Most privacy advice asks the wrong question. It asks how much a vendor collects today, or how privacy-friendly the company seems. The question that actually predicts your risk is different: what can this vendor be compelled to produce? This is where the limits of end-to-end encryption live. The crypto is a promise about software the vendor controls — and software changes. In Part 1 we showed that encryption protects content, not metadata. This is Part 2: what happens when a court compels the vendor.
Here are three real cases of Meta handing customer data to law enforcement under pressure. The content-versus-metadata line from Part 1 runs straight through them.
A pen register for the shape
Natalie Edwards, a Treasury official, used WhatsApp specifically because she trusted it. When she was investigated for leaking documents, a DOJ pen-register order pulled the metadata, not the content. Investigators only needed the pattern: roughly 70 messages exchanged with a reporter's number in a 20-minute window. That shape helped convict her.[2] The reporter was Jason Leopold of BuzzFeed News. The encryption held perfectly, and it did not matter.
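The shape described above, as an added example that is not from the original article or from any investigator's tooling: constructed records with opaque payloads and placeholder peer labels, showing that timestamps and counterparts alone expose a 70-message burst inside 20 minutes. All function names are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def metadata_only(records):
    """Drop the ciphertext; keep what a pen register yields: (time, peer)."""
    return [(ts, peer) for ts, peer, _ciphertext in records]

def busiest_window(events, window):
    """Per peer: (largest message count in any span of `window`, span start)."""
    by_peer = defaultdict(list)
    for ts, peer in events:
        by_peer[peer].append(ts)
    peaks = {}
    for peer, stamps in by_peer.items():
        stamps.sort()
        recent, best, best_start = deque(), 0, None
        for ts in stamps:
            recent.append(ts)
            # Slide the window: discard events older than `window` before ts.
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) > best:
                best, best_start = len(recent), recent[0]
        peaks[peer] = (best, best_start)
    return peaks

def sample_records():
    """Constructed data. Payload bytes stand in for ciphertext, never read."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    blob = b"\x00" * 32
    # 70 messages, 17 s apart: the whole burst spans under 20 minutes.
    burst = [(base + timedelta(seconds=17 * i), "peer-A", blob) for i in range(70)]
    # Background contact: one message every three hours.
    sparse = [(base + timedelta(hours=3 * i), "peer-B", blob) for i in range(8)]
    return burst + sparse

if __name__ == "__main__":
    events = metadata_only(sample_records())
    for peer, (count, start) in busiest_window(events, timedelta(minutes=20)).items():
        print(f"{peer}: peak {count} messages in 20 min, starting {start}")
```

The payload is discarded in the first step, so the result is the same whether the content is encrypted or not.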
A warrant for the content
In a 2022 Nebraska prosecution, police served Facebook with a warrant for a mother and daughter's private chats. This was content. Meta produced the actual Messenger messages in response, and they became central evidence in the case.[1]
Metadata, near real time
Handover is not rare or slow. A FOIA'd FBI "lawful access" document shows WhatsApp produces a target's metadata roughly every 15 minutes under a pen register — near real time — while content stays encrypted.[3] That is not an exception scrambled together for one case. It is an operationalized pipeline. And compliance is the norm: Meta produces at least some data for roughly 80% of US government requests.[4]
ANY company big enough to be subpoenaed answers subpoenas.
The trust boundary is the vendor

So where is the real boundary? Not the cipher. The boundary is the vendor. Plaintext exists on the device — and the device runs code the vendor signs and updates.
This is the capability thesis. Any vendor that signs and updates the app on your device could, in principle, be compelled to ship code that reaches plaintext before encryption applies. The point is structural: "we don't collect that today" is a policy, not a guarantee, because the same pipeline that delivers a feature can deliver a demand.
The cleanest hedge is a vendor that designed itself to have little to surrender — when Signal is subpoenaed, it can hand over almost nothing because it keeps almost nothing.[5]
Part 3 turns this into a practical threat model for everyday messaging.
If you judged your messaging tool not by what it collects today but by what it could be compelled to produce tomorrow, would your answer change?
References
1. NBC News — Facebook turned over chat messages in a Nebraska abortion case
2. ProPublica — How Facebook undermines privacy protections for WhatsApp users (Natalie Edwards / FinCEN)
3. Rolling Stone — FBI document on WhatsApp metadata access near real time
4. Meta Transparency Center — US government data requests
5. Signal — Government requests / transparency