A childhood friend of mine, who does not have a technology or information security background, recently asked me whether apps that promise that messages, photos, videos, and anything else sent through them will completely disappear can be trusted. She referenced several different proclaimed “disappearing messages” apps that are currently available and asked, “So what do you think of these disappearing apps? The messages are not really gone?” She is responsible for the care of an adult relative, wanted to be able to communicate with his healthcare providers securely without having any of the communications linger, and had been using one of these apps.
I then had a great conversation with her about this, letting her know all the ways in which those messages can be saved that are outside the control of those apps. Since so many healthcare organizations are now communicating with their patients by using these tools, as well as a wide variety of other businesses who are communicating with their customers, it is important that all using them know the associated ways in which those messages will not be disappearing. Here are the four most significant ways.
- The recipient can make a screenshot of the message
Unless one of these disappearing messages apps has built in the capability to disable the screenshot capabilities of the device it is received on, the app cannot make a valid guarantee that it can permanently make the messages disappear. And I have not found any such apps that can do such disabling. There are some creative apps that put bars, imperceptible to the viewer, over the images to keep them from being seen when capturing a screenshot, but this only works on certain types of devices, and only if both sender and receiver are using it. And I’m not convinced these will always work even if both sender and receiver are using it, or that the person taking the screenshot will not figure out how to time it to avoid those image-covering bars. It is also not known how those bars would keep people using auto-saving apps from seeing the original image. Another app tries to prevent screenshots by allowing only small portions of a message to be viewed at one time. That may work if you are only interested in text secrecy, but it does not seem to be something that would work for photos or videos.
- Others nearby can snap an image with their phone
When you travel, or are in public places, do you notice what those around you are doing? I do. I find it fascinating to people watch, and to see what people do to put their own privacy at risk, in addition to seeing what people do to invade others’ privacy. While traveling in September, and waiting for over an hour for my connecting flight, I noticed one young man walking behind a row of travelers, all of whom were looking down at their smartphones and tablets. He stopped, pointed his smartphone, and appeared to take a few photos of what one of them was viewing, and those he was targeting appeared oblivious.
Situations like this are dicey. Should you act upon what may, or may not, be someone digitally scooping up other people’s screen images? Or, shake your head and fuhgettaboutit? I took an approach somewhere in the middle. I got up, walked towards the young man, but looked past him, like I was looking out the window behind him. I stopped within a few feet, and as he looked at me, I made eye contact, smiled, and said to him, “Lots to see in [city name], isn’t there?” He turned and hurried away. I’ve also seen people watching others’ screens on airplanes, in restaurants, and at public entertainment events. If anyone is around you when you get a disappearing message, remember that they could be taking a photo of it unbeknownst to you. Then they can basically post it online for the world to see wherever, and whenever, they choose.
- Software can copy the messages
There are a variety of software tools and apps that exist that can be surreptitiously loaded onto smartphones (for example, as a result of phishing, malicious sites, via malware, peer-to-peer sharing, etc.) and copy all those so-called disappearing photos, videos and messages, before they “disappear,” to a different location on the Internet, or to someone else’s phone or computer. For example, in 2014 it was shown how Snapchat photos could be obtained from Android phones using widely-available forensics software and removing a “.NoMedia” file extension that was keeping the photos from being viewed on the device. There are also apps you can use to automatically make copies of the messages and images sent from people using such disappearing apps, and the sender will not be notified in any way that you are using a tool to copy that disappearing message before it actually disappears.
- Copies of messages are often left in memory and/or storage
The fact is, whenever a computing device, like a smartphone or tablet, sends or receives messages, photos, videos, and so on, there are logs generated by the device to indicate some type of activity has occurred. And often, depending upon the settings of the device, and how the software sending or receiving the messages is written, copies of the message may be temporarily stored in memory, or even on the storage disk, even after the original message itself has been deleted. Earlier this year a digital forensics expert did “a very basic experiment” to determine the types of data that are discoverable after the messages were supposedly erased. He learned as he did additional experiments and research that it was possible to find “certain messages – perhaps all messages” on the devices. This is really not surprising given the way in which technology works. But it is important to know, given the claims and promises made by these self-erasing apps and tools.
Good security practices are necessary
As businesses and healthcare organizations start using these types of self-deleting apps and tools as part of their communications with customers and patients, it is very important that those using them not only know and understand the four facts described above, but they must also practice good, effective security practices beyond those limitations of the apps and tools. Otherwise they are putting the messages, photos and videos at risk of unauthorized access.
I won’t go over every security practice that should be in place within an organization; this is covered extensively in thousands of other books, articles, and blog posts. But with regard to the use of disappearing messaging apps and tools, make sure you do the following:
- Establish procedures to ensure those you correspond with using these apps and tools are trustworthy. If you know the patient or customer, and know that they are as motivated to be safe and secure with the messages as you are, that will help to ensure one of the four risks described above is not exploited.
- Use anti-malware software, and remove all unused apps from your device. The fewer apps and files on your device the better. Otherwise some of those apps and tools could be making copies of messages and photos without your knowledge.
- Be aware of those around you when you are using disappearing messaging apps and tools. Make sure no one within viewing distance is peeping at your screen.
- Create policies and supporting procedures for the use of such disappearing apps and tools within your organization, especially for how they are used in communicating with customers. And certainly, in the U.S. with regard to healthcare, you need to make sure you use them in compliance with all HIPAA requirements.
- Provide training to all those within your organization for how to use such apps and tools in the most secure and privacy-protecting way possible.
Bottom line…
Self-deleting messages appeal to a very wide range of demographic groups, in part because they make those using them feel they have control over those messages. My long-time friend wants to feel in control of the messages she shares with her relative’s health care providers. Teens want to feel in control of the messages they send to their friends. Feeling in control is a critical component of privacy protection; giving control to individuals of their own personal information and associated actions.
But no, those messages will not self-delete. The fact is no message or image can be guaranteed to disappear completely if it is sent to others, and then appears on a computing device screen. There are unlimited numbers of screen grab tools that can immediately take what is shown and make a copy of it. Promises that they will disappear are often misleading; the app makers can only promise that the copy of the message or image that their app stores and controls will be deleted. They have absolutely no control over those other screen grab tools, or the associated situations in which those messages could be viewed.
Keep these things in mind as you are considering the use of disappearing messages within your business, or your personal life, to help protect your private photos, videos and messages.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.