We Read 73,759 Words of Messaging App Privacy Policies So You Don't Have To

We read the privacy policies of eight messaging apps. All of them. Cover to cover. The combined text is 73,759 words, which is longer than The Great Gatsby. Reading them back to back took 4 hours and 55 minutes.

The exercise produced two findings that weren't obvious beforehand. First, every single policy exceeds the average adult reading level. Zero out of eight are readable by the population they're written for. Second, what these documents say and what independently documented evidence shows are, in several cases, different things.

Background

Privacy policies exist because GDPR, CCPA, and similar regulations require them. The legal theory is informed consent: you read the terms, understand the trade-off, decide whether to accept. In practice, a 2018 JMIR study [18] found the average app privacy policy requires a 12th-grade reading level. The average American adult reads at 8th grade. The mechanism is broken at the most basic level.

Messaging apps are a useful test case because the data they handle is uniquely personal - private conversations, group chats, media shared in confidence. If any category of software should have transparent data practices, it's this one.

Prior work exists but is either outdated or methodologically limited. The EFF published a Secure Messaging Scorecard in 2014, received criticism, and never updated it. Surfshark's 2026 comparison [10] relies on App Store privacy labels, which are self-reported. Mozilla found [25] most of those labels to be "false or misleading." Kaspersky published messenger rankings [29] in 2025, though a Russian security company ranking apps on privacy is a dataset worth contextualising.

What appears to be missing is a systematic readability and transparency analysis of the actual policy texts, scored against a consistent rubric and cross-referenced with independent sources. That's what this is.

Methodology

Selection was by install base. The eight most-used messaging apps globally:

We retrieved the full English text of each policy in April 2026. Two analyses were applied.

Computational readability: Python's textstat library produced six standard readability metrics:

• Flesch-Kincaid Grade Level - maps text difficulty to US school grades based on sentence length and syllable count. Grade 8 = average adult reading level.
• Flesch Reading Ease - 0-100 scale, higher = easier. Consumer documents should target 60-70. Academic papers typically score 10-30.
• Gunning Fog Index - estimates years of formal education needed. Weights complex words (3+ syllables) more heavily than Flesch-Kincaid.
• SMOG Index - similar to Gunning Fog but uses polysyllable density. Considered more accurate for healthcare and legal texts.
• Coleman-Liau Index - uses character count rather than syllables, making it less sensitive to domain-specific terminology.
• Automated Readability Index - character and word count based. Designed for automated assessment of US military technical manuals.

We also ran custom regex analysis to measure hedge word frequency ("may", "might", "could"), pronoun balance ("we/our" vs "you/your"), and passive voice density.

Manual transparency scoring: each policy was evaluated against eight dimensions, scored 0-10:

1. Readability - required grade level
2. Brevity - word count relative to scope
3. Data collection transparency - specificity of what's collected
4. Retention clarity - concrete timelines vs vague phrasing
5. Third-party transparency - whether data recipients are named
6. Encryption disclosure - accuracy and completeness of E2EE documentation
7. Law enforcement disclosure - what the policy says about law enforcement access
8. Honesty gap - alignment between the policy and independent evidence

The eighth dimension is the most interesting. We cross-referenced each policy against the FBI's own internal document on messaging app data access [12] (released via FOIA in 2021), FTC surveillance reports [11], breach disclosures, and regulatory enforcement actions.

A note on Meta: their policy is a JavaScript application that doesn't render static text. We pulled content from mbasic.facebook.com (identical text, static HTML). TechPolicy.Press [16] counted 168+ sub-pages linked from the main policy, describing the structure as "probably hundreds of indigestible pieces." Our analysis covers the core document only.

Findings

Readability

Every policy in the dataset exceeds the average adult reading level. The lowest Flesch-Kincaid grade was Telegram at 11.2. The highest was LINE at 18.2 - postgraduate level. A reader would need more formal education to parse LINE's privacy policy than to enter most law programmes.

Flesch Reading Ease tells the same story from the other direction. The scale runs 0-100, higher being easier. Consumer documents should target 60-70. The dataset average was 34.3. LINE scored 20.6, which places it in the territory of academic journals.

Word count

Signal's entire legal page - terms of service and privacy policy combined - is 2,084 words [1]. Meta's privacy policy alone is 31,194 words [3]. The ratio is 15:1. We verified the count twice because the number seemed like a parsing error. It wasn't.

Viber reaches 12,669 words [8] because Rakuten uses a single policy to cover messaging, payments, a dating service, communities, and business tools. LINE is 8,062 words [9] because LY Corporation's corporate policy covers their entire product portfolio. Finding the messaging-specific terms requires reading through sections about financial services, AI research, and advertising platforms.

