My first job in IT was at a small company, “A,” that researched telephone data for a very large company, “B.” You see, company “B” was a huge multinational conglomerate with offices all over the world. This meant they had several telephony providers that charged them not only for actual phone usage but also for the phone ports in the PBX.

That meant I spent days each week researching which phone ports were actually used by calling the phone numbers with little or no usage. It was boring and tedious, to say the least, but at least I got to listen to some awesome podcasts when podcasts first started becoming popular.

Soon after, we expanded our reach to include a helpdesk function. Since we had access to all of the call detail records (CDRs), we were able to set up a chargeback system for the department managers, giving them access to their department’s phone usage. We didn’t have access to the content of their calls, only the metadata about their calls: who called which number at what time, on which day, how much it cost the company, etc. Half of my job became helping people and providing application support for this new website. Occasionally, I was contacted by corporate security to provide details about a specific person. We could only provide the CDRs, aka the metadata about the calls, but I was told that often those records were sent directly to law enforcement.

Metadata is incredibly powerful information. Even if you believe that your calls, texts, etc. are fully end-to-end encrypted, there is still metadata that gets recorded. This is why I am wary of services that are too loved by the security community, like Signal, which has closed-source components. What happens to the metadata for each communication? The discussion might be end-to-end encrypted, but what about the metadata? Where does it go, and who gets it?