Twitter’s direct messages have always been a security liability. The DMs you send to friends and Internet strangers aren’t end-to-end encrypted, making your conversations potentially accessible if Twitter suffers a data breach, or to company staffers with the right permissions to access them. Both scenarios are arguably more likely in Elon Musk’s version of Twitter, where key security and data protection staff have departed.
Since Musk acquired Twitter and started laying off thousands of employees at the start of November, remodeling the firm in his vision, multiple waves of tweeters have abandoned the platform. When they do, they often try to download their Twitter archive and delete DMs. In the chaos, the process has often been glitchy.
However, in Europe, people have turned to the continent’s GDPR data laws, which give people rights over how their information is collected, stored, and used. This includes the right to have data deleted. Yet Twitter’s response to these requests, which have been seen by Wired, appears to show the platform ignoring detailed asks to delete DMs and just pointing people to generic guidance that doesn’t explain whether Twitter deletes your DMs from its servers. And now Europe’s data regulators are getting involved.
“On Twitter, the delete button does not do what users think it does,” says Michael Veale, an associate professor focusing on digital rights and regulation in the Faculty of Laws at University College London. “If you delete your direct messages within the app or on the website, it does not remove them from Twitter’s server,” Veale says.
For years, there hasn’t been any clarity around what Twitter’s inbuilt tools for deleting your messages actually do. Within the social media site, there are, theoretically, two ways to delete the DMs you’ve sent. In your inbox, you can delete entire conversations, while within messages you can delete individual posts.
Neither of these options really appears to delete your messages. If you delete entire conversations, Twitter says, they are removed from your messages inbox but still available to the person you are messaging. Meanwhile, if you delete an individual message, Twitter says the people you sent it to “will still be able to see it.” Twitter’s help center says messages and conversations are “deleted from your account only.” It doesn’t say messages are deleted from its systems or servers.
Previous research has found that deleted DMs are held within Twitter’s servers for years. In 2022, Twitter whistleblower and former security chief Peiter “Mudge” Zatko claimed it wasn’t possible in some cases for Twitter to delete data.
At the start of November, Veale created a guide that people in Europe can use to request that Twitter delete DMs from its servers. In the guide, Veale says the “disaster scenario” is a data breach similar to 2015’s Ashley Madison hack, where people’s private lives were spread across the Internet. Journalists, activists, protesters, and more have all relied on Twitter’s messages in the past decade to share private information and get in touch with those who may be at risk.
Both Europe’s GDPR and California’s CCPA privacy laws give people the right to ask companies to delete data they hold about them, though there are exceptions to these rules. Furthermore, if someone writes to a company under GDPR and asks it to delete their data, the firm is obliged to reply and, if refusing, explain its reasons why. Veale’s guide suggests using this language to request DM deletion: “I wish for these data to be erased from all systems, including backup systems (on an appropriate schedule).” It further suggests asking only for messages sent by your account to be deleted (not those you have received), and states there’s no obvious reason why Twitter should keep the messages.
Lari Lohikoski, a communications professional and entrepreneur based in Finland, manually deleted his DM conversations after Musk took over Twitter but also decided to request the company delete them from its systems. “I don’t see my direct messages on Twitter’s user interface, but I very much think that they are on their server still,” Lohikoski says.