RFC: Archiving of edited, redacted, and ephemeral messages

Modern chat networks/apps allow the authors of messages to edit them delete them manually, and even delete them automatically after some amount of time after being read. These abilities are great, and we intend to support them, but libpurple allows their users to log messages locally and that creates a dilemma when it comes to these messages.

The message authors will expect these messages to behave like they do in the official app/protocol implementation, but there are libpurple users that would like to keep a history of these messages.

From the libpurple side we absolutely must implement these features in the expected fashion, but
there isn’t actually much we can do to stop a plugin from being able to save the old message. We need to tell user interfaces about deleted/edited messages and a plugin could hook into that API, look up the previous message before it’s deleted/edited and then store it separately anyways.

So the question becomes how transparent we want to be about this ability to all users, not just libpurple/pidgin users and should we make it easily available to anyone. Bad actors will figure it out and use it regardless with any client. We can and will post something here or on the website documenting all of this, but in reality most users won’t see/read any of that, but that is the least we could do.

So the question becomes how easily should we make it to save these deleted messages?

We could make this as easy as a preference, something named like “archive original and deleted messages” which would default to off. This would make it very obvious to anyone going through the preferences and would explicitly state that this is possible while still doing the expected thing by default

The other option is to implement this via a plugin. That plugin could be in our source tree or external. Conceptually there’s not much difference between an in tree plugin and a preference, except that the plugin might be a bit harder to find so instead lets focus on an external plugin.

An external plugin would work just like an in tree plugin but it would be harder for people to discover. That’s probably a good thing in this specific case, but it would also be harder for people that would be victimized by the feature too.

I’ve been thinking about this all day and am actually kind of leaning towards the preference option defaulting to off, but would really like to hear the opinions of others. As such, please feel free to vote on which you think is the best option and provide any comments you may have!

People can already screenshot messages before they are deleted or ‘expire’. I’m not sure how logging them would be much different.

Perhaps messages could only be logged on read, so the message archive is an archive of messages the end user saw/read not simply every message sent?

Regardless my thought is that you’re overthinking this because bad actors already archive messages via screenshot in the native applications.

I want to add I have voted in good faith supposing the case isn’t “bad actors already archive messages anyway.”

Logging of them means they all get backed up and aren’t dependent on someone screen shoting them before they disappear.

Logging on read would complicate a lot of stuff. For example, what happens when a message gets marked as unread?

As I stated earlier, this is a question about how easy do we make it for users as bad actors are going to find away regardless. If we make it super simple for users what we’re really doing is making them aware that it is even a possibility because most users aren’t expecting that behavior.