Elon Musk is about to own your DMs, but he may not be Twitter’s biggest privacy risk.
Elon Musk’s Twitter buyout will likely be a done deal on October 28. For just $44 billion, he will own what he once referred to as a “de facto town square.” He also, it seems, will own all of Twitter users’ data.
If you care about digital privacy and you’re a Twitter user, this may not be great news. Over the years, Twitter has been dogged by privacy and security issues, while also dragging its feet on implementing possible solutions. The result is that conceivably everything you’ve ever done or said on Twitter, public or private — including your direct messages — may soon belong to one of the richest people in the world, a man known for being unpredictable, childish, and even vengeful. It’ll also be owned by a man who reportedly plans to get rid of 75 percent of its staff, which could compromise Twitter’s security even more. Oops!
There’s a lot we still don’t know, and it may be a long time before it’s revealed. Musk’s attorney, Alex Spiro, didn’t respond to a request for comment, and Twitter isn’t saying much to reassure users. The company told Recode it had “nothing to add here at this time” when asked how long it kept user data or how long it would take for a user’s data to be completely deleted from Twitter — if ever — should that user delete their account. Twitter has said that it will completely delete a user’s account upon their request, but it takes at least 30 days for that to happen. And your DMs may stay on Twitter’s servers for years even after you think you’ve deleted them. So you can go ahead and delete your account if you’re really worried, but there’s no guarantee that will delete some or all of your data, too.
We have seen other situations where controls over user data were a condition of regulatory approval, like Google’s merger with Fitbit. The European Union approved that acquisition on the condition that Fitbit’s user data was technically separated from any Google data used for advertising for at least 10 years. But those terms were announced before the merger went through and were meant to mitigate competition concerns. That’s not an issue with the Twitter-Musk deal, and no such announcements have yet been made.
Now, is Musk going to waltz into Twitter’s headquarters on Friday (maybe holding a sink again), fire up his computer, and immediately set about reading all of your DMs, peering in on private accounts’ tweets, and harvesting users’ phone numbers? Almost certainly not, and whether that happens at all depends on several factors, according to Andy Wu, a professor of business administration at Harvard Business School.
Twitter’s management team would first have to be amenable to fulfilling Musk’s requests. If not, he has to replace them. To do that, he’d have to go through the board of directors. Based on the preliminary proxy statement filed with the Securities and Exchange Commission, Musk plans to install his own board immediately, so it’s not clear whether veteran Twitter employees or current board members could impede him.
There are also whatever internal controls Twitter has — including those it’s supposed to have implemented per consent orders with agencies like the Federal Trade Commission (FTC) — that might get in Musk’s way. Musk would have to work with Twitter employees to get that data, and they might not be willing to help him read someone’s DMs. It’s hard to imagine Musk making such a request and that request not somehow being leaked to the press. And that would certainly be a disaster for a company Musk paid a lot of money for.
That’s especially true for Musk’s stated plan to make Twitter “the most respected advertising platform in the world” with “advertising that is as relevant as possible to [users’] needs.” You need data to do that. Overtly spying on users is a great way to get them to stop providing it — and to invite governments to crack down on your company’s privacy controls.
But when it comes down to it, if Twitter has the data and Musk wants to see it, well …
“I think the takeaway is, he could probably do that,” said Wu, who was speaking on the assumption that the deal will close on Friday. “It wouldn’t make sense to do that. But Musk also does things that don’t make sense.”
Twitter users should perhaps be concerned not about their data leaking to Musk but about their data leaking to everyone. Twitter’s track record when it comes to security already isn’t great, and Musk might be laying off employees who are essential to maintaining the protections it has that actually work (Musk has reportedly said he doesn’t plan to lay off that many people, or to do so that soon).
In July 2020, Twitter was hacked by a teenager, who gained access to some of the platform’s biggest accounts, including Musk’s, and some of those accounts’ DMs. Twitter responded to the hack by hiring famed hacker Peiter “Mudge” Zatko to head up its security division in November 2020. Zatko left the company in January 2022. By September, he was testifying before Congress that Twitter had significant security issues and vulnerabilities and had routinely failed to properly safeguard its users’ data. In a leaked whistleblower complaint, Zatko claimed that about half of Twitter’s 7,500 employees could access any user’s personal information. There were rules against doing so, but Zatko said they weren’t enforced. He also claimed that Twitter wasn’t following security protocols as part of its 2011 consent order with the FTC.
Twitter has mostly denied Zatko’s allegations, calling them in a statement a “false narrative” containing inaccuracies and lacking context. A spokesperson for Zatko said he wasn’t commenting on Twitter.
Jason Goldman, Twitter’s first head of product and a former board member, tweeted on Wednesday night that “a non trivial number of people who worked on this site” were downloading their archives and have stopped DMing anything they wouldn’t want to somehow become public. He told Recode that he doesn’t think there will be any “nefarious leaks or deletions,” but he does think the presumably chaotic period Twitter is about to undergo will mean a lot of upheaval.
“With that comes the increased risk of some big mistakes,” Goldman said in a Signal message.
There is one possible bright spot, however: Musk has expressed an interest in encrypting DMs end-to-end. And that would mean no one except the sender and receiver could see them, including Musk. Sen. Ron Wyden (D-OR), who has been asking Twitter to encrypt DMs for years, told Recode he thinks encrypting DMs should be the first thing Musk does with his new company.
He added that, while Musk has the right to moderate Twitter as he sees fit, he should also keep in mind that Twitter’s users and advertisers may not want to have much to do with a place that platforms hate and misinformation.
“If Musk decides to court celebrities who spread hate and lies, advertisers and users are going to flee,” Wyden said. “The internet is littered with failed MAGA platforms that prove the vast majority of internet users have no interest in swimming in the muck of a site that doesn’t invest in responsible moderation.”
We’ll all soon see what kind of town square Musk thinks Twitter should be. If nothing else, the Twitter-Musk deal should be a good reminder that your data is only as private as the company you give it to wants it to be. And as we know now more than ever, that ownership can change.
Update, October 27, 6:30 pm ET: We’ve updated this story with additional information on potential changes to the board of directors.