The Record

When “encrypted”
wasn't enough.

Real, documented cases where private apps still exposed people — almost never because the encryption broke, and almost always because of metadata, backups, default settings, endpoint compromise, or who held the keys. Every claim here links to its source.

How we source

Every post links to reputable reporting and describes only what the source says. We don't claim encryption was “cracked” when the real story is metadata, a cloud backup, or a default setting — that distinction is the whole point.

Not E2E by Default

Telegram isn't end-to-end encrypted by default — and after Durov's arrest, it started handing over user data

Telegram's regular chats have never been end-to-end encrypted; only opt-in “Secret Chats” are. Weeks after CEO Pavel Durov's August 2024 arrest in France, Telegram updated its policy to disclose users' IP addresses and phone numbers to authorities on valid legal requests.

Read the case
Metadata

WhatsApp is end-to-end encrypted — but reporting a message sends it (and the preceding ones) to human moderators

A 2021 ProPublica investigation detailed how WhatsApp employs more than 1,000 contract moderators who review user-reported content, and how its parent company collects metadata — complicating the impression of near-total privacy.

Read the case
Phone Number

Signal's encryption held — but a vendor breach still exposed users because accounts are tied to phone numbers

In August 2022, a phishing attack on Signal's SMS-verification vendor Twilio exposed the phone numbers of about 1,900 Signal users. No message contents were touched — the weakness was the phone number itself.

Read the case
Honeypot

ANOM: the “encrypted” phone network that was secretly run by the FBI

Operation Trojan Shield wasn't a broken cipher — it was a honeypot. The FBI and Australian Federal Police covertly operated the ANOM “secure” messaging network, copying every message and arresting over 800 people worldwide in June 2021.

Read the case
Endpoint / Device

EncroChat: how police read “uncrackable” messages by going after the devices, not the crypto

In 2020, French and Dutch investigators compromised the EncroChat network at the device/server level, harvesting millions of messages in real time and triggering more than 6,500 arrests across Europe.

Read the case
Cloud Backups

iMessage is encrypted — but your iCloud backup hands Apple the key (unless you turn on Advanced Data Protection)

iMessage is end-to-end encrypted, but by default the iCloud backup of those messages is encrypted with a key Apple holds — meaning Apple can produce them under legal process. Apple's Advanced Data Protection closes the gap, but it's opt-in.

Read the case
Metadata

The government didn't need to read the messages — it subpoenaed journalists' phone and email metadata

In leak investigations, the U.S. Justice Department secretly obtained phone logs and email metadata of reporters at CNN, The New York Times, and The Washington Post — revealing who talked to whom without ever touching message content.

Read the case

Want the short version, on demand?

Ask Cipher — the assistant in the corner — about any of these cases, or join the waitlist.

Join the waitlist →