Although encryption hides the content of communications from third parties, metadata, i.e., the information attached to the content (such as the size or timing of communication) can be a rich source of details and context. In this dissertation, we demonstrate the power of metadata analysis. We illustrate ways in which we can use metadata analysis to protect privacy, by addressing two problems in the areas of network and web privacy. In the first problem, we study recently standardized protocols such as encrypted DNS and QUIC. We show how metadata analysis can be used by adversaries to perform website-fingerprinting attacks against these protocols and to infer websites visited by a user, thereby compromising their privacy. We use the insights from our analysis to identify the requirements for developing effective countermeasures and to improve the resistance of these protocols to website fingerprinting. We find that hiding metadata is challenging. In the second problem, we address the issue of online advertising and tracking services (ATS) that are constantly evolving to evade privacy protections established by browser vendors. We demonstrate how the very fact of metadata being hard to hide can be useful to defenders. Defenders can use metadata analysis to build ATS-detection systems that are more robust against adversarial evasion by capturing behavioral metadata of ATS. We use our findings to detect and counter the emergence of tracking via first-party cookies.