 months of inactivity before account deletion ",[33,1853],{"id":305},". Specificity is possible. Most companies choose not to provide it.",[12,1856,1857],{},"The table below consolidates all metrics. Column definitions:",[1594,1859,1860,1866,1872,1878,1884,1890,1896],{},[1597,1861,1862,1865],{},[146,1863,1864],{},"Words"," - total word count of the policy text",[1597,1867,1868,1871],{},[146,1869,1870],{},"FK Grade"," - Flesch-Kincaid grade level (years of education needed to read comfortably)",[1597,1873,1874,1877],{},[146,1875,1876],{},"Flesch Ease"," - Flesch Reading Ease score (0-100, higher = easier; 60-70 is the target for consumer documents)",[1597,1879,1880,1883],{},[146,1881,1882],{},"Read Time"," - estimated reading time at 250 words per minute",[1597,1885,1886,1889],{},[146,1887,1888],{},"Hedge Ratio"," - hedging words (\"may\", \"might\", \"could\", \"in some cases\") divided by definitive words (\"will\", \"must\", \"always\", \"never\")",[1597,1891,1892,1895],{},[146,1893,1894],{},"Uses of May"," - raw count of the word \"may\" in the policy",[1597,1897,1898,1901],{},[146,1899,1900],{},"Vague Retention"," - count of non-specific data retention phrases (\"as long as necessary\", \"for a reasonable period\", \"from time to time\", and similar)",[92,1903],{":headers":1904,":rows":1905,"caption":1906,":sortable":96},"[\"App\",\"Words\",\"FK Grade\",\"Flesch Ease\",\"Read Time\",\"Hedge Ratio\",\"Uses of May\",\"Vague Retention\"]","[[\"Signal\",\"2,084\",\"12.6\",\"36.8\",\"8 min\",\"0.80\",\"17\",\"3\"],[\"WhatsApp\",\"4,140\",\"14.4\",\"33.7\",\"17 min\",\"1.56\",\"28\",\"5\"],[\"Apple (iMessage)\",\"4,457\",\"14.6\",\"30.8\",\"18 min\",\"2.68\",\"44\",\"5\"],[\"Telegram\",\"5,391\",\"11.2\",\"50.1\",\"22 min\",\"0.64\",\"31\",\"3\"],[\"Discord\",\"5,762\",\"12.4\",\"41.5\",\"23 min\",\"3.61\",\"75\",\"2\"],[\"LINE\",\"8,062\",\"18.2\",\"20.6\",\"32 min\",\"0.91\",\"61\",\"3\"],[\"Viber\",\"12,669\",\"16.8\",\"30.7\",\"51 min\",\"1.08\",\"101\",\"15\"],[\"Meta (Messenger)\",\"31,194\",\"17.0\",\"29.9\",\"125 min\",\"2.80\",\"68\",\"14\"]]","Table 1. Complete readability and linguistic analysis. Sorted by word count. Click column headers to re-sort.",[78,1908,1910],{"id":1909},"encryption-transparency","Encryption transparency",[12,1912,1913],{},"Every app in the dataset mentions encryption on its marketing pages. Padlock icons, reassuring copy about \"protected\" messages. The privacy policies tell a different story.",[12,1915,1916,1917,1919,1920,405,1925,1927],{},"Apple's main privacy policy ",[33,1918],{"id":50}," - linked from the App Store, from iPhone settings, from the apple.com legal footer - contains zero mentions of encryption. We searched for \"encrypt\", \"end-to-end\", and \"E2E\". Nothing. iMessage has had end-to-end encryption since 2011. The technical details are on a ",[810,1921,1924],{"href":1922,"rel":1923},"https:\u002F\u002Fwww.apple.com\u002Flegal\u002Fprivacy\u002Fdata\u002Fen\u002Fmessages\u002F",[1519],"separate page",[33,1926],{"id":54}," in Apple's legal section, not linked from the main policy. You'd find it only if you already knew to look.",[12,1929,1930,1931,405,1936,1939,1940,405,1945,1948,1949,1951],{},"LINE built an E2EE protocol called Letter Sealing, ",[810,1932,1935],{"href":1933,"rel":1934},"https:\u002F\u002Ftechcrunch.com\u002F2015\u002F10\u002F12\u002Fline-adds-end-to-end-encryption-to-its-mobile-messaging-app\u002F",[1519],"enabled by default since 2015",[33,1937],{"id":1938},"28",", with a published ",[810,1941,1944],{"href":1942,"rel":1943},"https:\u002F\u002Fscdn.line-apps.com\u002Fstf\u002Flinecorp\u002Fen\u002Fcsr\u002Fline-encryption-whitepaper-ver2.1.pdf",[1519],"technical