Twitter saves all your direct messages, new research has found. Karan Saini, a researcher on internet security and privacy, discovered some of his years-old direct messages on Twitter from deleted accounts. The researcher was also able to use a bug to retrieve even older messages from suspended or deactivated accounts. This has raised eyebrows among some of the leading security experts online as well as social media communities. Despite Twitter claiming to delete accounts upon user request, this new research indicates otherwise.
Twitter DMs are Forever New Research Confirms
How Did They Uncover the Bug?
According to the researcher who uncovered the bug on Twitter this thin is functional in the web service. So, it will allow anyone to have a clear bypass and gain access to Tweets made virtually since the platform began.
Now, for many people who share sensitive data or insights like journalists or whistleblowers, this is a dangerous concern. Being able to retrieve any Tweet from any duration is a serious breach of data privacy and internet rights. However, as of now, the US does not have any such laws in place which can mandate Twitter should delete this data.
On the other hand, the EU does have certain laws in this regard but Twitter is still in a legal grey area on that front. So, all this leaves you and your online privacy at considerable risk. Imagine if anyone could dig up any Tweet you sent out at any time. Even if you have deleted the account, they might be able to access.
Shouldn’t Twitter Have a Policy Against This?
Yes, Twitter should have a policy against and it does. According to its policy statements, Twitter will keep a deactivated account in suspension for a period of 30 days from the request. The account holder can choose to reactivate their account within this 30 day period after which, it will be permanently deleted. This may seem like the deal we want but there is a fine print here which sobers it all up.
According to the details on this deactivation policy, the data on the account such as logs, device details, the location at the time of log in etc. are kept for 18 months. So, your data is still technically on the Twitter server and can be potentially accessed.
Aside from that, there are other considerations like with regard to Direct Messages. For example, in 2013, Twitter allowed users to delete messages they had sent to others by deleting them in their own account. However, this policy was changed sometime later and after that, people could only delete the messages from their own accounts. The messages which they had sent to others would not get deleted from their account.
How to Secure Your Social Media Accounts
We have previously published a guide that shows you how to keep all your social media account secure. Here is the sum-up:
- Frequently change your Twitter password. Make sure you don’t use the same password in order to log into different social media apps.
- Use two-factor authentication. This will make it much harder for cyber-criminals to hack into your account.
- Avoid clicking on shortened URLs that appear on your Twitter feed.
- Keep an eye on your email inbox for suspicious log-ins.
- Always remember that whatever you tweet or send in a direct message stays forever.
- Make use of a VPN for Twitter. By connecting to a VPN server, you are basically encrypting all your Internet traffic.
- Never share sensitive data online.
What is Twitter Saying About This Bug?
Twitter has been informed by the researcher of the bug through an online bug bounty platform called HackerOne. The bug itself is currently being investigated by the technical division at Twitter. While Saini, the researcher, and Twitter have both called the bug more functional than security oriented, it still poses a lot of questions. Not surprisingly, a lot of the online channels for social media and related security considerations have an ongoing discussion on this.
There are many opinions on may sides but for the most part, the questions are being raised over the safety of users. We all know that social media has enabled anyone to dig up out of context Tweets from the past and identify them. Now, since no Tweets are potentially beyond reach, all kinds of people can have their previous Tweets used against them.
Comments are also being directed towards the legal aspect of the Tweets. Some are arguing that Twitter might consider deleting the accounts as withdrawing rights from the Tweets made out. This is certainly a troubling idea but the Twitter camp has not made any comment here. So, the actual process for the way the bug can be exploited remains unknown. However, it is not beyond the realms of imagination to consider how this can be used nefariously.
Twitter is a brilliant social media platform and every one of these has its drawbacks. The functional bug that has been found calls into question the actual data retention process followed at Twitter. In time, it may be that Twitter policies ensure that no tweets from deactivated accounts. If you are on Twitter or planning to use it in the near future, then remember what you are paying with.
Online privacy and security is a major concern for all of us and it pays to know where we might leak private information. As a Twitter user, you need to know how you can make full use of the platform without compromising your overall online safety. Knowing this functional bug should be a starting point for that.