Careless Whisper on DeltaChat

There is a security research paper, “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers”:
https://arxiv.org/pdf/2411.11194
Video highlighting key points: https://youtu.be/B9Syj555RQc

This research targeted other messengers, but the same method could probably be used for gathering information on DC clients.

I’m curious: what can be achieved with ‘hidden’ system messages on DC?


Delta Chat does not have delivery receipts.

The only kind of invisible, automatically replied messages are part of SecureJoin. If you show someone a QR code or give them an invite link, your device needs to process their key request messages (vc-request/vg-request) before a 1:1 chat is created or before you add them to a group.

Users who don’t have your invite link and have not scanned your QR code (e.g. contacts who are just in the same chat as you, or who got your contact from someone as a vCard) cannot check whether you are online this way.

I have opened “Prevent silent probing of device online status” (chatmail/core issue #7555 on GitHub) with technical details.

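To make the point of the post above concrete, here is a small Python model of an auto-reply gate for SecureJoin-style requests. This is an added example, not Delta Chat or chatmail core code, and it does not describe what issue #7555 proposes: the token format, the single-use limit, the expiry and the revocation are all assumptions of the model. What it shows is the difference between answering every request from anyone who ever obtained your invite (so a holder can keep sending vc-request messages and watch for the silent reply) and answering only a live invite that the user actually issued, dropping everything else without a reply.

```python
"""Hypothetical model of a SecureJoin-style auto-reply gate (added example,
not Delta Chat / chatmail core code). A device silently answers
vc-request / vg-request messages; the gate below answers only requests that
carry a token the user actually issued (QR code / invite link) and treats
tokens as single-use, expiring and revocable, so a holder cannot keep
probing after the join is done. Token handling, expiry and use limits are
assumptions of this model, not the real protocol."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Invite:
    kind: str          # "vc" (1:1 chat) or "vg" (group), the request types named in the thread
    expires_at: float  # seconds, on whatever clock the caller passes as `now`
    uses_left: int


@dataclass
class InviteRegistry:
    active: dict = field(default_factory=dict)   # token -> Invite still valid
    ever_issued: set = field(default_factory=set)  # every token ever handed out

    def issue(self, kind: str, now: float, ttl: float = 600.0, max_uses: int = 1) -> str:
        token = secrets.token_hex(16)  # secret that only the invitee receives
        self.active[token] = Invite(kind, now + ttl, max_uses)
        self.ever_issued.add(token)
        return token

    def revoke(self, token: str) -> None:
        self.active.pop(token, None)

    def consume(self, token: str, kind: str, now: float) -> bool:
        inv = self.active.get(token)
        if inv is None or inv.kind != kind:
            return False
        if now > inv.expires_at:
            del self.active[token]
            return False
        inv.uses_left -= 1
        if inv.uses_left <= 0:
            del self.active[token]
        return True


REQUEST_KIND = {"vc-request": "vc", "vg-request": "vg"}


def naive_policy(msg: dict, registry: InviteRegistry, now: float) -> bool:
    """Answers every request whose token was ever handed out: once someone has
    your link, each request they send gets a silent reply, indefinitely."""
    return msg.get("type") in REQUEST_KIND and msg.get("token") in registry.ever_issued


def gated_policy(msg: dict, registry: InviteRegistry, now: float) -> bool:
    """Answers only a live, unexpired, unused token of the matching kind; every
    other request is dropped without any reply, so the sender gets no signal."""
    kind = REQUEST_KIND.get(msg.get("type"))
    if kind is None:
        return False
    return registry.consume(msg.get("token", ""), kind, now)


def demo() -> dict:
    """Constructed scenario: one 1:1 invite, used once, then probed again."""
    reg = InviteRegistry()
    token = reg.issue("vc", now=1000.0)
    join = {"type": "vc-request", "token": token}
    probe = {"type": "vc-request", "token": "deadbeef"}  # token never issued
    result = {
        "first_request_gated": gated_policy(join, reg, now=1001.0),
        "second_request_gated": gated_policy(join, reg, now=1002.0),
        "second_request_naive": naive_policy(join, reg, now=1002.0),
        "unknown_token_gated": gated_policy(probe, reg, now=1002.0),
        "unknown_token_naive": naive_policy(probe, reg, now=1002.0),
    }
    group = reg.issue("vg", now=2000.0, ttl=60.0)
    result["expired_group_gated"] = gated_policy({"type": "vg-request", "token": group}, reg, now=2100.0)
    group2 = reg.issue("vg", now=3000.0)
    result["wrong_kind_gated"] = gated_policy({"type": "vc-request", "token": group2}, reg, now=3001.0)
    return result


if __name__ == "__main__":
    for name, answered in demo().items():
        print(f"{name}: {'reply sent' if answered else 'silently dropped'}")
```

The decision that matters for online-status probing is the second request: under the naive policy it is still answered, under the gated policy the consumed token no longer exists, so the holder of an old invite learns nothing.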

There is another well-known type of attack which uses read receipts to make traffic analysis attacks easier:

Suggested mitigations for this include small timing delays in notifications and adding cover traffic, but the perfect solution is not obvious.
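As an added illustration of the two mitigations just mentioned (not code from the thread or from any messenger), here is a toy read-receipt scheduler in Python. It holds each real receipt back by a random delay and emits dummy receipts as cover traffic, and it reports what an on-path observer can still get from timestamps alone. The delay bound, the cover rate and the Poisson model for cover traffic are assumptions picked for the example.

```python
"""Toy read-receipt scheduler (added example, not from the thread or any
messenger's code base) applying a random delay plus cover traffic, with a
summary of what a timing-only observer can still recover. MAX_DELAY,
COVER_RATE and the Poisson cover model are assumptions."""
import random

MAX_DELAY = 30.0     # upper bound on the random hold-back, in seconds (assumed)
COVER_RATE = 1 / 60  # average dummy receipts per second (assumed)


def immediate_receipts(read_times):
    """Baseline: each receipt leaves the moment the message is read, so every
    timestamp on the wire is exactly a read time.  Entries are (sent_at, read_at)."""
    return [(t, t) for t in sorted(read_times)]


def mitigated_receipts(read_times, horizon, rng, max_delay=MAX_DELAY, cover_rate=COVER_RATE):
    """Real receipts are held back by Uniform(0, max_delay).  Dummy receipts
    (read_at=None) are emitted as a Poisson process over [0, horizon); on a
    real system they must be byte-for-byte indistinguishable on the wire and
    be discarded by the peer."""
    sched = [(t + rng.uniform(0.0, max_delay), t) for t in read_times]
    t = rng.expovariate(cover_rate)
    while t < horizon:
        sched.append((t, None))
        t += rng.expovariate(cover_rate)
    return sorted(sched, key=lambda e: e[0])


def observer_view(schedule, max_delay):
    """What a traffic observer learns: timestamps only, no labels, so a receipt
    at s means at most 'a read may have happened in [s - max_delay, s]'."""
    return [(max(0.0, s - max_delay), s) for s, _ in schedule]


def leakage_summary(read_times, schedule, max_delay):
    real = [(s, r) for s, r in schedule if r is not None]
    return {
        "reads": len(read_times),
        "receipts_on_wire": len(schedule),
        "cover": sum(1 for _, r in schedule if r is None),
        "delays_within_bound": all(0.0 <= s - r <= max_delay for s, r in real),
        # exact recovery only when every wire timestamp is itself a read time
        "reads_exactly_recoverable": [s for s, _ in schedule] == sorted(read_times),
    }


def demo(seed=7):
    reads = [120.0, 125.5, 900.0, 2400.0]  # constructed read times, seconds into the hour
    rng = random.Random(seed)
    base = leakage_summary(reads, immediate_receipts(reads), 0.0)
    hard = leakage_summary(reads, mitigated_receipts(reads, 3600.0, rng), MAX_DELAY)
    return base, hard


if __name__ == "__main__":
    base, hard = demo()
    print("immediate:", base)
    print("mitigated:", hard)
```

With immediate receipts the observer's candidate intervals have zero width and there is one receipt per read; with the mitigated scheduler every real read is still delivered within the delay bound, but each receipt on the wire only yields a 30-second window and most of the receipts are cover, so the set of timestamps no longer maps onto the set of reads. The remaining caveat the post makes still holds: the delay has to stay small enough for receipts to be useful, which caps how much blurring it can add.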