A feature of various end-to-end encrypted (E2EE) messaging apps and other non E2EE social media messaging are disappearing messages, which automatically delete after a set period of time. This feature may be useful for general privacy within your extended network, high-risk users, and preemptively clearing side conversations easily within linear chats. However, different messaging apps handle deleted and disappearing messages a little differently, in particular when it comes to quoted messages, chat backups, and screenshot notifications. It’s important to note that this isn’t a vulnerability in the software, but it could cause someone to change their threat model—the way that they think about protecting their data and privacy. Below, we note the variance that exists between different apps.
How Signal Handles Deleted and Disappearing Messages in Replies
When a user on Signal deletes a message, if that message was quoted previously in a reply, the app still shows around 70 characters of the message.
If a disappearing message time was changed while someone replies, the quoted message remains for the amount of new time set on the reply.
All the apps we looked at have manual deletion options for messages, but auto deletion intervals varied. For Signal, the shortest auto deletion period is 30 seconds. Chat backups in Signal are automated on a 24-hour window or on demand. If a user enables chat backups, then any messages visible during a period of time can potentially be in their backup file. Thankfully both Signal and WhatsApp have encrypted backups for added protection in cases where a third party might try to access this information.
How WhatsApp Handles Deleted and Disappearing Messages in Replies
WhatsApp acknowledges the quoted reply scenario in their FAQ. Signal should do this in its documentation too.
“When you reply to a message, the initial message is quoted. If you reply to a disappearing message, the quoted text might remain in the chat after the duration you select.”
WhatsApp’s shortest automated disappearing interval is 24 hours. This extended time period can enable backups of WhatsApp auto-removed messages to be more common.
How Facebook Messenger Handles Deleted and Disappearing Messages in Replies
In FB Messenger Secret (E2EE) Conversations, original messages are removed in quoted text after a message is deleted or disappears. However, the message does stay past its auto-delete timer if neither user types or leaves the chat. Not as worrying in practice, but this is a notable quirk.
Secret Conversation also offers screenshot notifications when messages are set to auto disappear. The shortest interval is 5 seconds for auto-deletion, the shortest time out of the three messengers. There are also no chat backup mechanisms available to the user on the phone but it is saved on the Facebook platform. Disappearing messages also are removed from local storage soon after.
Documentation Is Key
We focused mainly on E2EE-based apps, but there are other social media apps like Snapchat that offer disappearing messages. We did not test this reply quirk in Snapchat. However, similar to other apps we looked at, you can save messages or take screenshots.
This is not a software vulnerability, but pointing out the differences on how ephemeral messages are treated is worth the trouble since major E2EE apps apply different parameters. Messages should be removed when they expire or manually deleted. Small mistakes occur all the time in group chats that you might want deleted immediately with no historical evidence, including quotes. For example, accidentally pasting a password in a large group chat where you may not know everyone too well, or more severe cases, where someone might potentially be reported to law enforcement for seeking reproductive care.
Even when paired with the concern that someone can take screenshots of conversations, ephemeral messages are a very useful feature for many different scenarios, and in today’s climate, where private communications are regularly attacked, improving these features, and their documentation, and using E2EE communications will remain an important necessity for exercising your right to privacy.