
Author here. I'm seeing the same comment in 4 different places on here, worded with various amounts of hostility. I now wish I had addressed this in the FAQ on the post.

There's the suggestion that an exploding feature is worthless, given your partner can just take a screenshot or video of what you sent.

This suggestion is missing (1) that your relationship with a partner is disproportionately okay at the time you sent something (i.e., you trust them THEN) and (2) there's a whole different class of adversary who compromises your or your partners' devices in the future.

SnapChat, as far as I know, has none of the cryptographic implementation of Keybase. And yet it has likely protected hundreds of thousands of kids from severe bullying. Consider the teen girl who sends the goofy sexy pic to her boyfriend. Before the advent of exploding messages, he might've iMessaged or emailed that to a friend, just one friend, his best friend, out of pride. And that friend sent it to a few more, and so on. Not out of malice, but suddenly the whole school has seen her pic of god knows what and she literally wants to die. But with Snapchat, taking a screenshot is knowingly violating a social agreement. It's also violating the trust of his current girlfriend - everyone knows it's not okay to screenshot that shit. And the number of people who would do that is much tinier. Second, consider the far worse scenario: she dumps him a month later and until then he has been NiceGuy. But then he becomes r/niceguy, the guy who will look through the old pictures and spread them around.

Finally, let's not forget that your device can be compromised by loss, theft, or hackers, at any time. Exploding messages are gone when that happens.

People can be tricked, compelled, coerced, blackmailed, and hacked. Or just turn evil. All in the future. Which is what a timed message protects against. This is why Keybase is doing this. Paired with encryption it's quite powerful.




The most important purpose of these exploding message capabilities is destruction of data that doesn’t need to be archived.

The primary threat is compromise of a device. Keybase allows you to revoke keys but that assumes you are aware that the device has been compromised. Which is already too late for sensitive messages.

The average user doesn’t understand data persistence, or secure destruction of data. Manafort is a good example of this. I wish apps just expired messages by default. I don’t understand why WhatsApp doesn’t have this feature.


As a user of messaging services, I nearly never want to delete a message. I want to be able to use my digital memory extension (phone) to store messages so that I can easily recall my conversations. Rarely do I want to delete a message. In fact, I would only want to delete it if it's sensitive: I rarely message such sensitive things. Most people fall into this camp. It's rare for someone to never want any message to be kept.

Why do you want your messages deleted by default when you use one of these secure messaging clients?


Plenty of people feel exactly the opposite, and avoid using messaging services for many purposes because of it. They want the bulk of what they say to fade away, because it is ephemeral, and they don't want to worry about it forever. More and more people are aware that, even if what you say today is perfectly benign, tomorrow it may be a problem. And why create potential problems, when there is absolutely no benefit to you in putting your request to your partner to buy some eggs on the way home on a permanent record?

You might worry about not being able to find something you said. Others worry about being able to find something they said.

I personally chose my defaults appropriately, with work stuff getting archived and everything else not even getting backed up. And realistically, even the work stuff is completely useless after a couple of years; a problem I have is not finding information, but finding current, useful information.


Ephemerality is liberating. A large portion of social media use is not about exchanging information (which would be useful to persist) but about socializing. Just as you probably wouldn’t feel comfortable if every conversation you had with your friends while hanging out were recorded, a lot of users (particularly young users) feel more comfortable expressing themselves when they know with reasonable certainty that their communications are not being recorded online. It's often for sharing moments and making jokes and hanging out, not for conveying actionable information.


I deliberately don't pay for Slack because of this. The 10,000 message limit is perfect for "enough memory to be useful, not enough to be dangerous". I'd love to see it as a feature in other messaging apps (i.e. "permanently erase all messages over 6 months old")


Does Slack actually do that, though? Or just soft-deletes the older messages, hiding them from the UI? (I don't think they make a statement either way)


My understanding is that it just hides them from the UI; if you upgrade your plan, you get access to all your old messages and files that were previously "gone".


Yes this is correct. In fact even without a paid subscription you can access all files that have been added to a Slack through the web UI (myslack.slack.com/files). You can't see the related messages, but all the files (images, snippets, etc) are available as one big list.


I did not know this. Useful, thanks.


Hell, I wish messaging services made conversation much more searchable. I hate having to scroll and scroll to find some past conversation topic that maybe had interesting thoughts/links/shared media.


As far as I know, Slack and Telegram are currently the two leaders in the “searchable” area of messaging apps.


Any client with proper log files (many IRC clients, Pidgin, etc) is much better than Slack, which uses word indexing rather than full search, meaning it doesn't find the message "helloworld.com" when you search for "world".


I have never searched my message text history with the exception of trying to find images sent to me. Never content. Most companies I’ve worked at have a similar policy of not archiving text messages from internal chat. No reason to keep content, minimizing the amount of data you archive is a core element of security and risk mitigation for a number of reasons. Plenty of large organizations don’t archive employees' Lync/internal chat messages for similar reasons. And from a threat perspective you don’t know ahead of time what information an attacker will find useful.


Keybase isn't making messages exploding by default. There's a button to opt in to the feature.


Sure, as a recipient I want to keep a history of everything. But as a sender, I might want sometimes to send a message with some guarantees that it will self destruct after a period of time, mission impossible style.


Because WhatsApp is done with the endeavor. The founders would have wanted this kind of feature but they've since parted ways after selling out to FB, probably because FB isn't interested in such features and privacy.


> SnapChat, as far as I know, has none of the cryptographic implementation of Keybase. And yet it has likely protected hundreds of thousands of kids from severe bullying.

Is this true? (Asking with no implication of criticism or being a leading question - I just genuinely don't know the answer)

I can believe both that these teens were going to sext each other anyway and Snapchat is keeping them safer, or that they weren't going to and Snapchat has convinced them that it can be done more safely than it can actually be done.

Has anyone done studies on this? (Is it even possible to do studies? I suppose you'd either need information from Snapchat itself on how often they detect screenshots, or from high schools on bullying cases over time and whether Snapchat is involved + hope that bullying cases that get escalated to adults at high schools is a meaningful proxy for actual bullying.)

I'm inclined to buy your argument that because of the implementation making stored pictures not the default, and the social pressure not to take screenshots, probably Snapchat's disappearing messages are better than iMessage. But this seems like the sort of thing that's dangerous enough (in either direction! if the technology works and we refuse to deploy it, that's bad too) that hard data would be useful.


Sexting on Snapchat is rampant in high school today (I'm a current high school student). The self-destruction principle has allowed for people to feel comfortable about sending explicit photos to each other -- in relationships, it's almost ubiquitous.

That isn't saying that Snapchat has removed the potential of spreading explicit content. As someone mentioned in another comment, screenshotting the snap circumvents the system. It's also just as easy to take a photo of the screen with another device -- both an untraceable and permanent record of the photo.

As a whole, Snapchat has had a net positive effect for people my age. I can attest that teenagers make unwise decisions now and again, and Snapchat has helped in that those rash decisions are less likely to bite us in the future. While I don't have the data to back up the claim that hundreds of thousands of kids have been protected due to Snapchat's impermanence, I certainly wouldn't be surprised if it was true. It's the most popular social network in my demographic for a reason -- it oozes the ephemeral teenage spirit.


There's a theory about this: https://en.wikipedia.org/wiki/Risk_compensation

> "Risk compensation is a theory which suggests that people typically adjust their behavior in response to the perceived level of risk, becoming more careful where they sense greater risk and less careful if they feel more protected. Although usually small in comparison to the fundamental benefits of safety interventions, it may result in a lower net benefit than expected."

There's a book too, with a special emphasis on financial crises. https://www.theguardian.com/books/2015/oct/12/foolproof-greg...

> "In the run-up to the crash, consumers and even policymakers had come to believe that smart regulators and forward-thinking bankers had made the world of money a much safer place.

> "The fundamental insight of Ip’s new book, Foolproof, is that this very belief was a key factor in the lead up to the crash. When people believe they are safe, they take more risks – they drive faster, in motoring terms – and “speed makes everything worse”. Or as the economist Hyman Minsky, whose work Ip revisits, put it: “Stability is destabilising.”

There are applications in our field too:

- safety features for users might make them behave less safely (e.g. exploding messages)

- better reliability of systems might lead us to put more trust in them, leading to even bigger outages when they occur (e.g. centralising trust in cloud providers)

It's interesting to see things like Chaos Engineering (https://principlesofchaos.org/) introducing intentional "danger" into a system in order to improve system-wide stability. Of course, maybe Chaos Engineering will give us more trust in our systems which may lead us to take even bigger risks...


Yup, that's basically what I'm getting at, thanks for the links!

So, I'm okay with risk compensation if people are net doing better. I don't think that "if even one person is hurt by this, that's too much" is a meaningful basis for decisions, especially when there's a risk that even one person will be hurt by not doing the thing. So at the risk of reducing people to numbers, if, say, 100 teenagers send sexts when they otherwise wouldn't have and get screenshotted, but 1,000 teenagers send sexts when they otherwise would have sent them to a non-disappearing-by-default client, and now their photos don't get copied because of social pressure / high-but-not-impossible technical barriers, that still seems like a clear win.

That's the sort of data that I think would be very interesting to inform good engineering decisions, and also pretty impossible to get.


I would also expect people's propensity to take screenshots to be correlated to how sensitive the image is. For example, I would expect many people to take a screenshot of a nude pic their partner sent just so they can look at it for longer than the default timeout of a snapchat message; this is even more likely for teenagers who may be less mature about not betraying the other person's trust.


Indeed, that's the digital equivalent of the $5 padlock. Sure, you could pry it open with a crowbar, but most people won't. IMHO the situation is more of "opportunity makes a thief" rather than "keeping honest people honest" - crossing the line is very explicit in both cases, analog and digital.


I don’t think you can turn back the clock and do studies with any sort of control nowadays. The generation using Snapchat is the one prior to mine - they saw the value from my generation getting bit over and over from text logs and pics getting posted. Sexting existed the second the technology was there for it.


> I can believe both that these teens were going to sext each other anyway and Snapchat is keeping them safer, or that they weren't going to and Snapchat has convinced them that it can be done more safely than it can actually be done.

Related to

https://en.wikipedia.org/wiki/Risk_compensation

(I also don't know the answer!)


That's certainly true of Snapchat in the past: http://www.businessinsider.com/snapchat-doesnt-delete-your-p...

It's unclear how they protect images today, but they have never once mentioned any use of encryption.


I guess I quoted poorly - I meant "Is it true that Snapchat has likely protected hundreds of thousands of kids from severe bullying," not "Is it true that Snapchat does not use encryption in its implementation of disappearing messages".

I think it is possible that Snapchat has net caused more kids to get bullied as a result of ill-advised sexting, by being the company advising ill. I can see both arguments and I don't know which one is actually true.


Slightly unrelated note, but you both are also talking about the way the official Snapchat app chooses to handle snaps (opt in and notifying the user) when there's a multitude of workarounds and non-official snap apps only a google away that make it extremely simple to save a picture someone sent to you without the sender knowing.

Preventing phone-screen capture isn't really something you can't get around but Snapchat could certainly afford to put their money where the mouth is and try to provide their users with a safer experience by cracking down on 3rd party apps.


> But with Snapchat, taking a screenshot is knowingly violating a social agreement.

My exposure to SnapChat suggests that this is not the case. Screenshotters are treated more like rascals than felons. This may depend on the content of the message though. My incoming messages tend to be more silly faces than nudes.

Edit: Or rather, it is the case, but the social agreement is a lightly enforceable one. Closer to not holding an elevator door than eating a coworker's lunch.


This is what people don't seem to get, exploding messages aren't an airtight solution to the risks of sharing sensitive information with someone. You're always taking a risk when you do that. Exploding messages change the default way that sensitive information is handled, and changing the default can have a profound impact, for all the reasons you lay out.


My issue is with the way they are marketed. I would be cool with just a “don’t retain” flag that does just that.

But making a big deal about “exploding” is dangerously incorrect; many users will make incorrect assumptions.

I’m not worried about screenshots, I’m worried about my plugin that archives all text inbound to me that then requires me to respond to subpoena, etc.

From a security standpoint, this feature should not impact behavior since it is meaningless. If users don’t understand this, then it will cause heartache.


I don’t see your point. If you archive all inbound text, this feature is clearly not for you. This is like saying a door lock isn’t useful for anyone because you keep your window open.


The people I chat with do not know that I archive (nor should they) and will have an inaccurate and misleading expectation of behavior.

To use your door analogy, it’s like telling someone that a door lock keeps people out when there’s an invisible teleporter that also gets installed with the door lock.

It’s a hard analogy to follow because me retaining information you sent me is different than me breaking into your house. If you send me info, it’s mine. The weird mental model is that you still control what you give to me.


If I had seen that flag without your comment, I would have no fn idea what it does and how.


A use case I run into often is with people I trust, so I don't fear they will take screenshots, etc, but I don't want to keep that data in the chat history. Most of the time I turn to protonmail using their expire option, now I can use keybase. Most of the time is when I need to pass a password to coworkers.


I hate to use this adjective, but this feature is cute. I love the little bomb. I love the concept. I love how you've applied it to several types of things. And I love how you've taken something that could be complicated and made it simple.

Keep up the good work, guys!


I love this! And I love the bomb gif. I still miss your original logo, but have come to like the little girl.

Anyway, maybe it's just me, but I never communicate anything to anyone that would be hugely problematic if published. That is, for that persona. Which is carefully compartmentalized from other personas. So Mirimir has rather restrictive limits. My meatspace identity has even more restrictive limits. But some of my personas have no limits, and are basically throw-aways.

Edit: And that's basically how accounts work on HN, right? I mean, throwaway use seems quite common, and accepted.


The assumption being that the personae are not linkable to each other. Is that a realistic assumption?


Well, it has been for me, so far. But then, it's my main hobby these days, and I take extreme care.

If you're interested, I explore that and related issues in one of my series on the IVPN website.[0] There's also an old guide on nesting VPNs and Tor with VMs.[1] And a tribute to Kevin Mitnick, featuring onion SSH hosts for chaining.[2]

The tl;dr is that compartmentalization is the key. At all levels. At physical levels such as hosts and VMs, LANs and vLANs, and uplinks and proxy chains. And at behavioral levels, such as interests, forums and social media, projects, and language and writing style.

Mirimir is my only main persona that writes about privacy issues. He has temporarily had a few secondary personas for particular projects, just for casual deniability. But none of my other personas have written at length in English.

0) https://www.ivpn.net/privacy-guides/online-privacy-through-o...

1) https://www.ivpn.net/privacy-guides/advanced-privacy-and-ano...

2) https://www.ivpn.net/privacy-guides/onion-ssh-hosts-for-logi...


I think the most succinct way to put it:

You send a message to someone whom you trust (and therefore won't screenshot). If their device is later compromised, forward secrecy ensures the message can't be retrieved.

Even revoking the compromised device is insufficient, as they could retrieve your chat history long before the user realizes they've been pwned.


These are great rationales, but I think they belong in the feature marketing and UI, not just the FAQ.

As publicized (by Keybase and every other platform), exploding messages appear to put control of post-receipt management in the hand of the sender. This is especially credible coming from Keybase, since you guys are educating a lot of people about possibilities with careful crypto (e.g. forward secrecy). This has risks... you mention the Snapchat user who was protected from bullying, but what about the teen who wouldn't have sent that pic in the first place but felt safer because of SnapChat -- only to be bullied over a screenshot anyway?

Your description here is that exploding messages make it easier for both sides to announce and abide by a social contract about deletion. A name like "flag messages for auto-delete" (I'm sure someone can do better) would set the right impression.


Don't forget a major reason for message accumulation: laziness. People often just don't bother to delete private messages. Especially true after long conversations because there might be stuff to keep in there somewhere.


I don't think anyone's being as hostile as you make it out to be. They're just talking about how you can't really guarantee safety, which is true.

And I find it weird that you're comparing yourself with Snapchat. Snapchat is a casual app, targeted at a completely different audience than the people Keybase targets (at least that's the impression I got so far)

Also Snapchat is a mobile-only product, which makes all the difference. It's much easier to detect screenshotting on mobile than desktop. And as far as I know, Keybase is a desktop-first app. So it's kind of ridiculous that you're comparing yourself to Snapchat.

I don't know if you are aware of the above distinctions or not, but if you're not aware of this, there's something wrong here. You guys are supposed to be completely aware of all these subtle differences. And if you ARE aware of this, why are you trying to make these claims pretending there's nothing wrong?

I have nothing against Keybase, I'm just pointing out the faulty logic in this specific comment you're making (which happens to be hostile towards those who are just pointing out the issue with no trolling intent)


> And I find it weird that you're comparing yourself with Snapchat. Snapchat is a casual app, targeted at a completely different audience than the people Keybase targets (at least that's the impression I got so far)

I don't think they're comparing themself to Snapchat; I think they're using a hypothetical situation that everyone can understand in order to explain the threats that an "exploding message" protects against; Snapchat is used merely because the scenario is easy to understand.

EDIT: grammar


Keybase may have started from the technical community b/c of its foundation with how it handles identity and encryption, but I definitely don't view it as an app targeted at a different audience. It is an app that can be used by the general public and I use the mobile version quite often. I don't find the comparison odd at all.


Fwiw, as a non-security at risk casual user; I really enjoy ephemeral chat. I don't like snapchat as a main chat application (ie, Telegram-esque replacement), and aside from that I don't have many options. I think we're going to try Keybase out, assuming it has native desktop clients.


I will suggest that if you add this to the FAQ, you spend more time talking about things like "your device can be compromised by loss, theft, or hackers, at any time. Exploding messages are gone when that happens." and less time talking about how people can go from seemingly a Nice Guy to r/niceguy when a relationship ends. Make relationship drama a footnote, not your primary emphasis.


They always push features to their limits and then criticize. Even Telegram’s “screenshot taken” notification can be overcome by taking a photo/video of the chat with another phone. But the hassle of doing that is not worth it sometimes, so one can estimate the expectation of the leak, while being completely unsafe before “special forces”. We figured it out in one of in-house intrigues, but didn’t do it even having three phones on the table. Boring, unproductive and shady methods were high enough barriers to stop. Do a good thing and don’t care about pedants.


I agree that a feature doesn't have to be 100% foolproof to be beneficial. I also agree that leaving sensitive things lying around "by default" is a poor approach to security, and think that software should facilitate automated cleanup. However, I fundamentally object to the subversion of my will by my device or any program running on it. In my opinion, DRM in any form is not a solution - it is inherently evil.

I wouldn't mind messages that were flagged for automatic deletion after some time interval, if I were also provided with controls for when and when not to honor such requests. But currently Signal, SnapChat, Keybase, and others don't provide me with such a choice - they do what the sender requested, regardless of whether or not I approve.

It goes without saying that providing such an easily accessible option would almost certainly result in it being used at times in socially inappropriate or distasteful ways. But consider, do you really want to give up control of how your device behaves in an attempt to prevent others from behaving poorly? Perhaps applications should focus on providing practical security (ie facilitating, not forcing, automated removal), and leave the social aspects up to the humans to sort out.


Do you know https://privnote.com ?

I think it is very easy and useful. It is great to have something like this on Keybase.


I would be hesitant to trust a controversial screenshot of text because I know that can be faked so easily. A lot of people don't have that awareness, though.


Another feature of Keybase's exploding messages is that when they expire, the text is replaced by the md5sum of the message. So a faked screenshot can (potentially; I haven't verified this) be proven to be faked by appealing to the md5sum in its place, crucially, without needing to reveal the contents of the original message.


Sorry, I was wrong. I misread in a chat thread on KB something about md5s. Can't find it now because no searching in KB (yet!).

Exploded messages are just replaced with an image of what people are calling 'ashes'.

Further conversation on KB about this points out that hashing the message would compromise the secrecy. I still think it would be a neat feature.


That would only work if everything else about the photo was identical - device, resolution, carrier, time, battery level. Seems very unlikely one could substitute even identical text in a screenshot with enough accuracy to get the same hash from an image file.


The md5sum would be of the message itself, not the illicit screenshot.


That makes sense. I think my HN incoherence limit was exceeded here at 2 am.
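The concern reported above from the Keybase chat, that leaving a hash of an exploded message in its place would compromise secrecy, worked through as an added example (not Keybase's code; per the thread, Keybase leaves only "ashes"). It uses SHA-256 rather than the md5sum mentioned, and the sample message, the candidate list and every function name are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a short, low-entropy message of the kind people send.
SECRET_MESSAGE = "door code is 4821"


def bare_digest(message: str) -> str:
    """Design floated in the thread: an unsalted digest left as the placeholder."""
    return hashlib.sha256(message.encode()).hexdigest()


def confirm_guess(placeholder_hex: str, candidates):
    """What any holder of the placeholder can do: hash guesses and compare.

    Returns the matching candidate, or None if no guess reproduces the value.
    """
    for guess in candidates:
        if hmac.compare_digest(bare_digest(guess), placeholder_hex):
            return guess
    return None


def commit(message: str):
    """Hiding commitment: HMAC-SHA256 under a fresh random 256-bit key.

    Returns (opening_key, tag_hex). Only tag_hex would sit in the placeholder;
    the opening key has to be erased from the devices with the message.
    """
    opening_key = secrets.token_bytes(32)
    tag_hex = hmac.new(opening_key, message.encode(), hashlib.sha256).hexdigest()
    return opening_key, tag_hex


def verify_claim(opening_key: bytes, tag_hex: str, claimed_text: str) -> bool:
    """Check a disputed text (e.g. from a screenshot) against the commitment."""
    expected = hmac.new(opening_key, claimed_text.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


def door_code_candidates():
    """Constructed guess list: every 4-digit variant of the sample phrasing."""
    return (f"door code is {n:04d}" for n in range(10_000))


if __name__ == "__main__":
    # Bare digest: the "expired" text is recovered from the placeholder alone.
    placeholder = bare_digest(SECRET_MESSAGE)
    print("bare digest leaks:", confirm_guess(placeholder, door_code_candidates()))

    # Commitment: the same guessing finds nothing without the opening key.
    key, tag = commit(SECRET_MESSAGE)
    print("commitment leaks :", confirm_guess(tag, door_code_candidates()))

    # With the key, a genuine text verifies and an altered one does not.
    print("genuine text :", verify_claim(key, tag, SECRET_MESSAGE))
    print("altered text :", verify_claim(key, tag, "door code is 0000"))
```

Anyone who later obtains the opening key can run the same guessing against the tag, so the commitment only hides the text while that key stays off the devices an attacker might reach.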


I'm not a Snapchat user but doesn't that app, at least on Android, alert senders when a receiver takes a screenshot? You can still take a picture with a second device and that functionality isn't totally portable, but interesting feature. Do you think that concept has any utility here?


If someone's determined, they'll root their Android and capture them anyway.

I think it's a great feature if you think of it (exploding messages) not as an assurance against someone who shouldn't be trusted, but that they won't forget to clean the trash.


Good thing there are no other devices in the world that can take a picture of another device's screen. /s


Can you make that disclaimer obvious in the software? "Keybase exploding messages only work if who you're chatting with doesn't have a hostile client or intent"


That would come uncomfortably close to the toothpick instructions in the Hitchhiker's Guide to the Galaxy series (http://hitchhikers.wikia.com/wiki/Wonko_the_Sane). Does anyone think that technology can stop people from divulging secrets?


Fine, but I never want to receive one of these. How do I turn it off?



