Consider disappearing sources and submissions

[redshiftzero]

Description

Inspired by Signal's disappearing messages, we could consider something similar for SecureDrop sources. The possible options here are:

1. Opt-in disappearing sources: By default, everything is kept forever. However, admins can opt-in to a configurable disappearing source time.
2. Disappearing sources by default: We pick some reasonable time frame, likely somewhere in the range of 6-12 months or so, and auto-delete sources or submissions that haven't seen activity (either replies from a journalist or further submissions from the source) in that time period. Again, the disappearing source time is configurable, so admins can turn it off if they decide it's annoying, or they can reduce the disappearing time if they think 6-12 is too long.

(Note: I'm filing this just for discussion since it's been mentioned a bunch of times by SecureDroppers and there isn't a ticket for it.)

Advantages

1. Cleans up stale sources that are no longer active.
2. Can encourage admins to make sure journalists are checking the server frequently as the sources literally will disappear if they don't.
3. If a short disappearing time is configured, it reduces the impact of the submission key being compromised.

Disadvantages

1. Unintentional data loss.

[heartsucker]

I think the default time should be configurable as in there's a minimum time the source will be visible (as in can't disappear in under a week). Then, the source can select when they want their messages to expire (1 week, 1 month, 3 months) from a drop down. This should also be able to be changed after the conversation starts as well as enabled/disabled.

Also, this would need to be made visible on the journalist interface so that journalists can see which sources are disappearing and how many days until the source disappears so they can prioritize.

[zenmonkeykstop]

Still a good idea, research required before proceeding.