Kin

"The Social Graph Problem: Why Encrypting Your Messages Isn't Enough"

A

AJ, Founder @ JouleWorx

May 25, 2026·8 Minute Read

Encryption protects your words. It was never designed to protect your relationships.

An itemized phone bill does not contain a single word you said. It lists only who you called, when, and for how long. And yet hand a stranger one month of it and they will know the person you cannot get through the day without, the week you stopped speaking to someone, the night something went wrong. The words were never the revealing part. A privacy-focused messaging app protects them anyway, and leaves the rest in plain view.

Encryption protects the contents of a message. What it does not protect is the fact of the message: who sent it, who received it, when, how often, and in what configuration with every other message ever exchanged between those two people. That pattern has a name in systems design. It is called the social graph. And in many circumstances, it is more sensitive than anything the messages themselves contain.

What Encryption Actually Covers

End-to-end encryption is a genuine and meaningful protection. When a message is encrypted end-to-end, the content is scrambled before it leaves your device and can only be unscrambled by the recipient. The servers that carry it see only indecipherable noise. So does the messaging company that operates them, and so would anyone who intercepted the signal in transit. This is not a marketing claim. It is a technical property of the cryptographic protocol, and it is real.[1]

But the sealed envelope analogy, which is often used to explain encryption, is more revealing than it is usually allowed to be. The envelope's contents are sealed. The envelope's existence is not. Whoever runs the postal system still sees that an envelope was sent. They see the sender's address and the recipient's. They record the time of dispatch and the frequency: daily, weekly, a cluster of letters in a single fortnight, then silence for six months, then daily again. They know which city each letter came from and on what device, or in the physical analogy, at which post office it was deposited. None of this is inside the envelope. It is all visible to the infrastructure that carries it, recorded as a matter of course.

This is what the word metadata means. Not data that reveals what was said, but data that reveals the shape of the saying: the pattern of contact between two people across time. Encryption leaves this metadata fully exposed, by design. The protocol was built to protect content. Protecting the graph of relationships was a separate problem, and most messaging systems were never built to solve it.[2]

The Social Graph, and Why It Is Often More Sensitive Than the Messages

A social graph is the network of relationships encoded by communication patterns: who talks to whom, how often, at what times, in what configuration with other people, across what span of time. The phrase comes from computer science and graph theory, where relationships between entities are modelled as edges connecting nodes. In the context of a messaging app, the nodes are people, and the edges are drawn by their interactions.

The social graph is often more sensitive than the content of any individual message. This is not a theoretical concern. It is the operational assumption of intelligence agencies that have, for decades, considered relationship mapping more valuable than transcript collection.[3] Documents disclosed by Edward Snowden in 2013 exposed the NSA's bulk metadata collection programmes, which were built on exactly this insight: that you do not need to read a message to understand what it encodes. The pattern of who contacts whom, when, and how often tells you most of what you need to know about the nature of a relationship, and sometimes far more than the words exchanged.[4]

Bring this down to an ordinary scale. A teenager's contact graph reveals the shape of their confidences more precisely than any individual conversation would. The hours they talk to certain people at night, the names that have never come up at home: these say more than the words of any one exchange. An employee's communication pattern across weeks shows which colleagues they trust outside of official channels, and in which direction that trust runs. A journalist's graph of contacts, reconstructed from frequency and timing alone, without reading a single message, can identify sources with a reliability that courts have found legally meaningful.[5]

The sensitivity here is not hypothetical. People edit what they say. Almost nobody edits the rhythm of who they speak to, and that rhythm is often more revealing than the words.

The Record That Already Exists

Most people's social graphs are already fully mapped. Not as a future capability, or a theoretical vulnerability, but as an existing record, held now, in a queryable form, by the companies whose services they use daily.

WhatsApp's privacy policy, as of May 2026, specifies what this includes.[6] It collects your phone number when you register. If you enable the contact-upload feature and grant contacts permission, it also collects the phone numbers stored in your device's address book. It logs the time, frequency, and duration of exchanges, when users are active, when they last connected, the cadence of their replies. It records the IP address, which typically resolves to a city or region. It notes the phone model, operating system, and mobile network. It tracks which features are used and for how long.