whitepaper",[33,1946],{"id":1947},"24",". The phrase \"Letter Sealing\" appears zero times in their privacy policy ",[33,1950],{"id":495},". There is one reference to \"provision of encryption feature of messages\" with no further explanation. The words \"end-to-end\" don't appear. They engineered a privacy feature and omitted it from the privacy document.",[12,1953,1954,1955,1957],{},"Telegram is direct about its architecture ",[33,1956],{"id":305},". Secret Chats use E2EE (opt-in, 1-on-1 only). Regular Cloud Chats don't - Telegram holds the keys. The distinction is clearly documented. The consequence is that the default experience for most users, and all group chats, are not end-to-end encrypted. The most readable policy in the dataset describes the least private default configuration.",[12,1959,1960,1961,1963],{},"Discord states plainly that text messages aren't end-to-end encrypted ",[33,1962],{"id":58},". Voice and video are. It's the only app in the dataset without text E2EE, and the only one not claiming capabilities it doesn't have.",[78,1965,1967],{"id":1966},"law-enforcement-access","Law enforcement access",[12,1969,1970,1971,405,1975,1977,1978,405,1983,1985],{},"The FBI maintains an internal reference document listing what data each messaging app provides to law enforcement. It was ",[810,1972,1974],{"href":1722,"rel":1973},[1519],"released via FOIA",[33,1976],{"id":559}," by Property of the People. ",[810,1979,1982],{"href":1980,"rel":1981},"https:\u002F\u002Fwww.rollingstone.com\u002Fpolitics\u002Fpolitics-features\u002Fwhatsapp-imessage-facebook-apple-fbi-privacy-1261816\u002F",[1519],"Rolling Stone published an analysis",[33,1984],{"id":281},". The document is dated January 2021.",[12,1987,1988,1991,1992,1994],{},[146,1989,1990],{},"Signal"," provides registration date and last connection time ",[33,1993],{"id":559},". Nothing else. The data doesn't exist on their servers. This isn't a policy decision - there's nothing to hand over.",[12,1996,1997,2000,2001,2004,2005,2007],{},[146,1998,1999],{},"WhatsApp",", per the FBI document, has ",[146,2002,2003],{},"pen register"," capability ",[33,2006],{"id":281},". This means law enforcement can receive a real-time feed of who messages whom, when, and how frequently. Not message content - metadata. In real time. WhatsApp's privacy policy does not mention this capability.",[12,2009,2010,2013,2014,405,2019,2021,2022,405,2027,2030],{},[146,2011,2012],{},"Apple"," retains 25 days of iMessage contact lookup data - who you searched for and who searched for you. ",[810,2015,2018],{"href":2016,"rel":2017},"https:\u002F\u002Ftheintercept.com\u002F2016\u002F09\u002F28\u002Fapple-logs-your-imessage-contacts-and-may-share-them-with-police\u002F",[1519],"The Intercept reported",[33,2020],{"id":690}," the actual retention is 30 days. iMessage content is end-to-end encrypted, but iCloud Backup is enabled by default on most iPhones. When messages are backed up to iCloud, the encryption keys are held by Apple. ",[810,2023,2026],{"href":2024,"rel":2025},"https:\u002F\u002Fwww.apple.com\u002Flegal\u002Fprivacy\u002Flaw-enforcement-guidelines-us.pdf",[1519],"Per Apple's own law enforcement guidelines",[33,2028],{"id":2029},"26",", backed-up message content is available with a valid legal request. The encryption is functionally bypassed by a default setting most users never change.",[12,2032,2033,2036,2037,2040,2041,405,2046,2048,2049,405,2054,2057,2058,405,2063,2065],{},[146,2034,2035],{},"Telegram's"," trajectory is the most significant finding in the dataset. Before August 2024, data sharing was limited to confirmed terrorism cases. 14 requests. 