Spoiler alert: they’re called Direct Messages, not Private Messages, for a reason.
1. Twitter employees have access and can read your DMs
When you think about it, the capability of reading DMs isn’t really surprising. What is surprising though, is that in an investigative journalism piece by Project Veritas, several Twitter employees said that they actively read and monitor DMs. It’s of course up for a debate how much of this privacy violating practise in conducted by humans and how much by algorithms.
Considering the latter, already in 2015 there was a lawsuit filed against Twitter, accusing the service of reading DMs. The filing states that:
Before Twitter delivers the message to the intended recipient, Twitter intercepts and accesses the contents of the message. The moment the consumer clicks Send, Twitter’s service will open, scan, and potentially alter the contents of the message.
Maybe that’s why it was so easy for Twitter to joke about reading @MattNavarra’s DMs when they did an account takeover PR stunt a while back.
2. Your DMs are never really deleted
When you delete your direct message, sure it disappears from the UI, but that’s pretty much it. It seems that DMs are stored forever, even if the account has been deleted. Read more details from here.
3. A bug sent DMs to third-party developers
This API bug existed from May 2017 until September 2018, and after discovering it, it still took two weeks for Twitter to inform users about it. This wasn’t the only data handling oopsie Twitter did (even just) in 2018, so I’m expecting to see more announcements like this in the future.
4. E2EE for DMs has been promised for a while, still not implemented
Early in 2018, The Hacker News broke the story that Twitter was testing end-to-end encrypted direct messages. (Side note: encryption wasn’t even enabled by default, which in itself is pretty telling.) Well nothing has been implemented since. Thanks to this lack of action, EFF chose Twitter as one of the companies in crosshairs in #FixItAlready campaign. At the time of writing, the campaign’s success rate is ~11%, so perhaps there’s still hope for E2EE DMs to happen.
Bonus tip: to get a minor privacy increase to your DMs, you should disable read receipts.