No single item on this list feels particularly sensitive. Taken together, they are the raw material of a person's social world: their closest contacts, their most frequent correspondents, the rhythm of who they reach for and when. Whatever is retained, and for however long, the categories WhatsApp collects are sufficient to describe that world in detail. You could delete every message you have ever sent, and the metadata record would be unaffected.[7]

Under the policy, the data WhatsApp shares with the wider Meta companies can be used to show you relevant offers and ads for Meta products. This sharing is disclosed, legal, and unremarkable by industry standards. That is precisely the point. The data that most precisely describes the people you trust and depend on is the same data that, under different ownership, regulation, or political conditions, could be used against you.

WhatsApp says it does not use the data it collects to build advertising profiles, and that it does not keep logs of who its users message. The categories of data it discloses collecting, however, are a matter of its own published policy, and the argument here concerns what those categories make possible, not any single use of them today.

When Safety and Communication Overlap

There is a particular category of communication where the social graph problem becomes acute: when people use messaging apps not for conversation but for safety. Letting someone know you arrived home. Checking in on an elderly parent who lives alone. A journalist confirming she is okay with her editor after a difficult day in the field. A family member waiting for a signal that the long drive is over.

These interactions are not conversations. They are signals, deliberately minimal and deliberately closed. One person sends something. The loop closes. No reply is needed or expected. The meaning is entirely in the fact of the signal, not its content.

But when these signals pass through a messaging infrastructure that maps relationships, something else happens alongside the reassurance. The system records that this person checks in on that person. It records the frequency: daily, always at the same hour; or irregular, clustering around moments of anxiety. It records the rhythm of dependency: who initiates, who responds, what the cadence of care looks like across weeks and months.

A safety check-in is, by definition, a signal of dependency and concern. Aggregated, those signals describe something more intimate than most people would consciously choose to disclose: the precise architecture of who you are responsible for, who is responsible for you, and how the weight of that responsibility moves through time. The social graph of care, the record of who checks in on whom and how often, is among the most private information a person generates. It is almost never treated as such by the infrastructure it passes through.

What Graph-Private Design Actually Requires

Most privacy-preserving technology focuses on content. Encrypted messages. Disappearing texts. Zero-knowledge storage. These are meaningful protections, and they are not nothing. But graph privacy is a different problem. Protecting the map of who contacts whom requires something architecturally different, and considerably harder.

A system that cannot reconstruct its users' social graphs must be built, from the ground up, to avoid retaining the data that graphs are made of. This means no persistent contact lists stored in a queryable form on the server. No frequency or timing logs retained beyond what is required for immediate delivery. No cross-session identifiers that allow relationships to be reconstructed retrospectively. No business model that creates an incentive to retain what could be discarded.[8]

Signal comes closest among mainstream messaging apps. When the Signal Foundation has been subpoenaed by US law enforcement, it has been able to produce only two items: the date a user created their account, and the date of their last connection to the service. Nothing more, because nothing more is retained.[9] The Signal Foundation is a non-profit, with no advertising revenue and no investors whose returns depend on user data. Its architecture and its economics point in the same direction: minimum data, minimum retention, as a structural commitment rather than a policy promise.[10]

But this is still a messaging system. It was built for conversation, not for the specific problem of quiet, one-directional safety signals: the I'm okay that closes a loop without opening a thread. The graph-privacy problem in a messaging context is different from the graph-privacy problem in a safety context. In a messaging system, the graph is a side-effect of the primary use. In a safety app, it is the only thing being generated.

What We're Doing Instead

The social graph is not, in the end, an abstract object. The intelligence programmes are its legible extreme, but the thing itself is ordinary and close: the map of the people you depend on. At its most concentrated it is not a population, or a network of suspects. It is a family: the small, repeating set of people you check in on, and who check in on you.

That is the part of the graph Kin exists to protect. We did not set out to build a defence against any of the actors in this piece; a family check-in app does not stand between anyone and a grand jury, and we will not pretend otherwise. We set out to prove something narrower, and we think more useful: that the most intimate version of the social graph, the daily traffic of care between people who love one another, does not have to be assembled in order to be served. Data minimisation as a matter of craft, rather than compliance.