108 users ",[33,2038],{"id":2039},"14",". In August 2024, CEO Pavel Durov was ",[810,2042,2045],{"href":2043,"rel":2044},"https:\u002F\u002Fwww.cnn.com\u002F2024\u002F09\u002F23\u002Ftech\u002Ftelegram-ceo-durov-arrest-user-data-changes",[1519],"arrested in France",[33,2047],{"id":670}," on charges including complicity in cybercrime and refusal to assist with lawful interceptions. Telegram ",[810,2050,2053],{"href":2051,"rel":2052},"https:\u002F\u002Fwww.malwarebytes.com\u002Fblog\u002Fnews\u002F2024\u002F09\u002Ftelegram-will-hand-over-user-details-to-law-enforcement",[1519],"rewrote its privacy policy",[33,2055],{"id":2056},"23"," within weeks. ",[810,2059,2062],{"href":2060,"rel":2061},"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Flegal\u002Ftelegram-hands-over-data-on-thousands-of-users-to-us-law-enforcement\u002F",[1519],"By end of 2024",[33,2064],{"id":2039},": 900 US requests fulfilled, 2,253 users' IP addresses and phone numbers disclosed. From 108 to 2,253 in twelve months. A single arrest restructured the entire data-sharing framework.",[19,2067],{"label":2068,"value":2069,"delta":2070,"delta-direction":2071},"Telegram users whose data was shared with US law enforcement in 2024, up from 108 the previous year","2253","+1987%","up",[12,2073,2074,2077,2078,2080],{},[146,2075,2076],{},"Discord"," provides subscriber information, usage data, and message content on request ",[33,2079],{"id":58},". There's no encryption layer to complicate the process. 200 million monthly active users treat it as private messaging. The architecture doesn't support that assumption.",[92,2082],{":headers":2083,":rows":2084,"caption":2085,":sortable":96},"[\"App\",\"What Law Enforcement Gets\",\"Message Content Accessible?\",\"Notable\"]","[[\"Signal\",\"Registration date, last connection date\",\"No\",\"Least data of any app\"],[\"Telegram\",\"IP address, phone number (post-Sept 2024)\",\"Cloud chats: theoretically yes (keys held by Telegram)\",\"20x surge in 2024 after Durov arrest\"],[\"WhatsApp\",\"Metadata + pen register (real-time who-messages-whom)\",\"Via iCloud\u002FGoogle Drive backups\",\"Only app with pen register\"],[\"iMessage\",\"25 days of contact lookup data, subscriber info\",\"Via iCloud backup (enabled by default)\",\"Backup is the backdoor\"],[\"Discord\",\"Subscriber info, usage data, message content\",\"Yes (no text E2EE)\",\"Full content access\"],[\"Viber\",\"Activity data, identifiers\",\"No (E2EE)\",\"Per FBI document\"],[\"LINE\",\"Limited metadata\",\"Limited\",\"Per FBI document\"],[\"Meta (Messenger)\",\"Per Meta LE process\",\"E2EE messages: no. AI chats, reported messages: yes.\",\"Dec 2025 policy: AI chat data feeds ads\"]]","Table 2. What law enforcement can actually obtain from each messaging app. Based on the FBI's FOIA document (2021), updated with post-2024 developments.",[78,2087,2089],{"id":2088},"overall-transparency-ranking","Overall transparency ranking",[12,2091,2092],{},"The sections above examined individual metrics in isolation: readability, word count, hedging, encryption disclosure, law enforcement access. This section combines them into a single score per app.",[12,2094,2095],{},"Each of the eight dimensions from the methodology (readability, brevity, data collection transparency, retention clarity, third-party transparency, encryption disclosure, law enforcement disclosure, and honesty gap) was scored 0-10. The total is out of 80. We converted totals to letter grades using a standard academic scale:",[1594,2097,2098,2104,2110,2116,2122],{},[1597,2099,2100,2103],{},[146,2101,2102],{},"A (70-80)",": Transparent, specific, honest. No app achieved this.",[1597,2105,2106,2109],{},[146,2107,2108],{},"B (56-69)",": Above average. Meaningful gaps