European data protection regulators are “engaging” with Twitter following a series of complaints from users that it’s ignoring requests to delete their direct messages, TechCrunch has learned.
Concerns over the privacy and security of Twitter DMs — which are not end-to-end encrypted (E2EE) — has grown since Elon Musk’s takeover of the company last fall, triggering an exodus of staff and relevant expertise. The sink-carrying billionaire’s arrival at Twitter HQ also led to a series of rapid-fire but ill-considered product changes by the self-styled Chief Twit, amping up reasons for users to worry about the safety of their data.
At the same time, there is a wider question mark hanging over the company in relation to how easily — or even whether — Twitter can delete data, following allegations by a security whistleblower last year.
DM data erasure requests
The U.K.’s Information Commissioner’s Office (ICO) and Ireland’s Data Protection Commission (DPC) told TechCrunch they are talking to the social media firm after receiving a number of complaints from users that Twitter is failing to fulfill requests to delete DMs.
An ICO spokesperson said: “The ICO is engaged in dialogue with Twitter’s data protection officer and is continuing to assess the potential data protection impacts of any changes to the company and its online services.”
TechCrunch has learned that Twitter is responding to this type of deletion request by telling the user about an existing option to deactivate their account — and providing them with generic information on how to do that.
In an email sent to one user, who had requested deletion of their DMs, the company wrote: “You can deactivate your account at any time. When deactivated your Twitter account, including your display name, username, and public profile, will no longer be viewable on Twitter.com, Twitter for iOS, and Twitter for Android.”
Twitter also informed them that account deactivation can be reversed within 30 days “if it was accidentally or wrongfully deactivated” — before caveating this with a warning that “search engines and other third parties may still retain copies of your public information…even after you have deleted the information.”
It ended the email by providing a link to “more information about account deactivation.”
The correspondence — which was signed “Twitter Office of Data Protection” — does not make any mention of deleting direct messaging data, which was what the person had actually asked be deleted.
The complaint by users, therefore, is that Twitter is denying European legal requests to delete their personal data.
The EU’s General Data Protection Regulation (GDPR) — which applies in Ireland, an EU member state, and in the U.K., at least for now, where it’s still baked into domestic data protection law— provides citizens with a suite of rights wrapping their personal data, including the right to ask for personal data to be deleted.
It’s this right Twitter users have been seeking to exercise as regards direct messages.
While Twitter DMs are private (rather than public), they are not E2EE — meaning that the contents of messages are accessible by Twitter.
The company also does not provide users with a function to erase sent message data from its servers themselves. If you manually delete a DM you sent, Twitter’s Help Center says the information is only deleted from your own account (so, essentially, it’s just hidden from your own view) — the data is not removed from any other messaging participants’ accounts — with Twitter specifying that: “When you delete a Direct Message or conversation (sent or received), it is deleted from your account only.”
This means the data itself remains on the company’s severs, and remains accessible by Twitter’s staff, so there’s no way for users to manually erase sent DMs.
This issue with DM deletion has been known about for some time but it’s flared up since Musk took over Twitter and set about sinking the boat by firing senior execs and slashing the company’s headcount. His actions also triggered a wave of departures by key security and privacy staffers — sparking concerns that existing security systems and privacy protocols wouldn’t survive the transition.
Musk’s focus on railroading remaining staff to rush out new features quickly led to reports of the company dispensing with standard product safety review processes. And last November a source told us the company is no longer fulfilling key requirements of the GDPR. Ergo, remaining Twitter users have plenty of reasons to worry about the safety of their data.
If that wasn’t enough, concerns have been exacerbated by Musk’s decision to hand internal data and system access to a number of nonstaffers — after he invited in a number of journalists for a project dubbed “The Twitter Files” — aiming to generate coverage of content moderation decisions made by the prior Twitter leadership team, apparently to further an agenda to stoke right-wing conspiracy claims that conservative views get shadowbanned on Twitter. (Funnily enough, such claims have persisted into the Musk-Twitter era — leading to some amusing theatrics from the Chief Twit earlier this month, when he said he would be temporarily setting his own account private to “test” whether private tweets are more visible than public tweets…but, er, we digress.)
