Deleting DMs from Twitter using the GDPR

After laying off huge proportions of staff, this week Twitter's Chief Information Security Officer, Chief Privacy Officer and Chief Compliance Officer resigned, with the head of Trust and Safety also no longer in post.

Permanent link: https://perma.cc/LSM4-G74L

As information security commentators quickly noted, in response to reporting that engineers were asked to "self certify" compliance with laws they likely did not understand:

This led to several people expressing concerns around the security of their direct messages. Direct messages on Twitter are not end-to-end encrypted, as you can expect them to be on Signal or on WhatsApp, which means that Twitter can, if they wished to, read them. Twitter spying on you may not be your usual threat model, but when a company tanks, there are both concerns around who they sell that data to, and the security of that data. This is why end-t0-end encrypted messengers are generally crucial — if implemented correctly at the time the messages are being sent, they can give you a lot of security later regardless of what happens to the company.

The disaster scenario is an Ashley Madison one — where a site famous for extramarital dating had 60gb of sensitive data leaked by a hacking group in August 2015. Some have attributed several suicides to this incident.

But, deleting messages is not a simple feat. Firstly, do you trust that Twitter really deletes the messages you ask it to? As Zach Whittaker and Natasha Lomas noted in 2019, data requests to Twitter have previously unearthed messages that according to Twitter's own policy and communications, should have been deleted. It is unclear what the "delete" button even does with regards to back-end systems, including backups. So we cannot rely on the user interface to save the day. Secondly, even if we could, there appears to be no simple way to delete multiple DMs, leaving an arduous task of going through one-by-one, with little guaranteed security at the end of it. Some plugins promise to do this for you, but you risk even more by letting an untrusted third party read your direct messages — some cures could be worse than the disease.

This is where we can attempt to make use of your right to erasure under data protection law. Many jurisdictions have such a right. In the EU, it is popularly known as the "right to be forgotten". (note, UK residents: you can still do this too).

The Twitter Privacy Policy conflates your right to deletion with the deactivation of an account. Of course, Twitter retains the right to deactivate the account of anyone they choose — they do not (yet) have any obligations to carry your content.

Yet the right to erasure in EU law (and similar jurisdictions' statutes) does not operate in an all-or-nothing way. Different categories of personal data is processed for particular purposes, and data subjects can be specific about what they wish to be erased.

How to make an erasure request (under EU law)

Twitter does not let you make contact with their privacy team through email. This is questionable legally, but let's just go with what they have: a form from a contractor of theirs called NAVEX that uses the 'EthicsPoint' platform for confidential reporting.

You can access it at this link.

You can use the suggested text I have written below, amending it as you wish. If someone wishes to write a letter for other jurisdictions, such as California, I am happy to include it below. Note, you may wish to download your data in your Twitter settings before this: this will include your DMs for your own archiving purposes.

Dear Twitter
I am writing to request the erasure of all Direct Messages (DMs) I have sent from the account referred to above under the right to erasure (Article 17, GDPR). I am specifically not asking for any other data, such as tweets, or DMs sent to me from others, to be erased. I am not requesting you to deactivate my account. I have already downloaded a copy of any DMs I wish to retain. I wish for these data to be erased from all systems, including backup systems (on an appropriate schedule). This implies that they should also become inaccessible to the recipient. No copies of any direct messages sent by my account should remain on Twitter's or their data processors' servers. I have noted that it is possible to delete direct messages one by one, but it is unclear how this relates to Twitter's storage of them, and it is against the fairness principle of the GDPR to require such a labourious process, and I am instead using my legal right to ask for data erasure in writing.
Please note the following:
 1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. These messages have been sent and read.
2. I have withdrawn consent to, and objected to any legitimate interests relating to, the processing of data within my DMs.
3. I believe the personal data are currently being unlawfully processed due to the absence of a Data Protection Officer within Twitter.
I also note that
as I am only requesting my own sent DMs be deleted, and not those written by other people to me, there is no issue with the exercise of freedom of expression and information. (17(3)(a))
I do not know of any legal obligation in my jurisdiction which requires processing of my DMs. If such an obligation exists, please specify it precisely (17(3)b).
I see no reason to retain data for the establishment, exercise or defence of legal claims. If any such claims exist, please specify them precisely (17(3)(e)).

Important: Write down the password and report key!

The Twitter EthicsPoint system did not, at least when I last used it, have a way to reset the EthicsPoint form password it asks you to make. Write it down! Also write down the "report key" you get on the next page. Else you won't be able to see their response.

Final step

Set a calendar reminder for 1 month's time. Twitter has a legal obligation to reply in that time. They can say the request is complex, and may give you a further timeframe. If you have heard nothing back, or a timeframe given has elapsed, submit a short complaint to the Irish Data Protection authority (if you live in the European Union, EFTA States, or the United Kingdom). You can also (or instead) submit a complaint to your national regulator. If you're in the EU/EFTA, find your local authority here. Many, many countries have similar laws and you can amend the above complaint (basically, substitute your national law for 'GDPR' and remove article numbers). You can then submit your complaint to your national data protection or privacy authority, if it exists.

Disclaimer

Given that there may be no technical or legal staff left to process these requests, your mileage may vary.

Good luck!