Meta's 31,194 is only the core document. The 168 linked sub-pages are additional. TechPolicy.Press [16] described the structure as featuring "confusing hyperlinks, circular references to documents, no ability to comprehensively and functionally search across documents, and misleading or inaccurate statements."

Hedging language

A pattern emerged during the read-through: the word "may" appeared at a frequency that seemed deliberate. "We may collect." "We may share." "We may retain." In a legal document, "may" means the company reserves the right to do something without committing to disclosing when or whether it actually does. Maximum legal cover, minimum transparency obligation.

We constructed a hedge ratio: the frequency of hedging words ("may", "might", "could", "in some cases") divided by definitive words ("will", "must", "always", "never").

Discord scored 3.61 [7] - 3.6 hedging words per definitive statement. Apple: 2.68 [5]. Meta: 2.80 [3]. Telegram scored 0.64 [4], meaning more definitive statements than hedged ones. The app most commonly associated with privacy concerns has the most direct privacy policy in the dataset.

The word "may" appears 101 times in Viber's policy [8]. Signal uses it 17 times [1].

Retention language follows the same pattern. "As long as necessary." "For a reasonable period." "From time to time." These phrases communicate nothing about actual retention timelines. Viber uses 15 such phrases. Meta uses 14. Telegram states concrete numbers: 12 months for metadata, 48 hours for deleted supergroup messages, 18 months of inactivity before account deletion [4]. Specificity is possible. Most companies choose not to provide it.

The table below consolidates all metrics. Column definitions:

• Words - total word count of the policy text
• FK Grade - Flesch-Kincaid grade level (years of education needed to read comfortably)
• Flesch Ease - Flesch Reading Ease score (0-100, higher = easier; 60-70 is the target for consumer documents)
• Read Time - estimated reading time at 250 words per minute
• Hedge Ratio - hedging words ("may", "might", "could", "in some cases") divided by definitive words ("will", "must", "always", "never")
• Uses of May - raw count of the word "may" in the policy
• Vague Retention - count of non-specific data retention phrases ("as long as necessary", "for a reasonable period", "from time to time", and similar)

Encryption transparency

Every app in the dataset mentions encryption on its marketing pages. Padlock icons, reassuring copy about "protected" messages. The privacy policies tell a different story.

Apple's main privacy policy [5] - linked from the App Store, from iPhone settings, from the apple.com legal footer - contains zero mentions of encryption. We searched for "encrypt", "end-to-end", and "E2E". Nothing. iMessage has had end-to-end encryption since 2011. The technical details are on a separate page [6] in Apple's legal section, not linked from the main policy. You'd find it only if you already knew to look.

LINE built an E2EE protocol called Letter Sealing, enabled by default since 2015 [28], with a published technical whitepaper [24]. The phrase "Letter Sealing" appears zero times in their privacy policy [9]. There is one reference to "provision of encryption feature of messages" with no further explanation. The words "end-to-end" don't appear. They engineered a privacy feature and omitted it from the privacy document.

Telegram is direct about its architecture [4]. Secret Chats use E2EE (opt-in, 1-on-1 only). Regular Cloud Chats don't - Telegram holds the keys. The distinction is clearly documented. The consequence is that the default experience for most users, and all group chats, are not end-to-end encrypted. The most readable policy in the dataset describes the least private default configuration.

Discord states plainly that text messages aren't end-to-end encrypted [7]. Voice and video are. It's the only app in the dataset without text E2EE, and the only one not claiming capabilities it doesn't have.

Law enforcement access

The FBI maintains an internal reference document listing what data each messaging app provides to law enforcement. It was released via FOIA [12] by Property of the People. Rolling Stone published an analysis [13]. The document is dated January 2021.

Signal provides registration date and last connection time [12]. Nothing else. The data doesn't exist on their servers. This isn't a policy decision - there's nothing to hand over.

WhatsApp, per the FBI document, has pen register capability [13]. This means law enforcement can receive a real-time feed of who messages whom, when, and how frequently. Not message content - metadata. In real time. WhatsApp's privacy policy does not mention this capability.

Apple retains 25 days of iMessage contact lookup data - who you searched for and who searched for you. The Intercept reported [17] the actual retention is 30 days. iMessage content is end-to-end encrypted, but iCloud Backup is enabled by default on most iPhones. When messages are backed up to iCloud, the encryption keys are held by Apple. Per Apple's own law enforcement guidelines [26], backed-up message content is available with a valid legal request. The encryption is functionally bypassed by a default setting most users never change.

Telegram's trajectory is the most significant finding in the dataset. Before August 2024, data sharing was limited to confirmed terrorism cases. 14 requests. 108 users [14]. In August 2024, CEO Pavel Durov was arrested in France [15] on charges including complicity in cybercrime and refusal to assist with lawful interceptions. Telegram rewrote its privacy policy [23] within weeks. By end of 2024 [14]: 900 US requests fulfilled, 2,253 users' IP addresses and phone numbers disclosed. From 108 to 2,253 in twelve months. A single arrest restructured the entire data-sharing framework.

