A new report from TechCrunch has revealed that Twitter may keep your deleted direct messages for years.
The discovery was made when security researcher Karan Saini downloaded an archive of his data from the Twitter website and found a file containing messages that were years old and sent from accounts that are no longer on Twitter. After further testing, TechCrunch was able to retrieve messages sent to and from a suspended Twitter account that dated back to March 2016.
Not only is it concerning that Twitter keeps these deleted messages for so long, but it may also be a violation of the EU GDPR (European Union General Data Protection Regulation), which requires companies to delete a user's data on request. If Twitter is keeping supposedly deleted data for years after these requests are made, it could be subject to a fine of up to 4% of its annual turnover.
A Twitter spokesperson has responded to the TechCrunch article saying they are “looking into this further to ensure we have considered the entire scope of the issue.”
The main takeaway is that it's always best to assume that what happens on the internet stays on the internet, even if you hit the delete button. You can't be sure how long any messages you send will be kept, and if you're not using an encrypted messaging solution, anyone could potentially access them. If this has you concerned, stop using Twitter for DMs and instead use an encrypted solution such as Signal.