[ikeboy]

>If one side enabled this "use E2E encryption for everything" feature

That's not what I'm suggesting. I want E2E to be separate from the "delete chats when I'm finished" feature.

Wanting an E2E chat that stays on my device when I'm done should be fine.

I'm fine with having E2E require a separate mode, but that shouldn't be bundled with the incognito feature of not remembering history.

[mike_hearn]

I see. In that case, yes it'd make sense to have such a feature, probably implemented as an archive button in the incognito window (with a warning that archiving such a chat makes it non-private).

[ikeboy]

Are you assuming that all storage ends up on Google's servers (because that's what hangouts does, maybe)?

Why can't it store E2E chats locally and never upload to google, or even encrypt with a passphrase like Chrome sync does?

[ComodoHacker]

Congrats, you have dug it down to the core. Google just doesn't need chats that it can't mine for useful data.

[ikeboy]

Then why build E2E at all?

[ComodoHacker]

To stay competitive (or perceived so).

[ikeboy]

So you're suggesting Google crippled the feature so it doesn't get used? This seems unlikely.

[tremon]

Wanting an E2E chat that stays on my device when I'm done should be fine.

Only if all other participants in that chat are fine with it. So you'd end up with an implementation that only allows saving to disk if all parties allow saving. That's a lot more complexity than simply a separate checkbox.

I still agree with you, there is value in allowing the features to be controlled separately.

[ikeboy]

Why? I could always screenshot it, there's never a guarantee when you send information that it won't be retained by others with access. Letting me keep it without screenshotting is just a local convenience feature.

[tremon]

Sure, you could screenshot it. You can make a screencast too. But that would be your choice and your effort, not the tool's. There is a difference between a conversation partner that spends effort to violate the (possibly implicit) rules for that conversation, and a conversational tool that encourages subversion without effort.

In other words, it would be bad for Whisper to allow saving confidential conversations for two reasons:

- the user chooses to not save the conversation, but can't be sure if other partners save it regardless

- the user chooses to save the conversation, but can't be sure if the tool will really do so because of other partners' choices

Either of the options above will lead to more end-user questions (and necessary UI to prevent those) than simply combining E2E and persistence in one option.