In the wake of the Snowden disclosures, more and more apps are making a promise that people want desperately to believe: You can still control emails, texts, photos, and videos even after you’ve sent them to other people.
We want the digital world to be like the physical world that we learned first. Just as we can show someone a photograph or a page of our diary and then take it back, we sometimes want to send someone an email that they can read only once—while we hold it open for them, as it were.
Every time a politician is embarrassed by text messages he never meant to be made public, every time a high official is brought down by emails that unexpectedly come to light, the demand for apps that can guarantee our safe passage goes up a bit. The makers of apps like Confide (“confidential messages that self-destruct”), Snapchat (“after a snap has been opened … it is deleted from the device’s storage”), and many others understand this demand very well, and they capitalize on it. It’s why such apps tend to attract a disproportionate amount of attention when they launch.
But what makes the promise so dangerous is that it is false. Not just false in practice, but in principle, for reasons that won’t change even as technology improves.
The problem isn’t that the NSA can defeat any app’s security. (Sometimes it can, but not always.) Nor is it that the makers of the apps are untrustworthy and build in “back doors” that would allow them, or those with whom they cooperate, to listen in when they want to. These are legitimate concerns, but they are not the real issue.
The real issue is that this promise depends on something that cannot be depended on: a sender somehow having control over the device on which a message is received. I will explain this technically, but it may be best grasped by analogy: “I’m going to whisper a secret to you, but it will self-destruct in 10 seconds and you won’t have it after that.”
That, in essence, is the marketing pitch for these apps.
Of course, your cellphone and your laptop are not your mind. But they are yours, and that turns out to be the important thing. When someone sends you a message from one of these apps, and the receiving app—the app that is running on your device—wants the photo or text or whatever was sent to self-destruct, here’s what it does: It sends an electronic request to your device, saying “Please, I humbly ask that you delete that thing over there.” That’s it.
The app is now completely at the mercy of your device. If your phone decides not to obey the request, then the photo will stay. Similarly, an app that promises (as Confide does) to let the sender know if someone attempts to take a screenshot relies completely on the receiving device obeying the request “Please let me know if the user tries to take a screenshot.”
The device is always free to lie to the app. Your phone could claim to have deleted a file successfully when it actually didn’t delete the file at all; it could claim that it has temporarily turned off screenshot capability when in fact it is recording everything displayed on the screen to a video file for later review.
There’s simply no way for an app to know.
This is because apps by themselves don’t have any ability to write images to the screen, or turn the microphone on and off, or delete files, or do any other device-level tasks. Apps rely on the phone’s underlying operating system—the core software the phone ships with, such as Google’s Android or Apple’s iOS—for those things, and apps must have faith that the phone (or tablet, laptop, etc.) performs the tasks as requested.
With more and more apps coming out that make promises based on that faith, we are staring at an arms race: It is just a matter of time before some manufacturer realizes that security for the sender and security for the receiver are two different things and offers a smartphone with a “save everything” mode, in which every pixel displayed to the screen and every piece of information that flies through the device’s memory is logged for a short period, and the owner is given a chance to review the log and preserve anything she wants.
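To make the trust boundary described above concrete, here is an added toy model in Python (not code from the article or from any of these apps): the receiving app can only issue requests to the device's operating system and read back whatever the OS reports, so an honest device and a "save everything" device produce the very same sender-visible result. Class and method names are invented for the illustration.

```python
# Added toy model (not the article's code): the receiving app can only send
# requests to the device's OS and read back what the OS chooses to report.
# Class and method names are invented for this illustration.

class HonestDevice:
    """OS that carries out every request exactly as asked."""

    def __init__(self):
        self.storage = {}
        self.capture_log = []  # stays empty: nothing shown is recorded

    def store(self, name, data):
        self.storage[name] = data

    def display(self, name):
        return self.storage[name]  # shown once, not kept anywhere else

    def delete(self, name):
        self.storage.pop(name, None)
        return True  # truthful report

    def is_gone(self, name):
        return name not in self.storage  # truthful answer


class RetainingDevice(HonestDevice):
    """Same interface in a 'save everything' mode: logs what it shows,
    keeps what it is asked to delete, and reports success anyway."""

    def display(self, name):
        data = super().display(name)
        self.capture_log.append(data)  # every displayed item is logged
        return data

    def delete(self, name):
        return True  # the bytes stay in storage; the answer is the same

    def is_gone(self, name):
        return True  # a follow-up check is just another request it answers


def send_self_destructing(device, name, data):
    """What the receiving app does: store, show once, ask the OS to delete,
    then ask the OS to confirm. Returns the only thing the sender sees."""
    device.store(name, data)
    device.display(name)
    deleted = device.delete(name)
    return {"deleted": deleted, "confirmed_gone": device.is_gone(name)}
```

The dictionary returned to the sender is identical for both devices; only the device's internal state differs, and no additional request the app could send changes that.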
This feature would be especially easy for Android-based devices to add, because the operating system is already open source—the software code is already published and documented and available for anyone to customize when building a new device. (This is no doubt why the new Blackphone decided to base its operating system on Android, and if its manufacturers are serious that the phone “prioritizes the user’s privacy and control,” then I would expect them to be the first ones off the starting block in this particular arms race.)
In the meantime, everyone should understand these apps for what they are: tools to help your friends avoid accidentally saving private messages from you. When you send messages to people you have no reason to trust, you have no reason to trust their devices either.