Even years later, Twitter doesn’t delete your direct messages
When does “delete” really mean delete? Not always, or even at all, if you’re Twitter.
Security researcher Karan Saini found that Twitter retains your direct messages for years. That not only includes messages you and others have deleted, but also data sent to and from accounts that have been deactivated and suspended. Saini found years-old messages in a file from an archive of his data obtained through the website.
Saini told TechCrunch that he had “concerns” that the data was retained by Twitter for so long.
Direct messages once let users “unsend” messages from someone else’s inbox, simply by deleting them from their own. Twitter changed this years ago, and now only allows a user to delete messages from their account. “Others in the conversation will still be able to see direct messages or conversations that you have deleted,” Twitter says in a help page. Twitter also says in its privacy policy that anyone wanting to leave the service can have their account “deactivated and then deleted.” After a 30-day grace period, the account disappears, along with its data.
But, in our tests, we could recover direct messages from years ago — including old messages that had since been lost to suspended or deleted accounts. By downloading your account’s data, it’s possible to download all of the data Twitter stores on you.
Saini says this is a “functional bug” rather than a security flaw, but argued that the bug allows anyone a “clear bypass” of Twitter mechanisms to prevent access to suspended or deactivated accounts.
But it’s also a privacy matter, and a reminder that “delete” doesn’t mean delete — especially with your direct messages. That can open up users, particularly high-risk accounts like journalists and activists, to government data demands that call for data from years earlier.
That’s despite Twitter’s claim to law enforcement that once an account has been deactivated, there is “a very brief period in which we may be able to access account information, including tweets.”
A Twitter spokesperson said the company was “looking into this further to ensure we have considered the entire scope of the issue.”
It’s similar to another bug, found by Saini a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted from both the sender and the recipient, though the bug wasn’t able to retrieve messages from suspended accounts.
Retaining direct messages for years may put the company in a legal grey area amid Europe’s new data protection laws, which allow users to demand that a company delete their data.
Neil Brown, a telecoms, tech and internet lawyer at U.K. law firm Decoded Legal, said there’s “no formality at all” to how a user can ask for their data to be deleted. Any request from a user to delete their data that’s directly communicated to the company “is a valid exercise” of a user’s rights, he said.
Companies can be fined up to four percent of their annual turnover for violating GDPR rules.
“A delete button is perhaps a different matter, as it is not obvious that ‘delete’ means the same as ‘exercise my right of erasure’,” said Brown. Given that there’s no case law yet under the new General Data Protection Regulation regime, it will be up to the courts to decide, he said.
When asked if Twitter thinks that consent to retain direct messages is withdrawn when a message or account is deleted, Twitter’s spokesperson had “nothing further” to add.