Enable sender to delete own messages from all parties in the conversation

[jooize]

While I think this is an important feature, some people were opposed to self-destructing messages. I would take it even further and do similar to Gliph, where anyone in a conversation can delete messages. A risk with Gliph is their effectively central control*, which the TextSecure team seems to have solved very elegantly.

* Gliph is quite transparent, and have what they call Lockdown™ Privacy Protection. Unfortunately, the fact remains they are in control of the infrastructure and could theoretically capture the passphrase next time you login. Meaning we have to trust them.

Messages I send other people should disappear on my terms. The sender should have control over her messages, as she's the one providing the content after all.

Without much insight into the project, I'd like to share my ideas. Let's hope they are of value.

Scenarios to relate with

Imagine two journalists discussing some political issue over TextSecure, and one of them loses track of their phone. Say this journalist didn't care immensely and neglected security in a way that his messages are now available to read for anyone in possession of his phone. If the journalist's friend could trigger the phone to delete sensitive messages—provided the phone can reach the Internet—they could rest more peacefully.

In case you are not a top secret agent, something easier to relate to may be sending a message to the wrong person. If you realize you've sexted your family like around 10% in a poll by Recombu have you may want to have an undo button. (how do people accidentally do this?)

Friends and collegues

I care quite a bit about privacy and security, and although I've managed to make my friends care more than expected, there is a limit to what they'll endure. This suggestion would ease the pressure on them to control their habits. They won't use a very secure password if they have to enter it every time to read messages.

Implementation complicatedness

Putting this idea together into the product can get complicated. Should the recipient have the ability to disallow deletion? As he could already be in possession of the information, one could argue it may already be captured and that my idea gives a false sense of security to the sender. I think it's an issue with little impact to an otherwise very valuable feature. Anyway, if we let the recipient prevent such deletion, I would like the sender to be aware of that fact before submitting her message.

If the recipient doesn't agree with letting the sender delete their messages or having them expire, he could disable it for future messages. The recipient may have the ability to disallow deletion/expiry for (specific or all) senders, but the sender must always be aware of which before sending.

All this causes complexity and new UI considerations. It appears we do not want more of that. Everyone should easily understand their message's fate.

Solution

• Let the sender delete it's own contribution to the conversation.
• Allow manual locking of messages as suggested in #283.

That's a simple and in my opinion reasonable compromise resulting in an easy to understand model avoiding added complexity.

Model

Messages are owned by the sender, who can always delete them, but is also aware that removal from other devices (or human memories) cannot be guaranteed.

User interface

We have the following alternatives for deletion.

Delete message or conversation...

• ...from current device only.
• ...from current device and send deletion notice for own messages to other parties.
• ...from current device and send deletion notice to other parties, regardless of sender.
• ...from other parties only, by sending a deletion notice.

  Potential problems

How can messages be kept track of, and could this kind of ownership break the plausible deniability we currently enjoy? Would the ability to delete any message in a conversation solve that problem?

Future considerations

Let any party delete any message

People should manage to handle this as a social issue, where if someone disrespects the wishes of message retention, they're reprimanded appropriately. TextSecure has no role in this.

Expiring messages (requires UI modification)

Perhaps auto-deletion after recipient specified time period suits better for TextSecure.

Related issues

175, #176, #226, #283.

I love that Signal was just released for iPhone!

[tinloaf]

I don't like the idea, for multiple reasons:

• I want to be (the one and only) master over what is being deleted on my device, I imagine a rather large part of the (current) TS user base feels the same way. Thus I, and probably many others, would take action against this (see next point).
• It is technically impossible to do this in a "good" way. TextSecure is open source. Maintaining a patch set (and possibly publishing a patched version) that just rips out the "remote delete" part would be really easy, unless TS starts obfuscating parts of it's source code, which it definitely should not do.
• This leads to a false sense of security: Communicating to the users that the "remote delete" is nothing but a friendly question a la "please don't read my last message", there is no dependability and no way to know whether it worked is almost impossible. This will lead to problems (and outraged users that thought their message would be gone for good - after all, TextSecure always claims to be super-safe, right?)

[agrajaghh]

100% agree with @tinloaf

[jooize]

Thanks for an exhaustive response! I have to recognize those as valid points, but I still believe there is value in the general idea if it can be implemented in a way that makes sense. Perhaps that's impossible, but I'd like to find out. Please say if you know that attempts are futile.

