What Saini found
Saini downloaded an archive of his data on Twitter from accounts that were no longer on Twitter that contained messages that were years old. He also reported a similar bug a year earlier that was just disclosed now, that allowed him to use an API to retrieve direct messages even after they had been deleted both by the sender and recipient. The API is no longer approved.
An API is described by Wikipedia: “In computer programming, an application programming interface (API) is a set of subroutine definitions, communication protocols, and tools for building software. In general terms, it is a set of clearly defined methods of communication among various components. A good API makes it easier to develop a computer program by providing all the building blocks, which are then put together by the programmer.” Saini was unable to retrieve messages from accounts that were suspended.
Saini, speaking to TechCrunch, said that he had concerns that data was retained by Twitter for so long.
How the delete system works
At one time Twitter allowed users to “unsend” their direct messages. By deleting the message in their own inbox, it also deleted it in the receiver’s inbox. This has changed so that now the deletion is only of the message in your own inbox. Anyone else to whom the message was sent can still see the direct message.
Anyone who wants to leave Twitter can have their account deactivated and then deleted. After 30 days the accounts disappears along with its data.
The disappeared account data is still recoverable
However tests showed that direct messages could be recovered from years ago including those from suspended or deleted accounts. By downloading your account’s data you can retrieve all of the data Twitter has stored on you. A conversation dated March 2016 is shown in a TechCrunch article.
Delete doesn’t mean delete exactly on Twitter
Saini calls the weakness a “functional bug” rather than a security flaw but claims that the bug allows anyone a way to bypass to bypass suspended or deactivated accounts.
The bug creates a privacy issue
The bug means that when you delete you have not really deleted your direct message. It means that high risk accounts, such as those of journalists and activists are open to government demands for data from years earlier that the users thought had been deleted.
Twitter claims that for only a brief period after an account has been deactivated, 30 days, in which Twitter could access account information including tweets and direct messages to provide them to law enforcement officials. However, a Twitter spokesperson told TechCrunch that the company was looking into the matter further to ensure that they had considered the full scope of the matter.
Twitter may run afoul of EU regulations
Retaining direct messages for years could put the company in a grey area at the very least with respect to the EU’s new GDPR rules. Wikipedia describes the General Data Protection Regulations as follows: “The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personal data of individuals (formally called data subjects in the GDPR) inside the EEA, and applies to an enterprise established in the EEA or—regardless of its location and the data subjects’ citizenship—that is processing the personal information of data subjects inside the EEA…. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.”
The GDPR regulations allow a user to demand that a company deletes their data. The demand process is quite simple. Neil Brown a UK lawyer said that any request from a user to delete their data that is directly communicated to the company involved is a valid exercise of the user’s right.
For violating the GDPR rules a firm can be fined up to 4 percent of their yearly turnover.
However, Brown said: “A delete button is perhaps a different matter, as it is not obvious that ‘delete’ means the same as ‘exercise my right of erasure’.” Since there is no case law yet under the new rules it will be up to the courts to decide the matter Brown said.
The appended video was posted in April of 2017 and shows methods of recovering deleted messages on Twitter and includes a software program. In the comments, the program worked for quite a few but some could not get it to function.
