Should I delete my DMs? What Twitter has on you, and what you can and can’t do with it
It is not so easy to delete direct messages on Twitter.
Private communications sent between individuals or to groups through Twitter’s “Messages” system, commonly known as direct messages, can only be eliminated if every participant in the conversation deletes them, according to people familiar with Twitter’s system. This means that users who wish to delete their DMs must ensure that all their counterparts do so as well.
And even that may not be enough.
One current and two former employees said both senders and recipients who delete messages should remove them entirely from Twitter’s internal systems — but there may be cases where the system isn’t working as intended, or messages can’t be deleted for other reasons. All three had direct knowledge of the company’s messaging system and data retention policies and asked to remain anonymous in order to speak freely about internal Twitter systems.
One person said direct messages should disappear from Twitter’s databases within a few weeks, while another said it usually only takes a few days. Twitter did not respond when asked about its direct messaging policy.
The lack of clarity regarding the deletion of private messages adds to broader concerns expressed publicly about Twitter’s data retention practices. Twitter has a variety of other types of user data, including phone numbers and the Internet Protocol addresses used to log in, that can reveal users’ locations.
Pieter “Mudge” Zatko, a highly respected cybersecurity veteran and former head of security at Twitter, filed a whistleblower complaint in June accusing Twitter of poor cybersecurity practices, including concerns that it had not deleted the data of people who deleted their accounts.
“At the time I was hired, it was not possible for Twitter to be compliant with a request that their user data be deleted,” Zatko said in Senate testimony in response to a question about the company’s ability to delete data in compliance with California and European regulations.
Direct messages, sometimes referred to as DMs, have long been a popular feature on the platform, allowing users to communicate away from Twitter’s public feed. However, these messages are not as secure as those sent on apps such as Signal or Meta-owned WhatsApp and Facebook Messenger.
Twitter has never encrypted its direct messages, despite calls from cybersecurity activists to do so. That means any time someone’s private messages are accessed, they’re immediately readable—whether by a government agency asking Twitter to turn over messages via a warrant or court order, a rogue employee with permission to examine users’ accounts, or hackers who have gained access to individual accounts or to Twitter’s own systems.
Twitter does not provide an option to mass delete direct messages. Silas Cutler, senior director of cyber threat research at the Institute for Security and Technology, a San Francisco think tank, said the difficulty of deleting data from Twitter has become its own risk, as there has been a wave of third-party Twitter apps that promise to delete user data but require access to a user’s account to do so.
“I think deleting DMs and old posts is more dangerous for regular people,” Cutler said. “There are many sketchy services that offer ‘verification’ and cleanups, and that will only lead to account takeovers.”
Some alternative services, such as Semiphemeral, which claim they don’t need access to a user’s account to work, have grown in popularity as people look for easier ways to delete tweets, favorites and DMs.
Security concerns surrounding Twitter’s private messaging service have recently come to the fore given that the company has laid off or otherwise lost many employees since Elon Musk took over, which experts say greatly increases the chance that the company could be hacked or otherwise lose custody of users’ data.
Zatko said in his complaint that the company does not actually understand its own retention of user data. Instead, he said, the company deliberately refers to deleted accounts as “deactivated” to cover the possibility that the data isn’t actually gone, and because the company simply doesn’t have a good way to track the data. Zatko declined to answer questions for this article.
Zatko also said in his whistleblower complaint that Twitter is breached far more often than the public is generally made aware of, with around 20 major breaches in 2020 alone.
Cybersecurity experts and former Twitter employees say the lack of a robust security staff makes the company more vulnerable to hackers, who are constantly trying to find new ways to break into software.
Musk announced plans to lay off about half of Twitter’s employees shortly after the takeover in late October. A number of both rank-and-file employees and those in leadership roles, some from Twitter’s cybersecurity and trust and safety teams, have since left. Even more engineers have been fired in recent days.
Cutler advised Twitter users to proceed with caution.
“After the Mudge testimony from earlier this year, there’s really good reason to be careful on the social media platforms and when things play out,” he said. “This is a continuing reminder.”