So the record of who checks in on whom, how often, and in what rhythm is treated here as the most protected information in the product, not the least.

The signal a person sends when they check in on someone they love is not metadata to be optimised around; it is the most intimate thing the product touches. By design, we do not retain a map of who checks in on whom, and our architecture is built to make that retention unnecessary. Routing data is the minimum required to deliver a signal, it expires within thirty days, and the message payload is end-to-end encrypted and unreadable to us. We do not derive commercial value from any of it. The commitment is architectural, backed by a business model that gives us no reason to retain more.

For honesty: Kin uses phone-number authentication, the same primitive WhatsApp does. We use it because contact-list filtering needs a shared namespace, and we hold the phone number only at the authentication layer. It is not replicated into Kin's own database, and it is not used for any purpose beyond identity and spam prevention. The difference between Kin and a messaging app is not that we found a way to avoid this. It is what we choose to do, and not do, with what we collect.

Early Access

Kin is in early access.

If this is a feeling you recognize, we'd love to have you with us from the beginning.

Sources

1. WhatsApp Security Whitepaper: WhatsApp's implementation of the Signal Protocol provides end-to-end encryption for messages, calls, and media. The cryptographic properties are technically documented by Open Whisper Systems.

2. Electronic Frontier Foundation, Surveillance Self-Defence: "Why Metadata Matters": The distinction between content and metadata is foundational to modern communications privacy law and technology. EFF's guide explains why metadata can be as revealing as content, often more so.

3. David Cole, New York Review of Books, May 10, 2014: "We Kill People Based on Metadata": Former NSA Director Michael Hayden, in an April 1, 2014 debate with David Cole at Johns Hopkins University, said: "We kill people based on metadata." Hayden's remark referred to overseas operations and was qualified as distinct from domestic NSA programs.

4. Glenn Greenwald, The Guardian, June 2013: NSA bulk metadata collection programme: NSA bulk metadata collection programme exposed via Snowden documents. The programme targeted communication patterns (who contacted whom, when, and from where) rather than message content.

5. Ramya Krishnan and Trevor Timm, Knight First Amendment Institute at Columbia University, 2019: Report on the DoJ's seizure of AP phone records: Report on the US Department of Justice's 2013 seizure of Associated Press telephone toll records as part of a leak investigation. The DoJ issued 30 subpoenas covering 30 phone numbers, including AP bureau trunk lines and the main number for AP reporters covering Congress, with the stated purpose of identifying the AP's confidential sources. The records sought were metadata only: call timing, frequency, and routing, not content.

6. WhatsApp Privacy Policy: Categories of data collected include account and contact phone numbers, usage frequency and timing, IP address, device model, operating system, battery level, signal strength, mobile network, and app usage behaviour. Data shared with the wider Meta companies may be used to show relevant offers and ads for Meta products; WhatsApp does not run third-party banner ads in the app.

7. James Risen and Laura Poitras, The New York Times, September 28, 2013: "N.S.A. Gathers Data on Social Connections of U.S. Citizens": Documents disclosed by Edward Snowden show that since 2010 the NSA has used phone and email metadata to build sophisticated social graphs of Americans, identifying associates, locations, and traveling companions, all without accessing the content of any communication.

8. Micah Lee, The Intercept, June 22, 2016: "Battle of the Secure Messaging Apps: How Signal Beats WhatsApp": A detailed technical comparison of what Signal, WhatsApp, and Allo each retain at the infrastructure level, and what the structural differences in architecture mean for graph privacy.

9. Signal Foundation — published subpoena responses: When subpoenaed by US law enforcement, in 2016 (Eastern District of Virginia) and as recently as the District of Columbia case disclosed in March 2026 (covering 37 phone numbers), Signal was able to produce only two items: the date a user created their account and the date of their last connection. No message content, no contact graph, no metadata logs. Published by Signal as transparency documents.

10. Signal Foundation: Signal Foundation 501(c)(3) non-profit status and funding model: Signal is funded by donations and grants, with no advertising business. Its architecture and economics are structurally aligned with minimum data retention.

Note on comment: WhatsApp's representatives engaged with this piece ahead of publication on background, and their position is reflected above. They declined to provide an on-the-record statement.