remain.",[1597,2111,2112,2115],{},[146,2113,2114],{},"C (40-55)",": Average. Significant omissions or obfuscation.",[1597,2117,2118,2121],{},[146,2119,2120],{},"D (25-39)",": Below average. More hidden than disclosed.",[1597,2123,2124,2127],{},[146,2125,2126],{},"F (0-24)",": No app scored this low, though two came close.",[12,2129,2130],{},"No app scored above B+. The highest score in the dataset is 55 out of 80.",[184,2132],{":datasets":2133,":labels":2134,"caption":2135,"type":189},"[{\"label\":\"Signal (B+, 54\u002F80)\",\"data\":[5,8,8,3,6,9,5,10]},{\"label\":\"Telegram (B+, 55\u002F80)\",\"data\":[6,5,8,7,8,7,8,6]},{\"label\":\"Meta (D+, 26\u002F80)\",\"data\":[1,0,5,3,4,5,5,3]}]","[\"Readability\",\"Brevity\",\"Data Clarity\",\"Retention\",\"Third Parties\",\"Encryption\",\"LE Disclosure\",\"Honesty\"]","Figure 4. Transparency scores by dimension (0-10). Comparing the two highest-scoring apps against the lowest. Signal and Telegram lead for different reasons; Meta trails in every dimension.",[92,2137],{":headers":2138,":rows":2139,"caption":2140,":sortable":96},"[\"App\",\"Score \u002F80\",\"Grade\",\"Strongest dimension\",\"Weakest dimension\"]","[[\"Telegram\",\"55\",\"B+\",\"Third-party transparency (8\u002F10)\",\"Brevity (5\u002F10)\"],[\"Signal\",\"54\",\"B+\",\"Honesty (10\u002F10)\",\"Retention clarity (3\u002F10)\"],[\"Discord\",\"41\",\"C+\",\"Data clarity (7\u002F10)\",\"Retention clarity (2\u002F10)\"],[\"Apple (iMessage)\",\"41\",\"C+\",\"Brevity, third parties (6\u002F10)\",\"Readability (3\u002F10)\"],[\"WhatsApp\",\"38\",\"C\",\"Encryption disclosure (7\u002F10)\",\"Retention clarity (3\u002F10)\"],[\"Viber\",\"36\",\"C\",\"Encryption disclosure (7\u002F10)\",\"Readability (1\u002F10)\"],[\"Meta (Messenger)\",\"26\",\"D+\",\"Data clarity (5\u002F10)\",\"Brevity (0\u002F10)\"],[\"LINE\",\"26\",\"D+\",\"Data clarity, third parties (5\u002F10)\",\"Readability (0\u002F10)\"]]","Table 3. Transparency audit results. Sorted by total score.",[12,2142,2143],{},"The two B+ scores come from different strengths. Signal scored 10\u002F10 on honesty - zero gap between what the policy states and what independent evidence shows. It lost points on retention clarity because the policy is short enough that it doesn't specify deletion timelines. Telegram scored highest on retention clarity (concrete numbers: 12 months, 48 hours, 18 months) and third-party transparency (names Google, Microsoft, and lists jurisdictions). It lost points on encryption because the default chat mode isn't E2EE.",[12,2145,2146],{},"At the bottom, Meta and LINE both scored 26\u002F80. Meta received 0\u002F10 on brevity - a 31,194-word policy across 168+ pages is not a transparency tool. LINE received 0\u002F10 on readability - grade 18.2 means a postgraduate education is the minimum to parse it.",[25,2148,611],{"id":610},[12,2150,2151,2152,2154],{},"There's an inverse correlation in this dataset between user count and policy quality. This isn't a coincidence - it's an incentive structure. Messenger (1B+ users) has the longest, most fragmented, lowest-scoring policy. WhatsApp (2B+ users) omits the pen register capability documented in the FBI's own reference materials ",[33,2153],{"id":281},". iMessage (1.5B+ devices) omits encryption. Signal (100M downloads) has the shortest, most honest policy. When you don't collect much data, the document explaining what you do with it can be short.",[12,2156,2157,2158,2160],{},"Telegram's trajectory warrants separate attention. The shift from 108 to 2,253 users' data shared in twelve months, triggered by a single arrest ",[33,2159],{"id":2039},", demonstrates how quickly privacy commitments can be restructured under external