Most instant messaging applications provide enriched link summaries (as shown next with Telegram link previews), including a description and a preview image of the website.

Depending on the implementation, these nice-to-have features can become privacy-intrusive: they might force your client to download remote content from an untrusted third party, leaking your IP address and OS version (User-Agent).

How does it work?

The application (client side or server side) will grab the webpage and look for metadata through the Open Graph protocol. These are simple HTML tags included in the <head> section, like so:
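The following is an added example, not code from the original post: it parses the Open Graph tags out of a constructed sample page and lists the hosts a preview generator ends up contacting, which is where the IP address and User-Agent leak when this runs on the client. The sample HTML, the host names and the names OpenGraphParser and build_preview are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not taken from the original post).
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Example article" />
<meta property="og:description" content="Summary shown in the preview card." />
<meta property="og:image" content="https://cdn.example.net/img/card.png" />
</head><body>
<meta property="og:title" content="Outside head, ignored">
</body></html>"""


class OpenGraphParser(HTMLParser):
    """Collects og:* <meta> tags that appear inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:
            attr = dict(attrs)
            prop = (attr.get("property") or "").lower()
            if prop.startswith("og:") and attr.get("content"):
                self.tags.setdefault(prop, attr["content"])  # first value wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def build_preview(page_url, html):
    """Return the preview card fields and every host a fetcher would contact."""
    parser = OpenGraphParser()
    parser.feed(html)
    og = parser.tags
    image = og.get("og:image")
    image_url = urljoin(page_url, image) if image else None
    # The page is fetched first; the preview image is a second request,
    # possibly to a different (third-party) host.
    hosts = []
    for url in (page_url, image_url):
        host = urlparse(url).hostname if url else None
        if host and host not in hosts:
            hosts.append(host)
    return {"title": og.get("og:title"), "description": og.get("og:description"),
            "image": image_url, "hosts_contacted": hosts}
```

Whoever runs this logic (sender's device, recipient's device or the messenger's servers) is the party whose IP address and User-Agent appear in the logs of every host in hosts_contacted.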

Let’s find out how major instant messengers are dealing with these.

Twitter Direct Messages

When you share a URL with someone using Twitter DM, the web server hosting it will see at least two probes: one request coming from Twitter (AS13414) that loads the URL to build the card and, strangely, a second request coming from an Amazon EC2 server with a random mobile User-Agent. Most likely this is done to check for viruses/phishing (Twitter will display a warning on suspicious links in new messages).

Privacy: URL is known to the server, no IP addresses leak (message isn’t E2E encrypted anyway)

iMessages

Upon sending a link, your mobile device will generate a preview card. All data appears to be processed locally on your device. The receiver will not fetch the URL but will have the preview data, meaning either the data is cached on Apple's servers, or it is sent directly to the receiver through the encrypted channel.

Privacy: fair

WhatsApp

WhatsApp has the same design as iMessage: the sender generates the link preview (grabbing metadata from the URL) and sends this data to the recipient through the server. This occurs even when end-to-end encryption is enabled, but it doesn't seem to violate E2E (the URL is fetched by the client, not the server).

Privacy: fair

Signal

Signal does not have any enriched link preview: neither the client nor the server fetches the URL. 👍

Privacy: good

Telegram

The Telegram mobile application will generate the preview server-side. For an app that claims to have E2E, this is kind of a big issue.

Privacy: URL is known to the server, no IP addresses leak

Wire

Wire will generate a preview locally (from your mobile device). Interestingly, the Wire web app (on desktop) won't generate any preview. It is worth pointing out that you can disable link previews in the application settings, which is a good move.

Privacy: fair

FB Messenger

Facebook servers will grab the URL to display the preview card. Haven’t tested with Secret Conversations.

Privacy: URL is known to the server, no IP addresses leak

Skype

Skype servers will generate the link preview as well.

Privacy: URL is known to the server, no IP addresses leak

Slack

The Slack app generates the link preview server-side.

Privacy: URL is known to the server, no IP addresses leak

Discord

Same thing with Discord (tested on the Discord web app).

Privacy: URL is known to the server, no IP addresses leak

Please feel free to send me a message on Twitter if you found other interesting results!