One of the unique aspects of Gliph is that you can permanently delete messages and other data in the system. This blog entry explains how message deletion works on Gliph, how it is different from most messaging apps and why we believe the removal of data is part of a solid privacy experience.
What happens to Information We Put Online?
It is hard to understand what happens to data we store online. Every text we send, every picture that is transmitted, and every person we connect with is represented by data. This data is transmitted across the Internet and ultimately saved on one or many servers and sometimes multiple devices such as smartphones, desktop computers and laptops. What happens to this data?
Social platforms commonly offer “deletion” or “removal” features that make it appear that you can permanently remove stuff you have put online. Unfortunately, these services are often misrepresenting what actually happens with information.
For example, messaging services like GroupMe and WhatsApp offer to remove messages for you. But depending on the app, your unencrypted messages are saved in a database with a flag marked deleted. Services may be built in a way that they are unable to delete the message on the other person’s phone and instead only “hide” it from your end of the conversation.
For a long time, Facebook would not actually remove photos that you had deleted from your account. Now that Facebook has fixed their system, your photos will actually be deleted within 30 days. Today, you can “Delete this Photo”; however, Facebook’s platform may not actually delete it for weeks.
A lot of questions have been asked about how Snapchat handles removal of data. You send a photo to someone, and it is supposed to disappear within a short period of time. However, Snapchat has made it clear that images sent over the service will persist for up to 30 days or until all recipients of the image have opened the photo. More concerning to some is that snaps are not being removed properly from smartphones and can in fact be recovered.
Update (5/8/14): Snapchat settled charges from the FTC that it misrepresented how it was handling user data collection practices.
This is a pretty big problem, since if you don’t have a background in Computer Science, you must rely on what you’re being told in the interface. If it says “Delete,” does that mean right now, forever, from everywhere?
Behind the Scenes on Message Deletion on the Gliph Platform
When we first introduced message deletion on the Gliph platform, our focus was on clarifying why Gliph deletes from both sides rather than allowing complete archiving. (Please see “Our Thinking on Message Deletion”). What follows in this entry is a more general overview of what Gliph is doing with deleted messages.
When you send a message on Gliph, it originates from either the Gliph iPhone, Android or web applications. At that time, the message is stored in a “cache” (memory) of your device. The message is also stored encrypted on the server, and once it is received by the other Gliph user, it may be temporarily cached on their device as well.
If the same message is deleted (by either the sender or the receiver), the Gliph app first removes the message visually and from the local cache and then tells the server, “remove this message right now!” The server responds by deleting the information from Gliph’s database. If the other person has the app open and is looking at the conversation, they will not see the message removed immediately.
However, the next time they refresh the view, the app will realize that the data does not exist anymore. This causes their app to visually remove and also delete the message in the local cache. This completes deletion of a message or entire conversation of messages on the Gliph platform.
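The flow described above, sketched as an added example that is not Gliph's code: a server that removes the row outright, next to the flag-only "deletion" criticised earlier in this entry, and a second client whose cached copy is purged on its next refresh. The schema, class names and method names are assumptions made for illustration.

```python
import sqlite3
# Constructed model; schema and names are assumptions, not Gliph's code.
class Server:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, "
                        "ciphertext BLOB, deleted INTEGER DEFAULT 0)")

    def store(self, msg_id, ciphertext):
        self.db.execute("INSERT INTO messages (id, ciphertext) VALUES (?, ?)",
                        (msg_id, ciphertext))

    def soft_delete(self, msg_id):   # flag only: the row stays in the database
        self.db.execute("UPDATE messages SET deleted = 1 WHERE id = ?", (msg_id,))

    def hard_delete(self, msg_id):   # the row itself is removed
        self.db.execute("DELETE FROM messages WHERE id = ?", (msg_id,))

    def visible_ids(self):
        rows = self.db.execute("SELECT id FROM messages WHERE deleted = 0")
        return {r[0] for r in rows}

    def rows_stored(self):
        return self.db.execute("SELECT COUNT(*) FROM messages").fetchone()[0]

class Client:
    def __init__(self, server):
        self.server, self.cache = server, {}   # cache: msg_id -> text on device

    def delete(self, msg_id):
        self.cache.pop(msg_id, None)       # remove from the local cache first
        self.server.hard_delete(msg_id)    # then ask the server to delete

    def refresh(self):
        # Drop cached messages the server no longer has; return their ids.
        gone = set(self.cache) - self.server.visible_ids()
        for msg_id in gone:
            del self.cache[msg_id]
        return gone

def demo():
    server = Server()
    alice, bob = Client(server), Client(server)
    server.store(1, b"<constructed ciphertext>")
    alice.cache[1] = bob.cache[1] = "hi"
    alice.delete(1)
    stale = 1 in bob.cache     # Bob still holds a copy until he refreshes
    purged = bob.refresh()
    return stale, purged, bob.cache, server.rows_stored()
```

With `soft_delete` in place of `hard_delete`, the message disappears from `visible_ids()` while `rows_stored()` still counts it, which is the gap between the interface and the database that this entry is about.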
Nitty Gritty Details
There are a lot of details when it comes to how “caching” is handled, particularly around the security of data stored in a local cache. For example, what happens if you’ve deleted a message but the other person hasn’t opened up the app? Is the message still in the device cache and vulnerable?
The security of this area varies with the platform you’re using and what you’ve done to it. For example, iOS protects application data from being accessed using something called “sandboxing” but may be vulnerable if the device is rooted using “jailbreaking.” Android uses a similar sandbox to isolate application data. However, many Android users seek full control over their devices and “root” their phones.
Both jailbreaking on iOS and rooting on Android present important security implications, because these operations can allow apps to access data they otherwise should not be able to. Android users have access to a variety of tools that look for vulnerabilities in apps on rooted and non-rooted devices and attempt to collect data from these apps.
Gliph regularly wipes and re-loads the local cache on iPhone and Android to help reduce the likelihood that a jailbroken or rooted phone would have persistent message data. However, we strongly advise people to be aware of the security implications of using Gliph on jailbroken or rooted devices.
How Message Deletion on Gliph Works
There are three ways messages are deleted by the Gliph platform today. All of them follow the process outlined in “Behind the Scenes on Message Deletion on the Gliph Platform” above.
Individual Message Deletion
Gliph’s iOS and web apps allow you to delete individual Gliph messages. This happens when you swipe a message on the Gliph iPhone app to the left and choose delete. In the web app, you tap the Edit button in the top right of any conversation. On Android, Gliph does not currently offer individual message deletion.
All of Gliph’s apps allow you to delete all messages in a conversation at the same time. On iPhone, you can delete messages by swiping a conversation from the activity view. We have an animated gif showing this behavior in this blog entry.
On Android, the process has a few steps:
- Go into a conversation.
- Tap the ( i ) button in the action bar to go into the Gliph view.
- Tap the 3 dots icon in the action bar.
- Choose “clear all messages.”
On the web and iOS you can delete all messages by:
- Go into a conversation.
- Tap the center part of the title bar on the web or the ( i ) in the title bar of iOS to get to the Gliph View.
- Scroll down and choose “Clear Conversation.”
GliphMe (video demo) has its own special behavior in how it handles deletion of messages. Once someone starts a conversation with you using one of your links, Gliph keeps track of when the last message was sent. After 48 hours, Gliph automatically deletes the entire conversation and connection with the GliphMe link respondent. Connection data is permanently removed from the Gliph database as well.
GliphMe acts like this for two reasons: one, to reduce the clutter from conversations that you probably have no interest in continuing, and two, to reduce the amount of unwanted private conversation data that Gliph is storing.
It is possible for GliphMe conversations to avoid this automatic removal after 48 hours. If someone who is not a Gliph user clicks a GliphMe link and uses that page to sign up for Gliph, the conversation will persist just like a normal conversation. At this time, we’re calling this “claiming” a conversation by the respondent. After a conversation has been claimed, the messages can still be deleted from that point using the same procedures outlined in “How Message Deletion on Gliph Works” above.
One area where message deletion is not supported is in a GliphMe conversation that has not been claimed. For example, if you reply to an inbound GliphMe message and then wish to delete that message, you cannot do so if the respondent has not claimed the conversation yet. We recognize that this may be in conflict with expectations for uniform deletion behavior across Gliph and are still considering how best to handle this with GliphMe.
In the Gliph iOS and web apps, it is possible to set messages to expire after a period of time. This is very similar to how Gliph handles user-directed deletion of messages, except that in this case the server has set a particular time when it will remove the data from the Gliph database. The next time either the sender or receiver opens the app after the message has been removed from the database, any existing local cache of the message is removed and it will no longer be visible on either user’s devices.
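The 48-hour GliphMe rule described above, as an added example that is not Gliph's code: a server-side sweep that removes unclaimed conversations, their messages and the connection record once the last message is 48 hours old, and leaves claimed conversations alone. The schema, the `claimed` column and the function names are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

RETENTION = timedelta(hours=48)   # window stated in the post

def make_db():
    # Constructed schema (an assumption); one conversation row stands for
    # the connection between the link owner and the respondent.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE conversations (id INTEGER PRIMARY KEY,
            claimed INTEGER NOT NULL, last_message_at TEXT NOT NULL);
        CREATE TABLE messages (id INTEGER PRIMARY KEY,
            conversation_id INTEGER NOT NULL, ciphertext BLOB);
    """)
    return db

def sweep(db, now):
    """Delete unclaimed conversations idle for 48 hours or more; return ids."""
    cutoff = (now - RETENTION).isoformat(timespec="seconds")
    ids = [r[0] for r in db.execute(
        "SELECT id FROM conversations "
        "WHERE claimed = 0 AND last_message_at <= ? ORDER BY id", (cutoff,))]
    with db:   # one transaction, so no messages outlive their conversation
        for cid in ids:
            db.execute("DELETE FROM messages WHERE conversation_id = ?", (cid,))
            db.execute("DELETE FROM conversations WHERE id = ?", (cid,))
    return ids

def demo():
    db = make_db()
    now = datetime(2014, 5, 8, 12, 0, 0)             # constructed clock
    samples = [(1, 0, 49), (2, 0, 47), (3, 1, 100)]  # id, claimed, idle hours
    for cid, claimed, idle in samples:
        ts = (now - timedelta(hours=idle)).isoformat(timespec="seconds")
        db.execute("INSERT INTO conversations VALUES (?, ?, ?)", (cid, claimed, ts))
        db.execute("INSERT INTO messages (conversation_id, ciphertext) "
                   "VALUES (?, ?)", (cid, b"<constructed>"))
    removed = sweep(db, now)
    kept = [r[0] for r in db.execute("SELECT id FROM conversations ORDER BY id")]
    orphans = db.execute("SELECT COUNT(*) FROM messages WHERE conversation_id "
                         "NOT IN (SELECT id FROM conversations)").fetchone()[0]
    return removed, kept, orphans
```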
Data Impermanence and Privacy
When other internet services store your conversations permanently, unencrypted, it creates the possibility that that information will be hacked or even misused in the future. This is particularly concerning for messaging services that use advertising-based monetization, or are entertaining acquisition by an advertising-based company. This doesn’t need to happen.
At Gliph, we are designing software to avoid these issues. For example, the new product we released recently, GliphMe, uses automatic deletion of conversations after 48 hours. Another way we demonstrate commitment to this is by honoring what is implied in the interface. As in, “Delete” should mean stuff actually is deleted everywhere Gliph can, as promptly as possible.
The entire Gliph team feels there is a strong connection between privacy and impermanent or ephemeral online activity. This includes not only messages you’ve sent but who you have connected with online in the past.
This issue is particularly important as Gliph extends past simple messaging and into the realm of peer-to-peer transactions. We continue to think deeply about how we can empower people who use Gliph with both user experience and technical implementations that deliver privacy through data impermanence and beyond.
We love feedback! If you have comments on this blog entry or unanswered questions about deletion on Gliph, please send a message to the Support Gliph or to support [at] gli dot ph.