But wait – it gets much, much worse
As I was finishing up the above post, I noticed something a little strange in the code – something I’d glossed over earlier. There are a ton of references to what look to be functions related to Google’s #Firestore database.
It’s not about metadata exchange, but metadata exposure.
Two of those platforms use self-hosted node servers. Behind a VPN with multiple customers, this is virtually untraceable. And certainly far less easily traced than by giving away your cell phone number to a company.
This is why I said it is for developers and users to decide what is acceptable. The sensitivity of what you are doing, and the required threat model, determines what elements are acceptable to leak.