Basically I am looking for a messaging platform like signal or? but with anonymous signup, perfect forward secrecy, capable of video chat, sending photos the usual uses in today’s life. But with a panic button. So that any party member could use said button to wipe all other members devices of any data instantly inside the messaging app. So if one member gets compromised, or lost their device, stolen device ect, any other member could wipe all chats, call log, and any other data strictly inside the messaging client instantly for everyone involved. Disolving the group like it never existed rendering the data unrecoverable. Amazons Wickr used to have most of these features but it is being discontinued December 2023 and who trusts amazon with their data. Does something like this exist? Sorry if I’m not explaining it well I’ll do my best to clarify and update this post. I am not trying to delete the whole device. Just the data inside the messaging app. If that does not exist. What about a separate app that could delete the entire messaging platform from the device when triggered. Assume all necessary requirements are met and this is for daily use. Between a group of trusted parties.
Updated wording to clarify the objective as replies where getting misunderstood.
You can never guarantee that other client’s data will be deleted. Assume that once your data gets sent, it can potentially be archived forever.
The greatest weakness in any Enterprise are the people, not the technology.
You just have to look at all of the people who recorded signal chats in both the ftx, and the Trump trials. As soon as people think they’re in danger, they’re going to look for anything they can use as leverage. They’ll use another phone to take a photo of their first phone.
Even if you communicate with people using ephemeral read once messages, that doesn’t stop them from recording it themselves. There’s no guarantee the data gets deleted on the other end, they could be using a modified client, the desktop app is a horrendous security nightmare, if they view that ephemeral message on the desktop app there’s no guarantee it’s actually deleted.
Depending on your threat model, you can incorporate technology with ephemeral messaging into your use case. But you have to be very clear, about what your threats are, and what your tolerances are.
There’s a reason certain highly sensitive organizations use skifs… Only organics are allowed to go in, and only organics are allowed to leave.
There’s a reason certain highly sensitive organizations use skifs… Only organics are allowed to go in, and only organics are allowed to leave.
…flat bottom open boats? Like, on a lake or something?
https://en.m.wikipedia.org/wiki/Sensitive_compartmented_information_facility
SCIF not skif, sorry, voice to text typo.
Using scifs is widely known and of course a good addition to certain threat models. But doesn’t account for distance of individuals. My post was inferring distance between parties. That is why I talked about messaging clients and their features. For times when parties cannot possible be in person, also this is for everyday use not one time, I’m asking about a messaging client and feature set. Otherwise very good info here for others to learn and read on. Good post! FYI its worth reading on Pegasus and their zero click infection capabilities and multiple zero day exploits.
I understand your point of view. I share that philosophy to some degree. However nothing is a guarantee. But a high degree of certainty is achievable. But that doesn’t answer my question. Is there a messaging platform with a panic button that deletes the chat log and call logs from all user involved which can be triggered from any member.
Edit wording and update. This got downvoted because of a misinterpretation of what I was saying when I said high degree of certainty. All I meant was this isn’t supposed to a fool proof blanket feature and the world doesn’t run on absolutes of course. For instance signal works with a high degree of certainty that youll be secure. I was conveying its highly probable this feature under correct parameters would function correctly. Simply a step in the chain of failsafes. None the less. Thanks for your replies.
High degree of certainty
I wouldn’t agree with that. Whats stopping the other user screenshotting it? Taking a photo with another device? Or even simply disconnecting from the network so the device can’t even receive the “kill switch command”?
I hate relying on anything big corp for privacy. Thanks for the reply and I’ll keep this in mind. It seems so far matrix chat is the only e2e chat that can remove the conversation from an individuals device once their removed from a room. I will have to do deeper research into matrix to see it it fits my use cases. I’m just not sure how it stacks up against other big name chat platforms as far as security/privacy goes. I’ve heard of it before. Never deep dived into the data.
Its my understanding the metadata is only stored on the home server that runs for the clients, so under a self host scenario the hoster would be the only party that could access such metadata. One big con to Matrix is that it lacks ephemeral messaging so I’m not sure if chat history is stored on client side once the server goes offline? I cannot find an answer through browser search or documentation. Couldn’t the hosted server be restarted anytime and it would essentially delete the metadata generated each cycle and chat history as well because the chat room would be deleted? Or ran inside say persistent Tails and with a device shutdown or unplug all data would be wiped due to its ram only nature while persistence only keeps the base setup of matrix not a full carbon copy so a new chat would be generated each power cycle. Similar to VPN services running on ram. Thoughts anyone?
I think the closest normal use case to your scenario is revocable sexting. Like a shared document folder in bitwarden or whatever that anybody could delete the keys for. So two romantic partners when they part could revoke access.
From a military perspective, your scenario really means you shouldn’t be storing that data at all. If it’s sensitive it shouldn’t be deployed in the field. If one element of an operation is compromised, they should not have any data to expose the rest of the operation. Compartmentalization.
I believe telegram secret chats will let members delete the chat for everyone. But that’s best effort and certainly not something you would want to put your life at stake over. It’s just data hygiene
Many replies here have misconstrued the total objective from my post… Of course someone could screenshot or disconnect their device. I am not looking for a foolproof feature or system. I understand compartmentalization. I do not need scenarios listed where this type of feature is useful. I understand my threat model and this is for a chat messenger not in person. You mention revokable access. But does that still leave the file on the lost,stolen device? Revoking access simply sounds like locking a file with encrypted keys. Thus it still exists on the stolen or lost device. Which means at some point or time future or otherwise a 3rd party could gain access. By all means correct me if I don’t understand.
You can use matrix/element and if someone loses her phone, you can remove her from the room. The room will disappear from the other phone if it’s connected to the internet
I’ve been interested in looking at matrix due to its decentralyzed nature, and self host capability. But as much as I love to self host certain things. Self hosting isn’t always the shining example its portrayed as. That comes with its own security/privacy flaws. I will do some reading on matrix and learn about the features. Thanks for shedding some light on the actual topic at hand.
Edit for matrix info which can be found here for those wanting to learn more. -> https://matrix.org
You don’t have to selfhost. You can use anyone’s server. It’s all e2e. The social graph may be visible. Selfhosting is easy. Look for an install with docker.
Will do thanks. I don’t care about social graph being visible so long as there isn’t identifiable info during sign up. I’d much rather self host as needed. But what if matrix was self hosted on a hostile network. Under VPN from both sides. Say matrix was running from a hotel WiFi. How would one secure the service.
Doesn’t signal do that? I thought they had a wipe as messages are sent like snapchat where if you leave and go back, they’re gone
They have ephemeral messaging where one can set a timer to delete a message when it is read or from the time it was sent. But that isn’t always so easy to gauge with life. Often times a chat log is needed when people don’t check it often or right away. So the group must set a long timer like 24h ect ect. It’s customizable. But if a group members device gets lost or stolen ect. It is of no use. Signal by default stores all call logs in the app. Even if the ephemeral timer is short. Call logs require manual deletion and the group is still formed showing who was in that group but the chat will be empty. Edit was wording.
Often times a chat log is needed when people don’t check it often or right away.
I think the timer on each device starts from when the person who has the devices sees the message.
So if you send the message and the timer is 5 minutes, the message on your account (on all of your devices) will be deleted in 5 minutes from now, while the recipient will first see the message (maybe in an hour) and then after 5 minutes it will be deleted from their devices too.
