Most people live their digital lives with the assumption that they can delete their posts, messages, and personal information from services at any time. But a technical hearing this week challenged that core assumption.
Peiter “Mudge” Zatko, Twitter’s former security chief, told a Senate committee on Tuesday that the social network does not reliably delete the data of users who cancel their accounts, building on bombshell allegations he made in a whistleblower disclosure first reported by CNN and The Washington Post last month.
In his statement and whistleblower disclosure, Zatko claimed that Twitter does not reliably delete users’ data, in some cases because it has lost track of the information. Twitter has largely denied Zatko’s allegations, saying his disclosure paints a “misrepresentation” of the company. In response to questions from CNN, Twitter has previously said it has workflows to “commence a deletion process,” but hasn’t said if it typically completes that process.
While Zatko’s allegations are intriguing, they also served as just another reminder to Sandra Matz of “how often we are thoughtless” when sharing our data online.
“It sounds very simple, but whatever you post, never expect it to go private again,” said Matz, a social media researcher and professor at Columbia Business School. “Removing something from the internet, hitting the reset button – it’s almost impossible.”
The stakes for feeling in control of our data and having confidence in our ability to delete it have arguably never been higher. Following the Supreme Court's decision overturning Roe v. Wade in June, law enforcement now has the ability to use search history, location data, text messages and more to punish people who search online for information about or access to abortion services.
In July, Facebook parent Meta came under scrutiny after it was revealed that messages sent through Messenger and obtained by law enforcement were used to charge a Nebraska teen and her mother with an illegal abortion. (There was no indication that any of the messages in this case had been previously deleted.)
Ravi Sen, a cybersecurity researcher and professor at Texas A&M University, said law enforcement and other groups “with resources and access to the right tools and expertise” could likely recover deleted data in certain circumstances.
Sen said many people don’t know all the places their data ends up. Any post, whether it’s an email, social media comment, or direct message, is typically stored on the user’s device, the recipient’s device, and the servers of the company whose platform was used. “Ideally,” he said, “if the user who generated the content” deletes it, “the content should disappear from all three places.” But in general, he said, “it’s not that easy.”
Sen said you can reach out to companies and ask them to wipe your data from their servers, though many people likely never take that step. The likelihood of recovering a deleted message from a user’s device decreases over time, he added.
According to privacy experts, the best way to control your online data is to mainly use apps that offer end-to-end encryption. It’s also important to manage your cloud backup settings to ensure private data from encrypted services isn’t accessible elsewhere.
But even with all the precautions a person can take on their end, Matz says, once you put something online, “you’ve essentially lost control.”
“Because even if Twitter deletes the post now, or you delete it from Facebook, someone else might have already copied the image you posted there,” she said.
Matz said she recommends that people pay more attention to what they share on big tech platforms. As pessimistic as it sounds, she thinks it’s better to be overly cautious online.
“Just assume that whatever you put out there can be used by anyone and will last forever,” she said.