And if so, why exactly? It says it's end-to-end encrypted. The metadata isn't. But what is metadata and is it bad that it's not? Are there any other problematic things?
I think I have a few answers for these questions, but I was wondering if anyone else has good answers/explanations/links to share where I can inform myself more.
They would just say that they have a different definition of E2EE, or quietly opt you out of it and bury something in their terms of service that says you agree to that. You might even win in court, but that will be a wrist slap years later if at all.
No single individual will beat a corporation as large as Facebook in a court battle. You could have all the evidence in the world and they'll still beat you in court and destroy your life in the process. It took a massive class action lawsuit to hold them accountable for the Cambridge Analytica case, and the punishment was still pennies to them.
Look at the DuPont case. There was abundant evidence that they were knowingly poisoning the planet, and giving people cancer, and they still managed to drag that case on for 30 years before a judgement. In the end they were fined less than 3% of their profit from a single year. That was their punishment for poisoning 99% of all life on planet earth, knowingly killing factory workers, bribing government agencies, lying, cheating, and just all around being evil fucks. 3% of their profit from a single year.
They don't really need the actual contents of your messages if they have the associated metadata, since it is not encrypted, and provides them with plenty of information.
So idk, I honestly don't see why I shouldn't believe them. Don't get me wrong though, I fully support the scepticism.
It can be fully end to end encrypted and still drop keyword-based metadata into the envelope. But also, I am pretty sure that the feds can access the keys if they need to. It's e2e encrypted, but that doesn't mean the key stays on your device.
This is what I came to express as well. Unless the software is open source, both client and server, what they say is unverifiable and it's safest to assume it's false. Moreover, the owning company has a verifiable and well known history of explicitly acting against user privacy. There is no reason to trust them and every reason not to.