pressure. The revised policy is technically more transparent than its predecessor. But every user who chose Telegram because \"they don't cooperate with governments\" made that decision based on a commitment that no longer exists. The question this raises is how many other privacy policies are one enforcement action away from a similar reversal.",[12,2162,2163,2164,405,2169,2172],{},"Meta made a quieter change in December 2025 affecting Messenger. ",[810,2165,2168],{"href":2166,"rel":2167},"https:\u002F\u002Fwww.snopes.com\u002Ffact-check\u002Fmeta-dms-privacy-policy\u002F",[1519],"Snopes verified",[33,2170],{"id":2171},"27"," that private message handling didn't change. But conversations with Meta AI - embedded in Messenger, WhatsApp, Instagram, and Facebook - now feed ad targeting. The distinction between \"your private messages\" and \"your conversation with the AI assistant inside the messaging app\" is precisely the kind of boundary that a product legal team constructs to be as narrow as possible while remaining technically defensible.",[12,2174,2175,2176,405,2181,2184,2185,405,2190,2193,2194,405,2199,2202,2203,405,2208,2210,2211,405,2215,2217],{},"The consequences of these practices are documented. Nigeria ",[810,2177,2180],{"href":2178,"rel":2179},"https:\u002F\u002Fwww.techpolicy.press\u002Fwhat-nigerias-challenge-to-whatsapps-data-policy-means-for-global-majority-countries\u002F",[1519],"fined Meta $220 million",[33,2182],{"id":2183},"22"," over WhatsApp's 2021 policy update (upheld on appeal). LY Corporation ",[810,2186,2189],{"href":2187,"rel":2188},"https:\u002F\u002Fwww.lycorp.co.jp\u002Fen\u002Fnews\u002Fannouncements\u002F007715\u002F",[1519],"disclosed a breach",[33,2191],{"id":2192},"21"," of 440,000 records including ",[810,2195,2198],{"href":2196,"rel":2197},"https:\u002F\u002Fwww.cpomagazine.com\u002Fcyber-security\u002Fdata-breach-on-the-largest-japanese-messaging-app-line-leaks-440k-records\u002F",[1519],"22,000+ user messages",[33,2200],{"id":2201},"20"," via a compromised affiliate. Discord ",[810,2204,2207],{"href":2205,"rel":2206},"https:\u002F\u002Fwww.eff.org\u002Fdeeplinks\u002F2026\u002F02\u002Fdiscord-voluntarily-pushes-mandatory-age-verification-despite-recent-data-breach",[1519],"lost 70,000 users' government IDs and selfies",[33,2209],{"id":736}," through a support contractor breach. The ",[810,2212,2214],{"href":1730,"rel":2213},[1519],"FTC characterised",[33,2216],{"id":39}," multiple platforms including Discord as conducting \"vast surveillance\" with \"lax privacy controls.\"",[12,2219,2220],{},"None of these incidents are mentioned in the current privacy policies of the companies involved.",[78,2222,748],{"id":747},[12,2224,2225],{},"The readability metrics (Flesch-Kincaid, Gunning Fog, SMOG) measure syntactic complexity - sentence length, syllable count, word frequency. They don't capture conceptual obfuscation. A policy could score at an 8th-grade level and still be incomprehensible because it defines \"personal data\" inconsistently across sections. That said, the policies scoring worst on readability are also the ones most difficult to parse on a plain reading.",[12,2227,2228],{},"Only English-language versions were analysed. WhatsApp maintains separate EU and UK policies that may differ in substance. Regional variations were not examined.",[12,2230,2231],{},"Three scoring dimensions - encryption disclosure, law enforcement disclosure, honesty gap - involved editorial judgement. The rubric and reasoning are documented here so disagreement can be specific.",[12,2233,2234],{},"Technical notes: Signal's word count includes their Terms of Service (same page; the privacy-specific text is