In October, after Twitter refused to give a user information about how it tracks him when he clicks on links in tweets (as is the right of EU citizens under the newly passed, sweeping General Data Protection Regulation [GDPR] privacy law), Irish privacy authorities launched an investigation into the platform’s privacy practices.
Things could get hairier still, given the major privacy glitch Twitter disclosed on Thursday.
We’ve become aware of and fixed an issue where the “Protect your Tweets” setting was disabled on Twitter for Android. Those affected have been alerted and we’ve turned the setting back on for them. More here: https://t.co/0qM5B1S393
— Support (@Support) January 17, 2019
Twitter said that it had become aware of a bug that, under certain circumstances, switched private tweets to public view in Twitter for Android. That bug went unnoticed for four years, from 3 November 2014 until last Monday.
The bug disabled the “Protect your Tweets” setting for Android users if certain account changes were made, Twitter said. Namely, Android users would be well-advised to check their settings if they changed the email address associated with their account during that time period.
This doesn’t affect iOS or web users. Twitter says it fixed the issue on 14 January.
Twitter also turned “Protect your Tweets” back on for users it knows were affected. The thing is, the company isn’t entirely sure that it got to every affected account. Hence, it posted the notice in the Twitter Help Center and is encouraging people to review their privacy settings to make sure “Protect your Tweets” is still set correctly.
Graham X. Doyle, head of communications at the Irish Data Protection Commission (DPC), told Bloomberg Law on Thursday that the commission hasn’t yet launched a formal investigation into this new security flaw, but that it’s mulling the matter:
The [DPC] has been notified of this data breach and we are currently assessing its contents.
A company violating GDPR can face fines of up to 4% of its annual revenue.
Liz Kelley, a spokesperson for Twitter, told Bloomberg that it acted “immediately” to fix the problem once it was discovered. She said that Twitter’s also working with regulators to address the issue.
Twitter hasn’t put a number on how many users were affected.
Bryan
Am I merely too “vintage” to envision why I might publish a tweet yet keep it private*? Tweeting seems to be an intrinsically public act (reliant of course upon other factors such as number of followers). What would be the purpose of a “private” tweet?
* Aside the obvious privacy concerns naturally, in a service whose software glitch alters my own preference.
Paul Ducklin
Twitter itself quite reasonably warns you that you can’t stop your followers sharing protected tweets (e.g. via screenshot or copy-and-paste) – they just can’t retweet them via Twitter itself.
However, as Twitter concedes, the “protected” system wasn’t supposed to do what it did – no matter how weak a protection might be it ought to work as claimed! – so they have fixed it.
My own 2p is that if you feel strongly enough to use the “protected tweets” feature you should probably not use Twitter at all. My understanding is that the world mostly agrees because the “protected” feature is not widely used.