Self-destructing messages don’t protect against the recipient – that was never the point
This week, Signal finally introduced self-destructing messages. Regrettably, many seem to miss the point of what they’re for. The point of a self-destructing message is not to protect against the recipient, it’s to protect the message from being read by somebody else than the recipient much later if the device is lost, seized, or otherwise compromised.
Signal has long been the go-to secure messaging for privacy activists – for long enough that I used to recommend it as TextSecure and RedPhone, before it merged to one app and changed names to Signal. The one lacking feature has been self-destructing messages, which is why I used Telegram in the most sensitive of environments, despite Telegram’s encryption being significantly weaker and not entirely best practice.
But as of last week, Signal finally added self-destructing messages. Unfortunately, most people seem to be missing the point as to their immense value, and even the Signal pages talk of “data hygiene” and a way to “keep message history tidy”, as if the self-destruct was mostly about not cluttering your phone memory with old messages.
The point of self-destructing messages is to prevent somebody else than the recipient from reading them, in case the device is compromised by an adversary later or much later. The intended recipient is not the adversary.
The point was never a SnapChat-like “you can see this once and never again” thing. After all, you’re sending a message to somebody and intending them to read it. Do you want to prevent them from re-experiencing reading a message? That’s… esoteric, but doesn’t really have a lot of security value: the message is in the recipient’s memory, and you don’t have access to changing their memory.
In other words, self-destructing messages are not intended to protect against the recipient reading it more than once. Such a notion has little value. You want the recipient to read it, after all; that’s the whole point of sending the self-destructing message to the recipient in the first place.
Take the following scenario, for example: Alice sends something personally sensitive but completely legal to Bob’s phone. Bob comes under suspicion of a crime, and police seize his phone. The messages in Bob’s phone become part of the court case and therefore the public record, now readable by anyone. Bob is later completely acquitted of the crime, having been the wrong person charged. Despite everybody in law enforcement doing what they were supposed to, Alice’s sensitive messages have now become public knowledge. (And even if the messages are excluded from the public court case, law enforcement officers will still have read them to determine this fact.)
This is the scenario that self-destructing messages prevent. This is why you should be using them.
And of course, in less… hospitable regimes, it may be illegal just to discuss the world we live in. Self-destruct comes in handy there, too. Legal isn’t always ethical, and ethical isn’t always legal.
Privacy remains your own responsibility.