approximately 900 words). Meta's word count was extracted from mbasic.facebook.com because the main site renders content via JavaScript. The 31,194 figure likely understates the total, as the live version hides content behind expandable sections.",[12,2236,2237],{},"This analysis reflects April 2026 policy texts. Policies change; updates will be noted in the changelog.",[12,2239,2240,2241,208,2245,208,2248,208,2252,2256,2257,2261,2262,59],{},"For related comparisons: ",[810,2242,2244],{"href":2243},"\u002Fcompare\u002Fvpns","VPNs",[810,2246,2247],{"href":812},"browsers",[810,2249,2251],{"href":2250},"\u002Fcompare\u002Femail-providers","email providers",[810,2253,2255],{"href":2254},"\u002Fcompare\u002Fpassword-managers","password managers",". To test your own browser's privacy exposure: ",[810,2258,2260],{"href":2259},"\u002Ftools\u002Fbrowser-fingerprint","fingerprint test"," or ",[810,2263,2264],{"href":822},"privacy checkup",{"title":23,"searchDepth":830,"depth":830,"links":2266},[2267,2268,2269,2277],{"id":27,"depth":830,"text":28},{"id":75,"depth":830,"text":76},{"id":174,"depth":830,"text":175,"children":2270},[2271,2272,2273,2274,2275,2276],{"id":1751,"depth":836,"text":1673},{"id":1770,"depth":836,"text":1771},{"id":1806,"depth":836,"text":1807},{"id":1909,"depth":836,"text":1910},{"id":1966,"depth":836,"text":1967},{"id":2088,"depth":836,"text":2089},{"id":610,"depth":830,"text":611,"children":2278},[2279],{"id":747,"depth":836,"text":748},"Policy Analysis",[2282],{"date":2283,"description":2284},"2026-04-22","Initial publication. Methodology: computational readability analysis via textstat (Flesch-Kincaid, Gunning Fog, SMOG, Coleman-Liau, ARI) on full policy texts fetched April 2026, plus manual transparency scoring against 8-dimension rubric.","We analysed 73,759 words of privacy policies across 8 messaging apps. Every single one exceeds the average adult reading level.","\u002Fimages\u002Fresearch\u002Fmessaging-app-privacy-policies.jpg",[2288,2291,2294,2297,2301],{"text":2289,"sourceIds":2290},"All 8 policies exceed the average US adult reading level (Grade 8). The average grade level is 14.6, requiring a college education to understand.",[948],{"text":2292,"sourceIds":2293},"Meta's Messenger privacy policy is 31,194 words long, fragmented across 168+ linked pages, and takes over 2 hours to read.",[836,940],{"text":2295,"sourceIds":2296},"Apple mentions encryption zero times in its main privacy policy. iMessage E2EE details are siloed in a separate page.",[902,906],{"text":2298,"sourceIds":2299},"Telegram's law enforcement data sharing surged from 108 users to 2,253 in one year after CEO Pavel Durov's arrest.",[2300,936],14,{"text":2302,"sourceIds":2303},"WhatsApp is the only app with pen register capability, allowing real-time surveillance of who messages whom.",[884,932],{},"\u002Fresearch\u002Fmessaging-app-privacy-policies",{"title":1496,"description":2285},[2308,2311,2314,2317,2320,2323,2325,2328,2331,2334,2336,2338,2340,2342,2344,2346,2348,2350,2352,2354,2357,2360,2363,2366,2369,2373,2376,2379,2382,2385],{"id":867,"title":2309,"url":2310,"accessDate":2283},"Signal Privacy Policy","https:\u002F\u002Fsignal.org\u002Flegal\u002F",{"id":830,"title":2312,"url":2313,"accessDate":2283},"WhatsApp Privacy Policy","https:\u002F\u002Fwww.whatsapp.com\u002Flegal\u002Fprivacy-policy?lang=en",{"id":836,"title":2315,"url":2316,"accessDate":2283},"Meta Privacy Policy (covers Messenger)","https:\u002F\u002Fwww.facebook.com\u002Fprivacy\u002Fpolicy\u002F",{"id":898,"title":2318,"url":2319,"accessDate":2283},"Telegram Privacy Policy","https:\u002F\u002Ftelegram.org\u002Fprivacy",{"id":902,"title":2321,"url":2322,"accessDate":2283},"Apple