Deleting messages and time-to-live: This message will self-destruct in…

Digital conversations are fundamentally different to real-world conversations. When you have a conversation over text, you’re creating a record. The record you create will persist long into the future, and there are a lot more details etched into that record that you’re probably not thinking about every time you send a ‘how’s it going’ or a ‘let’s catch up soon’.

Those details—like when a message is sent, who it’s sent to, and what’s in the message—can quickly paint a high fidelity picture about your life, especially when you consider just how many different conversations you’re having over text every single day. Chats and channels with our friends, family, and work colleagues are flooding our notification centre at all hours of the day. Each ding and buzz signals another entry into your digital record. Messaging apps can go to great lengths—using complicated encryption and networking protocols—to keep the info about you and your messages between you and your friends and family, but as long as that record exists in your DMs, there isn’t a 100% guarantee that info can’t (or won’t) be leaked.

Most people are carrying enormous records around with them in their pockets all the time, records of conversations from years, maybe even decades ago. My most active group chats can rack up tens of thousands of posts a year, and I’m in a bunch of them. Sometimes this can be seen as a good thing, letting us look back at old messages and reminisce about the good ol’ days, but there is another, darker side to the coin. 

As long as that record exists, you’re effectively stuck trusting everyone you’ve messaged to keep that information private FOREVER! To be clear, I’m not saying you need to be wary of any Days of Our Lives style backstabs where your friends post your entire chat history online for all to see (although I’m also not saying you shouldn’t be worried), but there are lots of different ways that record could be compromised — by hacks, legal authorities, or a voluntary leak.

Message hoarders: Messaging apps that never forget

Every time you send a message using a messaging app, you actually send a message to that company’s servers, and they then forward that message onto your recipient. This is just a practical necessity for any (non peer-to-peer) messaging solution, there isn’t anything suspicious or nefarious about it, although if your messages are stored long-term—which is a common practice for things like cloud back-ups—then it could leave you vulnerable in case those servers are ever compromised for any reason. 

In the case of messengers like Signal and Session, you can rest easy knowing that any messages stored on server are encrypted, and can’t be read by the company at all. In the case of Session, there is also something called time-to-live, which goes an extra step further. 

Session is decentralised, so its servers are owned and operated by lots of different people all over the world. This leads to lots of awesome privacy benefits, and prevents the formation of large data honeypots that might catch the eye of hackers — but it also leads to some added complexity over centralised solutions, like Signal. 

Session servers will only ever store your message for two weeks — known as the message’s time-to-live (TTL). This means that even if a server was somehow compromised, only information about the newest messages (which would remain encrypted) could be seen, not entire chat histories. This also means that if your recovery phrase is compromised, an attacker wouldn’t be able to restore your entire conversation history upon backup. The obvious downside of this is that when you are restoring using your recovery phrase, you can’t (currently) retrieve old messages. That sacrifice is made to help ensure message privacy remains intact at all times — remember that every time you’re able to load all your old messages onto a new device or login, that’s because they’re permanently stored in a data centre in a faraway place. 

Ticking time bomb: Self-deleting messages

Self-deleting messages have become one of the most popular features in private messaging apps. Some apps, like Wickr, even have this feature turned on by default. This makes all conversations completely ephemeral, and makes that permanent text record a little more temporary — so conversations end up feeling more like in-person, face-to-face conversations. 

Session’s disappearing messages live inside the conversation settings for each of your contacts. This means that you can switch on disappearing messages for one conversation, but keep a record in another (perhaps less sensitive) conversation. When you’ve got disappearing messages enabled, they will automatically delete from both devices once they’ve been seen by the members of the chat. 

If you want to, you can also delete all of your locally stored messages by going into your app settings and tapping Clear Conversation History. This will delete all the messages stored on your device in case it’s compromised. If you want to completely erase all of your contacts as well as your Session ID, you can also hit the big red button in your settings that says Clear Data — once you hit this button, it’ll be like nothing was ever there. Keep in mind that this won’t delete messages your chat partners have stored on their devices. 

Side note: If you want to delete a message manually, you can long-press and tap 'Delete for me and [conversation partner]' to delete the message from your device, their device, and the network.

A note on 'time-to-live' (TTL)

Decentralisation has a lot of benefits, like protecting metadata and removing trust on first use — but there are some downsides. One of the big ones is guaranteeing delivery. In a centralised structure, a service can guarantee delivery by just...storing your messages and waiting for you to connect. In a decentralised structure, it's not so simple — what if you are offline when a message is sent to you? How will you retrieve it? Who will store your message for you? And how will you know where to find it?

The answer: time-to-live (TTL). Messages sent to you over Session are stored by some servers in the network for a period of 14 days. That means that even if you're offline when a message is sent to you, you'll still be able to retrieve it once you're back online.

Just like all Session messages, all your data is encrypted, message origins are obfuscated using onion-routing — so the service nodes don't have any of your personal data, they've just got a bunch of encrypted 'blobs' of data. After the TTL expires, the messages are deleted from the network forever.

Self-deleting messages are client-side — so your encrypted messages will remain in the network even if they delete from the device. Here's why that's important: whenever you restore your account, your client will fetch your recent messages from the network. This might include self-deleting messages which had been previously deleted from your client but remained on the network — which means they will re-appear on your device. We're planning to change this functionality in the future so that self-deleting messages also delete form the network.

Unsend messages will completely erase the message from both the device and the network.

Final words: Don’t store data you don’t need

If you’ve got data sitting around on your phone or desktop, don’t be afraid to take the Marie Kondo method and start discarding and decluttering those hard drives. Data that’s (properly) deleted can’t be leaked, so it’s a good habit to clear out your backlogs every now and then. 

Avoid using applications and services that are clingy with your data. Depending on jurisdictions, some companies may be compelled to store data for a certain amount of time, or delete it after a certain amount of time — or both! Do your research, and don’t be afraid to keep notes about the digital record you are leaving behind when you use your tech.