
Messages from Sebastyne as chosen by the Universe.

 

 


Who else can read your private messages online?

When using direct and private messages on Twitter, Facebook or other services, you might not have considered that these messages are not encrypted in the database. This means that the administrators of the database can read the private messages without needing your password.

On a site the size of Twitter or Facebook, it is unlikely that the conversations would make ANY sense to the admins, especially as they are often in chat format, but if some rogue administrator REALLY wanted to get to the bottom of something, they might be able to do it.

Here’s what a database looks like

This is not a private message table, but it would look very similar to this. It contains the ID number of the sender and the recipient, the timestamp, the message and so on, but the username is most likely stored in another table that links it to the ID number. So to read the messages, you’d first have to figure out which ID number refers to which username (and which username relates to which real name), and then piece the conversation together by searching a potentially enormous database file.
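The table layout described above, as an added example that is not from the original post: a small in-memory SQLite database built in Python with constructed sample rows. The table names, column names and usernames are assumptions for illustration; it shows that a row holding only ID numbers still exposes the message text, and that a single join resolves the IDs to usernames and orders the thread.

```python
import sqlite3

def build_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL);
        CREATE TABLE private_messages (
            id INTEGER PRIMARY KEY,
            sender_id INTEGER NOT NULL REFERENCES users(id),
            recipient_id INTEGER NOT NULL REFERENCES users(id),
            sent_at TEXT NOT NULL,
            body TEXT NOT NULL          -- stored as plain text, as the post describes
        );
        INSERT INTO users VALUES (17, 'alice'), (42, 'bob'), (99, 'carol');
        INSERT INTO private_messages VALUES
            (1, 17, 42, '2001-05-01 10:00:00', 'Are you coming on Friday?'),
            (2, 99, 17, '2001-05-01 10:02:00', 'Lunch tomorrow?'),
            (3, 42, 17, '2001-05-01 10:05:00', 'Yes, see you there.');
    """)
    return db

def raw_rows(db):
    """What someone glancing at the table sees: numeric IDs plus readable bodies."""
    return db.execute(
        "SELECT sender_id, recipient_id, sent_at, body "
        "FROM private_messages ORDER BY id"
    ).fetchall()

def conversation(db, user_a, user_b):
    """Resolve IDs to usernames and order one two-party thread by timestamp."""
    return db.execute("""
        SELECT s.username, r.username, m.sent_at, m.body
        FROM private_messages AS m
        JOIN users AS s ON s.id = m.sender_id
        JOIN users AS r ON r.id = m.recipient_id
        WHERE (s.username = :a AND r.username = :b)
           OR (s.username = :b AND r.username = :a)
        ORDER BY m.sent_at
    """, {"a": user_a, "b": user_b}).fetchall()

if __name__ == "__main__":
    db = build_db()
    for row in raw_rows(db):
        print(row)
    for row in conversation(db, "alice", "bob"):
        print(row)
```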

The danger is minor but…

There is a chance of someone catching a glimpse of a conversation on the database while working on some administrative task on it. It is rare that anyone would do that particularly on a live site, but there’s always the possibility of it happening.

Backup copies of the database are always available, though. A site like Facebook probably runs backups continually, so some section of the website would always be readable by a curious employee with high enough security clearance.

It is also true that a smaller website owner, like me, would have set the database up differently, so that they gain direct access to private conversations with relative ease. They might even create backend access for reading the conversations without anyone knowing, just to get the gossip.

So the question really is, do you trust them or not?

I still beat myself up for accidentally catching this in a private conversation on my personal website database in 2001: “Oh don’t waste time on X” (someone I got constantly compared to), “Sebastyne is the mature one!” I caught my own name in the database file I was transferring onto a new server, and I used all my willpower to not read the entirety of the message. I still don’t know who wrote it or to whom, but I had a moment to think whether or not I should figure out the user ID numbers and dig up the entire conversation thread. I am sure they’d have a laugh if they knew my emotional distress over the fact, but I never forgot how accidentally I caught a juicy bit of a conversation I really wanted to read! 😀

When celebrities are in question… A similar temptation might be impossible to overcome.

If you’re suspicious, send fake news!

If you are suspicious about the integrity of a website, test them by sending a piece of absolute fabrication that looks real enough to publish and see what happens. Write a long piece with lots of famous names to draw attention to it, and figure out a way to prove you planted the bait to test the reliability of the site. A wild description of a private party that never took place would be a good bait. Just make sure your guests were out of the country or town at the time of the party, and make sure the date of the alleged party can be timed from “yesterday” or “last weekend” written into your message compared to the time stamp of the message.

Should nobody be reading your private messages, at least deliberately, nobody will be aware you were that paranoid. 😉 If they do and get caught, you’ll be a hero. 🙂