Privacy Policy","https:\u002F\u002Fwww.apple.com\u002Flegal\u002Fprivacy\u002Fen-ww\u002F",{"id":906,"title":2324,"url":1922,"accessDate":2283},"Apple iMessage & FaceTime Privacy",{"id":910,"title":2326,"url":2327,"accessDate":2283},"Discord Privacy Policy","https:\u002F\u002Fdiscord.com\u002Fprivacy",{"id":914,"title":2329,"url":2330,"accessDate":2283},"Viber Privacy Policy","https:\u002F\u002Fwww.viber.com\u002Fen\u002Fterms\u002Fviber-privacy-policy\u002F",{"id":874,"title":2332,"url":2333,"accessDate":2283},"LY Corporation (LINE) Privacy Policy","https:\u002F\u002Fwww.lycorp.co.jp\u002Fen\u002Fcompany\u002Fprivacypolicy\u002F",{"id":921,"title":2335,"url":1538,"accessDate":2283},"Surfshark: Messaging Apps That Commit to Your Privacy (2026)",{"id":925,"title":2337,"url":1730,"accessDate":2283},"FTC: A Look Behind the Screens - Surveillance Report (September 2024)",{"id":884,"title":2339,"url":1722,"accessDate":2283},"FBI Law Enforcement Access to Encrypted Messaging Apps (FOIA, January 2021)",{"id":932,"title":2341,"url":1980,"accessDate":2283},"Rolling Stone: FBI Can Get WhatsApp Data in Real Time",{"id":2300,"title":2343,"url":2060,"accessDate":2283},"Bleeping Computer: Telegram Hands Over Data on Thousands of Users to US Law Enforcement",{"id":936,"title":2345,"url":2043,"accessDate":2283},"CNN: After CEO Arrest, Telegram Changes User Data Policy",{"id":940,"title":2347,"url":1741,"accessDate":2283},"TechPolicy.Press: Meta's Privacy Policies - Designed Badly, by Design?",{"id":944,"title":2349,"url":2016,"accessDate":2283},"The Intercept: Apple Logs Your iMessage Contacts and May Share Them with Police",{"id":948,"title":2351,"url":1517,"accessDate":2283},"JMIR mHealth and uHealth: Privacy Policy Readability of Youth-Targeted Apps (2018)",{"id":952,"title":2353,"url":2205,"accessDate":2283},"EFF: Discord Pushes Mandatory Age Verification Despite Data Breach (February 2026)",{"id":2355,"title":2356,"url":2196,"accessDate":2283},20,"CPO Magazine: Data Breach on LINE Leaks 440K Records",{"id":2358,"title":2359,"url":2187,"accessDate":2283},21,"LY Corporation: Notice and Apology Regarding Information Leakage",{"id":2361,"title":2362,"url":2178,"accessDate":2283},22,"TechPolicy.Press: What Nigeria's Challenge to WhatsApp's Data Policy Means",{"id":2364,"title":2365,"url":2051,"accessDate":2283},23,"Malwarebytes: Telegram Will Hand Over User Details to Law Enforcement (September 2024)",{"id":2367,"title":2368,"url":1942,"accessDate":2283},24,"LINE Encryption Overview Technical Whitepaper v2.1 (November 2021)",{"id":2370,"title":2371,"url":2372,"accessDate":2283},25,"Mozilla Foundation: *Privacy Not Included - Messaging Apps","https:\u002F\u002Fwww.mozillafoundation.org\u002Fen\u002Fprivacynotincluded\u002F",{"id":2374,"title":2375,"url":2024,"accessDate":2283},26,"Apple Legal Process Guidelines - US Law Enforcement (October 2025)",{"id":2377,"title":2378,"url":2166,"accessDate":2283},27,"Snopes: Fact-Check on Meta December 2025 Privacy Policy Update",{"id":2380,"title":2381,"url":1933,"accessDate":2283},28,"TechCrunch: LINE Adds End-to-End Encryption to Messaging App (2015)",{"id":2383,"title":2384,"url":1555,"accessDate":2283},29,"Kaspersky: Privacy Rankings of Popular Messaging Apps 2025",{"id":2386,"title":2387,"url":2388,"accessDate":2283},30,"Digital Information World: Facebook Messenger Collects 32 of 35 Data Types (April 2026)","https:\u002F\u002Fwww.digitalinformationworld.com\u002F2026\u002F04\u002Fis-your-messaging-app-private-and-secure.html","research\u002Fmessaging-app-privacy-policies","A readability and transparency audit of the 8 most popular messaging apps","D-PWdgUDQgxC5T8y0GPdiH3sGzyZU-wHQp3tbuHp3IA",1776986532508]