Twitter doesn't want to delete your private messages

Twitter direct messages (DMs) have always been a security concern. Since the DMs you send to friends and strangers on the social network aren't protected by end-to-end encryption, your conversations are potentially accessible to cybercriminals in the event of a Twitter data breach, as well as to company personnel with the right permissions. It is plausible that both scenarios have become more likely in the version of Twitter led by Elon Musk, which fired several employees who performed essential functions for security and data protection.

Since Musk acquired the social network, started shedding thousands of employees in early November and began reshaping the company according to his vision, many people have left the platform. Before leaving, users often try to download their archive and delete their DMs. Amid the chaos the company is currently in, that process is proving bumpy, to say the least, in many cases.

In Europe, users have turned to the European Union's (EU) data protection regulation, the GDPR, which gives citizens guarantees on the ways in which their personal information is collected, stored and used. Among these safeguards is the right to have your data deleted. However, judging by Twitter's responses to these requests, which were viewed by UK, it appears that the platform is ignoring the DM deletion requests, merely referring users to a generic guide that doesn't explain whether Twitter deletes DMs from its servers as well.

Lack of transparency

“On Twitter, the unsubscribe button doesn't do what users think it does,” explains Michael Veale, associate professor of digital rights and regulation at the Faculty of Law of University College London. “When you delete direct messages within the app or on the website, they are not removed from the Twitter server.”

It has been unclear for years what Twitter's internal message deletion tools actually do. On the platform, in theory, there are two ways to delete sent DMs. In the inbox you can delete entire conversations, while within conversations you can delete individual messages.

Neither option, however, seems to really delete messages. According to Twitter, when you delete entire conversations they are removed from your message inbox but remain available to the person they were sent to. Even when you delete a single message, Twitter reports that the recipient "will still be able to view it". The service's help center claims that "the operation is performed only for your account", but does not clarify whether messages are deleted from its systems or servers.

In the past, some research has found that deleted DMs are stored on Twitter's servers for years. In 2022, whistleblower and former Twitter security chief Peiter "Mudge" Zatko said that in some cases Twitter didn't have the ability to delete data.

In early November, Veale created guidance that European citizens can use to ask Twitter to delete DMs from its servers. In the document, Veale says that the worst-case scenario for users would be a data breach similar to the attack suffered by the Ashley Madison dating site in 2015, which resulted in details of the private lives of people using the service being leaked onto the internet. Over the past decade, journalists, activists, protesters and more have relied on Twitter messages to share private information and connect with people at risk.

Both the GDPR in Europe and the California privacy law (CCPA) establish the right to ask companies to delete the data they hold (with some exceptions). Furthermore, when a person requests the deletion of their data pursuant to the GDPR, the company receiving the request is obliged to respond and explain the reasons for any refusal. Veale's guide suggests using a specific wording to request the deletion of DMs: “I want this data to be deleted from all systems, including backup ones (at appropriate times)”. Veale also suggests that you only ask for the deletion of messages sent from your account (and therefore not those received) and points out that there is no obvious reason why Twitter should keep messages.

Evasive responses

Lari Lohikoski, a Finnish communication professional and entrepreneur, manually deleted his DMs after Musk took control of Twitter, and also asked the company to delete them from its systems: “I don't see my direct messages in the Twitter UI, but I really believe they are still on their server,” he says.

Twitter initially responded with a short message advising Lohikoski to delete his account in order to delete the messages, without, however, responding to the merits of his request (in November, I too asked Twitter to delete my DMs, receiving a similar, one-line response). Twitter, which no longer has a communications department, did not respond to UK's request for comment. The platform's guidelines state: “Once deleted, your account will no longer be available in our systems”. However, they do not specify whether the data is deleted completely or is simply not available within the company.

Lohikoski, who claims that Twitter does not "appear to comply with the GDPR", filed a complaint with the Finnish data regulator and also with its Irish counterpart, the body responsible for much of the supervision of Twitter in Europe. Veale also received a message similar to the entrepreneur's, and decided to lodge a complaint with the Irish regulator and the Information Commissioner's Office (ICO) in the United Kingdom (complaints regarding the deletion of Twitter DMs were also reviewed by TechCrunch).

The ICO let Veale know that Twitter's response "does not meet the obligations of data protection legislation", as the company did not properly respond to his request and only provided "general information" about deleting accounts. Companies that fail to comply with GDPR rules may be subject to hefty fines or other measures, but they are rarely enforced in circumstances like this.

On Jan. 18, Lohikoski says he received a "surprise" email from Twitter. The message repeated the advice given in the help center, without directly responding to the points raised in the initial request. The ICO told Veale that Twitter replied at the same time, but it seems that the company sent the message to the wrong email address (the British body asked Twitter to explain the error). An ICO spokesperson said it was "in dialogue" with Twitter's data protection chief and was in the process of assessing the impact of Musk's changes to the platform.

Breathing down the neck

Since Musk took control of Twitter, the company has tried to reassure regulators that it is taking its obligations seriously, especially in Europe. European officials have criticized the company for suspending the accounts of some journalists and for modifying access to the platform's APIs in ways that could negatively impact disinformation research activity. Furthermore, it is likely that Twitter will be subject to the stricter rules set by the new European law on digital services, which could lead to steep fines in case of non-compliance.

The company has declared that it intends to integrate end-to-end encryption, but it could take some time to roll out, if it happens at all. Until then, it's probably best not to include sensitive information in messages sent on the social network (and perhaps to consider switching to an encrypted messaging service, such as Signal).

Ultimately, according to Veale, the big tech companies are trying to position themselves so they can decide what information they should provide to users. The professor gives the example of the data download functions offered by technology companies, which give people data such as posts and photos but seem to avoid providing other information, such as analytics. "The central problem is that these companies mask things that look like information rights behind bogus user interfaces," comments Veale.

This article originally appeared on UK.
