Potential Security Flaw Involving Twitter Direct Messages Sparks Concern About User Privacy

The world’s largest social media companies continue to deal with data privacy breaches and potential security flaws on a regular basis. The latest flaw involves social media giant Twitter and direct messages (DMs) that are exchanged between users. According to security researcher Karan Saini, Twitter retains direct messages for years, including messages that you or others have deleted. And that’s even the case if Twitter direct messages are sent to or from an account that has been suspended or deactivated.

The security flaw was first reported via HackerOne, a bug bounty platform. Internet security researcher Karan Saini found the direct messages (DMs) stored in a Twitter data archive. Since then, that security flaw has been replicated elsewhere, confirming that it appears to be a systemic issue affecting all Twitter accounts, rather than an isolated occurrence affecting only a single user. Twitter, as might be expected, described this archiving of Twitter direct messages for years as a “functional bug” rather than a “security flaw.”

Potential implications for Twitter

The choice between “flaw” and “bug” might seem like a game of semantics, but it has very real implications for what the consequences of this security flaw might be for Twitter. According to the European General Data Protection Regulation (GDPR), for example, users should be able to demand that a company delete all data, and to have that request honored. Any request, no matter how informal, needs to be taken seriously by a company. Thus, if Twitter direct messages were not deleted properly, that could raise a number of interesting issues under the European GDPR. According to security experts briefed on the issue involving Twitter direct messages, no case law yet exists for determining whether hitting the “delete” button on Twitter constitutes a legal exercise of “the right to be deleted.”

There are also questions about what needs to be deleted, and when. If, for example, a Twitter user deletes a DM, should that message be immediately deleted from the entire Twitter platform, or just from the account of the Twitter user? And how long does Twitter have to comply with that request? What the security researcher found was that nothing was actually deleted – it was possible to find years-old messages in a file from the data archive. Moreover, Twitter direct messages were not deleted from the platform, even when the user specifically instructed Twitter to deactivate an account. Twitter essentially holds on to the “deleted” Twitter direct messages, regardless of any steps a user takes.

Twitter direct messages and Twitter’s privacy policy

This would appear to be, at the very least, a violation of Twitter’s own privacy policy. This policy states that if anyone wants to leave the platform, it is possible to have the Twitter account deactivated and then deleted. There is a 30-day grace period, and then after that, all data from the account should be deleted forever. This is what “the right to be forgotten” on the Internet should imply – that, at any point in time, you can simply walk away from a social media platform and have your content disappear so that there is not a record forever of your presence on that platform.

Right now, Twitter says it is looking into the matter further, in order to see how serious this issue might actually be. At one point in time, Twitter actually let users “unsend” messages after hitting the send button – this action had the net result of deleting Twitter direct messages from someone else’s inbox, as long as you deleted these Twitter direct messages from your account. But Twitter later reversed course on the matter. After all, wouldn’t you find it odd if you went to your Twitter account to message someone back, and suddenly found that all previous messages were somehow missing?

Are Twitter direct messages content or communication?

In many ways, this issue involving Twitter direct messages raises a very interesting question: Is Twitter a media platform, or is it a communication platform? If it is a media platform, and you view sending a private message as a form of content that you create on Twitter, then there is a much stronger case for having all content (including Twitter direct messages) deleted on demand.

But what if Twitter is much more of a communication platform? If that’s the case, then it is much more practical to think of Twitter direct messages exchanged between two users in the same way that you think about email messages between two users. Typing your message would be the same as typing an email. If you delete an email from your own personal email account at some later date, you do not have a reasonable expectation that this will also delete messages from someone else’s account, do you? So if you click send and communicate a direct message to someone else, is it really a security flaw if that private message is not deleted from the other person’s account when you delete it from your account?

A worst-case scenario for Twitter direct messages

The bigger picture, of course, is that content (including Twitter direct messages) unknowingly stored on the Twitter social media platform might be used against users such as activists or journalists at some later date. Say, for example, that you are a citizen living in an authoritarian nation, and you are corresponding with a close-knit group of fellow activists via a group conversation. You might have a very real reason to delete all Twitter direct messages that you send with a click or tap – you don’t want the government snooping around in your Twitter data archive at some later date, reading through messages (or other data Twitter stores) that might place you or your family in a dangerous position.

It is for this reason that social media giants like Twitter need to take data privacy seriously. If users demand that data, information or messages be deleted, then that demand needs to be honored and dealt with promptly. This is especially the case if a user takes the next step, which is to deactivate, delete or block the account forever. Most people would hold a reasonable expectation that deleting an account and then exiting a platform would 100 percent guarantee erasure of all data associated with that account. However, as we have seen in case after case, that rarely happens. On the Internet, nothing is really ever gone forever, including identifying information such as phone numbers.

Next steps for Twitter

Going forward, this discussion around Twitter direct messages and what it means to send and receive DMs should help to guide the company in making changes to the platform (and the Twitter app) that benefit the user. Data privacy needs to be taken seriously, and that means any request to delete data – no matter how informal – needs to be taken seriously as well.