Dec 1, 2013

Twitter DM and Privacy


Twitter's privacy policy:
"When using any of our Services you consent to the collection, transfer, manipulation, storage, disclosure and other uses of your information as described in this Privacy Policy. Irrespective of which country you reside in or supply information from, you authorize Twitter to use your information in the United States and any other country where Twitter operates... ... We may share [with 3rd.parties] or disclose .... comply with a law, regulation or legal request.... ." Etc.
In summary: anything Twitter can collect about you is collected, used and distributed.



What about direct messages (DM)?

"Definition: A direct message (DM) is a private message sent via Twitter to one of your followers."

But how private does Twitter consider a "private message"?

Twitter implemented the "t.co link wrapper".
They announced it as a "link shortener" service, done "to detect, intercept(!!), and prevent the spread of malware, phishing, and other dangers".
Of course gift-wrapped with all the common bullshit claiming "better user experience and increased safety".



Test:
I sent this DM message to @userA
@userA I left a very private message for you here:
www.my-web-server.com/private4UserA

Seconds later this was logged in my-web-server's access log:
199.59.149.166 - - [day/month/year:21:54:23 +0200] "GET /my-web-server/private4UserA HTTP/1.1" 200 151284 "-" "Twitterbot/1.0"
Surprised? A DM is not "a private message sent via Twitter to one of your followers" but content that Twitter reads and copies, even when that content is located outside Twitter.

I looked closer at the DM.
My eyes read this:
"@userA I left a very private message for you here: www.my-web-server.com/private4UserA"

But the HTML code behind the visible display is:
<a data-original-title="http://www.my-web-server.com/private4UserA" href="http://t.co/xyz123" rel="nofollow" dir="ltr" data-expanded-url="http://www.my-web-server.com/private4UserA" class="twitter-timeline-link" target="_blank">www.my-web-server.com/private4UserA</a>
This is the same method used for phishing: the URL (web address) you read on the display is different from the actual URL you will be (re)directed to. Here the visible text and data-expanded-url show my server, while href sends the click through t.co.


Twitter has a notice about this:
"Please note: t.co links, even those shared via DM, are neither private nor public. Anyone with the link will be able to view the content. "

I doubt many users read this, and if they do, they might not understand the privacy intrusion represented by this. At least I didn't - for how can a message be both "a private message" and "neither private nor public"? Nor did my link need "shortening" and there are no warnings either.


When the Twitter user (@userA in this example) reads the DM, a new record is logged by the web server (www.my-web-server.com):

11.22.33.255 - - [day/month/year:22:31:38 +0100] "GET /private4UserA HTTP/1.1" 200 747 "http://t.co/xyz123" "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206 Twitter for iPhone"
This means Twitter is recording when and what the user reads, including from private messages.
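A server-side check for what the two log lines above reveal, added here as an example and not part of the original post: it parses combined-format access-log lines and flags requests to a privately shared path that either came from Twitter's link wrapper (Twitterbot user agent) or arrived through a t.co redirect (t.co referer). The sample lines are constructed from the ones quoted above, with made-up timestamps and the documentation IP range for the non-Twitter visitors.

```python
import re

# Apache/nginx "combined" log format, which is the format of the lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log, modelled on the two lines quoted in the post.
SAMPLE_LOG = [
    # Twitter's link wrapper fetching the URL seconds after the DM was sent
    '199.59.149.166 - - [01/Dec/2013:21:54:23 +0200] "GET /private4UserA HTTP/1.1" 200 151284 "-" "Twitterbot/1.0"',
    # the recipient later following the t.co redirect from the Twitter app
    '11.22.33.255 - - [01/Dec/2013:22:31:38 +0100] "GET /private4UserA HTTP/1.1" 200 747 "http://t.co/xyz123" "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206 Twitter for iPhone"',
    # an unrelated visit to a public page (constructed)
    '203.0.113.7 - - [01/Dec/2013:23:02:10 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # a direct visit to the private URL with no referer: not attributable to Twitter (constructed)
    '203.0.113.8 - - [02/Dec/2013:08:15:00 +0100] "GET /private4UserA HTTP/1.1" 200 747 "-" "curl/7.30.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Label a parsed request by how it relates to Twitter's link handling."""
    if rec["ua"].startswith("Twitterbot/"):
        return "twitter-prefetch"      # Twitter fetched the link itself
    if re.match(r"https?://t\.co/", rec["referer"]):
        return "tco-click-through"     # a person arrived via the t.co redirect
    return "other"


def find_exposures(lines, private_prefix):
    """Return (label, ip, timestamp, path) for every request under private_prefix
    that shows the URL was fetched by Twitter or reached through a t.co link."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(private_prefix):
            continue
        label = classify(rec)
        if label != "other":
            hits.append((label, rec["ip"], rec["ts"], rec["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_LOG, "/private4UserA"):
        print(*hit)
```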



Unfortunately Twitter is gradually closing its garden with proprietary and increasingly privacy-invasive methods.
Like it or not, you should understand that your private DMs are not as private as you might have thought, and that Twitter is no better than anyone else when it comes to privacy.


