What does Twitter know about its users? #NOLOGS

Inspired by the Europe v Facebook campaign and further motivated by revelations that individuals associated with WikiLeaks and the Occupy movements in Boston and New York have had their Twitter data disclosed to American law enforcement authorities, Privacy International is launching a campaign to encourage European data subjects to get access to the personal information that Twitter holds on them.

Our campaign aims to achieve two objectives: to help European citizens exercise their rights and to raise awareness about data retention policies. We hope that by raising awareness we can also gain clarity on what information Twitter collects and stores about its users, especially after the recent news that Twitter has been storing the full iPhone contact lists of users who choose to 'Find Friends'.

Here are step-by-step instructions for people based in the European Union to follow to discover what data Twitter has about them. The entire process takes just a few minutes.

1) Send an e-mail to privacy@twitter.com that includes the following text:

Subject Access Request

[Your mailing address]

[Date]

Twitter UK Ltd
100 New Bridge Street
London
EC4V 6JA
United Kingdom

To the Twitter UK Legal Department,

Re: [Your Twitter username]

This is a request to access my personal data under Section V of the Directive 95/46/EC, transposed in Section 7 of the UK Data Protection Act.

As a Twitter user based in the European Union I request records of the following:

All personal data that Twitter holds about me, inter alia:

- All logs of IP addresses associated with my account (because these are bound to my password-authenticated account and are thus identifiable)
- Any records of the contacts stored on my mobile device that may have been collected by Twitter via the 'Find Friends' function, or any other information collected from a Twitter mobile client
- Any records of disclosures of personal data to other parties, including law enforcement (such records of disclosures themselves constitute personal data)

I request this information to be delivered in machine-readable form, to the e-mail address registered to my Twitter account.

Data Subject Authentication

My name: [Insert your name]

My current Twitter handle: [Insert your current user name] (former usernames associated with this account are: [Insert any previous usernames if you've ever changed your handle])

My e-mail address: [Insert the e-mail address from which you're sending the request. It should be the same e-mail that's linked to your Twitter account]

Please inform me, prior to processing this request, if you require a fee to be paid.

I look forward to receiving this information within 40 days. If you have any queries or questions regarding my request, please contact me by e-mail.

Yours faithfully,

[Insert your name]

2) You will receive an auto-response from Twitter that says you "need to reply to this email in order to open a ticket for review". Just paste your original message in the reply. This will allow you to open a ticket.

3) Twitter should then contact you by e-mail with a more personalised message requesting that you send a fax with a signed request providing consent to disclose this information. This request must explicitly grant Twitter permission to disclose your information to you ("I consent to the disclosure of any and all personal information associated with my Twitter account, including log data, IP addresses, contact list information, data collected from my mobile device, and records of disclosure to law enforcement.").

Be sure to include your username (e.g. @privacyint) and the e-mail address on the account, along with a scanned copy of a government-issued photo ID. We disagree with the photo ID requirement, especially considering that many Twitter accounts are pseudonymous without a 'real' identity attached to them, but Twitter insists on seeing photo ID. To help protect your privacy, we encourage you to mark out all the information on your ID except your name and photo. They don't need to know your birthdate, place of birth, ID number, etc.

The Twitter fax number is +1 415 222 9958 (this includes the international prefix so you don't need to add it). If you don't have a fax machine there are free online services that you can use, but be sure to check out their privacy policies first.

4) Once Twitter receives the fax, they will send a 'request-for-consent' e-mail to the e-mail address of record for your account, to which you need to respond affirmatively. Once they receive this confirmation e-mail they will e-mail you your records.

5) When you get your data, have a look through it and try to understand what's there and what's not. In particular, for what period has Twitter retained your IP logs? Their privacy policy says they can store up to 18 months of information. Is there other personal data that you know Twitter has that it didn't disclose? Let us know what you discover, especially if you find anything odd or anomalous.
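
One way to answer the retention question in step 5, as an added example that is not part of the original article or anything Twitter supplies: it measures the window covered by the disclosed IP log and lists entries older than the 18 months the privacy policy mentions. The CSV layout (`timestamp,ip`), the sample rows and the function names are assumptions, since the format of the disclosed records is not described here.

```python
import csv
import io
from calendar import monthrange
from datetime import datetime, timezone

RETENTION_MONTHS = 18  # limit the article quotes from Twitter's privacy policy

# Constructed sample. Assumed layout: one row per log entry, UTC time and IP.
SAMPLE_CSV = """timestamp,ip
2010-06-14T08:12:45Z,192.0.2.10
2011-01-03T19:30:00Z,198.51.100.7
2011-11-20T07:05:11Z,192.0.2.10
2012-02-27T22:41:09Z,203.0.113.25
"""

def months_before(moment, months):
    """Shift `moment` back by whole calendar months, clamping the day of month."""
    index = moment.year * 12 + (moment.month - 1) - months
    year, month0 = divmod(index, 12)
    day = min(moment.day, monthrange(year, month0 + 1)[1])
    return moment.replace(year=year, month=month0 + 1, day=day)

def retention_report(csv_text, received_on):
    """Summarise the logged window and collect rows older than the stated limit."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        stamp = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((stamp.replace(tzinfo=timezone.utc), rec["ip"]))
    rows.sort()
    cutoff = months_before(received_on, RETENTION_MONTHS)
    return {
        "entries": len(rows),
        "oldest": rows[0][0] if rows else None,
        "newest": rows[-1][0] if rows else None,
        "distinct_ips": len({ip for _, ip in rows}),
        "cutoff": cutoff,
        "beyond_limit": [(s, ip) for s, ip in rows if s < cutoff],
    }

if __name__ == "__main__":
    received = datetime(2012, 3, 1, tzinfo=timezone.utc)  # constructed date
    report = retention_report(SAMPLE_CSV, received)
    print("entries:", report["entries"], "distinct IPs:", report["distinct_ips"])
    print("window:", report["oldest"], "to", report["newest"])
    print("18-month cutoff:", report["cutoff"])
    for stamp, ip in report["beyond_limit"]:
        print("older than stated limit:", stamp.isoformat(), ip)
```

Set `received` to the date the records were sent; rows listed as older than the stated limit are the ones worth reporting back.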

N.B. Thanks to @runasand for leading the beta run to help us work out the kinks.