On leaving and deleting groups in Signal

short rewrite of first point:

Note that the expiration clock does not start until the conversation is opened and the message is seen. Another reason to keep important group chats restricted to people actively monitoring. But either way, if we’re trying to keep messages out of cops’ hands, once we know a phone is no longer secure, the safest thing is for everyone to go through each message they sent and “delete for everyone” — leaving and deleting the chat does not delete your messages, and admins cannot delete other people’s messages, so the only sure delete of your messages is to do it yourself one-by-one 😭

That is only good for messages you sent within the past three hours, though. (If the group knows of the compromised phone in reasonable time


I was wondering something about loops. There are definitely a couple where we set the messages to disappear right away as opposed to nuking the group and starting over. What are your thoughts on that?

More thoughts than I have time for and… frustratingly I think I’ve typed them all out before into a Signal loop where the messages then disappeared 😭 😢

Given that there’s no way to remotely delete a group, disappearing messages are the only way to have any kind of hygiene — but note that if someone is in a group but isn’t opening Signal / viewing messages, they will receive all those “disappear in 12 hours” messages a whole month later!

We currently don’t see much value in nuking a group and starting over — it really doesn’t do anything on a technical level, although the social level of re-confirming “do I know this person? Are they active? Should they be in this group?” can be very useful (but isn’t necessarily done in the nuke-and-start-over cycle anyway), and we should probably try to encourage that practice.

There is value in someone who is taking their phone to an action where they might get arrested / lose it where fash could pick it up, or otherwise knows in advance there is an increased risk of losing control of their phone— there’s value in that context of such specific people leaving and fully deleting.

With a plan to re-add them when it’s known they are safe.

But otherwise there’s not really much value in telling everyone to “leave and delete”; group admins can now do the “leave” part to specific people as needed, and the “delete” was always dependent on each individual person doing it; an already compromised phone or infiltrator has no more or less access to groups with a “leave and delete” call that goes out to the group than if they are removed by a group admin.