Signal-desktop: Feature request: Ability to set default message expiry time

I read The Metadata Trap on the Intercept and started wondering about disappearing messages more. The article makes recommendation:

It’s not enough that these apps encrypt messages. They also need to do better at promptly deleting data that’s no longer needed. End-to-end encryption protects messages as they travel from one phone to another, but each phone still has a copy of the plain text of all these messages, leaving them vulnerable to physical device searches. Disappearing messages features are a great start, but they need to be improved. Users should have the option to automatically have all their chats disappear without having to remember to set disappearing messages each time they start a conversation, and they should be asked if they’d like to enable this when they first set up the app. And when all messages in a conversation disappear, all forensic traces that a conversation with that person happened should disappear too.

There is also a problem that currently enabling disappearing messages doesn't seem to affect previous messages and I don't know if a non-technical user would think of that and that they have to long touch all their chats and press the :wastebasket: / remove selected button. It also took me some thinking as at first I just used the settings for maximum message retention and set it to 5 to have less messages to remove, but I still had 5 messages in every chat until I thought of the long touch method.

In Keybase selecting message expiry also affects existing messages and there is a warning about that before the feature is enabled. Could Signal implement similar behaviour? I do like how Signal's message expiry gets synced to both/all parties without having to do that together.

The current “disappearing messages” should be enough already. If we were to add a feature such as “Ability to set default message expiry time” users would be less prone to use “disappearing messages”. That would work against the goal. Disappearing messages should be encouraged over message expiration because disappearing messages are deleted from the recipients device as well. Many users would prefer to switch of a global default message expiry setting. The combinations of users turning the expiring off, and less messages being set as disappearing, would work against the goal.

Users should set the disappearing message timer on any conversation they think might contain information which could be used against them.

There is also a problem that currently enabling disappearing messages doesn't seem to affect previous messages and I don't know if a non-technical user would think of that and that they have to long touch all their chats and press the 🗑 / remove selected button.

I agree there is a security concern in messages exchanged before the time was set. However, default message expiry is not a good solution to that problem.

It’s not enough that these apps encrypt messages. They also need to do better at promptly deleting data that’s no longer needed.

What is needed and what is not needed, is for the user himself to determine. A default expiration means that the developer made the decision if he hasn't done so yet. That is not the role of developers, it could cause users to unexpectedly lose messages which were important to them.

This is a feature that is incredibly important for journalists. As Signal has become more widely used, journalist sources often use Signal as a way to contact reporters securely. But the lack of ability for journalists to set a default expiry time means that there will always be a trace of that first contact on the reporters phone -- even if they set an expiration after the first contact.

This "First contact" problem is a well-known journalist risk -- see articles such as this one for background https://freedom.press/training/blog/first-time-they-reach-out-protect-sources-themselves/ -- and is the reason that SecureDrop exists to allow sources to send documents to journalists without leaving a trace. However, SecureDrop not designed to enable communications - which is why it sources often use Signal for first contact. This is why I strongly urge Signal to allow users to set a default expiry time for all of their conversations as a default.

There is no downside that I can see to allowing users to set their own default expiration for all conversations. There is no reason that the global expirations need to be turned on by default. But allowing users to do it would be a huge advantage for newsrooms, particularly in an era where the press and their sources are increasingly under attack.

The current “disappearing messages” should be enough already. If we were to add a feature such as “Ability to set default message expiry time” users would be less prone to use “disappearing messages”. That would work against the goal. Disappearing messages should be encouraged over message expiration because disappearing messages are deleted from the recipients device as well. Many users would prefer to switch of a global default message expiry setting. The combinations of users turning the expiring off, and less messages being set as disappearing, would work against the goal.

What if you enabled an option to auto-reject new contacts with disappearing messages not enabled or with an expiration period > t. This functions as a global expiration. The initial message is rejected so no traces on the journalists device. This handles both the sender and the receiver.

There is also a problem that currently enabling disappearing messages doesn't seem to affect previous messages and I don't know if a non-technical user would think of that and that they have to long touch all their chats and press the 🗑 / remove selected button.

Another idea: What if, whenever a user turns on disappearing messages for a particular conversation, the user is then prompted whether they want to delete all the previous messages in that conversation? Or the slightly more complex prompt of: "Would you like all previous messages in this conversation to disappear after [X amount of time]?"

That said, I would use a default/global message expiry time setting if it was an option!

