Twitter faces privacy lawsuit over automated URL shortener

Twitter, one of the world’s most popular social networks, is facing a class-action lawsuit by users who claim the service’s URL shortener violates federal and state privacy laws.

The complaint, filed in a San Francisco federal court on Monday, alleges that “Twitter surreptitiously eavesdrops on its users’ private Direct Message communications” by automatically intercepting and modifying links through a function it claims is private, according to the Hollywood Reporter.

“As soon as a user sends a Direct Message, Twitter intercepts, reads, and at times, even alters the message,” the complaint reads. “For example, should a user write a Direct Message and include a hyperlink … Twitter’s algorithm will read through the Direct Message, identify the hyperlink, and replace it with its own custom link, thereby sending the person clicking on the link to Twitter’s analytics servers before passing them on to the original linked-to website.”

A Twitter spokesman told the Daily Dot in an email that it would fight the lawsuit.

“We believe these claims are meritless and we intend to fight them,” said Nu Wexler, senior communications manager at Twitter.  

When users share links on Twitter, even in DMs, the service creates a short URL, ostensibly permitting it to collect analytical information—and to notify advertisers when traffic originates from Twitter. For example, when a user shares a link to a Daily Dot article, Twitter automatically takes the full URL and assigns it a shortened address that looks something like this: http://t.co/pHXvOFjdmv.

Online services like Goo.gl and Bit.ly allow users to create their own short URLs, which can in turn be used to collect data about the URL’s use, including the location of users, and browsers and platforms used to access the link.

Although short URLs do appear shorter, they take up as many of the 140 characters allowed per tweet as a full URL.

On its support page, Twitter refers to Direct Messages (DMs) as the “private side” of its service, adding that DMs allow users “to have private conversations” between one another. Although the plaintiffs do acknowledge that it is an algorithm creating the short URLs, as opposed to a Twitter employee, the complaint nevertheless argues that this service violates the Electronic Communications Privacy Act and California’s privacy law, according to THR.

“While Twitter reads the contents of its users’ private Direct Messages, Twitter never obtains (or even seeks) its users’ consent,” the complaint says.

The plaintiffs, represented by the law firm Edelson PC, are seeking damages as high as $100 per day for each Twitter user whose privacy was allegedly violated.

Edelson PC did not immediately return a request for comment.

Read the full complain below:


Update 1:55pm CT, Sept. 15: Added comment from Twitter.

H/T Hollywood Reporter | Photo by David Prasad/Flickr (CC BY SA 2.0)

Dell Cameron

Dell Cameron

Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.