Slashdot Mirror


Even Years Later, Twitter Doesn't Delete Your Direct Messages (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Twitter retains direct messages for years, including messages you and others have deleted, but also data sent to and from accounts that have been deactivated and suspended, according to security researcher Karan Saini. Saini found years-old messages in a file from an archive of his data obtained through the website from accounts that were no longer on Twitter. He also reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted from both the sender and the recipient -- though the bug wasn't able to retrieve messages from suspended accounts.

Direct messages once let users "unsend" messages from someone else's inbox, simply by deleting it from their own. Twitter changed this years ago, and now only allows a user to delete messages from their account. "Others in the conversation will still be able to see direct messages or conversations that you have deleted," Twitter says in a help page. Twitter also says in its privacy policy that anyone wanting to leave the service can have their account "deactivated and then deleted." After a 30-day grace period, the account disappears, along with its data. But, in our tests, we could recover direct messages from years ago -- including old messages that had since been lost to suspended or deleted accounts. By downloading your account's data, it's possible to download all of the data Twitter stores on you.
A Twitter spokesperson said the company was "looking into this further to ensure we have considered the entire scope of the issue."

30 comments

  1. 3rd party, folks. by Anonymous Coward · · Score: 0

    If you transmit your data to a 3rd party, expect that data to exist forever.

    How is this new insight? You dumbfucks are the reason we can't have nice things; you're always surprised by the most obvious outcomes.

    1. Re: 3rd party, folks. by Anonymous Coward · · Score: 0

      I guess people need to keep track of their messages. I used to delete all my old emails every year until I realized there were a few I really wanted to hang on to. Sigh. Even Twitter is complicated now?

    2. Re: 3rd party, folks. by Anonymous Coward · · Score: 0

      Police state shills be shillin' for the police state.

    3. Re: 3rd party, folks. by Anonymous Coward · · Score: 0

      Any good porn stored at Twitter?

  2. pop quiz by Anonymous Coward · · Score: 0

    How much time will you spend deleting those messages in the next couple days?

    Today's cap===>socially LOL

  3. Flip a flag by Anonymous Coward · · Score: 0

    deleting just means isVisible = 0

    1. Re:Flip a flag by Anonymous Coward · · Score: 0

      Anyone who has ever built a data-driven website knows this. You never actually DELETE a record from a database. You just hide it from the user. If you actually delete a record, you will probably break your site in some weird way.

    2. Re:Flip a flag by phantomfive · · Score: 1

      Anyone who has ever built a data-driven website knows this. You never actually DELETE a record from a database.

You should know that this is probably illegal under GDPR. Yes, that is going to cause problems with database design, for reasons that anyone who has ever built a data-driven website knows.

      --
"First they came for the slanderers and i said nothing."

    3. Re: Flip a flag by astrofurter · · Score: 2

      If deleting a record breaks your site, that's a good hint your DB schema doesn't have referential integrity.

    4. Re: Flip a flag by phantomfive · · Score: 1

      Would it surprise you to find out that most DB schemas don't have referential integrity?

      --
"First they came for the slanderers and i said nothing."

    5. Re: Flip a flag by astrofurter · · Score: 1

      Alas, it would not.

    6. Re: Flip a flag by Anonymous Coward · · Score: 0

      There are two sets of problems, one set if you allow for a true DELETE, and another if you just hide the records.

If you DELETE records and your database supports foreign key constraints, then your site will break when you try to delete records that are stored as foreign keys in other tables. The problems propagate from the database layer to the application layer, making them particularly nasty to diagnose, and almost no one is able to design and implement such a system who is working in the industry today. We live with the legacy systems that tried to solve this problem 20 or 30 years ago, and we keep adding to the legacy.

      If you hide records instead of deleting them, you end up with the Twitter situation. The records are hidden by a conventional mechanism, and anyone working with the system has to be aware of the conventions in order to not break something. Smart people are able to maintain such software, but almost no companies have the ability to codify such conventions in an effective manner.
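      The two approaches debated in this thread (a real DELETE under foreign key constraints, versus flipping an isVisible flag and relying on every read path to honour it) can be shown side by side. The following is an added example, not code from the page or from Twitter; the schema, the two accounts and the two messages are constructed for illustration, using SQLite from Python's standard library. It shows a hard delete being refused under ON DELETE RESTRICT, the same delete succeeding once the schema declares ON DELETE CASCADE, and a soft delete whose row is still returned by any query that forgets to filter on the flag (the export-file situation in the article):

```python
import sqlite3

# Constructed sample data (not from the page): two accounts and two DMs.
SEED_USERS = [(1, "alice"), (2, "bob")]
SEED_DMS = [(1, 1, 2, "hi bob"), (2, 2, 1, "hi alice")]


def new_db(on_delete: str = "RESTRICT") -> sqlite3.Connection:
    """In-memory DB whose dms rows reference users with the given ON DELETE rule."""
    conn = sqlite3.connect(":memory:")
    # SQLite does not enforce foreign keys unless asked, per connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(f"""
        CREATE TABLE users (id INTEGER PRIMARY KEY, handle TEXT NOT NULL);
        CREATE TABLE dms (
            id INTEGER PRIMARY KEY,
            sender_id    INTEGER NOT NULL REFERENCES users(id) ON DELETE {on_delete},
            recipient_id INTEGER NOT NULL REFERENCES users(id) ON DELETE {on_delete},
            body TEXT NOT NULL,
            is_visible INTEGER NOT NULL DEFAULT 1   -- the flag a soft delete flips
        );
        -- The convention: application reads are supposed to go through this view.
        CREATE VIEW visible_dms AS
            SELECT id, sender_id, recipient_id, body FROM dms WHERE is_visible = 1;
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.executemany(
        "INSERT INTO dms (id, sender_id, recipient_id, body) VALUES (?, ?, ?, ?)",
        SEED_DMS,
    )
    conn.commit()
    return conn


def hard_delete_user(conn: sqlite3.Connection, user_id: int) -> bool:
    """Real DELETE of an account. Returns False (and rolls back) if the
    foreign key constraints refuse it; with CASCADE the DMs go with the user."""
    try:
        with conn:
            conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        return True
    except sqlite3.IntegrityError:
        # "FOREIGN KEY constraint failed": the site-breaking case from the thread.
        return False


def soft_delete_dm(conn: sqlite3.Connection, dm_id: int) -> None:
    """The 'deleting just means isVisible = 0' approach: the row never leaves."""
    with conn:
        conn.execute("UPDATE dms SET is_visible = 0 WHERE id = ?", (dm_id,))


def visible_dm_bodies(conn: sqlite3.Connection) -> list:
    """A read path that respects the convention."""
    return [r[0] for r in conn.execute("SELECT body FROM visible_dms ORDER BY id")]


def raw_dm_bodies(conn: sqlite3.Connection) -> list:
    """A read path that does not, e.g. a bulk export or archive job."""
    return [r[0] for r in conn.execute("SELECT body FROM dms ORDER BY id")]


def count_users(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def count_dms(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM dms").fetchone()[0]


if __name__ == "__main__":
    restrict = new_db("RESTRICT")
    print("hard delete under RESTRICT succeeded:", hard_delete_user(restrict, 1))
    cascade = new_db("CASCADE")
    print("hard delete under CASCADE succeeded:", hard_delete_user(cascade, 1),
          "DMs left:", count_dms(cascade))
    soft = new_db()
    soft_delete_dm(soft, 1)
    print("visible:", visible_dm_bodies(soft), "raw export:", raw_dm_bodies(soft))
```

      The point for a reviewer is the last line: the soft-deleted message is gone from the view but present in the raw table, so any code path added later (an export, an analytics copy, a deprecated API) that queries the table directly resurrects it. Referential integrity declared in the schema, by contrast, makes the delete either succeed completely or fail loudly at the database layer.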

    7. Re: Flip a flag by Anonymous Coward · · Score: 0

      GDPR was written by Europeans. Europeans have no understanding of the internet. If they had, they would be able to compete. How is it that in 28+ years of the World Wide Web existing there are no Euro tech giants, hmmm? Not so smart after all.

    8. Re: Flip a flag by aix+tom · · Score: 2

      I have designed quite a few database schemas in the last twenty years or so. Deleting a "logical unit" (which might be spread out between different tables with different relations between them technically) has never been a *technical* problem for me.

The only problem is that the people who actually wind up using the system (and in the end pay you through one scheme or another) always whine and groan at you: "yes, yes, yes, I know, I deleted it. Yes, yes, I know, I even confirmed the dozens of security confirmations asking me that I really wanted it deleted. But now I want it back, and when I can't get it back it's YOUR SOFTWARE'S FAULT!!!!"

  4. Nothing digital ever dies by Anonymous Coward · · Score: 0

    You were warned.

  5. You only get what they want you to have by Anonymous Coward · · Score: 0

    By downloading your account's data, it's possible to download all of the data Twitter stores on you.

    Wrong.

    I decided to give it a try and the page where you can download your data says this:

    You can request a file with the information that we believe is most relevant and useful to you.

  6. How surprising. by Anonymous Coward · · Score: 0

    Evil, data-hoarding scumbag company keeps data indefinitely. News at 11.

  7. SFW by drinkypoo · · Score: 1

    This to you is news? It would be news if they did delete them, it definitely isn't that they keep them forever. Of course they keep them, the only things of value they have are messages, whether public or private.

    TL;DR: zzzzz

    --
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    1. Re:SFW by Anonymous Coward · · Score: 0

      OF COURSE.

      If ANY of you think for the SLIGHTEST FUCKING SECOND that ANY CORPORATION actually DELETES the data they have on you... YOU'RE FUCKING DELUDED and RETARDED.

      Your shit literally gets bought, sold, mined, pimped out, and fucking ASS RAPED daily.

      So WHAT THE FUCK are you FUCKING SHEEPLE gonna *** DO *** about it?

      Probably keep picking up the soap in the shower as usual.
      You know you like it.
      That's why you keep doing it.
      You ENSLAVED DUMBFUCKS.

    2. Re: SFW by astrofurter · · Score: 1

Don't you just love the smell of cybernetic totalitarianism in the morning?

    3. Re: SFW by drinkypoo · · Score: 1

Don't you just love the smell of cybernetic totalitarianism in the morning?

      I'm jeering, not cheering. We should all know that this is how they work. Now what are we going to do about it? Just sit around acting surprised?

      --
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  8. More money for EU taxpayers by Bruce66423 · · Score: 4, Insightful

Sounds like a blatant GDPR violation that can attract BIG fines.

    1. Re:More money for EU taxpayers by Anonymous Coward · · Score: 0

Someone needs to let the GDPR people know that their regulations are incompatible with the way these systems are built.

    2. Re:More money for EU taxpayers by Anonymous Coward · · Score: 0

      If a toxic waste processing plant is just stockpiling the stuff, then it's breaking its fundamental promise even though no one outside can see the difference. This cannot be excused by "the way the system is built".

    3. Re: More money for EU taxpayers by Anonymous Coward · · Score: 0

      Fines are expected & companies will keep doing the same db collection. News again at eleven. & they will be sooo sorry....

  9. Fixed immediately by Anonymous Coward · · Score: 0

    ... we could recover direct messages ...

    Obviously, that will be fixed immediately, the rest, not so much.

  10. It is not your average 3rd party by Anonymous Coward · · Score: 0

If in the US, the "third party" is the GUBBERMINT. And they want to read your messages, years later, decades later, maybe forever.

11. Trade-off; Internet memory by UnixUnix · · Score: 1

    True deletion would allow someone to send threatening or abusive DMs and then remove the evidence. Non-deletion means an ex-gf wants to delete hot NSFW DMs, especially her very NSFW nude pics, but can't; not even blocking me gets rid of them.

    It's over IRL but it lives forever in Internet memory.

    1. Re:Trade-off; Internet memory by Anonymous Coward · · Score: 0

      Twitter DM should be treated like a letter written with disappearing ink. If you're being threatened and want evidence, then you need to make a copy.