Poll

For how long do you need access to messages after you have received them in your inbox?

7 days: 43 (34.4%)
14 days: 36 (28.8%)
21 days: 19 (15.2%)
28 days: 20 (16%)
Longer than 28 days: 7 (5.6%)

Total Members Voted: 123

Voting closed: October 15, 2013, 01:33:38 am

Author Topic: POLL: Future Data Retention Policy  (Read 1556 times)

Dread Pirate Roberts

  • Captain
  • Administrator
  • *****
  • Posts: 566
  • Karma: +552/-41
POLL: Future Data Retention Policy
« on: October 12, 2013, 01:33:38 am »
Staff are currently discussing some matters behind the scenes concerning user security. I would like to ask you all to answer the following poll so we may make a more informed decision. Comments may be placed down below but we will not respond to inquiries. This poll is only asking for how long YOU need to retain data on-site.

Edit: The poll is only the time users and vendors will store messages. Staff will have access to them for a longer period but in an encrypted form so if the server is seized, they will still be unreadable to law enforcement or hackers. Therefore the retention period above has no effect on resolutions.
« Last Edit: October 13, 2013, 03:53:27 am by Dread Pirate Roberts »
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.

Burning Babylon

  • Vendor
  • Full Member
  • *****
  • Posts: 197
  • Karma: +17/-14
« Reply #1 on: October 12, 2013, 02:54:14 am »
Quote from: Dread Pirate Roberts
> Staff are currently discussing some matters behind the scenes concerning user security. I would like to ask you all to answer the following poll so we may make a more informed decision. Comments may be placed down below but we will not respond to inquiries. This poll is only asking for how long YOU need to retain data on-site.

I'm not sure how many Vendors operated as us on Silk Road but the reason we can't simply give a specific answer is we kept the conversations until whatever was discussed got resolved which varied wildly depending on the Topic at hand. So for example say a function to Label conversations were to be introduced with predefined options like "Answered", "Awaiting Information", "In Transit" etc. one could assign each Label a different Retention Policy based on how sensitive the Topic at hand is. Looking at it from purely a Security Perspective the riskiest conversations were those where one arranged a re-ship to Buyers without taking it to Resolution, when we were done shipping those and had deleted the Address it should have been considered an extremely High Risk Message compared to a casual conversation just answering some Questions about a Product. However Silk Road treated all messages the same as far as I know which means even the deleted messages with Addresses in them were Retained for three to five months.

While I'm not quite yet able to Conceptually describe how to intertwine the Communications Aspect into Orders this would solve it by being able to Delete Sensitive Data instantly. What I mean by that is if a Buyer messages me about a re-ship it would be ideal if I could attach that message to the order so it updates the order-status by changing it from "in transit" to "reship" and then re-adds the order into the System as any normal Order with the Address specified - the Retention Policy for that message would then be until the instant that Order has been "Finalized/Completed".

Beyond Practical Solutions all the Options Listed are better than the 3-5 months Retention Silk Road utilized before. :)

Mr.X

  • Sr. Member
  • ****
  • Posts: 339
  • Karma: +54/-38
  • PEASANTS!
« Reply #2 on: October 12, 2013, 03:06:29 am »
I feel it is best to have messages last however long it takes to go through the resolution center in the case of a dispute. That would be about 14-28 days, correct? I never had a long, drawn out dispute so I don't know how long someone could be in the resolution center though. The messages could be used as evidence in case there was an argument between vendor and buyer
Give a man a drug, and he will be high for a day. Teach a man to order drugs from the internet and he can get high for a lifetime

notmyname

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-0
« Reply #3 on: October 12, 2013, 05:53:09 am »
How about a system which checks the data to see if it is encrypted =it should be simple to write an algorithm for this (e.g. encrypted data should look like noise / measures of entropy / compression)= if the message is not encrypted it is kept 1 week. If it is encrypted it is kept 2 weeks. This will further encourage the use of PGP for all communications, which is how it should be. Stylometry could otherwise be used... or people might be writing their addresses in the clear.

What about a feature which monitors for addresses and refuses to send the message if there is an address there? This should be possible as well.
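
Added example, not part of the thread or any poster's code: a sketch of the "is it encrypted?" check proposed in the post above, with the 1-week/2-week rule attached. It goes beyond the post by decoding the ASCII armor first (armored text itself never looks like noise) and by checking the first OpenPGP packet tag; the thresholds, function names and samples are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
import re
import zlib
from collections import Counter

ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----\r?\n(.*?)\r?\n-----END PGP MESSAGE-----", re.S)
ENCRYPTED_TAGS = {1, 3, 9, 18}  # PKESK, SKESK, encrypted data, SEIPD (RFC 4880)
MIN_PAYLOAD = 256    # bytes; below this an entropy estimate is unreliable
ENTROPY_MIN = 6.8    # bits per byte (assumed threshold)
RATIO_MIN = 0.95     # zlib output size / input size (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compression_ratio(data: bytes) -> float:
    """Compressed size over original size; ciphertext does not shrink."""
    return len(zlib.compress(data, 9)) / len(data) if data else 1.0

def armor_payload(text: str):
    """Decode the base64 body of an ASCII-armored block, or return None."""
    m = ARMOR_RE.search(text)
    if not m:
        return None
    lines = m.group(1).replace("\r", "").split("\n")
    if "" in lines:                      # armor headers end at the blank line
        lines = lines[lines.index("") + 1:]
    b64 = "".join(l for l in lines if not l.startswith("="))  # drop CRC24 line
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:
        return None

def first_packet_tag(payload: bytes):
    """OpenPGP tag of the first packet, or None if byte 0 is no packet header."""
    if not payload or not payload[0] & 0x80:
        return None
    b = payload[0]
    return b & 0x3F if b & 0x40 else (b >> 2) & 0x0F  # new vs old format

def classify(message: str) -> str:
    """Label a message body using framing, packet tag and statistics."""
    payload = armor_payload(message)
    if payload is None:
        return "plaintext"
    if first_packet_tag(payload) not in ENCRYPTED_TAGS:
        return "armored-not-encrypted"   # e.g. compressed or literal packet
    if len(payload) < MIN_PAYLOAD:
        return "encrypted-header-only"   # too short to measure
    if (shannon_entropy(payload) < ENTROPY_MIN
            or compression_ratio(payload) < RATIO_MIN):
        return "armored-not-encrypted"   # text dressed up in armor
    return "encrypted"

def retention_days(message: str) -> int:
    """The post's rule: 2 weeks if encrypted, otherwise 1 week."""
    return 14 if classify(message) == "encrypted" else 7

def armor(payload: bytes) -> str:
    """Wrap bytes in a sample armor block (no headers, no CRC line)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP MESSAGE-----\n\n{body}\n-----END PGP MESSAGE-----"

def noise(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

# Constructed samples: not real PGP messages, only byte 0 mimics a packet header.
SAMPLE_ENCRYPTED = armor(b"\xc1" + noise(600))    # tag 1, high-entropy body
SAMPLE_COMPRESSED = armor(b"\xc8" + noise(600))   # tag 8 (compressed, not encrypted)
SAMPLE_FAKE = armor(b"\xc1" + b"status update, nothing sensitive. " * 20)
SAMPLE_PLAIN = "Hi, has my order been marked in transit yet?"
```

The check only inspects framing and statistics: it cannot tell whether the ciphertext is addressed to the recipient's key, and entropy alone would accept the tag 8 sample, which is why the packet tag is checked first.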

monoxide

  • Full Member
  • ***
  • Posts: 124
  • Karma: +18/-3
  • “People are strange . . .” ― Jim Morrison
« Reply #4 on: October 12, 2013, 06:03:53 am »
I think around the 1 month mark. I am basing this on the fact that when it comes to vendor/buyer disputes some messages may come in handy when going to resolution and the 1 month mark is usually the longest possible amount of time before a package is genuinely 'lost'..
Our task must be to free ourselves by widening our circle of compassion to embrace all living creatures and the whole of nature and its beauty.

Rastaman Vibration

  • Hero Member
  • *****
  • Posts: 596
  • Karma: +105/-11
  • ...Babylon makes the Rules...
« Reply #5 on: October 12, 2013, 08:55:30 am »
It all depends on whether the message has been read or not. Some vendors (and buyers) go on vacation or whatnot, and it would be very counterproductive to delete any messages they haven't read.

That being said, I think you should institute a PGP only message policy. With mandatory 4096 bit keys. Sure it's a bit of a pain in the ass, but it will keep everyone safer in the long run.
“One has a moral responsibility to disobey unjust laws.” - Dr. Martin Luther King Jr.

Join the Revolution. Teach someone PGP!

Microdosing LSD (and other psychedelic substances)  => http://silkroad5v7dywlc.onion/index.php?topic=626.0

El Presidente

  • Sr. Member
  • ****
  • Posts: 288
  • Karma: +134/-5
  • Buena Mierda
« Reply #6 on: October 12, 2013, 11:44:51 am »
28 days seems reasonable unless the user manually purges earlier in which case it should be instant.

Not wanting to teach you to suck eggs but a good way of purging from the database is to encrypt the data with a unique key per message - the key is also held in the database. When it is time to delete the data you delete the key and the encrypted message on the basis that it is much harder to extract the key and then decrypt the original message from a subsequently imaged disk than a plain text message should it ever be seized. Not a very strong control but better than storing plain text messages which jump out on a disk image.
=================================================
The All Market Vendor Directory - http://directory4iisquf.onion
=================================================
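
Added example, not part of the thread or any poster's code: the per-message-key purge described in the post above, showing what can still be read from a copy of the database taken before and after the purge. The HMAC-SHA256 keystream is a standard-library stand-in for a real AEAD cipher such as AES-GCM, and the names `ShredStore`, `image` and `recover` are hypothetical.

```python
import hashlib
import hmac
import secrets
import sqlite3

def subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD (assumption).
    blocks = (subkey(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + subkey(subkey(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, subkey(subkey(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified ciphertext")
    ks = keystream(subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class ShredStore:
    """Messages and their per-message keys in one database, as in the post."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("PRAGMA secure_delete = ON")  # zero deleted content
        self.db.execute("CREATE TABLE msg (id INTEGER PRIMARY KEY, blob BLOB)")
        self.db.execute("CREATE TABLE msg_key (id INTEGER PRIMARY KEY, key BLOB)")

    def put(self, text: str) -> int:
        key = secrets.token_bytes(32)               # unique key per message
        cur = self.db.execute("INSERT INTO msg (blob) VALUES (?)",
                              (seal(key, text.encode()),))
        self.db.execute("INSERT INTO msg_key VALUES (?, ?)", (cur.lastrowid, key))
        return cur.lastrowid

    def get(self, mid: int) -> str:
        row = self.db.execute(
            "SELECT m.blob, k.key FROM msg m JOIN msg_key k ON k.id = m.id "
            "WHERE m.id = ?", (mid,)).fetchone()
        if row is None:
            raise KeyError(mid)
        return unseal(row[1], row[0]).decode()

    def shred(self, mid: int) -> None:
        self.db.execute("DELETE FROM msg_key WHERE id = ?", (mid,))  # key first
        self.db.execute("DELETE FROM msg WHERE id = ?", (mid,))

    def image(self, with_keys: bool = True) -> dict:
        """Copy of the stored rows, standing in for a disk image or backup."""
        msgs = dict(self.db.execute("SELECT id, blob FROM msg"))
        keys = dict(self.db.execute("SELECT id, key FROM msg_key")) if with_keys else {}
        return {"msg": msgs, "key": keys}

def recover(image: dict) -> list:
    """Plaintexts readable by someone who holds only this image."""
    out = []
    for mid, blob in image["msg"].items():
        key = image["key"].get(mid)
        if key is not None:
            out.append(unseal(key, blob).decode())
    return out

def demo():
    store = ShredStore()
    mid = store.put("constructed sample message")
    live = store.image()                     # taken while the message is retained
    backup = store.image(with_keys=False)    # ciphertext only, key table excluded
    store.shred(mid)
    after = store.image()                    # taken after the purge
    stale = {"msg": backup["msg"], "key": after["key"]}  # old ciphertext, current keys
    return recover(live), recover(backup), recover(after), recover(stale)
```

Only the `live` copy yields the message, which matches the post's own caveat: while key and ciphertext sit in the same database the control protects purged messages, not retained ones.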

FrogAndToad69

  • Jr. Member
  • **
  • Posts: 50
  • Karma: +6/-3
  • Let's play the PENIS game
« Reply #7 on: October 12, 2013, 04:17:24 pm »
14 days is solid. Vendors are on at least once a day, Shouldn't take more than 2 weeks to respond to a message. It should be 17 or 18 days really. About the same amount of time it takes before you have to finalize your order.
Imagine me 69ing......Gross right?

jayblunted

  • Full Member
  • ***
  • Posts: 228
  • Karma: +42/-24
« Reply #8 on: October 12, 2013, 05:39:11 pm »
21 days. Enough time that if there was a resolution in progress it would be resolved before a message is deleted.
Myself although I rarely used PGP for messages I did frequently clean out my sent message and inbox. Once whatever the information being shared is handled or finished with all messages were removed by myself on my account side. I recommend everyone does this as just standard housekeeping. 21 days should be enough for any matter and if the information is valuable for anything after 21 days one could copy and paste message contents onto a word processor removing any usernames etc.

orange

  • Jr. Member
  • **
  • Posts: 90
  • Karma: +3/-6
« Reply #9 on: October 12, 2013, 06:45:58 pm »
The options for:

Not at all after confirming the reception
Less than 24h
24h/1day
48h/2days
72h/3days

are missing...
As usual: Just saying.

GGGreenbud

  • Full Member
  • ***
  • Posts: 189
  • Karma: +50/-9
« Reply #10 on: October 12, 2013, 11:04:32 pm »
  Vendor/User Purge, 48hr PM delete /w read/respond confirmation, 28 day max.
Thanks for asking, DPR, you are awesome!
I knew they didn't get the real DPR, they got the fake one,
jokes on the feds(lolz!) when do we get to try and hang the traitors?
who wants to walk the plank? where the fuck is Astor? I never liked him.
G to those that know me, Mr. G to everyone else.

Dread Pirate Roberts

  • Captain
  • Administrator
  • *****
  • Posts: 566
  • Karma: +552/-41
« Reply #11 on: October 13, 2013, 03:51:56 am »
The above poll is only for how long users and vendors should have access to messages. Staff will have access to messages for a longer period of time in encrypted form so resolutions will not be affected by the retention period.
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.

BlueGiraffe

  • Vendor
  • Sr. Member
  • *****
  • Posts: 338
  • Karma: +77/-10
  • ♥ Proper GHB Vendor ♥
« Reply #12 on: October 13, 2013, 11:31:35 am »
Quote from: Dread Pirate Roberts
> Staff are currently discussing some matters behind the scenes concerning user security. I would like to ask you all to answer the following poll so we may make a more informed decision. Comments may be placed down below but we will not respond to inquiries. This poll is only asking for how long YOU need to retain data on-site.

Quote from: Burning Babylon
> I'm not sure how many Vendors operated as us on Silk Road but the reason we can't simply give a specific answer is we kept the conversations until whatever was discussed got resolved which varied wildly depending on the Topic at hand. So for example say a function to Label conversations were to be introduced with predefined options like "Answered", "Awaiting Information", "In Transit" etc. one could assign each Label a different Retention Policy based on how sensitive the Topic at hand is. Looking at it from purely a Security Perspective the riskiest conversations were those where one arranged a re-ship to Buyers without taking it to Resolution, when we were done shipping those and had deleted the Address it should have been considered an extremely High Risk Message compared to a casual conversation just answering some Questions about a Product. However Silk Road treated all messages the same as far as I know which means even the deleted messages with Addresses in them were Retained for three to five months.
>
> While I'm not quite yet able to Conceptually describe how to intertwine the Communications Aspect into Orders this would solve it by being able to Delete Sensitive Data instantly. What I mean by that is if a Buyer messages me about a re-ship it would be ideal if I could attach that message to the order so it updates the order-status by changing it from "in transit" to "reship" and then re-adds the order into the System as any normal Order with the Address specified - the Retention Policy for that message would then be until the instant that Order has been "Finalized/Completed".
>
> Beyond Practical Solutions all the Options Listed are better than the 3-5 months Retention Silk Road utilized before. :)

^ I like some of these suggestions ^

Messages should not contain any PII anyway, so there should not be any security risk associated with them - except in cases where there is a re-ship, or a last-minute address change/correction, and the buyer chooses to send their address in plaintext (which will happen, guaranteed).

In that instance it would be the responsibility of the buyer and the vendor to each manually delete that particular mail on both sides - which may or may not be done. As I see it the data-retention policy only really needs to address these kinds of events from a security perspective.

Apart from that, and from the purely functional perspective of a vendor, longer is better. Ideally one would want to have access to messages for as long as a single order cycle takes to totally complete itself. If there is a re-ship involved this could go well beyond 28 days.

So I would say err on the longer side for functionality, but also address the security aspect that results from plaintext addresses being sent - perhaps even having another kind of "channel" available for the sending of addresses for re-ships (similar to the original "order" channel, where the message is deleted the moment the order is marked in transit) might be a solution.

If something like this was there and easy to use, people would likely make use of it - and thereby cut down, if not largely eliminate, the possibility of plaintext addresses lying about in messages longer than they need to.

If this aspect could be well-managed then it would allow for a more functional message retention policy, while still being secure. And good that you're keeping messages encrypted for a longer period as well.

BG
Apologies for downtime - have had major IRL stuff to deal with - have not left the building - back soon...  BG

SR: http://silkroad6ownowfk.onion/users/bluegiraffe
The Hub: http://thehubaoydxrommh.onion/index.php?topic=261.0

Quizitix

  • Full Member
  • ***
  • Posts: 155
  • Karma: +15/-6
  • I like cocaine.
« Reply #13 on: October 13, 2013, 11:48:50 am »
I would say a maximum of 5 days is more than enough, as a buyer anyway.

A vendor may need more time?
Not sure if I'm just in a quizzical mood but most threads on here are utter bullshit with no meaning behind them or a healthy topic to discuss.

flwrchlds9

  • Full Member
  • ***
  • Posts: 198
  • Karma: +52/-9
« Reply #14 on: October 13, 2013, 01:00:15 pm »
7 days after marked read.
** LOOSE LIPS   SINK SHIPS **

orange

  • Jr. Member
  • **
  • Posts: 90
  • Karma: +3/-6
« Reply #15 on: October 13, 2013, 01:18:24 pm »
Quote from: Dread Pirate Roberts
> The above poll is only for how long users and vendors should have access to messages. Staff will have access to messages for a longer period of time in encrypted form so resolutions will not be affected by the retention period.

How long are you planning on keeping encrypted message logs?
Not giving the users/vendors access to their messages until they are fully deleted (even in encrypted form) might give people a false sense of security.
"Oh my messages are long gone" - When in reality they are still on the server or elsewhere.
As usual: Just saying.

AlternateReality

  • Jr. Member
  • **
  • Posts: 64
  • Karma: +3/-2
  • Legend
« Reply #16 on: October 13, 2013, 03:56:45 pm »
7 - 14 days seems fair to me.

BoxofShapes

  • Hero Member
  • *****
  • Posts: 894
  • Karma: +244/-22
« Reply #17 on: October 13, 2013, 04:22:24 pm »
If I was told I had a week or less to read a message I would adjust and be fine with it.  We have all had the biggest reminder we can get of how important it is to protect ourselves, and would more so now be fine with little extra efforts to be safe.

I know people now that wouldn't learn pgp for the life of them before, and now they are fluent.

A question you should include for yourself, along with our opinion, is what kind of community do you want.  Ones that don't mind a little inconvenience with utility for safety or ones that want things as easy as a vending machine.  The market is forever divided at this point so now is the chance to attract the specific audience you want.  Before SR was accommodating almost everyone. 

Bungee54

  • Vendor
  • Sr. Member
  • *****
  • Posts: 495
  • Karma: +132/-44
  • http://silkroad6ownowfk.onion/users/bungee54
« Reply #18 on: October 13, 2013, 06:59:55 pm »
Buyers 7 days
Vendors 21-30 days

Option to move messages to a folder called " automatic recall"  ( maybe messages going here can be auto-encrypted to vendors key)
Option for 1 custom folder with custom preference      ( maybe messages going here can be auto-encrypted to vendors key) 

YES WE KNOW THAT NO ONE SHOULD TRUST THE SERVER FOR ENCRYPTION but in this case it should be viable as retention times still apply.


ALSO VERY IMPORTANT ->

Please aggregate the message history !   make a "conversations from it " " not message by message"
That means if we as vendors answer a customer auto-include his messages at the bottom so we can make sense of it !


Please excuse if we did not see serious reasons that speak against these.

Cheers!


"They'll say we are disturbing the peace, but there is no peace. What really bothers them is that we are disturbing the war"

PGP is terrifying them (LEO), every new user who learns it and helps others learn, closes a possible loophole they were planning to exploit.

This_is_not_NCA

  • Newbie
  • *
  • Posts: 43
  • Karma: +13/-1
« Reply #19 on: October 13, 2013, 09:14:15 pm »
21 days - that accounts for most absences due to holidays etc. Important to remember that accessing messages is not something you can necessarily do down at the internet cafe. Ideally configurable from 1 - 21 days on a per-user basis.

You need to absolutely fucking nuke the message though when deleting - and somebody should test whatever mechanism you come up with by deleting a bunch of message/content on an indicative server, pulling the plug and then forensically imaging the disk to make sure there is no recoverable data.


flwrchlds9

  • Full Member
  • ***
  • Posts: 198
  • Karma: +52/-9
« Reply #20 on: October 14, 2013, 09:03:12 am »
Keep the messages longer after user delete by encrypting will not be safe from live server image because keys will be in memory or on disk during live image.
** LOOSE LIPS   SINK SHIPS **

Dread Pirate Roberts

  • Captain
  • Administrator
  • *****
  • Posts: 566
  • Karma: +552/-41
« Reply #21 on: October 15, 2013, 12:26:59 am »
Quote from: flwrchlds9
> Keep the messages longer after user delete by encrypting will not be safe from live server image because keys will be in memory or on disk during live image.

That would be true if the private key was kept on the server but we would only keep the public key on the server to encrypt the data to and any messages or data which needs reviewing will be later manually decrypted by staff since they will hold the private key not the server.
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.

rollresponsibly

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
« Reply #22 on: October 15, 2013, 02:28:12 am »
Allow a toggle feature that will let the user specify how many days to keep messages (with a default of about 21 days) or allow to turn off message deletion feature.

Some vendors may want 14 days for a while, but then go on vacation for 2 months and can now toggle off message deletion.

allow the following features.
1. purge all messages.
2. delete all previous messages to a specific user dialog (which would probably be used once a dialog has been finished.)

Sarge

  • Hero Member
  • *****
  • Posts: 525
  • Karma: +140/-29
« Reply #23 on: October 15, 2013, 02:33:30 am »
Quote from: rollresponsibly
> Allow a toggle feature that will let the user specify how many days to keep messages (with a default of about 21 days) or allow to turn off message deletion feature.
>
> Some vendors may want 14 days for a while, but then go on vacation for 2 months and can now toggle off message deletion.
>
> allow the following features.
> 1. purge all messages.
> 2. delete all previous messages to a specific user dialog (which would probably be used once a dialog has been finished.)

I like this feature.. Toggle between say 1, 7, 14, 28 days.. or "Destruct after reading"
I AM NO LONGER A MOD.

DO NOT PM ME IN REGARDS TO SR QUESTIONS

MisterSister

  • Sr. Member
  • ****
  • Posts: 304
  • Karma: +84/-23
« Reply #24 on: October 15, 2013, 03:13:01 am »
Quote from: rollresponsibly
> Allow a toggle feature that will let the user specify how many days to keep messages (with a default of about 21 days) or allow to turn off message deletion feature.
>
> Some vendors may want 14 days for a while, but then go on vacation for 2 months and can now toggle off message deletion.
>
> allow the following features.
> 1. purge all messages.
> 2. delete all previous messages to a specific user dialog (which would probably be used once a dialog has been finished.)

THIS.

Quote from: Sarge
> I like this feature.. Toggle between say 1, 7, 14, 28 days.. or "Destruct after reading"

Let he who is without sin cast the first stone.

aussieoutlaw

  • Full Member
  • ***
  • Posts: 208
  • Karma: +27/-102
« Reply #25 on: October 15, 2013, 05:28:39 am »
Sub
Some people get on my nerves

Cornelius23

  • Hero Member
  • *****
  • Posts: 1350
  • Karma: +219/-56
  • On the whole, I'd rather be part of the problem
« Reply #26 on: October 15, 2013, 03:56:29 pm »
I'm with those who see no need for most messages to be automatically deleted. My PMs are usually short, non-sensitive bits of chat that would be unnecessarily fiddly to encrypt and decrypt (especially if I then discover that a received encrypted message had merely been spam). I like the idea of being able to mark messages as sensitive or to set individual expiry times.
Connect at The Hub: http://thehubaoydxrommh.onion

QoinPro referral: http://www.qoinpro.com/a15a9244da423d15119457abb4040f1c

Reality is merely an illusion, albeit a very persistent one.
[Albert Einstein]

Quixote

  • Vendor
  • Hero Member
  • *****
  • Posts: 893
  • Karma: +83/-43
  • Purveyor of Pharmaceuticals
« Reply #27 on: October 16, 2013, 12:17:27 am »
Quote from: rollresponsibly
> Allow a toggle feature that will let the user specify how many days to keep messages (with a default of about 21 days) or allow to turn off message deletion feature.
>
> Some vendors may want 14 days for a while, but then go on vacation for 2 months and can now toggle off message deletion.
>
> allow the following features.
> 1. purge all messages.
> 2. delete all previous messages to a specific user dialog (which would probably be used once a dialog has been finished.)

Quote from: Sarge
> I like this feature.. Toggle between say 1, 7, 14, 28 days.. or "Destruct after reading"

Yes!
http://silkroad6ownowfk.onion/users/quixote

doppler

  • Jr. Member
  • **
  • Posts: 92
  • Karma: +9/-2
« Reply #28 on: October 16, 2013, 03:38:29 am »
why not implement a forced certificate system?
setup the new SR as a CA when registering you publish your public key.
private keys are still kept private all people see is encrypted data.. people can decrypt client side only.. nothing plain text is ever stored or submitted..
it's really not that complex.

TheMadHatter

  • Full Member
  • ***
  • Posts: 138
  • Karma: +46/-4
« Reply #29 on: October 16, 2013, 09:38:29 am »
Well I'd say unread messages should be able to stay for a longer period of time, say 14 days. Then if the time limit has exceeded, an automated "I did not read your PM within the 14 days, could you please resend" could be sent. Or maybe not even automated, but just as a kind of notification that you didn't read this message from XXX and it's not deleted.

Otherwise read messages should be deleted within 7 days. And of course you should make a manual delete button :P

A good safety measure would be to overwrite deleted messages with either random bits or zeros so it would be more difficult to restore

Best regards, TheMadHatter
You cannot arrest an idea.

AfternoonDelight

  • Vendor
  • Jr. Member
  • *****
  • Posts: 60
  • Karma: +9/-1
« Reply #30 on: October 16, 2013, 12:11:48 pm »
If you have a long term data retention policy, it'd be best not to rely on staff to keep the keys/passwords private.  As was the case with SR 1.0, someone had a falling out with DPR which led him to want to snuff him.

I would say, for resolution purposes, long term, like maybe 1 or two months access to staff, then it could go into cold storage, encrypted yet again with only a key DPR has access to.
If you need something sweet, or something neat, come and see my tasty treats!

http://silkroad6ownowfk.onion/users/afternoondelight