European data protection regulators are “engaging” with Twitter following a series of complaints from users that it’s ignoring requests to delete their direct messages, TechCrunch has learned.
Concerns over the privacy and security of Twitter DMs — which are not end-to-end encrypted (E2EE) — have grown since Elon Musk’s takeover of the company last fall, triggering an exodus of staff and relevant expertise. The sink-carrying billionaire’s arrival at Twitter HQ also led to a series of rapid-fire but ill-considered product changes by the self-styled Chief Twit, amping up reasons for users to worry about the safety of their data.
At the same time, there is a wider question mark hanging over the company in relation to how easily — or even whether — Twitter can delete data, following allegations by a security whistleblower last year.
The UK’s Information Commissioner’s Office (ICO) and Ireland’s Data Protection Commission (DPC) told TechCrunch they are talking to the social media firm after receiving a number of complaints from users that Twitter is failing to fulfil requests to delete DMs.
TechCrunch has learnt that Twitter is responding to this type of deletion request by telling the user about an existing option to deactivate their account — and providing them with generic information on how to do that.
In an email sent to one user, who had requested deletion of their DMs, the company wrote: “You can deactivate your account at any time. When deactivated, your Twitter account, including your display name, username, and public profile, will no longer be viewable on Twitter.com, Twitter for iOS, and Twitter for Android.”
Twitter also informed them that account deactivation can be reversed within 30 days “if it was accidentally or wrongfully deactivated” — before caveating this with a warning that “search engines and other third parties may still retain copies of your public information… even after you have deleted the information”. It ended the email by providing a link to “more information about account deactivation”.
The correspondence, which was signed “Twitter Office of Data Protection”, does not make any mention of deleting direct messaging data, which was what the person had actually asked to be deleted. The complaint by users, therefore, is that Twitter is denying European legal requests to delete their personal data.