
Your Facebook Pokes Are Stored For Two Days. Encryption Keys Then Deleted - iProject
http://techcrunch.com/2012/12/22/your-facebook-pokes-are-stored-for-two-days-then-their-encryption-keys-are-deleted/
======
sbisker
Wait, my engineer-sense is tingling. Why are they just deleting the key? If
they _really_ couldn't access the Poke after deleting the key, wouldn't they
want to save storage costs by deleting the encrypted message contents too?

Unless, of course, the key isn't the only way the message can be decrypted.

~~~
vidarh
My engineer-sense says that every item of data written is at risk of being
copied into places you wouldn't think to delete them from.

Note that they are not saying they are not deleting the encrypted message
contents too. What they are saying simply indicates that what they _promise_
is that they delete the keys.

There are practical reasons to do it this way: You only need to _ensure_ that
you delete one key per user (you keep a "current" key, that is anything up to
two days old, and a previous key that you delete once it reaches two days),
vs. deleting a possibly much larger amount of data entries that might also be
more likely to be cached all over the place.

If I were to design a system like that, I'd try to delete the contents, but
assume that I'd miss something, and aim to delete the keys too. I'd probably
also make at least a portion of the key depend on a site-specific set of secrets
rolling over with time that it should be policy not to log, etc., to make it
even less likely that the full key would survive longer than it should.
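
The rotation scheme sketched above (a "current" and a "previous" key per user, with a site-wide rolling secret folded into the key derivation so that neither half alone recovers a message), as an added example in Python that is not from the original thread and not Facebook's Poke code. The names KeyStore, encrypt_poke and decrypt_poke, the two-day EPOCH_SECONDS, and the retention of exactly one previous epoch are assumptions; the HMAC-SHA256 counter-mode cipher with an HMAC tag is a stand-in for a real AEAD so the block runs on the standard library alone.

```python
"""Rolling-key deletion for ephemeral messages (illustrative, stdlib only).

The cipher (HMAC-SHA256 in counter mode, encrypt-then-MAC) stands in for a
real AEAD; the point here is the key lifecycle, not the cipher.
"""
import hmac
import os
from hashlib import sha256
from typing import Dict, Optional, Tuple

EPOCH_SECONDS = 2 * 24 * 3600  # assumed: one key epoch is two days


def epoch_of(ts: int) -> int:
    return ts // EPOCH_SECONDS


class KeyStore:
    """Per-user keys plus a site-wide secret, both indexed by epoch.

    Only the current and the previous epoch are kept, so there are at most
    two small entries per user to destroy, rather than every ciphertext.
    """

    def __init__(self) -> None:
        self.user_keys: Dict[Tuple[str, int], bytes] = {}
        self.site_secrets: Dict[int, bytes] = {}  # assumed: never logged or backed up

    def provision(self, user: str, epoch: int) -> None:
        self.site_secrets.setdefault(epoch, os.urandom(32))
        self.user_keys.setdefault((user, epoch), os.urandom(32))

    def message_key(self, user: str, epoch: int) -> Optional[bytes]:
        """Derive the message key; None once either input has been deleted."""
        uk = self.user_keys.get((user, epoch))
        ss = self.site_secrets.get(epoch)
        if uk is None or ss is None:
            return None
        return hmac.new(ss, b"poke-key|" + user.encode() + b"|" + uk, sha256).digest()

    def rotate(self, now: int) -> int:
        """Delete key material older than the previous epoch; return count deleted."""
        cutoff = epoch_of(now) - 1
        stale_users = [k for k in self.user_keys if k[1] < cutoff]
        stale_site = [e for e in self.site_secrets if e < cutoff]
        for k in stale_users:
            del self.user_keys[k]
        for e in stale_site:
            del self.site_secrets[e]
        return len(stale_users) + len(stale_site)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the message key.
    return (hmac.new(key, b"enc", sha256).digest(),
            hmac.new(key, b"mac", sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), sha256).digest()
        counter += 1
    return out[:length]


def encrypt_poke(store: KeyStore, user: str, now: int, plaintext: bytes) -> dict:
    epoch = epoch_of(now)
    store.provision(user, epoch)
    enc_key, mac_key = _subkeys(store.message_key(user, epoch))
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, sha256).digest()
    # The stored record carries only the epoch, never the key itself.
    return {"user": user, "epoch": epoch, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_poke(store: KeyStore, record: dict) -> Optional[bytes]:
    """Return the plaintext, or None if the epoch's key material is gone.

    Raises ValueError on a tampered record. The ciphertext may well still
    sit on disk or in a backup; without the key it is unreadable.
    """
    key = store.message_key(record["user"], record["epoch"])
    if key is None:
        return None
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(c ^ k for c, k in zip(record["ct"], ks))


if __name__ == "__main__":
    store = KeyStore()
    rec = encrypt_poke(store, "alice", 0, b"constructed sample poke")
    print(decrypt_poke(store, rec))            # readable in the same epoch
    store.rotate(EPOCH_SECONDS)                # epoch 0 is now "previous": still kept
    print(decrypt_poke(store, rec))
    store.rotate(2 * EPOCH_SECONDS)            # epoch 0 falls off: key destroyed
    print(decrypt_poke(store, rec))            # None, although rec is untouched
```

Deleting `site_secrets[epoch]` alone is enough to make every message of that epoch unreadable, which is the property vidarh is after: a leaked or forgotten copy of one user's key is useless once the site-wide secret for that window has rolled over.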

~~~
sbisker
Agreed that that's a good reason not to _promise_ to delete the data. However,
they don't even say they'll try to delete it, do they?

Of course, "trying" is legally just a terrible way to not promise and still
get sued. I get why their lawyers would want them not to even mention the data
itself.

Still... Facebook is not exactly trusted when it comes to the privacy of just
about anything. They're trying to operate a service in the grey area between
what they want to do and reality, and doing so depends heavily on people's
trust in their intentions. You can guess how much I trust Facebook to keep my
data private right now (if not from my timeline, then from the government,
etc.)

------
captainobv
I don't get the commotion. In light of the analog hole [1], isn't this whole
thing with Poke's privacy/encryption just a big pointless media/PR circus?

Unless I misunderstand something here, the other party can store your data
indefinitely, and no amount of DRM lockdown can really change that.

[1] <http://en.wikipedia.org/wiki/Analog_hole>

------
rayiner
What is Facebook's monetization strategy for a feature that will be used
primarily for 15 year olds sending each other naked pics? I can't believe they
don't have one.

------
DanBC
> _is Facebook saving these potentially embarrassing photos and videos? No.
> It’s deleting them. Pokes are encrypted, and Facebook deletes the encryption
> keys two days after they’re read so they’re unreadable. Key backups are
> destroyed within 90 days, making a poke completely inaccessible._

Please could someone with familiarity with English / EU law say if this is
legal or not?

~~~
loxs
See my explanation here <https://news.ycombinator.com/item?id=4957817>

It might or might not be legal. But because of laws of physics and mathematics
it's impossible for them to do it any other way.

~~~
001sky
_But because of laws of physics and mathematics..._

-- you mean cost/benefit.

Nothing is impossible, if one is willing to pay the price.

~~~
ars
That's nonsense. There are plenty of impossible things that people want really
really badly.

~~~
001sky
Well, wants are not constrained by physics or mathematics either. So this is a
throwaway comment.

------
mikegioia
I'm still a little confused. It seems the "poke" is encrypted, so they encrypt
the picture that's sent. But then the encryption key is deleted.

Does that mean the "encrypted photo" is deleted after 2 days, or is the
photo's "identification key" (like a hash or ID) deleted after 2 days?

~~~
ConstantineXVI
They're (explicitly) deleting the key; provided they're not using ancient or
horribly broken encryption, the image itself is effectively indistinguishable
from gibberish. I'd assume the images themselves get deleted as well, but
without a key they're worthless anyway.

------
grandpoobah
Seems somewhat silly, the idea that it's difficult for a company to not store
your stuff.

~~~
sweis
Think about availability. A large web site is going to keep replicated copies
of data across many geographic locations, plus backed up in long term storage.
Those data are stored in hardware that is continually coming in and out of
service. It's actually very hard to say with certainty that every copy of a
particular piece of data has been deleted.

~~~
cma
Why should it ever be written to permanent storage?

~~~
loeg
Because RAM is orders of magnitude more expensive than spinning rust, or even
SSDs.

~~~
cma
These are messages that last 20 seconds; there is no time that they will be on
disk and not cached to RAM anyway.

(edit: well I guess it is 20 seconds after it is received)

~~~
loeg
The messages are stored for two days. Backups for 90…

And: writing to (spinning) disk takes on the order of milliseconds. 20 seconds
of RAM storage time (versus milliseconds) means several orders of magnitude
larger working set size, which may well be larger than you can afford…

------
michaelhoffman
Wouldn't it be trivial for the recipient to take a screenshot of the private
content and therefore retain access to it for years later?

~~~
sandis
App hides the content as soon as you try to take a screenshot and it notifies
the sender of your attempt.

~~~
Devilboy
Like any DRM this is easily defeated. I could run the app in a virtual machine
and take the screenshot from the hypervisor or host machine instead. Or I can
capture the network traffic. Or I can take a photo of my phone. And so on and
so on.

~~~
dotmanish
The "take a photo of my phone" is the one that non-geeks can easily remember
to do. And they will.

~~~
jlgreco
And I imagine on any phone with a face-facing camera _(would that be "forward
facing", or "rear facing"?)_ doing that with another application and a
portable makeup mirror should be trivial.

All you need is an application that takes a picture without altering what is
on the screen when you press both volume buttons, or something. Maybe even
just takes a picture once a second for the next 30 seconds?

You could make an application explicitly for this purpose, and even build in
the mirrored image logic. Only one person needs to do it, then every non-
technical user can use it.

------
white_devil
Yeah, _far_ be it from Facebook to use the pictures you post to gather
personal data on you.

------
recursive
Am I using the same facebook? For me, pokes don't seem to contain any
information other than who sent them, who the target is, and when it was sent.
I know I've seen pokes older than two days. They stick around for months.

~~~
audeyisaacs
Facebook has launched a new image chat service also called Poke. It confuses
me too.

"The Poke app for iPhone is a simple and fun way to say hello to your friends.
You can send pokes, along with messages, photos and videos, to a friend or
multiple friends at once. When you send messages, photos and videos, you can
choose how long they'll be available for your friends to view up to 10
seconds. After that, they disappear from the app."

<http://www.facebook.com/help/397568030328686/>

------
mooneater
And we believe them... why?

