Most people can live their digital lives assuming they can delete their posts, messages, and personal data from the services whenever they want. But a technical hearing this week challenged that fundamental assumption.
Peiter “Mudge” Zatko, Twitter’s former security chief, told a Senate committee Tuesday that the social network does not reliably delete the data of users who cancel their accounts, expanding on the explosive allegations it made in a whistleblower disclosure first reported by CNN and the Washington Post last month.
In his testimony and disclosure to the whistleblower, Zatko alleged that Twitter does not reliably delete user data, in some cases because it has lost track of information. Twitter has largely defended itself against Zatko’s allegations, saying its disclosure paints a “false narrative” from the company. In response to questions from CNN, Twitter previously said it had workflows in place to “begin a removal process,” but didn’t say whether it generally completes that process.
While Zatko’s allegations are astonishing, they only served to remind Sandra Matz “how often we are stupid” by sharing our data online.
“It sounds very simple, but whatever you post, don’t expect it to go private again,” said Matz, a social media researcher and professor at Columbia Business School. “Removing something from the Internet, pressing the reset button – is almost impossible.”
The challenge of feeling in control of our data and confident in our ability to delete it has probably never been higher. Following the Supreme Court’s decision to overturn Roe v. Wade in June, it is now possible to use search histories, location data, text messages and more to punish people who seek or access information about abortion services online.
In July, Meta, parent of Facebook has been subject to scrutiny After news broke, messages sent via Messenger and obtained by law enforcement were used to accuse a Nebraska teenager and her mother of having an illegal abortion. (There was no indication that any of the posts in this case had ever been deleted.)
Ravi Sen, a cybersecurity researcher and professor at Texas A&M University, said law enforcement and other groups “with resources and access to the right kind of tools and expertise” could likely recover the data. data deleted, under certain circumstances.
Sen said many people don’t know all the places where their data ends up. Any post, whether it’s an email, social media comment, or direct message, is typically saved on the user’s device, the recipient’s device, and the servers belonging to a company whose platform you used. “Ideally,” he said, “if the user who generated the content” deletes it, “the content should disappear from all three locations.” But usually, he said, “it doesn’t come that easily.”
Sen said you can contact companies and ask them to remove your data from their servers, though many are likely never to take that step. The chances of recovering a deleted message from a user’s device decrease over time, he added.
The best way to control your data online is to primarily use apps that offer end-to-end encryption, according to privacy experts. It is also important to manage your cloud backup settings to ensure that private data from encrypted services is still not accessible elsewhere.
But even with all the precautions an individual can take on their own, once you’ve put something online, Matz says, “you’ve essentially lost control.”
“Because even if Twitter now deletes the post, or if you delete it from Facebook, someone else may have already copied the photo you posted,” she said.
Matz said she recommends people be more careful about what they share on Big Tech platforms. As pessimistic as that sounds, she thinks it’s best to be overly cautious online.
“Just assume that whatever you put out there can be used by anyone and will live in perpetuity,” she said.