I'd just like to second Julia's comment. And I would add: This is not only an issue with sources, but also with everyone with whom a journalist might discuss a story, including colleagues at their news outlet, lawyers, etc. Every conversation about the original source/story on Signal becomes an opportunity to fail to properly set disappearing messages, or to have an inbound contact fail to set them, and thus a possible accidental retention of sensitive information. Because Signal is a strong and growing platform (certainly at my publication), used more and more, this becomes a greater concern.

(Just to acknowledge a strength - One reason we use Signal so much is that it at least offers this feature when others do not -- and kudos and thanks for that.)

The current “disappearing messages” should be enough already. If we were to add a feature such as “Ability to set default message expiry time” users would be less prone to use “disappearing messages”. That would work against the goal. Disappearing messages should be encouraged over message expiration because disappearing messages are deleted from the recipients device as well. Many users would prefer to switch of a global default message expiry setting. The combinations of users turning the expiring off, and less messages being set as disappearing, would work against the goal.

What if you enabled an option to auto-reject new contacts with disappearing messages not enabled or with an expiration period > t. This functions as a global expiration. The initial message is rejected so no traces on the journalists device. This handles both the sender and the receiver.

One thing that journalists definitely do NOT want to do is REJECT incoming requests from sources. The risk is too high that they wouldn't try again and wouldn't know why they were rejected. So I do not think this would work.

The current “disappearing messages” should be enough already. If we were to add a feature such as “Ability to set default message expiry time” users would be less prone to use “disappearing messages”.

Just to chime in here. I help run training sessions around Signal usage with journalists and others. In the past few years of doing that, very very few, maybe less than 10% of trainees using Signal have ever heard of disappearing messages. It's close to 0% outside the Acela corridor. The lack of awareness about the existence of the feature already means users are not using it.

A global default setting for having disappearing messages enabled and set to a given timeframe would be super helpful to, at the very least, introduce the concept to people and give them the option to keep or remove it. Right now the anecdotal observations I have for its usage inform me that it is not being used, and as they say, when you're at the bottom, the only place to go is up.

I am also a new Signal user, and wish I'd known about disappearing messages, sooner. If there were a global "Disappear" option with a per-conversation option to override that on a per-message basis, I would adore that... but would also comfortably default to all messages expiring after a set time.

The current “disappearing messages” should be enough already. If we were to add a feature such as “Ability to set default message expiry time” users would be less prone to use “disappearing messages”. That would work against the goal. Disappearing messages should be encouraged over message expiration because disappearing messages are deleted from the recipients device as well. Many users would prefer to switch of a global default message expiry setting. The combinations of users turning the expiring off, and less messages being set as disappearing, would work against the goal.

What if you enabled an option to auto-reject new contacts with disappearing messages not enabled or with an expiration period > t. This functions as a global expiration. The initial message is rejected so no traces on the journalists device. This handles both the sender and the receiver.

One thing that journalists definitely do NOT want to do is REJECT incoming requests from sources. The risk is too high that they wouldn't try again and wouldn't know why they were rejected. So I do not think this would work.

Let's do it a different way lets presume you have the setting set and any message sent from a new peep gets "blah blah has requested to upgrade this conversation to disappearing messages with t expiration. Do you agree?" If both sides agree Signal handles both of initial messages like all other disappearing messages and of course all subsequent messages. If that's not too annoying on the coding side. This does leave you in that half deleted state I think Metriod was trying to avoid.

@Julia-Angwin said:

But the lack of ability for journalists to set a default expiry time means that there will always be a trace of that first contact on the reporters phone -- even if they set an expiration after the first contact.
This "First contact" problem is a well-known journalist risk

From the article Mikaela quoted:

End-to-end encryption protects messages as they travel from one phone to another, but each phone still has a copy of the plain text of all these messages, leaving them vulnerable to physical device searches.

So both devices are a risk.
What you guys want is positive deniability that communication ever took place. The best thing would be to delete messages not only on the devices of the journalist but also on the device of the person contacting him.

So this is not about "Conversation length limit", but this is about "Disappearing messages". Just wanted to make sure we are all on the same page there.

There is a security concern in messages exchanged before the time was set. So what you guys want is to offer the user of the app an option to set a default value for the disappearing message timer on all new conversation.

There is no reason that the global expiration needs to be turned on by default.

On installation of the app the default is "off" but the user can change his own default for new conversations, before those conversations even take place. Disappearing messages will still work the same way, both sides of the conversation can change the timer at any time.

I propose we continue this feature request in one single place, which covers not only the desktop app but also the Android and iOS apps:
https://community.signalusers.org/t/set-disappearing-messages-by-default-on-all-new-conversations/5144/9?u=meteor0id