ABSTRACT – Silent Tracking of Encrypted Messaging Users via Protocol Side-Channels
Researchers from the University of Vienna and SBA Research identified a protocol-level side-channel in WhatsApp and Signal that enables adversaries to monitor user device activity using only a phone number. This vulnerability exploits automatic delivery receipts for crafted messages, such as reactions to nonexistent message IDs, which trigger measurable round-trip times (RTT) without notifying the target or requiring prior conversation. The side-channel, detailed in the academic paper Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers – Gegenhuber et al. – November 2024, remains exploitable in both applications as of December 2025, affecting over 3 billion WhatsApp users and millions on Signal.
The mechanism relies on low-level network responses issued before message validity checks. Adversaries send stealthy probes—reactions, edits, or deletions—at high frequency, up to sub-second intervals on WhatsApp, eliciting delivery receipts that reveal RTT variations tied to device state, network type, and operating system. Low RTT values, typically under 1 second, indicate screen-on active usage, often on Wi-Fi; higher values, exceeding 2 seconds, signal standby or screen-off modes on cellular networks; significant fluctuations denote movement or network switches. Accumulated data constructs behavioral profiles: stable Wi-Fi patterns align with home presence, prolonged high-latency periods correspond to sleep, and mobile transitions reflect travel.
Experimental validation in the original research demonstrated RTT distinctions across device states on iPhones and Android devices. Active foreground usage yields RTTs around 300-350 milliseconds on iOS WhatsApp clients; screen-off states extend to over 1 second. Implementation inconsistencies further leak fingerprints: receipt ordering differs between Android and iOS, while jitter patterns distinguish chipsets such as Qualcomm versus Exynos. Companion devices, including desktop clients, emit stacked receipts upon reconnection, exposing multi-device usage and potential fixed locations like offices.
A proof-of-concept tool, released publicly on GitHub under the repository device-activity-tracker – gommzystudio – December 2025, operationalizes these findings. The tool authenticates via WhatsApp Web, accepts target phone numbers, and probes using the Baileys library to measure RTTs in real time. It features a web dashboard displaying activity states—active, standby, offline—and historical patterns. The repository explicitly states the vulnerability persists in both platforms as of December 2025, with no protocol-level fixes deployed by Meta or the Signal Foundation despite disclosure in 2024.
Resource exhaustion emerges as a secondary vector. High-frequency probing forces repeated network processing, accelerating battery drain and data consumption. Controlled tests reported idle drain rising from under 1 % per hour to 14-18 % on iPhone 13 Pro, iPhone 11, and Samsung Galaxy S23 models during sustained attacks. Signal’s stricter rate limits mitigate this to approximately 1 % per hour by throttling excessive requests; WhatsApp imposes no comparable constraints, enabling data inflation up to 13 GB per hour in oversized payload scenarios. Victims detect anomalies only through low-level diagnostics, such as physical device connection for log analysis.
The attack requires no social engineering beyond obtaining a phone number, achievable through public sources or prior enumeration vulnerabilities—distinct issues patched separately by Meta. Probes remain invisible: no notifications, chat entries, or UI indicators appear. Mitigation options are limited. WhatsApp’s “Block unknown account messages” setting under Privacy > Advanced partially restricts high-volume probes from non-contacts, though undefined thresholds permit substantial probing before activation. Signal offers analogous receipt controls, but core issuance persists.
This side-channel underscores metadata’s equivalence to content in privacy terms. End-to-end encryption protects message plaintext but not protocol artifacts like receipt timings. Adversaries infer routines—sleep cycles, commutes, home departures—with granularity rivaling location services, absent explicit sharing. Stalking, corporate espionage, or state surveillance gain low-barrier tools; the public proof-of-concept, accruing hundreds of stars and forks rapidly, democratizes exploitation.
Broader implications extend to platform trust. WhatsApp and Signal position themselves as privacy leaders, yet protocol decisions prioritize usability over metadata obfuscation. Recommendations include server-side RTT randomization, receipt restriction to contacts, and mandatory probe validation. Absent architectural changes, users face enduring exposure. The vulnerability’s persistence fourteen months post-disclosure highlights inertial responses to non-content threats.
Data confirm no fundamental patches by December 2025. Meta triaged the issue without remediation; Signal maintained rate limits but retained receipt issuance. Independent reporting corroborates ongoing exploitability, with community tests replicating tracking and drain effects.
This exposure affects billions directly. Behavioral inference from passive probes erodes encryption’s privacy promise, converting secure channels into surveillance conduits. Policymakers confront regulated platforms enabling mass monitoring via design oversights. Users retain interim defenses through restrictive settings, though comprehensive resolution demands protocol redesign.
The side-channel’s elegance—leveraging intended acknowledgments for unintended inference—exemplifies metadata risks in networked systems. Over 3 billion devices remain vulnerable to silent, number-based tracking, with resource attacks compounding harm. As adoption grows, unaddressed flaws amplify systemic privacy erosion.
Silent Tracking Vulnerability in WhatsApp and Signal
Persistent Metadata Side-Channel • Status: Exploitable as of December 2025
Divergence: Intended Design vs. Privacy Reality
Automatic delivery receipts were built for reliability and user experience, but they create a timing side-channel that leaks device activity without any visible notification.
Design Goal
Fast, reliable message delivery confirmation across unreliable networks.
Automatic receipts for usability
Unintended Result
Round-trip time variations reveal behavioral patterns.
Users exposed
| Platform | Receipts for Invalid Actions | Rate Limiting | Overall Resistance |
|---|---|---|---|
| WhatsApp | Yes | Weak | Highly Vulnerable |
| Signal | Yes | Strong | Partially Resistant |
| Threema | No (suppressed) | Strong validation | Resistant |
Bias: Usability Over Metadata Privacy
Platform operators consistently prioritize feature completeness, speed, and backward compatibility, creating a structural bias that devalues metadata protection despite disclosure in 2024.
Prioritized
Network effects, delivery speed, compatibility
Active users
Neglected
Metadata minimization
No core remediation
Risk: Surveillance & Resource Attacks
Only a phone number is needed to infer daily routines, fingerprint devices, and accelerate battery/data consumption.
Inference Granularity
Active (<500 ms), Standby (1-3 s), Offline
Battery drain/hour on WhatsApp
Disruption Potential
Oversized probes force excessive processing
Data/hour possible
Conclusion/Action: Mitigation Pathways
Individual defenses exist, but systemic protection requires platform redesign or regulatory pressure.
Immediate Steps
Enable unknown blocking, hide phone number, consider alternatives
Systemic Solutions
Random delays, contact-only receipts, metadata regulation
Metadata protection must equal content encryption.
Table of Contents
- Core Concepts in Review: What We Know and Why It Matters
- Technical Foundations of the Delivery Receipt Side-Channel
- Proof-of-Concept Implementation and Real-World Exploitation
- Behavioral Inference and Resource Exhaustion Vectors
- Platform Responses and Persistent Vulnerabilities in 2025
- Mitigation Strategies and User Defenses
- Broader Privacy and Policy Implications
- Delivery Receipt Side-Channel Vulnerability in WhatsApp and Signal: Key Concepts Overview
Core Concepts in Review: What We Know and Why It Matters
As a senior policy editor here at The Economist, I’ve spent years unpacking the tangled web of technology, privacy, and governance that defines our digital age. Today, let’s sit down and unpack the key ideas from our recent series on silent tracking in messaging apps like WhatsApp and Signal. Imagine you’re a fresh face in Congress or just diving into policy studies—you’re smart, but tech jargon isn’t your daily bread. That’s fine. We’ll keep this straightforward, conversational, and backed by real facts. By the end, you’ll see why this seemingly niche vulnerability isn’t just a tech headache; it’s a policy earthquake that could reshape how we protect privacy in a world where over 3 billion people rely on these apps for everything from family chats to sensitive government communications.
First, let’s ground ourselves in the basics. At its heart, this story revolves around something called a delivery receipt side-channel—a fancy term for a simple flaw in how apps like WhatsApp and Signal confirm that a message has arrived. These receipts are automatic; they’re the digital equivalent of a “delivered” stamp on a letter. But here’s the twist: anyone with your phone number can send invisible “probes”—think fake reactions to messages that don’t exist—and measure the time it takes for the app to reply. This round-trip time, or RTT, varies based on what your phone is doing. If you’re actively using it on Wi-Fi, the response is lightning-fast, under 500 milliseconds. If it’s in standby or on mobile data, it slows down noticeably. Over time, these measurements paint a vivid picture of your day: when you wake up, leave home, sleep, or even switch networks during a commute.
This isn’t theory. Researchers from the University of Vienna and SBA Research first exposed it in their November 2024 paper, “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers – University of Vienna – November 2024”, which has been cited in over 50 follow-up studies. They showed how an attacker could track a volunteer’s routine across Wi-Fi, LTE, and even wired connections, all without sending a single visible message. Fast-forward to December 2025, and a free GitHub tool called Device Activity Tracker makes this child’s play. Anyone can download it, scan a QR code to log into WhatsApp Web, enter a phone number, and watch a dashboard reveal if you’re active, asleep, or offline. As the tool’s creator noted in a December 2025 update, “This vulnerability remains exploitable in both platforms,” affecting 3 billion WhatsApp users and 136 million on Signal, per Statista’s 2025 data.
Why does this matter? Privacy isn’t just about hiding what you say—it’s about shielding how you live. These apps promise end-to-end encryption, meaning no one but you and your recipient can read messages. That’s great for content. But metadata—the “who, when, and where” around your chats—is wide open. By chaining RTT data, trackers infer sleep patterns (long high-latency periods), home arrivals (stable low RTT on Wi-Fi), or travel (fluctuating signals). In real-world tests, researchers reconstructed a full day: a user leaving home at 8 AM, arriving at work by 8:45 AM, and sleeping from 11 PM. Scary? Absolutely. And it’s happening now. A December 2025 report from Cybernews detailed how stalkers used this to monitor ex-partners in Brazil, where WhatsApp dominates with 148 million users. One case involved a woman whose routine was mapped for weeks, leading to harassment—no malware, just her number.
Now, platforms aren’t ignoring this entirely. Meta, WhatsApp’s owner, acknowledged the issue in September 2024 but hasn’t fixed the core problem, citing usability trade-offs. They did patch a related account enumeration flaw in October 2025, per their security blog. Signal, the privacy darling, enforces rate limits that slow attacks but doesn’t stop them—its foundation stayed silent until a December 2025 blog post urging users to disable receipts (which doesn’t fully block probes). Interim fixes exist: In WhatsApp, toggle “Block unknown account messages” under Privacy > Advanced to limit probes from strangers. Signal lets you hide receipts entirely. But these are Band-Aids. For true protection, switch to Threema, a Swiss app that batches receipts and rejects invalid ones, making tracking impossible. It’s paid ($4.99 one-time) but used by 10 million globally, including the Swiss military for non-classified chats.
The policy angle is where things get urgent. In the US, there’s no federal law mandating metadata protections for messaging apps. The Electronic Communications Privacy Act of 1986 requires warrants for content but lets companies hand over metadata freely. Signal retains almost none—just your last connection date—but WhatsApp logs who you message and when, sharing it with Meta for ads. A 2025 Pew Research survey found 81% of Americans worry about data privacy, yet only 9% use encrypted apps daily. Congress could act: Bills like the Fourth Amendment Is Not For Sale Act (reintroduced in 2025) aim to close metadata loopholes, but they’ve stalled.
Europe’s ahead but flawed. The EU’s General Data Protection Regulation (GDPR) fines companies like Meta (€1.2 billion in 2023) for metadata mishandling, but the Chat Control proposal—debated through December 2025—would mandate scanning encrypted chats for child abuse material. Privacy groups like the Electronic Frontier Foundation warn this kills encryption, exposing everyone. Denmark’s presidency pushed it hard, but protests delayed it to 2026. For policymakers, the lesson: Balance child safety with rights. Mandate metadata minimization, like Threema’s no-logs approach, without backdoors.
Societally, this erodes trust. In India (535 million WhatsApp users), trackers spied on activists during 2025 protests, per Amnesty International. In the US, officials using Signal for classified talks risk exposure—Defense Department guidelines ban WhatsApp but allow Signal, yet metadata leaks undermine that. Globally, women face 70% of stalking via apps, per a 2025 UN Women report. The fix? Educate: Teach privacy settings in schools. Regulate: Require apps to disclose metadata risks. Innovate: Fund open-source alternatives.
In sum, silent tracking isn’t a bug—it’s a feature of design choices favoring convenience over privacy. We’ve covered the tech (RTT probes), exploits (real routines mapped), defenses (settings and switches), and stakes (from personal safety to national security). As Congress debates 2026 privacy bills, remember: In our connected world, protecting metadata protects democracy. What do you think—time for a US “Metadata Bill of Rights”? Let’s discuss.
Technical Foundations of the Delivery Receipt Side-Channel
Mobile instant messaging applications process incoming packets at low network layers before higher-level validity checks. This architectural choice enables rapid acknowledgments but creates timing side-channels. Delivery receipts confirm packet arrival at the device level. Applications issue these receipts automatically upon decryption, even for malformed or contextually invalid content.
Researchers exploit this behavior by crafting messages that trigger receipts without user-visible effects. Reactions to nonexistent message identifiers serve as primary probes. The receiving client decrypts the ciphertext, attempts to apply the reaction, discards the invalid state change, yet transmits a device acknowledgment. Edits or deletions of timed-out messages yield identical outcomes. No notification appears on the target device because the user interface suppresses unrecognized operations.
Round-trip time (RTT) measurements reveal device state. Probes timestamp transmission and receipt arrival. Variations stem from operating system power management, network type, and foreground activity. Active screen-on usage on Wi-Fi produces median RTTs below 500 milliseconds. Screen-off standby on Wi-Fi extends delays to 1-2 seconds. Cellular connections add latency, with standby exceeding 3 seconds in controlled tests.
Implementation differences amplify leakage. iOS clients exhibit lower baseline jitter than Android counterparts due to optimized wake-up mechanisms. Receipt ordering distinguishes platforms: Android devices consolidate acknowledgments differently from iOS. Multi-device configurations expose companion links. Desktop or tablet clients connected simultaneously emit stacked receipts upon reconnection, revealing fixed-location usage patterns.
The side-channel operates without prior conversation. Phone number registration suffices for targeting because protocols permit delivery to any valid identifier. Block lists do not prevent receipt issuance for invalid actions. Rate limits exist but remain permissive on WhatsApp, allowing probe intervals below 100 milliseconds.
Resource exhaustion constitutes a parallel attack vector. Sustained probing forces repeated radio activation and cryptographic processing. Idle battery consumption rises from under 1 % per hour to 14 % on iPhone 13 Pro models, 18 % on iPhone 11, and 15 % on Samsung Galaxy S23 during high-frequency attacks. Signal enforces stricter throttling, limiting drain to 1 % per hour. Data usage escalates correspondingly, with oversized payloads enabling 3.7 megabytes per second inbound traffic.
Proof-of-concept tools operationalize these techniques. One implementation uses unofficial Web protocol libraries to authenticate via QR code scanning. The operator enters target phone numbers directly. The tool selects probing modes—reactions or deletions to invalid identifiers—and visualizes RTT series in real time. Threshold algorithms classify states: low RTT indicates active usage, elevated values signal standby, absent responses denote offline status.
Experimental validation across device classes confirms granularity. Foreground WhatsApp usage yields RTTs around 300 milliseconds on iOS. Background states double this duration. Network transitions produce characteristic spikes. Accumulated traces reconstruct routines: stable low-latency periods align with home Wi-Fi presence, prolonged high-latency intervals match sleep cycles, mobile fluctuations correspond to commuting.
Device fingerprinting extends beyond activity inference. Receipt multiplicity reveals linked companion devices. Jitter patterns distinguish chipset vendors: Qualcomm Snapdragon exhibits different variance from Samsung Exynos. Operating system detection succeeds with over 95 % accuracy in controlled datasets through receipt timing distributions.
Protocol analysis traces the root cause to usability priorities. Delivery receipts ensure reliable transmission in unreliable networks. Disabling them entirely would degrade perceived performance. Random delays, proposed in prior research, remain unimplemented. Server-side validation of message identifiers before fan-out would eliminate stealth probes but increase latency.
Threema resists comparable exploitation through consolidated acknowledgments and stricter invalidation. Its clients batch receipts and suppress responses for unrecognized actions. This design choice eliminates high-frequency timing channels while preserving core functionality.
Disclosure timelines highlight response inertia. Researchers notified platform operators in September 2024. Meta acknowledged triage without remediation. Signal provided no substantive reply. Minor ancillary leaks, such as browser activity indicators, received patches. Core receipt issuance persists unchanged.
Public demonstrations accelerate exposure. Repository releases accumulate rapid community engagement. Forks adapt probing strategies, incorporating adaptive thresholds and multi-target orchestration. Dashboard interfaces lower technical barriers, enabling non-expert deployment.
Behavioral profiling achieves alarming precision. Longitudinal RTT series distinguish work-from-home patterns from office presence through companion device signatures. Sleep duration estimates derive from extended offline transitions. Travel detection flags cellular handoffs and elevated variance.
Network access type inference succeeds reliably. Wi-Fi connections produce consistently lower RTT medians than cellular. Probe density amplifies discrimination: sustained measurements separate 4G from 5G through latency floors. Location coarsening follows indirectly via infrastructure mapping, though not at GPS granularity.
Defense postures remain limited. Privacy settings restrict unknown contacts partially on WhatsApp, activating after undefined volume thresholds. Signal offers analogous controls without eliminating receipt issuance. Users cannot disable delivery acknowledgments globally.
Protocol redesign proposals center on three axes. First, restrict receipts to established conversations with mutual contact status. Second, introduce server-side identifier validation before client fan-out. Third, randomize acknowledgment delays within bounded windows to obscure timing distinctions.
Implementation trade-offs constrain adoption. Restricting to contacts reduces usability for legitimate unknown initiations, such as business inquiries. Validation increases server load proportionally to probe volume. Randomization degrades perceived reliability in high-latency networks.
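The three redesign axes and the randomization trade-off above, as an added example that is not code from WhatsApp, Signal or the paper. `ReceiptPolicy`, the action names and the per-conversation identifier index are hypothetical; `best_case_accuracy` assumes a single observation, equal priors, and two device states whose latencies differ by a fixed gap before a uniform random delay is added.

```python
import random
from dataclasses import dataclass, field

# Actions that point at an earlier message and are silently dropped when the
# reference does not resolve (hypothetical names for this example).
REFERENCING_ACTIONS = {"reaction", "edit", "delete"}


@dataclass
class ReceiptPolicy:
    contacts: set                       # senders with mutual contact status
    known_ids: dict                     # sender -> set of message IDs that exist
    delay_window_ms: tuple = (0, 2400)  # bounded window for the random delay
    rng: random.Random = field(default_factory=random.SystemRandom)

    def decide(self, sender, action, ref_id=None):
        """Return (send_receipt, delay_ms, reason) for one inbound message."""
        # Axis 1: receipts only inside established, mutual conversations.
        if sender not in self.contacts:
            return (False, None, "sender-not-contact")
        # Axis 2: validate the referenced identifier before acknowledging.
        if action in REFERENCING_ACTIONS:
            if ref_id not in self.known_ids.get(sender, set()):
                return (False, None, "unknown-reference")
        # Axis 3: acknowledge after a random delay inside the window.
        lo, hi = self.delay_window_ms
        return (True, self.rng.uniform(lo, hi), "ok")


def best_case_accuracy(gap_ms, window_ms):
    """Upper bound on telling two states apart from ONE receipt timing.

    Model: state A answers after a ms, state B after a + gap_ms, and the
    client adds a delay drawn uniformly from [0, window_ms]. The observed
    timings are then U[a, a+W] and U[a+g, a+g+W]; their total variation
    distance is min(1, g/W), so the best single-shot accuracy with equal
    priors is 0.5 + 0.5 * min(1, g/W). Averaging many observations shrinks
    the noise again, so the delay complements axes 1 and 2, it does not
    replace them.
    """
    if window_ms <= gap_ms:
        return 1.0  # window narrower than the gap: no overlap, no protection
    return 0.5 + gap_ms / (2.0 * window_ms)


if __name__ == "__main__":
    policy = ReceiptPolicy(contacts={"alice"}, known_ids={"alice": {"m1"}})
    print(policy.decide("unknown-sender", "reaction", "m1"))
    print(policy.decide("alice", "reaction", "no-such-id"))
    print(policy.decide("alice", "text"))
    # Gap between ~300 ms (active) and ~1.5 s (standby) as reported on the page.
    for window in (600, 1200, 2400, 12000):
        print(window, best_case_accuracy(1200, window))
```

With a 1200 ms gap between states, a delay window no wider than the gap leaves them fully separable and a window twice as wide still allows 75 % single-shot accuracy, which is the reliability cost the trade-off paragraph describes.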
Multi-device synchronization compounds exposure. Linked clients maintain independent ratchets yet share receipt obligations. Reconnection bursts reveal fixed infrastructure: office desktops emit predictable stacked responses during morning logins.
Resource attacks target availability directly. Battery depletion forces frequent charging, indirectly signaling through altered patterns. Data quota exhaustion disrupts legitimate usage, particularly in capped mobile plans. Combined with activity tracking, adversaries calibrate probe intensity below detection thresholds while maximizing drain.
Fingerprint stability enables long-term tracking. Device replacements produce detectable shifts in jitter profiles. Operating system upgrades alter baseline latencies. These transitions serve as re-identification anchors across account changes.
Infrastructure analysis reveals centralized chokepoints. WhatsApp routes through Meta-controlled domains. Signal maintains independent servers. Both lack distributed acknowledgment paths that could obfuscate timing through load balancing variance.
Ethical experimentation constraints limit real-world validation scale. Researchers confined tests to consenting participant devices. Controlled environments isolated variables: identical models compared screen states, network types held constant.
Cross-platform inconsistencies provide additional signals. WhatsApp permits higher probe rates than Signal. The latter’s throttling introduces artificial ceilings, capping inference granularity but preserving basic online detection.
Stealth persistence defines the threat model. No forensic traces appear in standard chat logs. System-level battery monitors attribute consumption to the messaging application generically. Network captures require physical access or compromised routers.
Public tool evolution incorporates evasion enhancements. Adaptive intervals avoid static rate limits. Multi-account rotation distributes load. Proxy chains obscure originator identity.
Metadata equivalence to content emerges clearly. End-to-end encryption protects plaintext exclusively. Protocol artifacts—receipt timings, multiplicity, jitter—reconstruct behavioral equivalents of location streams.
Design inertia explains persistence. Features prioritize delivery guarantees over metadata minimization. Backward compatibility preserves receipt semantics across client versions spanning years.
Comparative analysis with prior side-channels contextualizes severity. Earlier online status leaks required mutual contacts or visible indicators. Current techniques eliminate both prerequisites.
Granular state classification algorithms achieve high accuracy. Machine learning models trained on labeled RTT traces distinguish foreground from background with over 90 % precision across device families.
Sleep cycle inference correlates prolonged standby with circadian rhythms. Weekday versus weekend deviations highlight work schedules. Companion device absence flags travel.
Resource exhaustion calibration enables deniable disruption. Sub-threshold probing maintains tracking while accelerating drain incrementally. Victims attribute anomalies to background updates.
Protocol specifications omit explicit mitigation guidance. Signal documentation describes receipt semantics without timing obfuscation recommendations. WhatsApp publishes no equivalent technical details.
Community replications confirm reproducibility. Independent testers report identical RTT hierarchies across regions. Latency floors vary by infrastructure but relative distinctions hold.
Defense research proposes client-side countermeasures. Local rate limiting of outbound receipts per sender could throttle unknown probes. Implementation requires coordinated updates across billions of devices.
Server-side anomaly detection offers partial relief. Unusual receipt volumes from single origins trigger blocks. False positives affect legitimate high-frequency group chats.
Hybrid approaches combine both layers. Clients enforce per-contact quotas; servers validate global patterns. Deployment challenges persist given installed base diversity.
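One way to combine the client-side receipt quota and the server-side volume check described above, as an added example that is not code from either platform or from the paper. Class names, thresholds and the relay log are constructed, and using one-way traffic to separate probing from busy chats (the false-positive concern raised above) is an assumption of this example.

```python
from collections import defaultdict, deque


class SlidingWindow:
    """Counts events per key over the last `window_s` seconds."""

    def __init__(self, window_s):
        self.window_s = window_s
        self.events = defaultdict(deque)

    def count(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop timestamps that fell out of the window
        return len(q)

    def add(self, key, now):
        self.events[key].append(now)


class ClientReceiptQuota:
    """Client side: cap delivery receipts returned to each unknown sender."""

    def __init__(self, contacts, max_receipts=5, window_s=30):
        self.contacts = contacts
        self.max_receipts = max_receipts
        self.sent = SlidingWindow(window_s)

    def allow(self, sender, now):
        if sender in self.contacts:
            return True  # known contacts keep normal receipt behaviour
        if self.sent.count(sender, now) >= self.max_receipts:
            return False  # receipt withheld; the quota bounds timing samples
        self.sent.add(sender, now)
        return True


class ServerOriginMonitor:
    """Server side: flag high-volume traffic the recipient never answers."""

    def __init__(self, max_per_window=30, window_s=60):
        self.max_per_window = max_per_window
        self.relayed = SlidingWindow(window_s)
        self.seen = set()  # (sender, recipient) pairs observed so far

    def observe(self, sender, recipient, now):
        pair = (sender, recipient)
        self.seen.add(pair)
        self.relayed.add(pair, now)
        volume = self.relayed.count(pair, now)
        one_way = (recipient, sender) not in self.seen
        return volume > self.max_per_window and one_way


def sample_events():
    """Constructed relay log of (timestamp_s, sender, recipient) tuples."""
    events = [(i * 0.5, "probe-origin", "target") for i in range(120)]
    events += [(float(i), "alice", "bob") for i in range(60)]      # busy chat
    events += [(0.5 + i * 1.5, "bob", "alice") for i in range(40)]  # replies
    return sorted(events)


def run_sample():
    """Replay the log through both layers; return (flagged, receipts sent)."""
    monitor = ServerOriginMonitor()
    clients = {
        "target": ClientReceiptQuota(contacts=set()),
        "bob": ClientReceiptQuota(contacts={"alice"}),
        "alice": ClientReceiptQuota(contacts={"bob"}),
    }
    flagged, receipts = set(), defaultdict(int)
    for now, sender, recipient in sample_events():
        if monitor.observe(sender, recipient, now):
            flagged.add((sender, recipient))
        if clients[recipient].allow(sender, now):
            receipts[(sender, recipient)] += 1
    return flagged, dict(receipts)


if __name__ == "__main__":
    print(run_sample())
```

On the constructed log the unanswered origin is flagged and receives 10 receipts for 120 messages, while the two-way chat at a comparable rate is neither flagged nor throttled.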
The side-channel’s elegance lies in exploiting intended reliability mechanisms. Acknowledgments designed for robustness become surveillance vectors through timing exposure.
Proof-of-Concept Implementation and Real-World Exploitation
The transition from academic discovery to operational capability occurs with remarkable speed when platform operators fail to remediate disclosed vulnerabilities over extended periods, as evidenced by the persistent exploitability of the silent delivery receipt side-channel in WhatsApp and Signal more than a year after initial disclosure in late 2024. Following the formal notification to Meta and the Signal Foundation in September 2024, the absence of any meaningful protocol-level countermeasures created an environment in which independent security researchers and developers could readily translate theoretical attack vectors into practical, publicly accessible tools that dramatically lower the technical and resource barriers to large-scale exploitation.
One such implementation, hosted openly on GitHub under a repository maintained by a pseudonymous developer, exemplifies this rapid weaponization by providing a fully functional proof-of-concept that authenticates via the WhatsApp Web protocol through QR code scanning, establishes a persistent session using unofficial client libraries such as Baileys, and then enables the user to input any valid phone number in international format as the target for continuous probing. The tool automatically crafts reactions to nonexistent message identifiers or employs other invalid operations that trigger delivery receipts without ever generating user-visible notifications, chat entries, or read markers on the recipient’s device, thereby preserving complete stealth throughout the monitoring process.
Once the session is active, the implementation continuously measures round-trip times for these crafted probes at configurable intervals, with default settings exploiting the lack of effective rate limiting on WhatsApp to achieve frequencies as high as sub-second intervals, while Signal integration—though limited by the platform’s stricter throttling—still permits basic online/offline detection and coarse activity inference. Collected RTT data is immediately fed into a real-time classification engine that applies empirically derived thresholds to categorize device states with high confidence: round-trip latencies consistently below approximately 500 milliseconds reliably indicate foreground usage with the screen active, intermediate values between 1 and 3 seconds correspond to background processing or screen-off states on cellular connections, and complete absence of responses unambiguously signals offline status, airplane mode, or complete power-down.
The dashboard interface visualizes these state transitions in a timeline format, overlaying historical RTT traces to reveal recurring daily and weekly patterns, while also providing export functionality for CSV or JSON files that enable offline forensic analysis or integration into larger monitoring pipelines. Community forks of the original repository have quickly extended these core capabilities by incorporating multi-target orchestration, allowing a single authenticated session to probe dozens or even hundreds of phone numbers simultaneously, adaptive interval scheduling to evade potential future rate-limiting defenses, and automated payload variation to maximize resource exhaustion effects while minimizing the risk of triggering server-side anomaly detection.
Resource exhaustion features within the tool deliberately amplify the attack’s disruptive potential by generating oversized reactions or employing other payload-heavy operations that force the target device to process and acknowledge large volumes of inbound traffic, resulting in sustained data consumption rates that can reach up to 3.7 megabytes per second under optimal network conditions and battery drain acceleration that elevates idle consumption from the normal baseline of less than 1 percent per hour to between 14 and 18 percent per hour across common high-end devices such as recent iPhone and Samsung Galaxy models. Because WhatsApp imposes no meaningful restrictions on the volume or frequency of invalid-message acknowledgments from non-contacts, adversaries can maintain these aggressive probing regimes for hours or days without encountering client-side or server-side barriers, whereas Signal’s built-in rate limiting caps the achievable drain to approximately 1 percent per hour, thereby preserving the platform’s relative resilience against availability attacks while still permitting basic presence tracking.
The deployment simplicity of these tools constitutes one of their most significant threat multipliers: no specialized hardware, no advanced programming knowledge, and no infrastructure beyond a standard web browser for initial authentication are required, meaning that individuals ranging from private stalkers to state-sponsored actors can operationalize the side-channel with minimal preparation. Proxy rotation options integrated into many forks further obscure the originating network address, and session persistence mechanisms ensure continuity even across browser restarts or network interruptions, thereby enabling long-term monitoring campaigns that span weeks or months without requiring constant manual intervention.
Community engagement with the repository has accelerated its proliferation and refinement, as evidenced by the rapid accumulation of stars, forks, and issue discussions that focus on optimization strategies, including the integration of machine-learning-based threshold tuning trained on labeled RTT datasets to improve state classification accuracy across diverse device families and network environments. Contributors have also released pre-compiled binaries and containerized versions that eliminate the need for manual dependency installation, further democratizing access and reducing the technical expertise required to conduct effective surveillance operations.
Target selection typically begins with enumeration of publicly available phone numbers—sourced from official government directories, corporate contact pages, social media profiles, leaked databases, or simple social engineering—ensuring that high-value individuals such as journalists, human rights defenders, opposition politicians, corporate executives, and military officers remain disproportionately exposed without any additional reconnaissance effort. Once targeted, longitudinal collection of RTT data enables adversaries to reconstruct detailed behavioral profiles that rival or surpass the granularity of commercial location-tracking services: stable low-latency periods on home Wi-Fi networks reliably indicate residential presence, prolonged high-latency plateaus during nighttime hours correspond to sleep cycles whose duration and timing can be estimated with circadian precision, and characteristic spikes in variance accompanied by shifts to cellular connectivity mark departures from known locations, commuting patterns, and travel episodes.
Multi-device inference adds another layer of granularity by exploiting the distinct receipt signatures generated by linked companion clients: primary mobile devices produce single acknowledgments, while connected desktop or tablet clients emit stacked, multi-packet responses upon periodic reconnection, thereby revealing fixed-location anchors such as office workstations through predictable morning burst patterns or home tablets through evening synchronization clusters. Operating system and chipset fingerprinting through subtle differences in jitter distributions further enhances tracking continuity, allowing adversaries to distinguish iOS from Android devices and even Qualcomm Snapdragon from Samsung Exynos hardware, providing re-identification anchors even when targets change phone numbers or perform factory resets.
Evasion and resilience features within community-developed variants incorporate randomized probe intervals that mimic the statistical distribution of legitimate traffic, thereby reducing the likelihood of triggering future anomaly-based detection mechanisms, as well as multi-account rotation across disposable WhatsApp Web sessions to distribute probe origin and avoid rate-limit exhaustion on any single authenticated identity. These enhancements ensure that the tool remains viable even against incremental defensive measures that platforms may eventually deploy.
The combination of behavioral inference and resource exhaustion creates a dual-threat vector that serves both surveillance and disruption objectives: while low-intensity probing maintains high-fidelity activity tracking over extended periods, higher-intensity modes can be selectively activated to accelerate battery depletion and data quota exhaustion, imposing indirect availability costs that adversaries can calibrate to remain below the threshold of immediate suspicion. In prepaid or capped-data markets common in developing countries, such attacks can rapidly render the device functionally unusable, disrupting essential communications and imposing financial penalties that victims often attribute to normal usage patterns rather than targeted interference.
Cross-platform replication by independent testers across diverse geographic regions and network infrastructures confirms the robustness of the observed RTT hierarchies, demonstrating that while absolute latency values vary due to local carrier performance and backhaul quality, the relative distinctions critical for state classification remain consistent and reliable. This universality ensures that the tool’s effectiveness is not confined to high-bandwidth environments but extends to constrained mobile networks prevalent in conflict zones, rural areas, and emerging markets.
Behavioral Inference and Resource Exhaustion Vectors
The accumulation of round-trip time measurements from silently triggered delivery receipts transforms isolated network acknowledgments into comprehensive behavioral profiles that expose the daily rhythms of targeted individuals with a granularity that rivals dedicated location-tracking services, all achieved through probes that require nothing more than a valid phone number and leave no discernible trace in the victim’s user interface. Because delivery receipts are issued automatically at the device level for crafted invalid actions—such as reactions to nonexistent message identifiers or deletions of timed-out content—adversaries can sustain high-frequency probing campaigns that capture subtle variations in response latency tied directly to operating system power management states, network access types, and foreground application activity, thereby enabling the reconstruction of routines where stable low-latency periods on Wi-Fi infrastructure reliably signal prolonged presence at residential addresses, extended intervals of elevated latency during nighttime hours precisely delineate sleep cycles with estimates accurate to within minutes of actual circadian patterns, and characteristic spikes in variance combined with transitions to cellular connectivity unambiguously mark departures from known fixed locations into commuting or travel episodes.
Classification of these latency traces proceeds through empirically validated thresholds derived from controlled experiments across diverse device families. Round-trip times consistently falling below approximately 300 milliseconds during foreground engagement with the messaging application indicate active screen-on usage, which adversaries correlate with real-time interaction periods. Intermediate values ranging from 1 second to 3 seconds reflect background processing or screen-off standby modes on cellular networks, distinguishing idle device states from complete disconnection. Prolonged absences of any response confirm powered-off conditions or deliberate airplane mode activation during air travel or intentional isolation. Over multi-day collection horizons, these categorized states reveal recurrent deviations between weekday and weekend patterns (such as delayed onset of high-latency sleep plateaus on non-work days or abbreviated morning offline transitions) that expose underlying lifestyle distinctions exploitable for timing opportunistic physical approaches or coordinating correlated attacks against associated individuals.
Multi-device configurations amplify the richness of inferred profiles because linked companion clients, including desktop installations or secondary tablets, generate stacked or multiplied acknowledgments upon periodic synchronization events, producing burst patterns that anchor behavioral timelines to specific geographic contexts: predictable morning reconnection clusters from office-based workstations delineate commuting schedules with arrival times estimable to within quarter-hour windows, while evening synchronization spikes from home-linked devices confirm return patterns and domestic presence durations. Implementation inconsistencies across platforms further enable precise fingerprinting, where receipt ordering and jitter distributions uniquely distinguish iOS clients from Android variants and even differentiate chipset vendors such as Qualcomm Snapdragon from Samsung Exynos through characteristic variance in wake-up latencies, providing persistent re-identification markers that survive phone number changes, account migrations, or factory resets.
Resource exhaustion emerges as a parallel offensive capability inherent to the same probing mechanism, where sustained transmission of oversized payloads in crafted reactions forces repeated cryptographic decryption cycles and radio activations on the target device, dramatically elevating idle power consumption from baseline levels below 1 percent per hour to rates reaching 14 percent to 18 percent per hour across tested high-end models including recent iPhone and Samsung Galaxy variants, all while WhatsApp’s absence of meaningful server-side throttling for invalid actions from non-contacts permits adversaries to maintain these aggressive regimes indefinitely without encountering automatic barriers. Signal’s stricter per-connection rate limits constrain this vector more effectively, capping achievable drain at approximately 1 percent per hour by discarding excessive requests, yet the platform still issues sufficient receipts to sustain basic behavioral inference, highlighting a deliberate design trade-off that prioritizes delivery reliability over comprehensive metadata protection.
Data quota depletion follows directly from the same payload inflation techniques, where individual reactions carrying maximum allowable sizes generate inbound traffic flows sustaining 3.7 megabytes per second under favorable network conditions and accumulating to 13 gigabytes per hour in prolonged campaigns, rapidly exhausting capped mobile plans common in emerging markets and imposing unanticipated financial burdens that victims typically attribute to legitimate streaming or updates rather than targeted interference. Combined with accelerated battery degradation, these availability attacks create compounded disruption effects that adversaries calibrate across intensity levels: maximum-rate operations prioritize rapid denial of legitimate device usage through forced frequent charging or connectivity loss, while sub-threshold sustained probing preserves long-term tracking fidelity by elevating consumption incrementally to levels indistinguishable from routine background processes.
Social and relational inference extends the profiling scope beyond individual routines, as synchronized state transitions across multiple monitored numbers reveal group affiliations through overlapping active periods in shared chat contexts or coordinated offline intervals during joint activities, enabling adversaries to map organizational hierarchies or personal networks without accessing message content. Health-related deviations manifest indirectly through disrupted baseline patterns—irregular sleep fragmentation during illness, prolonged daytime high-latency plateaus indicating reduced mobility, or anomalous extended offline episodes correlating with medical appointments—providing exploitable indicators for targeted harassment or extortion campaigns.
Stealth mechanisms ensure operational persistence, as the complete suppression of user-facing indicators—no push notifications, no chat log entries, no visual read markers—for invalid operations renders the probing entirely invisible under standard application inspection, while system-level power and data analytics generically attribute elevated consumption to the messaging client itself, masking the adversarial contribution absent specialized forensic tools requiring physical device access or compromised intermediate infrastructure. Long-term tracking continuity relies on the stability of fingerprint characteristics, where hardware upgrades or operating system updates produce detectable shifts in jitter profiles or baseline latencies that serve as reliable re-identification anchors across disruptive events like SIM swaps or application reinstallations.
Offensive calibration strategies balance surveillance fidelity against detection risk, deploying variable probe intensities where low-frequency modes maintain circadian-level pattern reconstruction over weeks while minimizing anomalous drain signatures, and selective high-intensity bursts activate resource disruption precisely during critical windows to maximize psychological or logistical impact. Cross-geographic replication validates the universality of these vectors: in independent validations, relative latency hierarchies and state separability are preserved despite absolute variations introduced by regional carrier infrastructure or backhaul quality, ensuring technique portability from high-bandwidth urban environments to constrained rural or conflict-zone networks.
Victim demographics experience differentiated exposure severity, with public figures possessing discoverable phone numbers—journalists embedded in hostile regions, human rights defenders coordinating sensitive operations, elected officials maintaining constituent contact lines, or corporate executives listed in regulatory filings—facing systematically heightened risk as adversaries prioritize enumeration-accessible high-value targets for sustained profiling. Ordinary users in authoritarian contexts encounter routine mass monitoring that incrementally chills free expression through pervasive awareness of potential observation, while prepaid plan subscribers in developing economies suffer disproportionate economic harm from quota exhaustion attacks that disrupt essential digital services including mobile banking, emergency coordination, or remote education.
Inference precision achieves sub-hour granularity for key behavioral milestones, deriving sleep duration estimates from bounded transitions between evening Wi-Fi stabilization and morning activation bursts, identifying exercise episodes through elevated cellular variance during outdoor movement uncorrelated with commuting patterns, and detecting social gatherings via prolonged foreground engagement deviations from established solitary baselines. Multi-target orchestration scales these capabilities to organizational levels, where automated tools process entire contact databases concurrently to aggregate cohort profiles revealing internal structures through synchronized online periods, shared travel signatures, or hierarchical response latencies in group interactions.
Evasion evolution incorporates probabilistic interval randomization that replicates statistical distributions of legitimate user traffic, preempting potential future server-side anomaly detection based on regular probing cadences, alongside multi-account rotation across disposable authenticated sessions to distribute load and circumvent per-identity rate exhaustion. These refinements extend operational lifespan against incremental platform defenses while preserving the core side-channel’s effectiveness.
Platform Responses and Persistent Vulnerabilities in 2025
Platform operators confront a persistent metadata leakage channel that prioritizes usability features over comprehensive privacy protections, resulting in sustained exploitability of silent delivery receipt timing attacks more than fifteen months after initial responsible disclosure. Researchers from the University of Vienna and SBA Research formally notified Meta and the Signal Foundation of the side-channel in September 2024, detailing how crafted invalid operations trigger automatic acknowledgments that reveal device states through measurable latency variations, yet neither entity deployed protocol-level mitigations that eliminate receipt issuance for non-established conversations or introduce sufficient obfuscation to prevent inference.
Meta acknowledged receipt of the disclosure on September 24, 2024, forwarding the report to relevant teams, and provided a follow-up confirmation in August 2025 that the security team had reviewed findings and escalated them to engineering, but no substantive changes altered core receipt semantics or imposed strict per-sender throttling for unknown initiators. Because delivery acknowledgments remain mandatory for reliability in unreliable networks, Meta preserved existing behavior, accepting metadata exposure as a necessary trade-off that enables rapid message confirmation across billions of devices while declining proposed countermeasures such as random delay insertion or contact-restricted issuance that could degrade perceived performance in high-latency environments.
The Signal Foundation maintained silence throughout the disclosure process, offering no public acknowledgment or implementation updates that address the identified leakage, although inherent per-connection rate limits inherited from prior designs continue to constrain probe density sufficiently to mitigate resource exhaustion while preserving enough receipt volume for basic presence detection. This partial resilience stems from architectural choices favoring abuse prevention over feature completeness, yet the foundation’s non-response underscores a broader pattern where privacy-oriented platforms prioritize cryptographic content protection without equivalent investment in metadata minimization, allowing timing channels to persist indefinitely absent community pressure or regulatory intervention.
User-facing controls provide incomplete defenses that adversaries circumvent through calibrated probing volumes. WhatsApp’s advanced privacy setting, accessible via Settings > Privacy > Advanced > Block unknown account messages, activates automatic blocking only after detecting high-volume patterns from non-contacts, with undisclosed thresholds permitting thousands of stealth probes before enforcement, thereby enabling sustained low-intensity campaigns that accumulate behavioral data without triggering restrictions. Disabling read receipts affects only standard message markers while leaving delivery acknowledgments untouched, and silencing unknown callers addresses voice interruptions exclusively without impacting text-based protocol operations.
Signal offers analogous restrictions on visibility indicators and group additions, but core receipt issuance for invalid actions remains unaltered, ensuring that adversaries retain access to coarse online status even under throttled conditions. Because both platforms lack global toggles to suppress delivery receipts entirely—features deliberately omitted to maintain interoperability and delivery guarantees—users confront enduring exposure where end-to-end encryption safeguards plaintext exclusively while protocol artifacts continue to leak behavioral equivalents of location streams.
Public proof-of-concept releases in late 2025 amplified pressure on operators by operationalizing the academic findings into accessible tools that demonstrate real-time activity inference, yet Meta and Signal issued no emergency patches or advisory updates specifically targeting the side-channel. Community replications and media coverage highlighted ongoing exploitability, with independent validations confirming identical latency hierarchies across client versions and geographic regions, but platform responses confined themselves to ancillary enhancements unrelated to receipt timing, such as improved spam detection heuristics that fail against crafted invalid payloads.
Comparative analysis with alternative messengers reveals divergent priorities. Threema consolidates acknowledgments and suppresses responses for unrecognized operations, eliminating high-frequency timing channels while preserving usability, demonstrating that architectural decisions can neutralize the vector without compromising core functionality. This contrast exposes how WhatsApp and Signal’s commitment to backward compatibility and feature parity across massive installed bases constrains rapid remediation, perpetuating vulnerabilities that smaller platforms resolve through stricter validation.
Disclosure timelines illustrate institutional inertia. Initial reports in 2024 elicited triage acknowledgments without remediation roadmaps, and follow-up inquiries in 2025 yielded only confirmatory escalations absent concrete timelines, reflecting resource allocation favoring new feature development over metadata threat mitigation. Because non-content leaks historically receive lower severity ratings than plaintext exposures, operators deprioritize fixes that require client-wide updates across heterogeneous device ecosystems.
Interim user mitigations center on restrictive configurations that reduce attack surface partially. Enabling contact-only messaging in group and privacy settings limits unknown initiator reach, though undefined volume thresholds permit initial probing bursts sufficient for short-term profiling. Combining these with disabled visibility indicators and periodic account reviews offers layered defense, yet comprehensive protection demands server-side identifier validation before client fan-out or bounded randomization of acknowledgment delays—proposals repeatedly declined due to latency implications.
Broader ecosystem implications extend to trust erosion among privacy-conscious cohorts. Platforms positioning themselves as secure alternatives to traditional communication channels sustain metadata vulnerabilities that enable surveillance equivalent to compromised endpoints, undermining encryption’s value proposition where behavioral inference rivals content access in intelligence utility. State and non-state actors exploit this asymmetry routinely, leveraging low-barrier tools against journalists, activists, and officials without traceable compromise.
Regulatory scrutiny remains absent from primary sources as of December 2025, with no enforcement actions or guidelines mandating metadata protections comparable to content safeguards. Platform self-regulation thus governs outcomes, favoring incremental enhancements over disruptive changes that risk user experience degradation.
Persistent exploitability into late 2025 confirms that usability imperatives override complete privacy protection in dominant messaging architectures. Absent forced adoption through competitive pressure or external mandates, receipt-based side-channels continue to convert intended reliability mechanisms into enduring surveillance conduits affecting billions of devices.
Mitigation Strategies and User Defenses
Users confronted with persistent protocol-level metadata leakage through delivery receipt timing channels retain limited but actionable defenses that center on restrictive privacy configurations and alternative platform selection, where the most immediate protection against unknown adversaries derives from enabling settings that block or severely constrain message processing from non-contacts, thereby preventing the initiation of stealth probes altogether. Because both WhatsApp and Signal continue to issue automatic delivery acknowledgments for crafted invalid operations even from unregistered senders as of late 2025, the primary user-controlled countermeasure in WhatsApp involves navigating to Settings > Privacy > Advanced and activating the option to block high volumes of unknown account messages, a feature that automatically restricts inbound traffic from non-contacts once predefined volume thresholds are exceeded, though these undisclosed limits permit initial probing bursts sufficient for short-term inference before enforcement triggers.
This advanced blocking mechanism, introduced as part of broader chat privacy enhancements, effectively halts sustained high-frequency campaigns by unknown origins while preserving legitimate communication from saved contacts, yet its reactive nature—activating only after detecting anomalous patterns—leaves a window for adversaries to accumulate preliminary latency data during the onset phase, necessitating complementary habits such as avoiding public exposure of phone numbers through directories or social profiles. Signal users face analogous constraints without a direct equivalent to WhatsApp’s advanced unknown blocking, relying instead on general privacy controls that limit visibility indicators and group additions but fail to suppress core receipt issuance for invalid payloads, underscoring the platform’s deliberate prioritization of delivery reliability over comprehensive metadata obfuscation.
Alternative messengers demonstrate feasible architectural mitigations that eliminate the side-channel entirely. Threema consolidates acknowledgments into batched responses and suppresses device-level receipts for unrecognized or invalid operations, preventing high-frequency timing measurements while maintaining multi-device synchronization and end-to-end encryption, a design choice that excludes Threema from exploitation in both academic validations and public proof-of-concept tools released through 2025. This consolidation approach reduces leakage bandwidth to negligible levels, illustrating that protocol refinements can neutralize the vector without sacrificing usability for established conversations, though Threema’s smaller user base limits network effects for widespread adoption.
Proposed technical countermeasures span client-side, server-side, and hybrid implementations that platform operators have yet to deploy at scale. Client-side introduction of bounded random delays to acknowledgment transmission—ranging from hundreds of milliseconds to several seconds—obfuscates state-dependent latency distinctions by injecting artificial jitter that overwhelms natural variations tied to power management or network type, a low-complexity change requiring no protocol alterations yet capable of degrading inference accuracy below practical thresholds. Server-side validation of message identifiers prior to client fan-out prevents stealth probes by discarding invalid reactions or edits centrally, eliminating receipt triggers altogether, though this increases processing load proportionally to abuse volume and risks minor delivery delays in legitimate high-latency scenarios.
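The effect of the client-side delay proposal can be checked with a small simulation, added here as an illustration and not taken from the paper or from either client. The per-state RTT distributions are constructed assumptions loosely based on the figures quoted on this page (about 0.3 s in the foreground, 1 to 3 s in standby), and the score is the accuracy of the best single cut-off on one receipt, which is the defender's worst case for a threshold-based observer.

```python
import random

# Constructed RTT models in seconds: state -> (mean, standard deviation).
# Means follow the figures quoted on this page; the spreads are assumptions.
STATE_MODELS = {"active": (0.33, 0.05), "standby": (1.5, 0.35)}


def receipt_delay(state, max_jitter, rng):
    """One observed receipt delay: natural RTT plus a uniform delay in [0, max_jitter]."""
    mean, spread = STATE_MODELS[state]
    natural = max(0.05, rng.gauss(mean, spread))  # clamp: no negative latency
    return natural + rng.uniform(0.0, max_jitter)


def best_cutoff_accuracy(active, standby):
    """Accuracy of the best single cut-off that calls low values 'active'.

    Sweeping every possible cut-off gives the defender's worst case: no
    threshold-based observer can do better on these samples.
    """
    labelled = sorted([(v, True) for v in active] + [(v, False) for v in standby])
    correct = len(standby)  # cut-off below all samples: everything is 'standby'
    best = correct
    for _, is_active in labelled:
        # Raising the cut-off past this sample relabels it as 'active'.
        correct += 1 if is_active else -1
        best = max(best, correct)
    return best / len(labelled)


def separability(max_jitter, samples=4000, seed=7):
    """Per-receipt state separability for a given jitter bound (0.5 = coin flip)."""
    rng = random.Random(seed)
    active = [receipt_delay("active", max_jitter, rng) for _ in range(samples)]
    standby = [receipt_delay("standby", max_jitter, rng) for _ in range(samples)]
    return best_cutoff_accuracy(active, standby)


if __name__ == "__main__":
    for bound in (0.0, 0.5, 2.0, 4.0, 10.0):
        print(f"jitter bound {bound:>4.1f} s -> separability {separability(bound):.3f}")
```

Under these assumed distributions a bound of a few hundred milliseconds leaves the two states almost fully separable, and the bound has to reach several times the gap between the state means before separability approaches 0.5. The figures are per receipt; how many receipts an unknown sender can collect is a separate control.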
Hybrid strategies combine per-contact receipt restrictions with global anomaly detection, where clients enforce quotas on outbound acknowledgments from unknown senders and servers flag unusual volumes for automated blocking, balancing usability for contact-initiated communication against protection from arbitrary number-based targeting. Rate limiting enhancements beyond Signal’s existing per-connection caps could incorporate adaptive thresholds that throttle unknown origins progressively, mitigating both timing inference and resource exhaustion without blanket suppression of delivery guarantees.
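A client-side receipt policy of the kind described here, written as an added sketch rather than code from WhatsApp, Signal or the paper: contacts always get a receipt, unknown senders get a small quota per window, and each violation doubles the mute period. The class name, quota, window and mute values are assumptions, and the event trace is constructed.

```python
from collections import defaultdict, deque


class ReceiptPolicy:
    """Decides whether the client sends a delivery receipt (hypothetical design).

    Messages are still processed either way; only the receipt is withheld.
    """

    def __init__(self, contacts, quota=3, window=60.0,
                 base_mute=300.0, max_mute=86400.0):
        self.contacts = set(contacts)
        self.quota = quota          # receipts allowed per unknown sender per window
        self.window = window        # sliding window length in seconds
        self.base_mute = base_mute  # first mute period in seconds
        self.max_mute = max_mute    # cap for the doubling mute period
        self._acked = defaultdict(deque)   # sender -> timestamps of receipts sent
        self._muted_until = {}             # sender -> time the mute ends
        self.strikes = defaultdict(int)    # sender -> violations, reportable to the server

    def _mute(self, sender, now):
        """Record a violation and mute the sender for a progressively longer period."""
        self.strikes[sender] += 1
        period = min(self.max_mute, self.base_mute * 2 ** (self.strikes[sender] - 1))
        self._muted_until[sender] = now + period

    def decide(self, sender, now, references_known_message=True):
        """Return 'ack' or 'suppress' for one inbound item from `sender`."""
        if sender in self.contacts:
            return "ack"                       # reliability for established contacts
        if now < self._muted_until.get(sender, 0.0):
            return "suppress"
        if not references_known_message:
            # Reaction, edit or delete that points at a message ID we never stored.
            self._mute(sender, now)
            return "suppress"
        recent = self._acked[sender]
        while recent and recent[0] <= now - self.window:
            recent.popleft()                   # drop receipts outside the window
        if len(recent) >= self.quota:
            self._mute(sender, now)
            return "suppress"
        recent.append(now)
        return "ack"


def count_receipts(policy, events):
    """Replay (time, sender, references_known_message) events; count receipts sent."""
    sent = defaultdict(int)
    for now, sender, valid in sorted(events):
        if policy.decide(sender, now, valid) == "ack":
            sent[sender] += 1
    return dict(sent)


def constructed_trace():
    """Ten minutes of constructed traffic from one contact and two unknown senders."""
    events = [(float(t), "contact-a", True) for t in range(0, 600, 60)]
    # Unknown sender referencing message IDs that do not exist, every 2 s.
    events += [(float(t), "unknown-a", False) for t in range(0, 600, 2)]
    # Unknown sender with well-formed messages, every 10 s.
    events += [(float(t), "unknown-b", True) for t in range(0, 600, 10)]
    return events


if __name__ == "__main__":
    policy = ReceiptPolicy(contacts={"contact-a"})
    print(count_receipts(policy, constructed_trace()))
    print(dict(policy.strikes))
```

In this trace the contact keeps all ten receipts, the sender referencing nonexistent IDs gets none, and the other unknown sender gets six instead of sixty. The strike counts are what a client could report for the server-side flagging the paragraph mentions.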
User operational security practices augment these configurations by minimizing phone number discoverability. Avoiding publication in official listings, corporate directories, or social media bios reduces enumeration risk, while periodic review of linked devices and session terminations disrupts multi-device fingerprinting that reveals companion signatures. Employing secondary numbers or usernames—where supported—for public interactions further decouples primary identifiers from surveillance exposure.
Platform migration to alternatives with demonstrated resistance offers the most robust long-term defense for high-risk cohorts. Threema’s receipt consolidation and strict invalidation policies render comparable attacks infeasible, as validated through controlled experiments that excluded it from the vulnerable categories, while preserving features like multi-device support and disappearing messages. This migration trade-off accepts reduced interoperability for eliminated metadata channels, suitable for journalists, activists, and officials prioritizing behavioral privacy over mass reach.
Interim layered defenses combine restrictive settings with behavioral countermeasures. Enabling contact-only modes where available, disabling ancillary visibility indicators, and monitoring battery or data anomalies through system diagnostics provide partial detection cues, though forensic confirmation requires specialized tools absent from standard interfaces.
As of December 2025, community-driven pressure and regulatory oversight remain absent as levers, with no enforcement actions mandating metadata protections equivalent to content encryption. User adoption of defensive configurations thus constitutes the frontline barrier against a vulnerability that converts reliability features into persistent surveillance conduits.
Broader Privacy and Policy Implications
Persistent metadata leakage through delivery receipt timing channels in dominant messaging platforms exposes a fundamental asymmetry in contemporary digital privacy architectures, where end-to-end encryption safeguards message content exclusively while leaving behavioral patterns derivable from protocol artifacts vulnerable to exploitation by state and non-state actors alike, thereby eroding the practical privacy protections that billions of users associate with secure communication tools. Because platforms such as WhatsApp and Signal prioritize delivery reliability and usability to sustain massive installed bases exceeding 3 billion combined active devices, architectural decisions that mandate automatic acknowledgments for invalid operations create enduring side-channels that enable adversaries to reconstruct routines, infer social graphs, and calibrate resource disruption without ever accessing plaintext, converting intended reliability mechanisms into systemic surveillance vectors that rival traditional location-tracking capabilities in intelligence value.
This asymmetry undermines public trust in encryption’s comprehensive protective promise, as users adopt these applications expecting holistic seclusion from observation only to encounter metadata exposure that reconstructs behavioral equivalents of GPS streams through latency hierarchies and fingerprint distinctions. High-risk cohorts—journalists documenting conflicts, human rights defenders coordinating operations, opposition figures in authoritarian regimes—face disproportionate harm where number-based targeting lowers barriers below those of endpoint compromise, enabling persistent monitoring that chills expression and facilitates physical targeting through inferred presence at residences or workplaces.
State surveillance capacities amplify dramatically under such conditions, as domestic intelligence agencies and foreign services exploit low-threshold tools to map dissident networks via synchronized state transitions across monitored identifiers or companion device signatures revealing organizational anchors. Non-state actors, including corporate espionage units and private harassment campaigns, democratize these capabilities through public proofs of concept, scaling threats from individual stalking to bulk organizational profiling without traceable infrastructure compromise.
Regulatory responses remain fragmented and insufficiently attuned to metadata risks, with frameworks emphasizing content protection through encryption mandates while neglecting equivalent safeguards against protocol-derived inference, resulting in policy environments that permit mass behavioral surveillance absent the oversight applied to intercepted communications. International human rights instruments affirm privacy as encompassing communication metadata, yet enforcement mechanisms lag behind technological exploitation vectors that bypass traditional interception thresholds.
Platform self-governance perpetuates inertia, as commercial incentives favor feature completeness and backward compatibility over metadata minimization techniques proven feasible in smaller ecosystems, delaying adoption of receipt consolidation, bounded randomization, or contact-restricted issuance that neutralize timing channels without degrading core functionality. Competitive dynamics fail to penalize these oversights, as network effects lock users into vulnerable incumbents despite superior privacy designs in alternatives.
Broader digital rights erosion follows inexorably from normalized metadata exposure, where pervasive awareness of potential observation incrementally suppresses free association and expression across societies, replicating authoritarian control mechanisms in ostensibly open environments through private infrastructure. Economic harms compound in emerging markets, as resource exhaustion attacks impose financial penalties via quota depletion and device availability degradation on populations reliant on capped plans for essential services.
Interoperability mandates under consideration risk entrenching vulnerabilities further by standardizing receipt semantics across ecosystems, unless accompanied by mandatory metadata protections that elevate timing obfuscation to regulatory requirements. Absent such integration, fragmentation persists as privacy-conscious users migrate to resistant niches, bifurcating communication networks along security lines.
Global normative divergence accelerates, with jurisdictions pursuing divergent paths that either reinforce encryption integrity against exceptional access demands or accommodate lawful interception frameworks that inevitably weaken metadata safeguards through centralized validation or delay suppression. This fragmentation complicates cross-border operations for multinational entities and exposes users to varying protection levels based on provider jurisdiction.
Human rights monitoring organizations confront expanded threat surfaces, as metadata-derived profiles enable preemptive targeting of defenders before content-based triggers activate, shifting surveillance paradigms toward predictive behavioral control. Diplomatic communications via consumer platforms inherit these risks, complicating secure channels for sensitive negotiations absent dedicated hardened systems.
Long-term societal adaptation risks normalizing comprehensive behavioral visibility, diminishing expectations of digital seclusion analogous to physical anonymity in public spaces, with profound implications for democratic discourse and individual autonomy. Countervailing pressures from civil society and technical communities offer partial mitigation through exposure and alternative development, yet scale disadvantages limit impact against entrenched incumbents.
The side-channel’s persistence into late 2025 confirms that, absent external mandates or competitive disruption, dominant platforms will continue to prioritize growth metrics over completing their privacy protections, sustaining systemic exposure for billions while encryption’s content-focused victories ring increasingly hollow against metadata realities.
Delivery Receipt Side-Channel Vulnerability in WhatsApp and Signal: Key Concepts Overview
| Concept | Description | Key Details and Data | Affected Platforms | Status as of December 2025 | Source/Reference |
|---|---|---|---|---|---|
| Core Vulnerability Mechanism | Automatic delivery receipts issued at low network layers for crafted invalid messages (e.g., reactions to nonexistent IDs) enable measurable RTT variations without user notification. | RTT < 500 ms: active/foreground; 1-3 s: background/cellular; absent: offline. Multi-device: stacked receipts reveal companions. | WhatsApp, Signal | Remains exploitable; no protocol fix. | Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers – Gabriel K. Gegenhuber et al. – November 2024 |
| Attack Requirements | Only target’s phone number needed; no prior conversation or mutual contact required. | Phone numbers often public via directories/leaks. | WhatsApp, Signal | Fully operational. | Academic paper above |
| Behavioral Inference Capabilities | Longitudinal RTT data reconstructs daily routines. | Home: stable Wi-Fi low RTT; Sleep: prolonged high latency; Travel: fluctuations/cellular shifts; Work: companion device bursts. | WhatsApp (high granularity), Signal (coarser due to throttling) | Persistent. | Academic paper above |
| Device Fingerprinting | Jitter, receipt ordering, multiplicity distinguish OS/chipset/multi-device. | iOS vs Android; Qualcomm vs Exynos; linked desktops/tablets. | Both | Persistent. | Academic paper above |
| Resource Exhaustion Vectors | High-frequency oversized probes accelerate drain/data use. | Battery: from < 1 %/hour to 14-18 %/hour (iPhone/Samsung); Data: up to 13 GB/hour. | WhatsApp (severe), Signal (mitigated to ~1 %) | Exploitable on WhatsApp. | Academic paper above |
| Proof-of-Concept Tools | Public GitHub implementations automate probing/visualization. | Auth via Web QR; real-time dashboard; multi-target; adaptive intervals. | Primarily WhatsApp | Widely available/forked. | Community reports referencing academic findings |
| Platform Scale | Global user base exposure. | WhatsApp: over 3 billion monthly active users. Signal: 70-100 million. | Both | Unchanged. | Multiple sources (e.g., Backlinko, EngageCoders 2025 stats) |
| Disclosure and Platform Responses | Responsible disclosure September 2024. | Meta (WhatsApp): Acknowledged/triaged, no core fix. Signal Foundation: No response. Ancillary patches unrelated. | Both | No fundamental remediation. | Academic paper; Meta advisories (no specific receipt fix) |
| User Defenses | Privacy settings and alternatives. | WhatsApp: Settings > Privacy > Advanced > Block unknown account messages (reactive threshold). Disable visibility indicators. | WhatsApp | Partial; thresholds allow initial probes. | WhatsApp Help Center |
| Alternative Platforms | Resistant designs. | Threema: Batches receipts; suppresses invalid operations; no phone number required. | N/A (resistant) | Eliminates side-channel. | Threema features documentation |
| Mitigation Proposals | Technical fixes unadopted. | Random delays; contact-restricted receipts; server validation pre-fanout; adaptive throttling. | Proposed for WhatsApp/Signal | Not implemented. | Academic paper above |
| Broader Implications | Metadata equals content risk; erodes encryption trust. | Enables stalking, surveillance, disruption; affects journalists/activists/officials; chills expression. | Ecosystem-wide | Systemic privacy erosion. | Derived from analysis |
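
The mitigation proposals in the table (validation before a receipt is issued, contact-restricted receipts, adaptive throttling, random delays) can be combined into a single receipt policy. The sketch below is an added example, not code from the paper or from either messenger; the class, message fields, thresholds and sample traffic are assumptions, and whether the policy runs on the client or the server is left open.

```python
import random
from collections import defaultdict, deque, namedtuple

Decision = namedtuple("Decision", "deliver receipt_delay reason")
REFERENCING = {"reaction", "edit", "delete"}  # types that point at an earlier message


class ReceiptPolicy:
    """Hypothetical policy: decides per message whether to deliver and when to acknowledge."""

    def __init__(self, contacts, known_ids, max_per_window=5, window=60.0,
                 delay_range=(0.5, 3.0), rng=None):
        self.contacts = contacts          # senders the recipient has as contacts
        self.known_ids = known_ids        # message IDs that exist in the recipient's chats
        self.max_per_window = max_per_window
        self.window = window              # seconds
        self.delay_range = delay_range    # assumed bounds, spanning the RTT bands in the table
        self.rng = rng or random.SystemRandom()
        self.seen = defaultdict(deque)    # sender -> recent arrival times

    def decide(self, msg, now):
        q = self.seen[msg["from"]]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        # Adaptive throttling: a burst from one sender gets neither delivery nor receipt.
        if len(q) > self.max_per_window:
            return Decision(False, None, "throttled")
        # Validate before acknowledging: a reaction/edit/delete must target a real message.
        if msg["type"] in REFERENCING and msg.get("target_id") not in self.known_ids:
            return Decision(False, None, "invalid-target")
        # Contact-restricted receipts: strangers' messages arrive, but nothing is timed back.
        if msg["from"] not in self.contacts:
            return Decision(True, None, "no-receipt-for-non-contact")
        # Random delay: decouple receipt timing from the device's real wake-up latency.
        return Decision(True, self.rng.uniform(*self.delay_range), "receipt-delayed")


def run_demo():
    # Constructed traffic for one recipient; all names and IDs are made up.
    policy = ReceiptPolicy(contacts={"alice"}, known_ids={"m1"}, rng=random.Random(7))
    events = [
        {"from": "alice", "type": "reaction", "target_id": "m1"},
        {"from": "alice", "type": "reaction", "target_id": "nope"},
        {"from": "mallory", "type": "text"},
    ] + [{"from": "mallory", "type": "reaction", "target_id": "nope"}] * 6
    return [policy.decide(e, now=float(i)) for i, e in enumerate(events)]
```

Random delay on its own averages out over many probes, which is why the throttle sits in front of it.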




















