Twitter’s direct messages have always been a security liability. The DMs you send to friends and internet strangers aren’t end-to-end encrypted, making your conversations potentially accessible if Twitter suffers a data breach, or to company staffers with the right permissions to access them. Both scenarios are arguably more likely in Elon Musk’s version of Twitter, where key security and data protection staff have departed.
Since Musk acquired Twitter and started laying off thousands of employees at the start of November, remodeling the firm in his vision, multiple waves of tweeters have abandoned the platform. When they do, they often try to download their Twitter archive and delete DMs. In the chaos, the process has often been glitchy.
However, in Europe, people have turned to the continent’s GDPR data laws, which give people rights over how their information is collected, stored, and used. This includes the right to have data deleted. However, Twitter’s response to these requests, which have been seen by WIRED, appears to show the platform ignoring detailed asks to delete DMs and just point people to generic guidance that doesn’t explain whether Twitter deletes your DMs from its servers. And now Europe’s data regulators are getting involved.
“On Twitter, the delete button does not do what users think it does,” says Michael Veale, an associate professor focusing on digital rights and regulation in the Faculty of Laws at University College London. “If you delete your direct messages within the app or on the website, it does not remove them from Twitter’s server,” Veale says.
For years, there hasn’t been any clarity around what Twitter’s inbuilt tools for deleting your messages actually do. Within the social media site, there are, theoretically, two ways to delete the DMs you’ve sent. In your inbox, you can delete entire conversations, while within messages you can delete individual posts.
Neither of these options really appears to delete your messages. If you delete entire conversations, Twitter says, they are removed from your messages inbox but still available to the person you are messaging. Meanwhile, if you delete an individual message, Twitter says the people you sent it to “will still be able to see it.” Twitter’s help center says messages and conversations are “deleted from your account only.” They don’t say messages are deleted from its systems or servers.
Previous research has found that deleted DMs are held within Twitter’s servers for years. In 2022, Twitter whistleblower and former security chief Peiter “Mudge” Zatko claimed it wasn’t possible in some cases for Twitter to delete data.
At the start of November, Veale created a guide that people in Europe can use to request that Twitter deletes DMs from its servers. In the guide, Veale says the “disaster scenario” is a data breach similar to 2015’s Ashley Madison hack, where people’s private lives were spread across the internet. Journalists, activists, protesters, and more have all relied on Twitter’s messages in the past decade to share private information and get in touch with those who may be at risk.
Both Europe’s GDPR and California’s CPPA privacy laws give people the right to ask companies to delete data they hold about them, though there are exceptions to these rules. Furthermore, if someone writes to a company under GDPR and asks it to delete their data, the firm is obliged to reply and, if refusing, explain its reasons why. Veale’s guide suggests using this language to request DM deletion: “I wish for these data to be erased from all systems, including backup systems (on an appropriate schedule).” It further suggests asking only for messages sent by your account to be deleted (not those you have received), and states there’s no obvious reason why Twitter should keep the messages.
Lari Lohikoski, a communications professional and entrepreneur based in Finland, manually deleted his DM conversations after Musk took over Twitter but also decided to request the company delete them from its systems. “I don’t see my direct messages on Twitter’s user interface, but I very much think that they are on their server still,” Lohikoski says.
Twitter initially replied to his request with a short message advising him to delete his account to get rid of messages, which Lohikoski says is not what was asked for. (In November, the author of this article made a request for Twitter to delete their DMs and received a similar one-line response from Twitter.) Twitter, which no longer has a communications department, did not respond to WIRED’s request for comment. Its policies say: “Once your account is deleted, your account is no longer available in our systems.” It is not clear whether this means the data is deleted entirely, or is unavailable internally.
Lohikoski, who says Twitter doesn’t “seem to respect the GDPR,” complained to Finland’s data regulator and also the Irish data regulator, the body that primarily oversees Twitter in Europe. Veale received a similar message and complained to the Irish regulator as well as the UK’s Information Commissioner’s Office (ICO). TechCrunch has also reviewed complaints about deleting DMs.
The ICO told Veale that Twitter’s response “failed to comply with the requirement of the data protection legislation” as it didn’t reply properly to the request and only provided “general information” about deleting Twitter accounts. The ICO said it would write to Twitter. Companies that don’t follow GDPR rules may be liable for large fines or enforcement action—although it would be rare in this circumstance.
On January 18, Lohikoski says he received a “surprise” email from Twitter. It repeated Twitter’s help center advice about DMs. It did not directly respond to the points made in the initial request. Lohikoski says “this again does not respond to my request.” (The ICO told Veale that Twitter also replied to him around this time; however, it appears to have sent the message to an email address that doesn’t belong to Veale. The ICO told the company to explain how this happened.) An ICO spokesperson says that it is “engaged in dialog” with Twitter’s data protection officer and assessing the impacts of changes to Twitter under Musk. The ICO did not comment on any specifics of complaints about DMs being deleted.
Since Musk took charge at Twitter, the company has been trying to reassure regulators that it is taking its obligations, particularly in Europe, seriously. European officials have criticized Twitter for suspending journalists and changing its API access in ways that could impact disinformation research. Twitter is also likely to fall under the strictest tier of Europe’s new Digital Services Act, which could see companies face large fines for not complying with its rules.
Twitter has claimed it wants to introduce end-to-end encryption to its DMs, but this could take awhile, if it ever happens at all. Until then, it is probably best not to include sensitive information in DMs. Instead, you should consider an encrypted messenger, such as Signal.
Ultimately, Veale says, Big Tech companies are trying to position themselves so that they decide what people’s information rights are and what information they should provide to people. Veale highlights tech companies’ “download your data” services, which provide people with their posts, photos, and other data, but appear to avoid providing other forms of data such as analytical information. “We don’t really know the extent of information that’s collected by these companies,” Veale says. “The real core problem is that these companies disguise things that look like information rights behind fake user interfaces.”