(CNN Business) — Most people live their lives on the internet with the assumption that they can delete their posts, messages and personal data from the services whenever they want. But a tech hearing this week called that fundamental assumption into question.
Peiter “Mudge” Zatko, former head of Twitter security, testified Tuesday before a Senate committee that the social network does not reliably delete the data of users who cancel their accounts, thus expanding on the startling allegations it made in a disclosure that was published by CNN and The Washington Post last month.
In his testimony and disclosure, Zatko alleged that Twitter does not reliably delete user data, in some cases because it has lost track of the information. Twitter has widely defended itself against Zatko’s accusations, saying his disclosure paints a “false narrative” of the company. In response to questions from CNN, Twitter previously said it has workflows to “start a takedown process,” but hasn’t said whether it typically completes that process.
Although Zatko’s accusations are surprising, they have also served to remind Sandra Matz “how brainless we often are” when sharing our data online.
“It sounds so simple, but whatever you put out there, don’t ever expect it to be private again,” said Matz, a social media researcher and professor at Columbia Business School. “Removing something from the internet, hitting the reset button, it’s almost impossible.”
It could be said that what is at stake is the feeling of control of our data and the confidence in our ability to delete it. Following the decision of the Supreme Court to annul the case Roe v. Wade in June, there is now the potential to use search histories, location data, text messages and other data to punish people who search the internet for information about or access to abortion services.
In July, Meta, the parent company of Facebook, came under heavy scrutiny after it emerged that messages sent via Messenger and obtained by law enforcement had been used to accuse a Nebraska teenager and her mother of practicing an illegal abortion. (There was no indication that any of the messages in that case had been previously deleted.)
Ravi Sen, a cybersecurity researcher and professor at Texas A&M University, said that law enforcement and other groups “with the right resources and access to the right kind of tools and knowledge” could recover deleted data, under certain circumstances.
Sen said many people don’t know all the places their data ends up. Any post, be it an email, a social media comment or a direct message, is typically saved on the user’s device, the recipient’s device and on the servers of the company whose platform was used. “Ideally,” she said, “if the user who generated the content” deletes it, “the content should be gone from all three locations.” But in general, he added, “it doesn’t happen that easily.”
Sen said you can go to companies and ask them to wipe your data from their servers, though presumably many never take this step. The chances of recovering a deleted message from a user’s device decrease over time, he added.
According to privacy experts, the best way to control online data is to primarily use apps that offer end-to-end encryption. It is also important manage cloud backup settings to ensure that private data from encrypted services is no longer accessible elsewhere.
But even with all the precautions an individual can take on their part, once you put something online, Matz says, “you’ve essentially lost control.”
“Because even if Twitter deletes the post, or you delete it from Facebook, someone else may have already copied the photo you put there,” he said.
Matz recommends that people be more mindful of what they share on Big Tech platforms. Although he sounds pessimistic, he believes that it is better to be excessively cautious on the internet.
“Assume that everything you post can be used by anyone, and will live in perpetuity,” he said.