吃瓜大本营

Fifteen years ago it was unfathomable 鈥� and a bad idea 鈥� to imagine that your digital messages could automatically self-destruct.. Once your message is on someone else鈥檚 machine, you simply cannot guarantee that it will be destroyed when you want it to be. Fooling people into thinking they have more security and privacy than they really do can put them in harm鈥檚 way.

Today, however, modern messaging apps have built exactly this feature. , , , , and all have a disappearing messages function. has self-deleting messages, 鈥檚 Secret Chats have self-destructing messages, and many more. These features establish a time frame 鈥� from minutes to hours to weeks 鈥� before all the messages in your conversation are supposed to disappear from the devices of all participants in that conversation.

From a security point of view, it鈥檚 impossible to guarantee deletion in this way. Are these products all lying or deluded, then? No. These mechanisms are actually a great step forward for the public conversation 鈥� as long as users are aware of their limitations. Rather than provide some impossible perfection, what they do is to automate and normalize agreements about how long to keep records of your conversations with another person or people.

Why are these mechanisms inherently unreliable? Digital tools fundamentally work by making copies. You don鈥檛 actually 鈥渟end鈥� an instant message from one device to another, even though that鈥檚 how we talk about it. Rather, your device copies the message into the network and devices in the network make more copies of the message until a copy finally appears on the destination device. Modern instant messaging services encrypt the message before sending out copies, so the intermediate devices can鈥檛 see what is in the message. But the recipient鈥檚 device will decrypt the message so they can read it. This is called end-to-end encryption and it has become a fundamental part of today鈥檚 modern communication systems.

End-to-end encryption means that when you send a message, you don鈥檛 have to worry about anybody accessing the message between your device and your recipients鈥� 鈥搕hough your device itself could be vulnerable, which is a whole other cybersecurity issue. But, if you want to block the recipient from retaining a copy of the 鈥渄isappearing鈥� message, you鈥檙e out of luck. This is simply how the universe works: the sender of a message can鈥檛 actually control what happens when the recipient views their copy of the message.

To begin with, the recipient can always take a screenshot or make a backup of their app鈥檚 data. Also, even if the recipient鈥檚 device is somehow running completely locked-down software that prohibits screenshots and backups, the recipient can always point another camera at their screen when the disappearing message is displayed, or use another microphone to record a 鈥渄isappearing鈥� voice note. This is known as the 鈥溾�� 鈥� meaning that eventually digital data has to be translated into sights and sounds that we humans can perceive in the non-digital world and those sights and sounds can always be recorded.

It鈥檚 important to remember that if the disappearing messages feature was actually perfect, we might not actually be too happy. Imagine if someone could send you an abusive message and know that you could never show it to someone else who might be able to help to defend you.

Freedom, autonomy, and responsibility are good reasons why the recipient of any message should be in full control over their own endpoint, even if that means they might make a non-disappearing copy of an ostensibly disappearing message. In the case of an abusive disappearing message, and probably in other cases, the person 鈥渃heating鈥� the system is actually in the right if they want to retain the message for non-nefarious reasons.

So even though disappearing messages can鈥檛 actually work reliably against someone determined to cheat the system, why are they still a great advance in public communications?

Before digital communications, messages were much less likely to stick around forever. There was often only a single copy of a message. In the past, a letter sent by the post office didn鈥檛 stay with the sender unless they deliberately made a copy first. In-person conversations also vanished as soon as they were spoken. As our society has digitized, however, more and more of our daily interactions leave a trail. Law enforcement agencies the world over seem to think that every human communication can and should now be permanently available to them whenever they鈥檙e interested. And old data left lying around on a device can also be misused by criminals, domestic abusers, or spies if they manage to get access to the device.

But if data is truly destroyed, it can鈥檛 be compromised, even if it was once available on your personal device, or the device of the person you were talking with. So one way to reduce the scope of this overreach is with a data retention/destruction policy, such as the disappearing messages feature. It鈥檚 possible to plan such a policy without a disappearing messages feature, for example, the people involved in a conversation could discuss and agree on when messages should be deleted, and check in with each other to ensure everyone involved remembers to go back and delete the old messages regularly. But negotiating such a policy among all participants in a chat can be difficult work. People chat to have a conversation about some specific topic, not about the conversation itself.

And even if you manage to get agreement from everyone in a chat on a data-destruction policy, getting people to follow through by actually deleting messages is a serious logistical challenge. The best time to delete a conversation is when it鈥檚 no longer important, and almost by definition at that point, the busy participants are usually already thinking about something else. But the disappearing messages feature delegates the task of following through to machinery that doesn鈥檛 get bored or distracted. This frees up human attention and energy to think about current problems and to not have to worry about older commitments.

A disappearing-messages feature in a messaging app serves two great purposes: 1) it normalizes and simplifies the act of agreeing on a data destruction policy; and 2) it helps honest participants keep their word. If all it did was help people negotiate an agreement on a data-destruction policy, that would be a win, but it wouldn鈥檛 be enough. Busy people need to find time to act on their agreements. Even the most well-meaning person can get distracted by other commitments and fail to follow up on what they had intended to do. But a tool with a disappearing-messages feature will follow through automatically, and the participants don鈥檛 need to think about it once the decision has been made.

These policies won鈥檛 stop someone who wants to break their promise about data deletion and sometimes it might even fail inadvertently. For example, someone might create a backup of their messages in a way that accidentally retains a message set for automatic deletion. But we know what it鈥檚 like when someone reneges on a commitment, or simply fails to follow through, and we have human ways of dealing with those scenarios.

These impossible, imperfect tools provide a healthy counterbalance to the disturbing trend of ever-increasing data retention. If you haven鈥檛 tried using them yet, now is a great time to start.