Identity Leakage in Encrypted IM Call Services: An Empirical Study of Metadata Correlation

Instant messaging (IM) applications are ubiquitous, and while end-to-end encryption protects message content, traffic metadata remains observable. This paper proposes a traffic correlation framework for IM call services under a passive ISP-level threat model to infer communication parties from encrypted traffic. The framework extracts and matches metadata from sustained, bidirectional call flows and jointly analyzes endpoint identifiability, shared server connectivity, symmetry in call duration and traffic volume, and service type indicators to derive correlation artifacts for matching. The framework is instantiated and evaluated on WhatsApp, Facebook Messenger, and Snapchat across diverse user behavior scenarios and commonly deployed network settings. Experimental results show that the method reliably links caller and callee flows, revealing edges in users’ social graphs without decrypting any packets. Under typical data retention regimes, these findings indicate that metadata-based correlation provides a practical basis for deanonymization and represents a persistent privacy risk for users of IM calling.