Delta Chat already has a Disappearing Messages feature and settings to configure deletion of messages from the device and from the server after a selected time period.
These features, however, do not help if the device is lost or stolen, because messages are not deleted immediately. For this case there should be a way to remotely wipe a profile from the device.
One way to implement it would be to generate a device code that wipes the profile when received. This solution is independent of the server. There is unfortunately no way to know if the message is lost to a spam filter or whether it was ever downloaded by the remote device.
Another option would be to integrate this feature into the IMAP server as part of more general device management:
We can also add an FAQ entry describing how to wipe lost mobile devices using built-in features.
Once the profile is removed from the device or the device is wiped, the user should be able to rotate the key:
Signal does not have a way to remotely wipe a device. It is possible to disconnect a linked Signal Desktop device, but this does not remove message history from the device. This feature has been requested on the Signal Community forum:
For personal devices, Apple has the Find Devices feature and Android has the Find My Device feature to track and remotely wipe devices that have Apple or Google accounts.
Google Workspace allows admins to remotely wipe devices:
One idea we had: users can go to the settings to generate a “wipe this device” token and send it to a chat. Then everyone in the chat can click on it (with a confirmation message, I’d say) to wipe the device remotely. I think nothing speaks against sending out an “I received the wipe command” message before starting with the wipe; it would be useful information whether the device still had wifi etc.
The typical case would be getting arrested at a protest: your friends watch it happen and can wipe your device, because you enabled them beforehand. But the police might put the phone in a Faraday bag before you think of wiping it, so getting a confirmation message would be very useful.
After the protest you can revoke the wipe token by clicking on it in the chat, or maybe also in the settings, with an overview of where you left tokens.
I think the “wipe this device” token is a great idea! Another idea I would suggest, maybe you already have thought of this, is the option to create a special type of group chat where any member can delete any message (even other people’s messages) from everyone’s device or clear the whole chat on everyone’s device. This could be suitable for small groups of trusted activists. Obviously this should not be the default type of group chat, and it should be clear to all group members how it works when they join the group chat.
Of course, it’s great that you’re coming up with something here, but don’t you think that it’s all solved by simply installing a pincode on the chat, or the application itself? Whether it’s activists or journalists, no one has the right to use the same PIN code to provide access to their personal data, violating private property. And the data, as mentioned earlier, is encrypted securely by the Android or iPhone operating system itself. After all, this is why developers refuse to do local encryption, and I agree with them: why reinvent the wheel when it can be provided to Google.
Passwords do not protect against this threat: xkcd: Security, which is common in many regions. A duress password which wipes the device when you enter it might help, as GrapheneOS offers it. But I also think it is the job of the OS to provide disk encryption, duress passwords, etc., and this can’t be solved by the applications themselves.
There are forensics tools which can restore deleted files even if they were encrypted; with Android’s file-based encryption this might be easier than with the old Android full disk encryption.
To protect against such a case, we can issue a lot of SQLite UPDATE commands which overwrite database rows instead of deleting them; the longer they run (until the phone is turned off, probably), the harder it is to recover the data by forensic means.
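As an added illustration of the overwrite-before-delete idea above (this is not Delta Chat's code; the `msgs` table and `txt` column are assumed), the following Python script overwrites each row with same-length random text for several passes, turns on SQLite's `secure_delete` pragma, deletes and vacuums, and then checks the raw database file for the original plaintext:

```python
import os
import secrets
import sqlite3
import tempfile

def create_sample_db(path):
    """Constructed sample database with two message rows (assumed schema)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE msgs (id INTEGER PRIMARY KEY, txt TEXT)")
    con.executemany("INSERT INTO msgs (txt) VALUES (?)",
                    [("meet at the square at noon",), ("secret-plan-alpha",)])
    con.commit()
    con.close()

def wipe_messages(path, passes=3):
    """Overwrite every row's text in place, then delete; returns rows wiped."""
    con = sqlite3.connect(path)
    # secure_delete makes SQLite zero freed cells/pages instead of keeping them.
    con.execute("PRAGMA secure_delete = ON")
    rows = con.execute("SELECT id, length(txt) FROM msgs").fetchall()
    for _ in range(passes):
        # Same-length random text, so the cell is rewritten where it was.
        con.executemany("UPDATE msgs SET txt = ? WHERE id = ?",
                        [(secrets.token_hex(n)[:n], mid) for mid, n in rows])
        con.commit()
    con.execute("DELETE FROM msgs")
    con.commit()
    con.execute("VACUUM")  # rebuild the file so freed pages are dropped
    con.close()
    return len(rows)

def plaintext_in_file(path, needle):
    """True if the plaintext fragment is still in the raw database file."""
    with open(path, "rb") as f:
        return needle.encode() in f.read()

def demo():
    # Wipe a temporary constructed database and report the checks.
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        create_sample_db(path)
        before = plaintext_in_file(path, "secret-plan-alpha")
        wiped = wipe_messages(path)
        after = plaintext_in_file(path, "secret-plan-alpha")
        con = sqlite3.connect(path)
        left = con.execute("SELECT count(*) FROM msgs").fetchone()[0]
        con.close()
        return {"before": before, "after": after, "wiped": wiped, "left": left}
    finally:
        os.remove(path)
```

This is best effort, as the thread goes on to note: flash wear levelling, journal files and backups can hold copies that SQLite cannot reach.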
Agreed, PIN codes can be subverted, wiping the data provides better guarantees. Overwriting database rows like you suggested would be best, but I guess this is a “best effort” and there is no way to be completely sure you’re overwriting the right location when the hardware uses wear leveling?
In practice, making retrieval cost a lot of effort, and not making it obvious that there is anything to retrieve, both discourage retrieval.
Creating volumes of fake messages would be another approach, especially if you are overwriting anyway. A phone thief turning to blackmail will have a hard time using a mix of real and fake messages, especially if they are fragments retrieved by forensics.
We should not assume that everyone has a second device.
PIN keypads should rotate to prevent smudge attacks. Since people are terrible at picking PINs, a passphrase or sequence of Unicode emoticons might be better. It’s also pretty easy to brute-force a 4-digit PIN.
I have sympathy with the idea that remote wiping should be done at the phone level, not by every app. Or, at least, we should have a standard remote-wipe plugin protocol that can be implemented by many apps. After all, if someone steals my phone, I probably don’t want to wipe each app using individual idiosyncratic methods.
I don’t really like the idea of introducing a way to let some group of people “remote wipe” my account; this only increases the vulnerability surface for people to get tricked into sharing such links and getting their account wiped. Just allowing deleting a chat for everyone in the group, or messages for everyone in the group, would be good enough without such intricate “remote wipe token” solutions. Most of the users are not activists going to a protest, so there is more chance for this feature to be a hazard for your average user.
About the initial topic of this thread, that is about a lost device: I think you should be able to remote-wipe other devices from your own devices by introducing a password/PIN. This is much safer, because your profile can only be wiped remotely by another of your own devices, and with a password/code, to avoid the person having your lost device being able to wipe yours.