It’s not that easy to delete your direct messages on Twitter.
Private communications sent between individuals or to groups through Twitter’s “Messages” system, commonly known as direct messages, can only be eliminated if all the people involved in the conversation delete those messages, according to Twitter’s system. That means users looking to delete their DMs will need to make sure all of their counterparts do so as well.
And there’s a possibility that may not be enough.
One current and two former employees said that both senders and recipients deleting messages should completely remove them from Twitter’s internal systems — but there may be cases in which the system does not work as intended, or messages may not be deleted due to other circumstances. All three had direct knowledge of the company’s messaging system and data retention policies and asked to remain anonymous to speak freely about internal Twitter systems.
One person said direct messages should be gone from Twitter’s databases within a few weeks, while another said it normally takes just a few days. Twitter didn’t respond when asked about its direct messaging policies.
The lack of clarity regarding the deletion of private messages adds to broader concerns voiced publicly about Twitter’s data retention practices. Twitter holds a range of other types of user data, including phone numbers and the internet protocol addresses used to log in, which can reveal users’ location.
Pieter “Mudge” Zatko, a widely respected cybersecurity veteran and former security lead at Twitter, filed a whistleblower complaint in June accusing Twitter of poor cybersecurity practices, including concerns that it had not properly deleted the data of people who deleted their accounts.
“At the time of my employment it was not possible for Twitter to be compliant with a request that their user data be deleted,” Zatko said in testimony to the Senate in response to a question about the company’s ability to delete data in compliance with California and European regulations.
Direct messages, sometimes referred to as DMs, have long been a popular feature of the platform, allowing users to communicate away from Twitter’s public-facing feed. Those messages, however, are not as secure as those sent on apps like Signal, or Meta-owned WhatsApp and Facebook Messenger.
Twitter has never encrypted its direct messages, despite calls from cybersecurity activists to do so. That means that anytime anyone’s private messages are accessed they are immediately readable — whether by a government agency that asks Twitter to turn messages over via a warrant or court order, a rogue employee who has permission to examine users’ accounts, or hackers who have gained access to individual accounts or to Twitter’s own systems.
Twitter provides no way to bulk-delete direct messages. Silas Cutler, the senior director of cyber threat research at the Institute for Security and Technology, a San Francisco think tank, said that the difficulty in deleting data from Twitter has become its own risk, as there’s been a surge of third-party Twitter apps that promise to delete user data but require access to a user’s account to do that.
“I think deleting DMs and old posts is more dangerous for general folks,” Cutler said. “There are a lot of sketchy services offering ‘verification’ and cleanups, and it’s only going to lead to account takeovers.”
Some service options like Semiphemeral, which claims it does not need access to a user’s account to work, have grown in popularity as people look for easier ways to delete tweets, favorites and DMs.
Security concerns around Twitter’s private messaging service are newly relevant given that the company has either laid off or fired many employees since Elon Musk took over, which experts say substantially increases the chance that the company could be hacked or otherwise lose custody of users’ data.
Zatko said in his complaint that the company doesn’t actually understand its own retention of user data. Instead, he said, the company deliberately refers to deleted accounts as “deactivated” to cover for the potential that the data isn’t actually gone and because there just isn’t a good way for the company to track the data. Zatko declined to answer questions for this article.
Zatko also said in his whistleblower complaint that Twitter is breached far more frequently than the public is generally made aware, with about 20 major breaches in 2020 alone.
Cybersecurity experts and former Twitter employees say that a lack of a robust security staff makes the company more vulnerable to hackers who are constantly trying to find novel ways to break into software.
Musk announced plans to lay off about half of Twitter’s staff shortly after taking over at the end of October. A number of both rank-and-file employees and those in leadership roles, some from Twitter’s cybersecurity and trust and safety teams, have since quit. Even more engineers were fired in recent days.
Cutler recommended that Twitter users proceed with caution.
“After the Mudge testimony from earlier this year, there’s really good reason to be careful on the social media platforms and as things play out,” he said. “This is a continued reminder.”