According to security researcher Karan Saini, Twitter retains, for years, direct messages that users have sent, including messages that have been deleted as well as data sent to and from accounts that have been deactivated.
Saini reported that he found years-old messages, exchanged with accounts that no longer existed on Twitter, in a file from the archive of his data that he downloaded through the website. It is alarming that Twitter retained this seemingly deleted information for so long.
TechCrunch also ran its own test to see whether it could find similarly old and deleted messages, and it was able to recover old messages from accounts that had since been suspended or deleted.
While Saini is quick to call this a ‘functional bug’ rather than a security flaw, it is an alarming privacy matter and a stark reminder that ‘delete’ does not automatically mean deleted for good.
This will make for an interesting data privacy discussion: under GDPR rules, any request to delete data that a user communicates directly to a company is a valid exercise of that user’s rights and must therefore be honoured.
A delete button is a different case; pressing it perhaps does not, in and of itself, amount to the same exercise of the right to erasure that a direct communication does. It will be interesting to see where this case study takes us in the sphere of data privacy and compliance.