Discord provides subscriber information, usage data, and message content on request [7]. There's no encryption layer to complicate the process. 200 million monthly active users treat it as private messaging. The architecture doesn't support that assumption.

Overall transparency ranking

The sections above examined individual metrics in isolation: readability, word count, hedging, encryption disclosure, law enforcement access. This section combines them into a single score per app.

Each of the eight dimensions from the methodology (readability, brevity, data collection transparency, retention clarity, third-party transparency, encryption disclosure, law enforcement disclosure, and honesty gap) was scored 0-10. The total is out of 80. We converted totals to letter grades using a standard academic scale:

• A (70-80): Transparent, specific, honest. No app achieved this.
• B (56-69): Above average. Meaningful gaps remain.
• C (40-55): Average. Significant omissions or obfuscation.
• D (25-39): Below average. More hidden than disclosed.
• F (0-24): No app scored this low, though two came close.

No app scored above B+. The highest score in the dataset is 55 out of 80.

The two B+ scores come from different strengths. Signal scored 10/10 on honesty - zero gap between what the policy states and what independent evidence shows. It lost points on retention clarity because the policy is short enough that it doesn't specify deletion timelines. Telegram scored highest on retention clarity (concrete numbers: 12 months, 48 hours, 18 months) and third-party transparency (names Google, Microsoft, and lists jurisdictions). It lost points on encryption because the default chat mode isn't E2EE.

At the bottom, Meta and LINE both scored 26/80. Meta received 0/10 on brevity - a 31,194-word policy across 168+ pages is not a transparency tool. LINE received 0/10 on readability - grade 18.2 means a postgraduate education is the minimum to parse it.

Discussion

There's an inverse correlation in this dataset between user count and policy quality. This isn't a coincidence - it's an incentive structure. Messenger (1B+ users) has the longest, most fragmented, lowest-scoring policy. WhatsApp (2B+ users) omits the pen register capability documented in the FBI's own reference materials [13]. iMessage (1.5B+ devices) omits encryption. Signal (100M downloads) has the shortest, most honest policy. When you don't collect much data, the document explaining what you do with it can be short.

Telegram's trajectory warrants separate attention. The shift from 108 to 2,253 users' data shared in twelve months, triggered by a single arrest [14], demonstrates how quickly privacy commitments can be restructured under external pressure. The revised policy is technically more transparent than its predecessor. But every user who chose Telegram because "they don't cooperate with governments" made that decision based on a commitment that no longer exists. The question this raises is how many other privacy policies are one enforcement action away from a similar reversal.

Meta made a quieter change in December 2025 affecting Messenger. Snopes verified [27] that private message handling didn't change. But conversations with Meta AI - embedded in Messenger, WhatsApp, Instagram, and Facebook - now feed ad targeting. The distinction between "your private messages" and "your conversation with the AI assistant inside the messaging app" is precisely the kind of boundary that a product legal team constructs to be as narrow as possible while remaining technically defensible.

The consequences of these practices are documented. Nigeria fined Meta $220 million [22] over WhatsApp's 2021 policy update (upheld on appeal). LY Corporation disclosed a breach [21] of 440,000 records including 22,000+ user messages [20] via a compromised affiliate. Discord lost 70,000 users' government IDs and selfies [19] through a support contractor breach. The FTC characterised [11] multiple platforms including Discord as conducting "vast surveillance" with "lax privacy controls."

None of these incidents are mentioned in the current privacy policies of the companies involved.

Limitations

The readability metrics (Flesch-Kincaid, Gunning Fog, SMOG) measure syntactic complexity - sentence length, syllable count, word frequency. They don't capture conceptual obfuscation. A policy could score at an 8th-grade level and still be incomprehensible because it defines "personal data" inconsistently across sections. That said, the policies scoring worst on readability are also the ones most difficult to parse on a plain reading.

Only English-language versions were analysed. WhatsApp maintains separate EU and UK policies that may differ in substance. Regional variations were not examined.

Three scoring dimensions - encryption disclosure, law enforcement disclosure, honesty gap - involved editorial judgement. The rubric and reasoning are documented here so disagreement can be specific.

Technical notes: Signal's word count includes their Terms of Service (same page; the privacy-specific text is approximately 900 words). Meta's word count was extracted from mbasic.facebook.com because the main site renders content via JavaScript. The 31,194 figure likely understates the total, as the live version hides content behind expandable sections.

This analysis reflects April 2026 policy texts. Policies change; updates will be noted in the changelog.

For related comparisons: VPNs, browsers, email providers, password managers. To test your own browser's privacy exposure: fingerprint test or privacy checkup.