Self-Destructing Messages (Long-Term)

Koinu 8 years ago updated by RyuuKishi 8 years ago 4

You should be able to send messages in a way that will cause them to be eventually expunged from the database after a set period of time (months or years—the shortest option should probably be at least a couple weeks.)


Thinking about privacy and security in the long term, one of the most potentially harmful things that could be gleaned from a compromise of an individual's FN account is the Messages conversations they're party to (as either sender or recipient). This is not just about RL-identifying information (like telling an artist your real-name PayPal email address, or providing info for a room share at a con with someone), but also discussions of non-public personal interests, etc...


Implementing an option to delete messages manually does not address this concern, unless it's done such that any participant in a messages conversation can cause the message to be removed from all participants' view on the site. (If FN did choose to go that route with message deletion and work out a timed two-phase delete so abuse can still be investigated—that'd be awesome!)


Anyway, I think it would be great if there was an option to send a message with a (long-term) self-destruct timer such that eventually, barring the occurrence of a particular administrative reason to preserve specific users' data (abuse case/subpoena/etc...), all copies of the message would be deleted in time, disappearing first from both the sender and recipients' view of the site and later from the database entirely.


This is not about guarding against malicious intent on the part of any participant in a private conversation. Trying to secure content against the intent of someone you're sending it to is a complete waste of time, so please don't bother bringing up "but they can screenshot it" lines of reasoning about this. This is about making it so that your intent to have a message be ephemeral can be clearly communicated and automatically executed. (The will of people you're chatting with is not the threat this (or anything) can guard against—it's all about the bastards who get passwords from hacking some other site then get into your correspondent's FN account because of password re-use.)
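The two-phase expiry described in the post above, sketched as an added example that is not part of the original thread or the site's code. The `Message` fields, the `sweep` function and the 30-day grace period are assumptions made for illustration, and the sample messages are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed delay between hiding a message and purging it from storage.
PURGE_GRACE = timedelta(days=30)

@dataclass
class Message:
    msg_id: int
    sent_at: datetime
    ttl: Optional[timedelta] = None       # None = permanent, no timer chosen
    hidden_at: Optional[datetime] = None  # set when phase 1 has run
    admin_hold: bool = False              # abuse case / subpoena preservation

def visible_to_participants(m: Message) -> bool:
    """Sender and recipients stop seeing a message once phase 1 has run."""
    return m.hidden_at is None

def sweep(messages: List[Message], now: datetime) -> Tuple[List[Message], List[int]]:
    """One pass of the expiry job: returns (messages kept, ids purged)."""
    kept, purged = [], []
    for m in messages:
        # Phase 1: timer elapsed, hide from every participant's view.
        if m.ttl is not None and m.hidden_at is None and now >= m.sent_at + m.ttl:
            m.hidden_at = m.sent_at + m.ttl
        # Phase 2: grace period elapsed and no hold, remove the stored row.
        if (m.hidden_at is not None and not m.admin_hold
                and now >= m.hidden_at + PURGE_GRACE):
            purged.append(m.msg_id)
            continue
        kept.append(m)
    return kept, purged

def demo() -> List[List[int]]:
    """Constructed sample: permanent, timed, and timed-but-held messages."""
    t0 = datetime(2020, 1, 1)
    two_weeks = timedelta(days=14)
    msgs = [Message(1, t0),
            Message(2, t0, ttl=two_weeks),
            Message(3, t0, ttl=two_weeks, admin_hold=True)]
    msgs, p_day20 = sweep(msgs, t0 + timedelta(days=20))  # 2 and 3 hidden only
    msgs, p_day50 = sweep(msgs, t0 + timedelta(days=50))  # 2 purged, 3 held
    msgs[1].admin_hold = False                            # hold released
    msgs, p_final = sweep(msgs, t0 + timedelta(days=51))  # 3 purged
    return [p_day20, p_day50, p_final, [m.msg_id for m in msgs]]
```

A message under an administrative hold stays hidden from participants but is not purged until the hold is released.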

This is a great idea. Perhaps a checkbox "This message contains sensitive information" next to a send button would be sufficient.

Hey there Koinu,


This is indeed a great suggestion - especially as I recently discovered there's not actually a way to delete messages you've sent or received via the messaging system right now.


One of the reasons I can think of from a moderation/administrative side for retaining messages would be in the case of harassment or abuse of the messaging system - but I don't think this precludes users from being able to delete their messages. Given that the moderation team would likely hear about abuse shortly after it happened, simply retaining the messages administratively for 30 days after they're deleted by the user would likely be sufficient.


Taking your mentioned attack vector of "the site gets hacked, and all old private messages get leaked", I'd wonder if a "Delete Conversation" button, or - as you say - a long-term 'self destruct' timer - would be best. The 'self destruct' timer is kind of a loaded concept nowadays with services like Telegram intending them to be used as a form of non-recording instant message - and so I'd be concerned users would have unrealistic expectations of privacy when using the feature.


This also doesn't cover permission to delete from the other party - would it require 'mutual consent' - and if not, how would the other user be notified someone is trying to remove records of their conversation?


Any other ideas for how we could implement this? So far, the best one I can think of is "Delete Conversation", with a notice that it'll be kept for 30 days - but that doesn't address the mutual approval problem. It all gets a bit complicated, very quickly.


I still want the ability to keep permanent messages, I don't want stuff I send to suddenly disappear after all.


A delete option for manually deleting conversations, private messages, and chat history.

An option to tag a private message to be deleted after x amount of time. Default being no auto delete.

I strongly advise anyone to use proper secure end-to-end messaging systems or PGP if sensitive information is being exchanged.


Website software can easily be compromised since it's combined by several 3rd party libraries and software.

Often the owner does not even know about this (man-in-the-middle attack) and over a period of time messages and such can be tunneled from the site to an external stash where those messages will remain no matter what happens here.


I'd rather tell the user that messages can be read and compromised instead of giving false security hopes.

While I am really sure that Varka and his team will do their best to avoid it, things like the last exploit from ImageMagick or Heartbleed are a reoccurring fact. It will happen given enough time!


So FN should push this behavior instead of trying to find the holy grail of message security.


Thus my downvote on this motion.