TechCrunch has reported that the security researcher Karan Saini found out that when a user deletes direct messages, it is not deleted on Twitter's end. This includes messages that were sent between deleted and suspended accounts as well. While it isn't clear if Twitter stores deleted messages indefinitely, it sure seems that the social media platform keeps them for years.
When a direct message is deleted, the user interface no longer shows it, giving the impression that it's gone for good. However, as Saini found out, even years-old messages can be retrieved by using the platform's archive feature.
Saini has reported this problem on HackerOne, which is a bug bounty service that works with Twitter and encourages ethical hackers to disclose vulnerabilities in exchange for a reward. Moreover, he has also stumbled upon a previously undisclosed bug that makes it possible to retrieve deleted messages using an API, the difference being that this bug cannot access messages from suspended accounts.
Back in the day, Twitter allowed users to unsend messages, which enabled them to delete sent messages not only from their account, but also from the recipient's inbox. That has changed now and if a user deletes a sent message, it is still viewable to the recipient unless they delete it too. However, as Saini has discovered, Twitter keeps deleted messages saved on its servers, even it has been deleted by both the sender and receiver.
This implies that Twitter permanently deletes all data it has on the user after the grace period but that clearly isn't the case. Even TechCrunch's own test has revealed that it is possible to recover years old direct messages, even if the associated accounts have since been deleted or suspended.
Saini has termed this a functional bug, and not a security flaw, but has still raised concerns over the data retention. The bug also poses a security issue, as it can make it possible for governments, especially fascist regimes, to exact information on power users such as journalists. Twitter is aware of the problem and is looking into it currently. However, that doesn't necessarily mean that it will stop retaining deleted messages in the future.
Social media platforms have received flak from civil society and governments around the world for their failure to take privacy more seriously. The data retention issue can land Twitter in trouble as Europe's General Data Protection Regulation (GDPR) law gives users "the right to be forgotten,'' as well as the right to erasure.
In simple terms, it grants users the rights to have their personal data erased. Since delete doesn't necessarily translate into erasure, Twitter might escape unscathed. However, the latest revelation could definitely make privacy-conscious users flee the platform, something that Twitter would definitely not want, as its user base has been shrinking over the years already. If it's any consolation, the deleted messages are only available to the sender and the receiver of the message and cannot be viewed by anyone else.