Twitter has owned up to a privacy goof that exposed some Android users’ private tweets.
That would be bad enough if the problem existed for an hour, or a day, or a month. But unfortunately for Twitter (and affected users) the problem was present from November 3 2014 until January 14 2019.
That’s over four years.
The good news is that the problem only affected users of Twitter for Android who had enabled the “Protect your Tweets” setting. The vast majority of Twitter users don’t protect their tweets, and in fact when you create an account on Twitter it is public by default – meaning anyone can view and interact with your tweets.
But a small proportion of Twitter users do prefer to protect their tweets – meaning that the only people who can follow and interact with their tweets are users who they authorised.
So far, so reasonable.
But everything seems to have changed on November 3 2014 when Twitter introduced a bug which only impacted users who had “protected” accounts.
As Twitter explains:
You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019.
In short, the Twitter Android app reset the “Protect your Tweets” setting without users’ knowledge or permission, if other account settings were changed. The same bug did not apply to the official Twitter app for iOS or the web versions of Twitter.
To make things worse, Twitter admits that it cannot be sure that it knows what accounts may have been impacted. So potentially-affected users are being “encouraged” to review their privacy settings to check that “Protect your Tweets” is set properly.
For this bug to have lurked for so long tells me two things:
- Not many users are making use of the “Protect your tweets” feature, and even less of them are running the Android app and changing their account settings.
- Twitter’s quality control needs to improve. They simply cannot have tested the functionality properly.
Of course, it’s also worth bearing in mind that even if you do successfully set your social networking updates to be private, that doesn’t mean they’re private from the social networking site itself.
Sadly, if you ever relied on the ‘private’ option on any online service over the past 20+ years, it turns out you were deluding yourself.
— Rich Baldry (@RBaldry) January 18, 2019