Twitter sued for 'reading' private direct messages
Link redirects are equivalent to eavesdropping, says lawsuit
Twitter is being sued for invading users' privacy over its practice of replacing hyperlinks in direct messages with its own "t.co" short links.
Californian Wilford Raney filed a class action lawsuit against the company in San Francisco this week and is seeking millions of dollars in damages.
According to Raney, Twitter represents that its direct messages, or DMs, are entirely private between users, but in reality the company "reads" all such messages despite not having sought users' permission.
This violates both the Electronic Communications Privacy Act and the California Invasion of Privacy Act, the lawsuit claims.
At the heart of the issue is Twitter's system of replacing hyperlinks in people's messages with its own shortlinks that use its t.co domain address. Raney says that this practice is equivalent to "reading" private communications.
He also notes that Twitter then masks the t.co link and instead displays a more readable version of the link to the user. For example, a link to a New York Times article will display as linking to the newspaper's own link-shortening service at nyti.ms, but will in fact go through a custom Twitter t.co domain.
The reason Twitter does this, says the lawsuit, is so that from the New York Times' perspective, the incoming traffic is coming from Twitter, rather than from millions of individual users, and so Twitter is able to negotiate higher advertising rates.
Twitter has been desperately chasing revenue for its service, which is currently used by over 300 million users a month.
The lawsuit says that while normal "tweets" are assumed to be public and so Twitter is entitled to "read" them, it expressly advertises its direct message service with the words "Direct messages can only be seen between the people included."
"Before Twitter delivers the message to the intended recipient, Twitter intercepts and accesses the contents of the message. The moment the consumer clicks Send, Twitter's service will open, scan, and potentially alter the contents of the message," states the filing.
It seeks damages equal to the profit made by Twitter for its "unlawful conduct" or $100 per member of the class action lawsuit per day, whichever is higher. It also seeks statutory damages of $5,000 per class member and unspecified punitive damages.
Unsurprisingly, Twitter denies the claims. "We believe these claims are meritless and we intend to fight them," the company said in a statement.
As to the likelihood of success, there is already precedent in a similar lawsuit brought against Google for "reading" Gmail messages. In that case, the judge refused to allow the class action lawsuit to proceed, meaning that it falls to individual users to sue the search giant. But she also denied Google's efforts to dismiss the lawsuits altogether.
A month after that ruling, Google changed both its practices and its terms and conditions and reached a private settlement with the litigants.
It's possible that Raney and his lawyers – privacy specialists Edelson PC – are looking to reach a similar agreement with Twitter. Twitter meanwhile is likely to argue that its service does not "read" the message but simply replaces hyperlinks through an automated system.
There is little doubt that direct messages are treated very differently by Twitter. For example, in June the company said it was lifting its 140-character limit on direct messages, whereas public tweets would still be held to the limit. It also has separate APIs for direct messages. But the key question will be: does Twitter adequately inform its users about what it does? ®