What the disappearing-messages saga tells us about governance - and why we built Sentinel PiNG to be the exact opposite.
Every few months, the same story resurfaces with a different name attached to it.
When the UK Covid-19 Inquiry sat in Edinburgh, it heard that Nicola Sturgeon had retained no pandemic WhatsApp messages whatsoever. She later admitted she had deleted them herself. Boris Johnson did not retain his either, and fought the question of disclosure all the way to court - and lost. And only last week, Downing Street confirmed that Sir Keir Starmer uses WhatsApp's disappearing-messages function, which can erase a conversation in as little as 24 hours, meaning his exchanges with Lord Mandelson were only partially recoverable when the "Mandelson files" were laid before Parliament.
Different parties. Different governments. Different decades. The same mechanism every time: messages that vanish.
It is worth pausing on how consistent this pattern is, because it tells you something. When the convenient thing and the transparent thing point in opposite directions, transparency tends to lose.
The defence offered is always a version of the same argument, and it is a clever one.
Under government transparency rules, ministers are told to decide for themselves which messages should be preserved on the record. Only "substantive" decisions are supposed to be kept. So, the reasoning goes, deleting messages does not breach the rules of disclosure, because there is no system suppressing records - there is simply an individual exercising judgement about which messages count as records in the first place.
That distinction does a lot of work. It is the difference between an institutional cover-up and a personal housekeeping habit, and it is why the people involved can say, quite truthfully, that they have broken no rules.
But look at what the distinction actually delivers. It hands the single person with the most to lose from disclosure complete discretion over what survives to be disclosed. The lead-up to a decision - the doubts, the lobbying, the half-formed reasoning, the people who were really in the room - can be made to disappear, while the tidy final outcome is kept for the record. It is selective memory, dressed up as data hygiene.
And it matters, because the public has a legitimate interest in understanding not just what was decided, but how, when, why, and by whom. That is the whole point of an audit trail. A decision you cannot explain after the event is a decision you cannot defend, learn from, or be held accountable for.
This is the problem we set out to solve when we designed the chat system inside Sentinel, and it led us to an architecture that is deliberately different from a consumer messaging app.
On WhatsApp, a message is end-to-end encrypted between two individuals. No central party reads it, no central party stores it - which is precisely why there is no authoritative record of it. The privacy is the point, and the absence of a record is a direct consequence of that design.
Sentinel PiNG works differently. A message is encrypted the instant it is sent and travels encrypted in transit to the central server. There it is decrypted, immediately re-encrypted, and stored at rest in encrypted form. It is then re-encrypted again and delivered to the recipient, where it is decrypted and read. The entire journey takes milliseconds, and the user experience is no slower than any other chat tool.
The crucial difference is the one in the middle: a permanent, central record of the conversation exists. Access to that record is tightly controlled by central permissions, and it can be made available to a regulator when one is entitled to see it. In effect, chat is given the same status as corporate email — a channel of record, not a channel of shadows.
This is not just a compliance feature. It changes the culture of communication, and almost always for the better.
When people understand that what they write is recorded, they take the conversation seriously. There is less straying into territory that has no business being there. And - this is the part that organisations consistently underestimate - there is far less of the bullying and intimidation that has become so common in WhatsApp groups. That behaviour thrives in the shadows.
The cases that ever come to light usually do so only because one recipient happened to screenshot or record an exchange; the rest stays buried. A channel of record removes the shadows, and with them a great deal of the worst behaviour. People can be part of working groups and conversation threads without fear.
There is a sharp irony in selective deletion that politicians and executives tend to overlook: it can hurt the very person who relies on it.
If you send a disappearing message and the person at the other end quietly screenshots it, they now hold a record and you do not. Should that exchange ever surface in a dispute or a court case, you are at a severe disadvantage — your counterpart can produce exactly what was said, while you have nothing to corroborate your own account.
We have already seen this play out. At the Covid Inquiry, some of Nicola Sturgeon's deleted messages were not lost at all - they were recovered from the records of the person she had been messaging, and used in evidence. Deletion did not protect her. It simply meant the only surviving version of events was the one held by someone else.
A transparent, centrally-held record protects everyone in the conversation equally, precisely because no single party controls what survives.
Let me be clear about what Sentinel PiNG is not trying to do. Off-the-record conversations between senior people will always happen, and frankly they always should. They have happened since ancient Greece, where you held the sensitive conversation behind a pillar; today you hold it in a coffee shop or on a walk. If a conversation genuinely needs to be off the record, there are mechanisms for that - and that is entirely legitimate.
The point of transparency-by-design is not to abolish private discussion. It is to ensure that the conversations an organisation runs on - the working groups, the operational decisions, the incident response - leave a proper audit trail. For governance, that distinction is everything.
So we will say plainly what most software vendors would never admit. If what you want is the freedom to be selective about what ends up on the record, Sentinel PiNG is not the platform for you. It is built to do the opposite.
It is for organisations that want to be transparent and compliant by design: that want better decisions made in the open, better learning after a crisis is over, and a clear, honest position to give a regulator or an insurer about who was involved in a decision and why it was taken. For a critical-infrastructure operator managing a live incident, that record is not a liability - it is one of the most valuable things you own.
We think that is the right architecture. It is founded in the principle of transparency, and transparency, in the end, makes for better organisations.
Which is exactly why some people will never want it.