Delete data....

Twitter urged firms to delete data during 2016 campaign

Company directives reinforced privacy policies that were already being criticized for helping Russia meddle in elections.

By JOSH MEYER

Twitter quietly ramped up a campaign last year to permanently delete some user data from its social media platform and the files of commercial firms using it, raising concerns that the policy would help Russian cyberspies suspected of meddling in the 2016 election cover their tracks.

In June and September of 2016, the company posted updates to its privacy policy and user agreements that reminded firms that when anyone deleted or revised tweets – or closed accounts – that all others with access to them would have to destroy any trace of them as well. If they failed to comply, the company warned, they risked being cut off from the Twitter data base.

The second of the directives came amid intensifying questions about who was behind efforts to hijack Twitter to sway voters, and after cyber-researchers had expressed concerns that the deletion policy was undermining their efforts to link that campaign to Moscow.

In some cases, private-sector researchers say they complained about the directives to Twitter officials, while others issued warnings on the platform itself and other online platforms.

Samuel Woolley, an information warfare expert who was director of the Oxford University’s Computational Propaganda Research Team, questioned the timing of the directives, saying they came after he and associates had repeatedly warned Twitter officials that the existing deletion policy already was undermining their efforts – and those of many other researchers – to determine the extent of Russia’s attempts to manipulate the social media platform.

“There was a ton of research showing that Twitter was the place spreading disinformation, just overwhelmingly manufactured information,” said Woolley, now the director of the Silicon Valley-based Digital Intelligence Lab. “Many of us in the [cyber-research] community have made it clear to Twitter that to delete this information would be a travesty. We’ve been having this conversation for over four years” with people at various levels of Twitter, including senior executives.

“All social media companies have deletion policies,” Woolley added. “However, when policies are changed during pivotal political moments -- and when the company has regularly been warned its platform is the vessel for civic manipulation in similar moments -- one is right to wonder why then?”

People familiar with Twitter’s thinking said the directives were merely efforts to reinforce and clarify existing company policies designed to protect the privacy of users, and that the September directive in particular was made to bring Twitter more in line with stringent privacy protections established by the European Union.

"It has long been our stance that developers must keep the Twitter content they consume up to date,” a Twitter official said, in response to questions from POLITICO. “We've clarified our policy at several points, based both on updates to our overall Privacy Policy and based on feedback from developers about different use cases … But the intent is the same.”

“Importantly, nearly every major social media platform requires external developers who use their data to follow these kinds of rules,” the Twitter official said, citing what she said were the similar policies of Facebook, Tumblr and Instagram.

But some government and private-sector cybersecurity analysts said the changes were far more significant, and had the effect of prompting data firms to destroy potentially large amounts of information that could be relevant to probes of Russia’s efforts to influence the 2016 election. Twitter was aggressive enough in its enforcement that one company lost access to the data base for failing to make required deletions.

Emilio Ferrara, principal investigator at the University of Southern California’s Machine Intelligence and Data Science, said he had criticized Twitter’s privacy policy during last fall’s campaign. He said he did so on Twitter itself, even though “they just ignore those.”

“Their implementation and the decision to physically destroy these data raises critical issues on accountability that social-media service providers should be asked to address moving forward,” Ferrara said. “Even if I appreciate Twitter’s initiative regarding deleting abusive or propagandist content on the platform, their implementation of it is problematic: There is no need to physically destroy such content in the company’s servers, it can be just hidden from the public interface and records should be kept, for auditing purposes.”

For at least four years before the 2016 election, researchers who monitor Twitter had openly criticized Russia for using the platform to meddle in other elections, especially in Ukraine.

They had also pointedly criticized Twitter for its failure to do anything substantive about that meddling, including not changing its deletion policy to allow for saving of material that might be useful to researchers and law enforcement.

“This policy allows adversarial intelligence agencies and other disinformation operators to edit the news and then remove their traces,” according to Thomas Rid, a professor of strategic studies at Johns Hopkins University and a leading cyber-researcher who was the first person to publicly link Russia to the WikiLeaks release of hacked emails from the Democratic National Committee. “It means they can run operations more effectively and more covertly than ever before, and we may never find out exactly how they pulled it off.”

Now, more than a year later, Twitter’s deletion policy – and how it changed over time, and why – merits further scrutiny by congressional committees investigating Russian meddling in the U.S. election and the apparently significant role social media played in it, the analysts said.

“If certain aspects of content on Twitter reveals that there has been interference in our elections, especially by foreign actors but also by people in our country, the public has a right to know,” Woolley said. “But before the public has the right to know, I think that congressional investigators, third-party researchers, a lot of other people need to have this information. And this effort to obfuscate information that has been deleted or made private is super problematic.”