Handshake Privacy for TLS 1.3 - Technical report - INRIA - Institut National de Recherche en Informatique et en Automatique
Report (Research Report) Year: 2022

Handshake Privacy for TLS 1.3 - Technical report

Karthikeyan Bhargavan
Vincent Cheval
Christopher Wood
  • Role: Author

Abstract

TLS 1.3, the newest version of the Transport Layer Security (TLS) protocol, provides stronger authentication and confidentiality guarantees than prior TLS versions. Despite additional encryption of handshake messages, some parts of the TLS 1.3 handshake, including the ClientHello, are still in the clear. For example, the protocol reveals the identity of the target server to network attackers, allowing the passive surveillance and active censorship of TLS connections. A recent privacy extension called Encrypted Client Hello (ECH, previously called ESNI) addresses this problem and offers more comprehensive handshake encryption and privacy for TLS 1.3. Surprisingly, however, although the security of the TLS 1.3 handshake has been comprehensively analyzed in a variety of formal models, the privacy guarantees of handshake encryption have never been formally studied. This gap has resulted in several missteps: several of the initial designs for ECH were found to be vulnerable to passive and active network attacks. In this paper, we present the first mechanized formal analysis of privacy properties for the TLS 1.3 handshake. We study all standard modes of TLS 1.3, with and without ECH, using the symbolic protocol analyzer ProVerif. We discuss attacks on ECH, some found during the course of this study, and show how they are accounted for in the latest version. Our analysis has helped guide the standardization process for ECH and we provide concrete privacy recommendations for TLS implementors. We also contribute the most comprehensive model of TLS 1.3 to date, which can be used by designers experimenting with new extensions to the protocol. Ours is one of the largest privacy proofs attempted in ProVerif and our modeling strategies may be of general interest to protocol analysts.
Main file
main.pdf (1010.23 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-03594482, version 1 (02-03-2022)

Identifiers

  • HAL Id: hal-03594482, version 1

Cite

Karthikeyan Bhargavan, Vincent Cheval, Christopher Wood. Handshake Privacy for TLS 1.3 - Technical report. [Research Report] Inria Paris; Cloudflare. 2022. ⟨hal-03594482⟩

Collections

INRIA INRIA2 LARA
288 Views
948 Downloads