Basically I am looking for a messaging platform like signal or? but with anonymous signup, perfect forward secrecy, capable of video chat, sending photos the usual uses in today’s life. But with a panic button. So that any party member could use said button to wipe all other members devices of any data instantly inside the messaging app. So if one member gets compromised, or lost their device, stolen device ect, any other member could wipe all chats, call log, and any other data strictly inside the messaging client instantly for everyone involved. Disolving the group like it never existed rendering the data unrecoverable. Amazons Wickr used to have most of these features but it is being discontinued December 2023 and who trusts amazon with their data. Does something like this exist? Sorry if I’m not explaining it well I’ll do my best to clarify and update this post. I am not trying to delete the whole device. Just the data inside the messaging app. If that does not exist. What about a separate app that could delete the entire messaging platform from the device when triggered. Assume all necessary requirements are met and this is for daily use. Between a group of trusted parties.

Updated wording to clarify the objective as replies where getting misunderstood.

  • User account data is stored on the homeserver, yes, but the plaintext metadata that gets transmitted to every other server will allow an attacker to deduce what people are talking to what other people how often in what rooms, and in some cases it’ll also leak metadata like “this message is a reply to thst other message”.

    There’s no technical requirement for storing all data on the client device (in theory you could write a slow client that will download messages every time) but in most clients the messages get stored in a local database. E2EE search requires a local database that gets indexed on the client side.

    Restarting the server without old rooms will trigger failure states in clients. The rooms may be gone on the server but they will still be known on the client, and how the client deals with that isn’t reliably specified. The UI may or may not hide the rooms, but I have no idea if the underlying database is actually cleared when that happens. You wouldn’t want your entire account to get cleared our when the server admin mistypes the path to a key file during maintenance, so I’m guessing the data is kept for the same amount of time it takes for a server key to get invalidated (days).

    There have been prototypes of peer to peer Matrix setups, where every phone runs its own server, but those lack your panic button requirement.

    It’s not finished yet, but in terms of forensic protection and privacy perhaps something like Veilid Chat serves your needs better. It’ll work peer to peer over a network with Tor-like security.

    On Android you could also try finding apps that work with Ripple which is intended to be a panic button other apps can integrate with (though you’ll have to grab it from F-Droid because it hasn’t been updates for ages). Perhaps you can convince the Veilid devs or Matrix devs to integrate with Ripple? I don’t know how open they would be to your use case, you may need to write the code yourself.