Sending texts and messages are ubiquitous now, but deleting them is nearly impossible because they are saved in the cloud or on someone's phone.
While you might delete texts from your smartphone or edit messages on Slack, the messaging platforms have likely retained backups in the cloud like iCloud, Otavio Freire, CTO of SafeGuard Cyber, a Charlottesville, Va.-based cybersecurity company specializing in security and compliance solutions for digital communications platforms, told TheStreet.
“When you delete data, you are only deleting it from the device,” he said. “Once you hit send, your data is out there.”
Some members of the Secret Service said the texts they received and sent on Jan. 6, 2021 were not retained. The Department of Homeland Security inspector general started a criminal investigation into the issue.
Why Texts, Data Can Be Retrieved
Data that was deleted can still be found because "the intermediate parties and others listening in can capture and keep that data,” Sounil Yu, chief information security officer at JupiterOne, a Morrisville, N.C.-based provider of cyber asset management and governance solutions, told TheStreet.
Texts are stored by cell phone providers, but the length of time will vary.
Some phone carriers will retain messages for 90 days and in other cases they only have the pen register data which shows which two phones were communicating with each other, Chris Pierson, CEO of BlackCloak, an Orlando, Fla.-based executive digital protection company, told TheStreet.
“If a notice for the preservation of text messages was received by phone carriers for certain numbers these would be preserved for as long as necessary,” he said.
Messaging Services
Messaging apps such as WhatsApp and Signal are popular options for people to send messages to each other.
Signal provides end-to-end encryption by default and the company does not keep records of your communications on its servers. A Signal spokesperson told TheStreet that the company "doesn’t have access to what you send or with whom you communicate with and does not have any influence on the content anyone receives. Every call and message sent through Signal is encrypted by default."
Messages on WhatsApp are also secure and end-to-end encryption is on by default.
"All personal messages and calls on WhatsApp are end-to-end encrypted and messages are stored on your device and not WhatsApp servers after they are delivered," a WhatsApp spokesperson said.
Hosted messaging services such as Discord, Facebook Messenger, Slack and LinkedIn will retain backups for disaster recovery purposes, Yu said.
“For Facebook Messenger and LinkedIn, messages would need to be deleted by both the sender and recipients,” he said. “For Discord and Slack, depending upon the configuration by administrators, all messages, including edits and deleted messages, can be captured and retained.”
Messaging services that operate with end-to-end encryption such as iMessage, WhatsApp, Signal and Telegram offer greater protection to consumers.
“Even if the data were saved, it would generally be inaccessible unless one had either access to the device or a backup of the data on the device,” Yu said. “If the device were wiped without a backup, then that data would be practically irretrievable.”
What Happens to Email, Photos, Data on the Cloud
Some forms of communication exist for long periods of time. Email is not a secure mode of communication unless both parties are using encryption, Pierson said.
Most email service providers have access to the names of the parties, subject, timeline information and content of the messages, he said.
All emails, texts and other documents on your computer are simply bits in storage on a hard drive, Sammy Migues, principal scientist at Synopsys Software Integrity Group, a Mountain View, Calif.-based provider of integrated software solutions, told TheStreet.
After a file is deleted, the operating system and the drive management software work to mark that drive space as reusable. Computer systems do not immediately overwrite the space on the drive that your file is occupying until new data needs the same space "which could be days or months later depending on how busy the device is,” he said.
How Consumers Can Protect Themselves
The bottom line is there is no way to know for sure if data is truly deleted because an app could be less-than-honest about data retention, the devices may retain it and someone took a screenshot, John Bambenek, principal threat hunter at Netenrich, a San Jose, Calif.-based security and operations analytics SaaS company, told TheStreet.
“Just like the real world, the only way to get a secret safe is for three people to know it and for two of them to be dead,” he said. “Ultimately if they want information hidden the best way is to do what the mob does… only communicate verbally and in-person.”
Even if you trust the receiver because it is a friend, copies of your messages can exist in other local devices, in immediate cloud storage and in backup storage, Freire said.
“Basically, it will live forever,” he said. “We have seen phones hammered or thrown into lakes, and the data is still recoverable. The information exists elsewhere, and there are multiple ways to recover it. It’s rare that digital forensics can’t find a way to recover data. Even on the device, copies of data exist in memory until they are overwritten, and that can serve as an access point for investigators.”
Consumers should encrypt their devices if the sensitivity of the data is high and the devices “should be wiped using secure data removal tools, such as Darik's Boot and Nuke (DBAN),” Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, told the Street. These tools ensure that data cannot be recovered from devices.
The best advice consumers can follow is that if something is private, do not email, text or message it, Alex Hamerstone, advisory solutions director at TrustedSec, a Fairlawn, Ohio-based ethical hacking and cyber incident response company, told TheStreet.
“Just about every single thing that is done on a device or sent is recoverable given enough time and money,” he said. “Once your data is out there, there really is very little you can do to control it. Even if a service promises to delete your data, how can you really know? Users aren’t able to audit these services.”