
The failure of Twitter and social media management suites to get GDPR

Den Howlett, July 19, 2018
We have been testing social media management suites and find to our horror that those we tested utterly fail to understand privacy. We think we know why.


Social media management suites such as those from Sprout Social, SocialReport, SocialPilot and eClincher show up as popular on review sites like G2 Crowd. Ease of use is often cited as the main plus point. In Sprout Social's case, the top review says:

Sprout Social is easy to use. We've stuck with it because it is very easy to draft posts across platforms and attach media files. It is easy to reply and view posts that mention our client directly from the interface.

Similar glowing approvals are offered for the others. But there is one problem most of these solutions share which, in our view, leaves them non-compliant with GDPR.

All these suites allow administrators to add social profiles, which provides a modicum of control over what people can add. In most cases a user will want their Twitter, LinkedIn and (possibly) Facebook identities included. There is just one problem, and it relates directly to Twitter.

In most cases the default is to include Direct Message (DM) access, which is tolerable in itself; what is not possible is to hide or switch off that functionality in any meaningful way. Twitter's API only exposes DMs to a third-party application if the account holder grants it the 'Read, write and Direct Messages' permission when connecting the account, but that is the permission these suites ask for as a matter of course, and once it has been granted there is nothing inside the suite that keeps the messages out of view.

According to Twitter:

Direct Messages are the private side of Twitter. You can use Direct Messages to have private conversations with people about Tweets and other content.

In our view DMs are private conversations and as such should never be visible except to the intended recipients. The fact that Twitter has effectively exposed these via its API is worrisome. Equally worrying, however, is the position Sprout Social took when I spoke with Aaron Rankin, co-founder and CTO of Sprout Social.

Despite its expense compared to other offerings, we were willing to give Sprout Social a run, except for the DM issue. I explained to Rankin that in our view the inability to switch DMs off completely is an important privacy issue and likely contravenes GDPR, because DMs are not public.

The argument that came back, and it is one we also heard from eClincher, was that 'no-one had asked for it.' Wow! But then I believe I understand why that might be the case.

Social media management suites, while they offer team-based approaches, are designed with agencies in mind. Agencies act on behalf of their clients to promote social messages. The expectation is that agencies operate corporate accounts where the use of DMs is usually restricted to business transactions. Alternatively, agencies operate accounts on behalf of individuals within corporate environments. Again, the expectation is that these will be 'all business.'

But as Phil Fersht poignantly reminded us on LinkedIn the other day:

[LinkedIn post by Phil Fersht, embedded as an image in the original; text not reproduced here]

Note that this was liked 51 times and has drawn 14 comments.

We understand this intuitively and wanted to include the personal Twitter accounts of our core team in a social media management suite. That is not viable because of the DM issue.

Sprout Social didn't really get it, trying to convince me that they are GDPR compliant. That may be the case for them as a data processor, but it does not make us, as the data controller, compliant. Why? According to the ICO:

The DPA draws a distinction between a 'data controller' and a 'data processor' in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. It is the data controller that must exercise control over the processing and carry data protection responsibility for it. This distinction is also a feature of Directive 95/46/EC, on which the UK's DPA is based.

Since DMs are private, it is inconceivable that anyone would grant others access to view them except under very exceptional circumstances.

We also raised this with eClincher. Their system provides the means to turn off a variety of notifications inside its universal inbox, including DMs, but when you click on another person's Twitter account inside eClincher, hey presto, up pop the DMs. This was not immediately apparent until one of my team proved the point. eClincher also said that no-one had asked for a means to universally switch off DM access. Once we went through the issues, which took quite a few cycles and an escalation, they understood the problem and promised to find a fix.

We looked at SocialReport and, guess what, it has the same problem. As an admin, I can see the DMs of anyone else on the system. I can even get a report on the amount of DM activity on any selected account.

My take

Putting aside the corporate issues highlighted by Fersht, the lack of GDPR understanding by social media management suite providers is breathtaking. Even more disturbing is that Twitter, which already recognizes the private nature of DMs, has chosen to leave this element exposed via its API.

This is an issue that needs a solution because right now, anyone using these suites who has connected personal Twitter accounts to them is at risk of breaching the privacy rights of the people whose messages are exposed. We assumed that a fix was simply a matter of applying a toggle or switch so that DMs would be permanently hidden. Apparently, life in Twitter land is not that simple. Until it is, the only effective control sits with the account holder: check the connected applications list in your Twitter account settings, and if a suite has been granted DM access, revoke it rather than leave a personal account connected.