Summary: As we can't guarantee deletion, the risk of instilling a false sense of security is considered greater than the potential benefits. (correct?)

Would any implementation of message deletion have to be local (and never remote) to be considered? I can think of alternative solutions, but if I'm working against a brick wall here it would save time to know. :)

I feel that if the other party cannot be trusted with actually deleting messages, there is a larger issue in that relationship. What are your thought about this? The problem with deletion notice possibly never reaching the device is still present, but awareness for the sender could be remedied with a confirmation notice (in that case never reaching the sender).

Alternatives

• Let parties suggest and agree on a message retention policy for the conversation. Relies on trusting the other not to be dishonest as the protocol can be silently broken.
• Flexible local deletion policy. Delete after being read and x time passed, only keep last 5 previously read messages, and such. Should cause least visible UI and be compatible with your wishes to remain in control.
• Alternative passphrase to unlock fake messages.

[mcginty]

From a security perspective while you can prove you possess something, there's no such thing as proving you or other parties do not possess something. Because of that, any ephemeral messaging solution will, at best, be considered one party politely asking the other to "do the right thing."

Given that, I really like the socio-psychological effect that ephemeral communication apps like Snapchat have. While especially with flash memory "deleted" contents are hardly truly deleted, it's not entirely ineffective and I think it'd be kind of fun, however not a top priority by any stretch of the imagination.

PSA - anyone looking to experiment with this would be best served proposing ideas on the mailing list before sending any PRs out.

[Basti420]

In my opinion an auto selfdestruct option for messages would be awesome. After x minutes or after x times the message was read

[javadch]

I am not asking for forced deletion of the message at any given time, based on the sender request. Instead what I am looking for is a message that arrives with a time frame. The time frame is shown to the receiver and the message is then destructed. So its not hidden from the receiver(s), Its not something the sender can do later (potentially silently). It is alike an agreement that I am sending you some information for a specific amount of time. The second part of my feature request was to delete the message even when unread (if requested). This does not mean that all the messages have to be sent with a time box, but it can be an optional checkbox that the sender can activate (and then enter a time frame in seconds, other). So if a sender does not like it or does not need it in all the cases, he/she can simply stay with the default, ...

[c0dered-]

encryption is one thing self destruct is other thing. It is possible to be done through the app, for example I send encrypted sms with a code in it or some kind of signal so that the recipients text secure application will notice that I send self destruction code and the app removes the sms by it self after the recipient opens it. He can save the raw message but not the full sms.

[ghostbar]

I would like this feature. Is specially useful for political activists in authoritarian countries. Having the ability to avoid torture by writing your password and having no traces of your messages are a good idea.

(In Venezuela this would be really useful, they force you to show your messages from your devices)

[mcginty]

While it's something that could be interesting, it's not going to happen in the immediate future. For those who have higher requirements to remove sensitive content from their devices, you can still manually delete messages or turn on trimming to only keep the last N messages in your conversation.

[jooize]

Trimming sounds useful, thanks for mentioning it! Would like that or something similar to Signal iOS. Preferably that it trims after both number of (read?) messages and time, whichever comes first.

@ghostbar For that purpose, perhaps another password unlocking a collection of custom messages would be even better? An empty log could be considered suspicious. One might also want to consider what should happen when new messages come in while you're in that “secret public” collection. Imagine if they force one to show that it works properly.

Another idea is a panic gesture that instantly clears everything. Destructive, and would have to work reliably of course.

[TheStash]

I believe this feature could be implemented as an opt-in feature, Silent Text has this feature and it is pretty cool (link: https://support.silentcircle.com/customer/portal/articles/1645090-what-is-the-%E2%80%98burn-notice%E2%80%99-and-how-do-i-use-it- )

The user want to be the master of his communication: It could be an opt-in feature per chat/group chat or globally; sometimes an oppressive regime people need this feature as when a political opponent is caught the government forces him to hand his phone and password - you can't negotiate it, those kind of people would agree to enable this feature to protect their own selves... what they are doing doesn't have to be wrong, but the government can take this and use against him and chat participants whether it is a group or one-to-one chat.

It is technically impossible to do this in a "good" way: only developers and technically minded people could build their own builds and could disable this kind of feature, so having this feature as opt-in would preserve your right and would not encourage someone to opt-in this conversation.

This leads to a false sense of security: i believe that it is pretty doable to receive a delete confirmation from devices in which the message got deleted.