Technology

Twitter doesn’t really delete your old DMs

Published

6 years ago

February 16, 2019

Uh-oh, this doesn’t look good.

You know how when you delete a Twitter DM and you’re expecting it to, like, be erased and non-retrievable ever again? Turns out Twitter’s still keeping archives of deleted DMs according to a security researcher who shared his discovery with TechCrunch.

Speaking with TechCrunch, security researcher Karan Saini discovered he was able to retrieve old Twitter DMs he had deleted years ago.

Saini says he found his old deleted Twitter messages from recipient archive folders belonging to Twitter accounts that were deleted. Twitter lets senders delete their DM messages, but the messages are only deleted from their end and not the recipient’s (and vice versa).

“DMs are never ‘deleted’—rather only withheld from appearing in the UI,” Saini said on Twitter after TechCrunch published the story. “The archive feature lets you view these DMs, as well as any others with now suspended, or deactivated users.”

He was also able to use a now-deprecated Twitter API to recover old direct messages from both the sender and recipient.

Previously, it was possible to use the “direct_messages/show” endpoint (which is now deprecated) for the same purpose. I submitted the report for this to Twitter in January of 2018, and at the time, the team accepted the residual implications of the issue.

— Karan Saini (@iasni) February 16, 2019

Saini’s discovery flies against Twitter privacy policy, which says data is only stored for “up to 30 days after deactivation” to allow users to restore their accounts.

Twitter's privacy policy says data should be deleted after 30 days of deactivating an account. — Twitter’s privacy policy says data should be deleted after 30 days of deactivating an account.

After 30 days, if a user hasn’t restored their account, the data should be gone… for good. Except Saini and TechCrunch’s findings insist this isn’t the case. TechCrunch reporters said they were able to “recover direct messages from years ago — including old messages that had since been lost to suspended or deleted accounts.” One example showed they were able to retrieve deleted messages from 2016.

Mashable has reached out to Twitter for clarification on why the company’s still keeping archives to DMs that were deleted years ago and we’ll update this story if we receive a response.

As it stands, this discovery is another reason to be mindful of the amount of data social media services collect. Social media platforms like Twitter make it easier than ever to share and communicate with others instantly, but the extent of their reach is now being contested. Can you really trust a company that that doesn’t delete your data when you think you’ve deleted it?

Uploads%252fvideo uploaders%252fdistribution thumb%252fimage%252f90429%252f1d73d86b 3832 4d72 8bad 05ddbc08d14e.jpg%252foriginal.jpg?signature=sjw7ekt5bwv6twdq3h8qqg3au4s=&source=https%3a%2f%2fblueprint api production.s3.amazonaws