Why it matters: Twitter apparently retains direct messages for years even if the accounts are suspended or deactivated. This could potentially have privacy ramifications leading to regulatory action.
Deleting your direct messages on Twitter doesn't actually delete them at all. In fact, Twitter appears to retain messages for years even if an account is suspended or deactivated, according to a report by TechCrunch.
Security researcher Karan Saini told the publication he found that messages he'd sent years ago were still there after he downloaded an archive of his account. Some of the messages were from accounts that had long since been deactivated. Saini was even able to use a deprecated Twitter API to get DMs that had been deleted from both sender and recipient.
TechCrunch conducted their own tests and confirmed they were able to retrieve direct messages that were sent from suspended or deactivated accounts. Anyone can download their Twitter archive, which essentially has all the data Twitter stores for your account.
Saini's primary concern wasn't necessarily that the messages were being retained, but rather the length of time those messages were held.
"We keep Log Data for a maximum of 18 months. When deactivated, your Twitter account, including your display name, username, and public profile, will no longer be viewable on Twitter.com, Twitter for iOS, and Twitter for Android. For up to 30 days after deactivation it is still possible to restore your Twitter account if it was accidentally or wrongfully deactivated."
It appears as if Twitter is intentionally retaining data after the 30 days are up and after the 18-month maximum. As TechCrunch notes, this is egregious not for security reasons but for privacy. In fact, Twitter may be liable under Europe's General Data Protection Regulation (GDPR) and made to pay up to four percent of their annual income for violations.
For now, Twitter has stated that the company is "looking into this further to ensure we have considered the entire scope of the issue."