[dragonwriter]

> There's no reason to only allow those two features to be used together.

UX simplicity is, in fact, a reason.

[ikeboy]

Then have the default incognito be as described, with an option in settings to separate the two features.

[mike_hearn]

I don't think you've thought this through.

If one side enabled this "use E2E encryption for everything" feature, then the other side would presumably no longer have access to any of the smart assistant features. And it would not be obvious why.

Additionally, it would be hard to explain why you'd ever want to enable such a feature which means nobody would do it. I suspect you want default E2E encryption for political reasons. Such things don't work unless it's on by default.

[ikeboy]

>If one side enabled this "use E2E encryption for everything" feature

That's not what I'm suggesting. I want E2E to be separate from the "delete chats when I'm finished" feature.

Wanting an E2E chat that stays on my device when I'm done should be fine.

I'm fine with having E2E require a separate mode, but that shouldn't be bundled with the incognito feature of not remembering history.

[mike_hearn]

I see. In that case, yes it'd make sense to have such a feature, probably implemented as an archive button in the incognito window (with a warning that archiving such a chat makes it non-private).

[ikeboy]

Are you assuming that all storage ends up on Google's servers (because that's what hangouts does, maybe)?

Why can't it store E2E chats locally and never upload to google, or even encrypt with a passphrase like Chrome sync does?

[ComodoHacker]

Congrats, you have dug it down to the core. Google just doesn't need chats that it can't mine for useful data.

[tremon]

Wanting an E2E chat that stays on my device when I'm done should be fine.

Only if all other participants in that chat are fine with it. So you'd end up with an implementation that only allows saving to disk if all parties allow saving. That's a lot more complexity than simply a separate checkbox.

I still agree with you, there is value in allowing the features to be controlled separately.

[ikeboy]

Why? I could always screenshot it, there's never a guarantee when you send information that it won't be retained by others with access. Letting me keep it without screenshotting is just a local convenience feature.

[tremon]

Sure, you could screenshot it. You can make a screencast too. But that would be your choice and your effort, not the tool's. There is a difference between a conversation partner that spends effort to violate the (possibly implicit) rules for that conversation, and a conversational tool that encourages subversion without effort.

In other words, it would be bad for Whisper to allow saving confidential conversations for two reasons:

- the user chooses to not save the conversation, but can't be sure if other partners save it regardless

- the user chooses to save the conversation, but can't be sure if the tool will really do so because of other partners' choices

Either of the options above will lead to more end-user questions (and necessary UI to prevent those) than simply combining E2E and persistence in one option.