Why deleting something from the Internet is “almost impossible”

Twitter’s former security chief Peiter “Mudge” Zatko told a Senate committee on Tuesday that the social network does not reliably delete the data of users who cancel their accounts, expanding on whistleblower allegations first reported by CNN and The Washington Post last month.

In his testimony and in his whistleblower disclosure, Zatko alleged that Twitter does not reliably delete user data, in some cases because it has lost track of the information. Twitter has defended itself against Zatko’s allegations, saying his disclosures paint a “false narrative” of the company. In response to questions from CNN, Twitter has previously said it has workflows to “initiate a deletion process,” but has not said whether it typically completes that process.

While Zatko’s allegations are shocking, they also served as another reminder to Sandra Matz of “how stupid we are” when it comes to sharing our data online.

“It sounds very simple, but what you put out there, don’t expect it to become private again,” said Matz, a social media researcher and professor at Columbia Business School. “To withdraw something from the Internet, to hit the reset button, it’s almost impossible.”

The stakes of feeling in control of our data and confident in our ability to delete it have arguably never been higher. In light of the Supreme Court’s decision in June to overturn Roe v. Wade, it is now possible to use search histories, location data, text messages, and more to punish people who access or look up information about abortion services online.

In July, Facebook parent Meta came under intense scrutiny after news broke that messages sent through Messenger and obtained by law enforcement were used to accuse a Nebraska teenager and her mother of having an illegal abortion. (There was no indication in that case that any of the messages had been deleted earlier.)

Ravi Sen, a cybersecurity researcher and professor at Texas A&M University, said law enforcement and other groups “with the resources and access to the right kinds of tools and expertise” could likely recover deleted data in certain circumstances.

Sen said many people don’t know all the places where their data ends up. Any post, whether it’s an email, a social media comment, or a direct message, is typically stored on the user’s device, the recipient’s device, and on servers owned by the company whose platform you used. “Ideally,” he said, if “the user who created the content” deletes it, “the content should disappear from all three locations.” But in general, he said, “it doesn’t happen that easily.”

Sen said you can contact the companies and ask them to delete your data from their servers, although many reportedly never take this step. The chances of recovering a deleted message from a user’s device diminish over time, he added.

The best way to control your online data is to use apps that offer end-to-end encryption, according to privacy experts. It is important to manage your cloud backup settings to ensure that private data from encrypted services is not available elsewhere.

But even with the precautions an individual can take on their own, once you put something online, Matz says, “you’ve basically lost control.”

“Even if Twitter deletes the post now, or if you delete it from Facebook, someone else may have already copied the picture you put there,” she said.

Matz said she advises people to be more careful about what they share on Big Tech platforms. As pessimistic as it sounds, she believes it’s better to be overly cautious online.

“You just assume that whatever you put out there can be used by anyone and will live forever,” she said.