Deleting messages and time-to-live: This message will self-destruct in…
Digital conversations are fundamentally different to real-world conversations. When you have a conversation over text, you’re creating a record. The record you create will persist long into the future, and there are a lot more details etched into that record that you’re probably not thinking about every time you send a ‘how’s it going’ or a ‘let’s catch up soon’.
Those details—like when a message is sent, who it’s sent to, and what’s in the message—can quickly paint a high fidelity picture about your life, especially when you consider just how many different conversations you’re having over text every single day. Chats and channels with our friends, family, and work colleagues are flooding our notification centre at all hours of the day. Each ding and buzz signals another entry into your digital record. Messaging apps can go to great lengths—using complicated encryption and networking protocols—to keep the info about you and your messages between you and your friends and family, but as long as that record exists in your DMs, there isn’t a 100% guarantee that info can’t (or won’t) be leaked.
Most people are carrying enormous records around with them in their pockets all the time, records of conversations from years, maybe even decades ago. My most active group chats can rack up tens of thousands of posts a year, and I’m in a bunch of them. Sometimes this can be seen as a good thing, letting us look back at old messages and reminisce about the good ol’ days, but there is another, darker side to the coin.
As long as that record exists, you’re effectively stuck trusting everyone you’ve messaged to keep that information private FOREVER! To be clear, I’m not saying you need to be wary of any Days of Our Lives style backstabs where your friends post your entire chat history online for all to see (although I’m also not saying you shouldn’t be worried), but there are lots of different ways that record could be compromised — by hacks, legal authorities, or a voluntary leak.
Message hoarders: Messaging apps that never forget
Every time you send a message using a messaging app, you actually send a message to that company’s servers, and they then forward that message on to your recipient. This is just a practical necessity for any (non peer-to-peer) messaging solution, and there isn’t anything suspicious or nefarious about it. However, if your messages are stored long-term (a common practice for things like cloud back-ups), then it could leave you vulnerable if those servers are ever compromised for any reason.
In the case of messengers like Signal and Session, you can rest easy knowing that any messages stored on the server are encrypted, and can’t be read by the company at all. In the case of Session, there is also something called time-to-live, which goes a step further.
Session is decentralised, so its servers are owned and operated by lots of different people all over the world. This leads to lots of awesome privacy benefits, and prevents the formation of large data honeypots that might catch the eye of hackers — but it also leads to some added complexity over centralised solutions, like Signal.
Session servers will only ever store your message for two weeks, known as the message’s time-to-live (TTL). This means that even if a server were somehow compromised, only information about the newest messages (which would remain encrypted) could be seen, not entire chat histories. This also means that if your recovery phrase is compromised, an attacker wouldn’t be able to restore your entire conversation history with it. The obvious downside of this is that when you are restoring using your recovery phrase, you can’t (currently) retrieve old messages. That sacrifice is made to help ensure message privacy remains intact at all times. Remember that every time you’re able to load all your old messages onto a new device or login, that’s because they’re permanently stored in a data centre in a faraway place.
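The retention argument above can be made concrete with a small model. This is an added sketch, not Session's code: the `Mailbox` class, its method names and the one-message-per-day sample traffic are all constructed for illustration, and only the two-week TTL comes from the post.

```python
from dataclasses import dataclass, field
from typing import Optional

DAY = 86_400
TTL_SECONDS = 14 * DAY  # two weeks, the retention period the post describes

@dataclass
class Mailbox:
    """Toy store-and-forward server (hypothetical model, not Session code)."""
    ttl: Optional[int] = TTL_SECONDS  # None models a server that never forgets
    items: list = field(default_factory=list)  # (stored_at, recipient, ciphertext)

    def store(self, recipient: str, ciphertext: bytes, now: int) -> None:
        self.items.append((now, recipient, ciphertext))

    def sweep(self, now: int) -> int:
        """Drop messages whose age has reached the TTL; return how many went."""
        if self.ttl is None:
            return 0
        before = len(self.items)
        self.items = [m for m in self.items if now - m[0] < self.ttl]
        return before - len(self.items)

    def retrieve(self, recipient: str, now: int) -> list:
        """What a restoring client (or a recovery-phrase thief) can fetch."""
        self.sweep(now)  # enforce expiry on read, not only on a timer
        return [c for (_, r, c) in self.items if r == recipient]

    def snapshot(self, now: int) -> list:
        """What a server compromise at `now` yields: timestamps + ciphertext."""
        self.sweep(now)
        return list(self.items)

def exposure(days_of_history: int, ttl: Optional[int]) -> int:
    """Send one constructed message per day, then seize the server."""
    box = Mailbox(ttl=ttl)
    for d in range(days_of_history):
        box.store("alice", b"ciphertext-%d" % d, now=d * DAY)
    return len(box.snapshot(now=days_of_history * DAY))

if __name__ == "__main__":
    print("with 14-day TTL:", exposure(365, TTL_SECONDS))
    print("never deleted:  ", exposure(365, None))
```

After a year of daily messages, the TTL server holds only the last two weeks of ciphertext, while the never-forgets server holds the whole history. The same bound applies to `retrieve`, which is why a restore from the recovery phrase cannot bring back older messages.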
Ticking time bomb: Self-deleting messages
Self-deleting messages have become one of the most popular features in private messaging apps. Some apps, like Wickr, even have this feature turned on by default. This makes all conversations completely ephemeral, and makes that permanent text record a little more temporary — so conversations end up feeling more like in-person, face-to-face conversations.
Session’s disappearing messages live inside the conversation settings for each of your contacts. This means that you can switch on disappearing messages for one conversation, but keep a record in another (perhaps less sensitive) conversation. When you’ve got disappearing messages enabled, they will automatically delete from both devices once they’ve been seen by the members of the chat.
If you want to, you can also delete all of your locally stored messages by going into your app settings and tapping Clear Conversation History. This will delete all the messages stored on your device in case it’s compromised. If you want to completely erase all of your contacts as well as your Session ID, you can also hit the big red button in your settings that says Clear Data — once you hit this button, it’ll be like nothing was ever there. Keep in mind that this won’t delete messages your chat partners have stored on their devices.
Final words: Don’t store data you don’t need
If you’ve got data sitting around on your phone or desktop, don’t be afraid to take the Marie Kondo method and start discarding and decluttering those hard drives. Data that’s (properly) deleted can’t be leaked, so it’s a good habit to clear out your backlogs every now and then.
Avoid using applications and services that are clingy with your data. Depending on jurisdictions, some companies may be compelled to store data for a certain amount of time, or delete it after a certain amount of time — or both! Do your research, and don’t be afraid to keep notes about the digital record you are leaving behind when you use your tech.