How extensive this nonstaff access to Twitter’s data and systems is remains unclear. However, privacy experts were quick to highlight the unorthodox development as yet another threat to users’ data — and to DMs specifically, given private messaging is likely to contain more sensitive content than public (or even private) tweets, so probably of high interest to journalists sniffing around for scoops.
In November, Michael Veale, an associate professor in digital rights and regulation at University College London, published a handy blog post with instructions for how Twitter users could make a “right to erasure request” under EU law (aka, Article 17 of the GDPR) and ask Twitter for their DMs to be deleted.
His suggested email text clearly instructs Twitter that the user is “specifically not asking for any other data, such as tweets, or DMs sent to me from others, to be erased” — and also specifies that “I am not requesting you to deactivate my account” — further emphasizing: “No copies of any direct messages sent by my account should remain on Twitter’s or their data processors’ servers.”
Veale used this template to put in his own request to Twitter last year asking it to delete his DMs. But Twitter also refused his request by suggesting he could deactivate his account. So he filed a complaint with the ICO — which led to the regulator engaging with Twitter on the complaint.
But in a further twist, the ICO contacted Veale to say Twitter had told it that it had sent him a follow-up email. However, the email address Twitter had used contained a typo — meaning this additional correspondence not only did not reach Veale but also may have been sent to another person entirely (insert your own facepalm), which means Twitter may not just have fumbled the DM deletion request but may have committed a data breach too.
We understand the ICO wrote again to Twitter this week regarding Veale’s ongoing complaint — instructing it to provide “a clear and substantive response to his request for erasure” — and to do so within seven days.
So the back-and-forth continues — for now.
However, if Twitter continues to dance around EU law by denying users the right to delete their DMs, it will be up to regulators to crack down and enforce the GDPR on the bird. Penalties for breaches of the regime can scale up to 4% of annual turnover and, in the case of ongoing infringements, would typically be accompanied by corrective orders.
Scalable deletion work derailed?
That’s not all, either. There is another question mark over whether Twitter actually has systems in place that would enable it to easily (and promptly) carry out the requested DM deletions — or, indeed, delete other types of user data (even entire accounts) on request.
Thing is, one of the allegations made against Twitter last fall by the security whistleblower Peiter “Mudge” Zatko, was a claim that it cannot delete user data. Per CNN, the former head of security at Twitter said the company does not reliably delete users’ data after they cancel their accounts — in some cases because it may have lost track of the information.
He also alleged Twitter had misled regulators about whether it does actually delete the data as it may be legally required to.
A source familiar with Twitter’s systems and processes prior to Musk’s takeover of the company disputed some of Mudge’s claims last year — telling us the data deletion issue is “a much more complicated story” than his account alleges. However, this person, who spoke to TechCrunch on condition of anonymity, also told us the company does not have scalable systems in place for deleting data — saying it has instead historically relied upon using “one-off mechanisms” to get the task done.
After Mudge’s complaint landed, our source said scrutiny on Twitter over the deletion issue dialed up and work, which had been ongoing internally for perhaps as long as five years to try to get a proper handle on the deletion issue, cranked up — with the company assigning “dedicated teams” to work on scalable deletion. Teams Musk then fired in the headcount purges following his takeover. “The result is there aren’t the people and the resources there to finish that work on time,” the source suggested.
Additionally, they told us Twitter had made representations to regulators in the U.S. and Europe that this work would be done by certain dates — with a rough target (prior to Musk’s wrecking ball swinging in) of completion by Q3 of this year — so any missed deadlines for that project could have additional regulatory implications.
“Because of [the wave of layoffs last November] that work is terminally, terminally off schedule,” our source predicted. “Even if [Musk] moved every engineering resource that he has currently available at the company — meaning he couldn’t ship a new product, he has to focus on this — he would still blow the deadline by at least two quarters.”
We’ve reached out to Twitter with questions about its denials of users’ DM deletion requests — and on the broader issue of whether it has scalable systems in place for deleting user data in a way that complies with regulatory obligations — and will update this post with any response. But do feel free to slip into our DMs, Ella Irwin.
Do you work at Twitter and have a tip about what’s going on? Get in touch at natasha@techcrunch.com