Peiter “Mudge” Zatko, the former security chief at Twitter, told a Senate committee on Tuesday that the social network does not reliably delete the data of users who cancel their accounts, expanding on bombshell allegations he made in a whistleblower disclosure first reported by CNN and The Washington Post last month.
In his testimony and whistleblower disclosure, Zatko alleged Twitter does not reliably delete users’ data, in some cases because it has lost track of the information. Twitter has broadly defended itself against Zatko’s allegations, saying his disclosure paints a “false narrative” of the company. In response to questions from CNN, Twitter has previously said it has workflows in place to “begin a deletion process” but has not said whether it typically completes that process.
While Zatko’s allegations are stunning, they also served as just another reminder to Sandra Matz of “how oftentimes mindless we are” in sharing our data online.
“It sounds very simple, but whatever you put out there, don’t ever expect it to become private again,” said Matz, a social media researcher and professor at Columbia Business School. “Retracting something from the internet, hitting the reset button — is almost impossible.”
The stakes for feeling in control of our data, and confident in our ability to delete it, have arguably never been higher. In the wake of the Supreme Court’s decision to overturn Roe v. Wade in June, there’s now potential to use search histories, location data, text messages and more to punish people who look online for information about or access to abortion services.
In July, Facebook-parent Meta came under harsh scrutiny after news broke that messages sent through Messenger and obtained by law enforcement had been used to charge a Nebraska teen and her mother with having an illegal abortion. (There was no indication any of the messages in that case had previously been deleted.)
Ravi Sen, a cybersecurity researcher and professor at Texas A&M University, said law enforcement and other groups “with resources and access to the right kind of tools and expertise” could likely recover deleted data, in certain circumstances.
Sen said many people don’t know all the places where their data ends up. Any post, whether it’s an email, social media comment or direct message, is typically saved on the user’s device, the recipient’s device and the servers owned by a company whose platform you used. “Ideally,” he said, “if the user who generated the content” deletes it, “the content should disappear from all three locations.” But generally, he said, “it doesn’t happen that easily.”
Sen said you can reach out to companies and ask them to delete your data from their servers, though many presumably never take this step. The chances of recovering a deleted message from a user’s device decrease with time, he added.
The best way to control your online data is to primarily use apps that offer end-to-end encryption, according to privacy experts. It’s also important to manage your cloud backup settings to ensure that private data from encrypted services isn’t still accessible elsewhere.
But even with all the precautions an individual can take on their end, once you put something online, Matz says, “you’ve essentially lost control.”
“Because even if Twitter now deletes the post, or you delete it from Facebook, someone else might have already copied the picture that you put out there,” she said.
Matz said she recommends people be more mindful about what they share on Big Tech platforms. As pessimistic as it sounds, she thinks it’s better to be overly cautious online.
“Just assume that everything you put out there can be used by anyone, and will live in perpetuity,” she said.