Disappearing Messages Don’t Work — And They’re Great

Disappearing messages features can’t actually guarantee message deletion, but what they do offer communicators is even better.

Daniel Kahn Gillmor, Senior Staff Technologist, ACLU Speech, Privacy, and Technology Project

Fifteen years ago it was unfathomable – and a bad idea – to imagine that your digital messages could automatically self-destruct.. Once your message is on someone else’s machine, you simply cannot guarantee that it will be destroyed when you want it to be. Fooling people into thinking they have more security and privacy than they really do can put them in harm’s way.

Today, however, modern messaging apps have built exactly this feature. Signal Private Messenger, WhatsApp, SimpleX Chat, DeltaChat, and Facebook Messenger all have a disappearing messages function. Wire has self-deleting messages, Telegram’s Secret Chats have self-destructing messages, and many more. These features establish a time frame – from minutes to hours to weeks – before all the messages in your conversation are supposed to disappear from the devices of all participants in that conversation.

From a security point of view, it’s impossible to guarantee deletion in this way. Are these products all lying or deluded, then? No. These mechanisms are actually a great step forward for the public conversation — as long as users are aware of their limitations. Rather than provide some impossible perfection, what they do is to automate and normalize agreements about how long to keep records of your conversations with another person or people.

Disappearing Messages Cannot Beat Cheaters

Why are these mechanisms inherently unreliable? Digital tools fundamentally work by making copies. You don’t actually “send” an instant message from one device to another, even though that’s how we talk about it. Rather, your device copies the message into the network and devices in the network make more copies of the message until a copy finally appears on the destination device. Modern instant messaging services encrypt the message before sending out copies, so the intermediate devices can’t see what is in the message. But the recipient’s device will decrypt the message so they can read it. This is called end-to-end encryption and it has become a fundamental part of today’s modern communication systems.

End-to-end encryption means that when you send a message, you don’t have to worry about anybody accessing the message between your device and your recipients’ –though your device itself could be vulnerable, which is a whole other cybersecurity issue. But, if you want to block the recipient from retaining a copy of the “disappearing” message, you’re out of luck. This is simply how the universe works: the sender of a message can’t actually control what happens when the recipient views their copy of the message.

To begin with, the recipient can always take a screenshot or make a backup of their app’s data. Also, even if the recipient’s device is somehow running completely locked-down software that prohibits screenshots and backups, the recipient can always point another camera at their screen when the disappearing message is displayed, or use another microphone to record a “disappearing” voice note. This is known as the “analog hole” — meaning that eventually digital data has to be translated into sights and sounds that we humans can perceive in the non-digital world and those sights and sounds can always be recorded.

Disappearing Messages Are Flawed. We Don’t Actually Want Perfection

It’s important to remember that if the disappearing messages feature was actually perfect, we might not actually be too happy. Imagine if someone could send you an abusive message and know that you could never show it to someone else who might be able to help to defend you.

Freedom, autonomy, and responsibility are good reasons why the recipient of any message should be in full control over their own endpoint, even if that means they might make a non-disappearing copy of an ostensibly disappearing message. In the case of an abusive disappearing message, and probably in other cases, the person “cheating” the system is actually in the right if they want to retain the message for non-nefarious reasons.

Disappearing Messages Normalize and Automate Data Destruction Policies

So even though disappearing messages can’t actually work reliably against someone determined to cheat the system, why are they still a great advance in public communications?

Before digital communications, messages were much less likely to stick around forever. There was often only a single copy of a message. In the past, a letter sent by the post office didn’t stay with the sender unless they deliberately made a copy first. In-person conversations also vanished as soon as they were spoken. As our society has digitized, however, more and more of our daily interactions leave a trail. Law enforcement agencies the world over seem to think that every human communication can and should now be permanently available to them whenever they’re interested. And old data left lying around on a device can also be misused by criminals, domestic abusers, or spies if they manage to get access to the device.

But if data is truly destroyed, it can’t be compromised, even if it was once available on your personal device, or the device of the person you were talking with. So one way to reduce the scope of this overreach is with a data retention/destruction policy, such as the disappearing messages feature. It’s possible to plan such a policy without a disappearing messages feature, for example, the people involved in a conversation could discuss and agree on when messages should be deleted, and check in with each other to ensure everyone involved remembers to go back and delete the old messages regularly. But negotiating such a policy among all participants in a chat can be difficult work. People chat to have a conversation about some specific topic, not about the conversation itself.

Automation Helps Us Make and Keep Promises

And even if you manage to get agreement from everyone in a chat on a data-destruction policy, getting people to follow through by actually deleting messages is a serious logistical challenge. The best time to delete a conversation is when it’s no longer important, and almost by definition at that point, the busy participants are usually already thinking about something else. But the disappearing messages feature delegates the task of following through to machinery that doesn’t get bored or distracted. This frees up human attention and energy to think about current problems and to not have to worry about older commitments.

A disappearing-messages feature in a messaging app serves two great purposes: 1) it normalizes and simplifies the act of agreeing on a data destruction policy; and 2) it helps honest participants keep their word. If all it did was help people negotiate an agreement on a data-destruction policy, that would be a win, but it wouldn’t be enough. Busy people need to find time to act on their agreements. Even the most well-meaning person can get distracted by other commitments and fail to follow up on what they had intended to do. But a tool with a disappearing-messages feature will follow through automatically, and the participants don’t need to think about it once the decision has been made.

These policies won’t stop someone who wants to break their promise about data deletion and sometimes it might even fail inadvertently. For example, someone might create a backup of their messages in a way that accidentally retains a message set for automatic deletion. But we know what it’s like when someone reneges on a commitment, or simply fails to follow through, and we have human ways of dealing with those scenarios.

These impossible, imperfect tools provide a healthy counterbalance to the disturbing trend of ever-increasing data retention. If you haven’t tried using them yet, now is a great time to start.