Alongside my decision to delete my tweets after 48 hours, I took the opportunity to make a formal request that the law entitles me to: obtaining all the personal information they hold about me.
For those who want to try it too, there is a fairly clear procedure. Broadly, you just copy the pre-written letters and follow the steps. Well, I said clear, not simple. You can plainly see the intent not to offer something simple: email, fax (??), copy of an ID card (why? they don't know it anyway), reconfirmation by email.
In any case, I got through the steps; here is what I received after 9 days, along with a 2.6 MB zip:
We're responding to your request for information about your Twitter account @edasfr. We've attached the following files:

- USERNAME-user.txt: Basic information about your Twitter account.
- USERNAME-email-address-history.txt: Any records of changes of the email address on file for your Twitter account.
- USERNAME-tweets.txt: Tweets of your Twitter account.
- USERNAME-favorites.txt: Favorites of your Twitter account.
- USERNAME-dms.txt: Direct messages of your Twitter account.
- USERNAME-contacts.txt: Any contacts imported by your Twitter account.
- USERNAME-following.txt: Accounts followed by your Twitter account.
- USERNAME-followers.txt: Accounts that follow your Twitter account.
- USERNAME-lists_created.txt: Any lists created by your Twitter account.
- USERNAME-lists_subscribed.txt: Any lists subscribed to by your Twitter account.
- USERNAME-lists-member.txt: Any public lists that include your Twitter account.
- USERNAME-saved-searches.txt: Any searches saved by your Twitter account.
- USERNAME-ip.txt: Logins to your Twitter account and associated IP addresses.
- USERNAME-devices.txt: Any records of a mobile device that you registered to your Twitter account.
- USERNAME-facebook-connected.txt: Any records of a Facebook account connected to your Twitter account.
- USERNAME-screen-name-changes.txt: Any records of changes to your Twitter username.
- USERNAME-media: Images uploaded using Twitter's photo hosting service (attached only if your account has such images).
- USERNAME-profileimg: Your avatar and background image, if uploaded.
- other-sources.txt: Links and authenticated API calls that provide information about your Twitter account in real time.

All our records are maintained in UTC, which is the same as GMT for time zone purposes. Any files or fields that are blank, or any files that have no content between the PGP header and signature block, indicate that no responsive records were found.

No records were found of any disclosure to law enforcement of information about your Twitter account. It is our policy to notify users of requests for their information prior to disclosure unless we are prohibited from doing so by statute or court order. For more information, please see our Guidelines for Law Enforcement at http://support.twitter.com/articles/41949-guidelines-for-law-enforcement#section9

We searched for the specific information identified in your request and have also provided other information associated with your Twitter account. We have not provided all information that may be related to you because of the difficulty of providing it, or because it may not be specific to you or may reveal the nonpublic information of another user or of Twitter. If there is other information that you are looking for, please let us know so that we can consider your request.

Our Privacy Policy at http://twitter.com/privacy describes the information that Twitter may collect and use and the limited circumstances in which your private personal information may be shared.

Regards,
The Trust & Safety Team
Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, California 94103
You will notice that they allow themselves not to hand over everything, because it is difficult (?). I am going to follow up to get everything; the law does not allow them to pick and choose what they return. Among other things, I am very interested in the profiling data they may hold (on which the ads will be based) and in the partner companies to which they pass their data.
12 replies to “Twitter personal data”
Email sent:
I am responding to the transmission of my personal information, itself following my legal request in doing so.
You said in your response you did not provide all information that may be related to me, partly because it may be difficult for you, partly for other reasons.
Please be informed that the legal request does not permit such a retention for convenience reasons. There is no optional data in the response expected. Following the same request, I confirm and insist that you, on the same terms of the first request, send me all data related to me, including the data that may be difficult retrieving for you.
Name : Éric D.
Twitter username : @edasfr
Email address : XXX@XXXX
Request filled on your side with : « Policy Support, Twitter Inc.-YLee – Support ticket #XXXX »
Procedure followed at this date : » with the title « Re: #XXXX Twitter Privacy Inquiry » with the same terms as the previous email with title « Re: Twitter Response To Request For Own Information » and attached again the same identity check and written confirmation
– October 11th : First by me to privacy@twitter.com on October 11th with title « Access Request » (copy attached under the file Twitter-access-request-2012-10-11.pdf)
– October 13th : at your request, email by me to « Twitter Support
– October 15th : at your request, sent a fax to 0014152229958 with the reference « Policy Support, Twitter Inc.-YLee – Support ticket #XXXX » with a copy of my id, and a written and firmed authorization (attached again in this email under the name twitter-identity-check-2012-10-15.pdf)
– October 16th : at your request, confirmation by mail that I am the sender of the fax, sent to Twitter-Legal
While I thank you for the first part of data provided, I am at least missing :
1- the complete list of your clients, partners and service providers (including advertising clients and partners) that had access to my personal data (full identification of the partner and the dates or date range of share) ;
2 – and all « data mining » you may have done on my personal data (if you link my profile to keywords, age range, social category, or any other categorization) for example in the purpose of advertising.
Please provide me any other data you may have not transmitted previously, including these two items (and please tell me in writing in your response if you have not transmitted my data to any partner and if you have not done any data mining or categorization on my personal data).
About the data: I have the list of all the tweets, with far less detail than the APIs, but as a result I have the identifiers of tweets older than the last 3200, so I can fetch them through the API, back them up and delete them. That is in progress.
The structure, however, is plain text. No clear delimiter (there is a delimiter, but it could perfectly well appear in the middle of a data item and break automated reading). No JSON, no XML, no CSV-style data. That is a bad point, but not dramatic in practice.
I have all the IP addresses used. If I find the energy I will check that all of them are plausible, and therefore whether a third party has presumably had access to my account.
It is interesting to note that every file is signed with PGP. So the information is reliable and can be relied upon against them. I did not expect that, and it is a very good point.
On the other hand, the lack of structure yields strictly no information about Twitter's internals.
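One way to run the IP plausibility check mentioned in the comment above, given that the export is plain text without a reliable delimiter. This is an added example, not the author's or Twitter's code; the sample export layout, the function names and the "known networks" (documentation address ranges) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample. The real export layout is not shown on the page, so the
# code only assumes free text in which login IPs appear as separate tokens.
SAMPLE_EXPORT = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

2012-10-01 07:12:44 UTC login 192.0.2.17
2012-10-02 19:03:10 UTC login 192.0.2.17
2012-10-03 02:41:09 UTC login 203.0.113.80
2012-10-05 08:15:00 UTC login 2001:db8:12::5
2012-10-06 11:00:31 UTC login (198.51.100.23)
2012-10-07 23:59:59 UTC login 999.1.1.1
-----BEGIN PGP SIGNATURE-----
(signature omitted from this constructed sample)
-----END PGP SIGNATURE-----
"""

def extract_ips(text):
    """Return every valid IPv4/IPv6 address found in the signed body."""
    body = text.split("-----BEGIN PGP SIGNATURE-----")[0]
    found = []
    for token in re.split(r"[\s,;|()\[\]<>\"']+", body):
        try:
            found.append(ipaddress.ip_address(token.strip(".")))
        except ValueError:
            continue  # dates, times, words, malformed values such as 999.1.1.1
    return found

def unexplained_logins(text, known_networks):
    """Map each address outside the user's known networks to its login count."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    counts = Counter(extract_ips(text))
    return {str(ip): n for ip, n in counts.items()
            if not any(ip in net for net in nets)}

if __name__ == "__main__":
    # Assumed networks (documentation ranges): home ISP and mobile carrier.
    known = ["192.0.2.0/24", "2001:db8:12::/48"]
    for ip, n in sorted(unexplained_logins(SAMPLE_EXPORT, known).items()):
        print(f"{ip}\t{n} login(s) from a network you did not list")
```

An address outside the listed networks is a lead to look into (travel, a VPN, a third-party application acting on the account), not proof that someone else logged in.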
Very interesting, your approach and your write-up! Thanks for sharing it, and keep doing so!
Access to old tweets is interesting. If these requests become widespread, perhaps they will offer individual downloadable files.
You will notice that their reply contains (the capitalization is mine):
> We have NOT provided all information that may be related to
> you because of the difficulty of providing it, or because it may not
> be specific to you or may reveal the nonpublic information of another
> user or of Twitter.
Following my insistence on getting *all* the data, here is their reply (which explicitly contradicts their previous email):
On Thu, Oct 25, 2012 at 9:55 PM, Twitter-Legal
wrote:
> Hello,
>
> The records provided were complete as of the time they were produced.
> Our Privacy Policy at http://twitter.com/privacy describes the
> information that Twitter receives, the purposes for which it may be
> used, and the limited circumstances in which private personal
> information may be shared.
>
> You can also check the Apps tab at
> http://twitter.com/settings/applications for a list of the third-party
> applications you’ve authorized to access your account and revoke the
> access privileges of any that you wish.
>
> Thank you,
> Twitter Trust & Safety
My reply for now:
—-
Hello
This new statement is explicitly opposite to the previous one you sent
me, which was (quoting, capitalization of the word « not » is from me) :
« We have NOT provided all information that may be related to
you because of the difficulty of providing it, or because it may not
be specific to you or may reveal the nonpublic information of another
user or of Twitter. »
Furthermore, this new statement is explicitly in contradiction to your
public announcement at
http://advertising.twitter.com/2012/08/interest-targeting-broaden-your-reach.html
stating that you are doing interest targeting. Doing so you attach or
attached a categorization with up to more than 350 categories to
Twitter profiles. You didn’t send me any categorization (or lack of)
associated with my profile.
Such information is definitely something attached to my personal data
in the scope of my legal request. You should have at least sent me
that categorization and I request you to do so.
Note that the interest targeting may not be the only personal data
attached to my profile (being from my input or from your analysis
doesn’t matter) and I explicitly ask for *all* my data, including this
one but not limited to this one.
—-
(followed by the same format as the previous one, with the list of contact details and previous exchanges)
You're a madman, but I admire madmen.
That's it, I'm stuck. Twice I got the same reply saying they sent me everything (which is certainly wrong according to their own earlier statements, and also according to what they announce on their blog).
A new, more insistent request, but I am reaching the limit of what I can do without sending a registered letter or filing a complaint. We'll see how I proceed after that.
Hello,
Your own public announcement at http://advertising.twitter.com/2012/08/interest-targeting-broaden-your-reach.html tells you are doing interest categorization and targeting. Such data is linked to my personal data and in the scope of my legal request to retrieve all data attached to me. Such data was not part of your first package.
In consequence, I demand that the interest categorization and targeting done on my profile be sent to me. This is a legal request under Section V of the Directive 95/46/EC, transposed in Section 7 of the UK Data Protection Act. Please answer me with a non pre-written response and return me the data asked.
Name : xxxx
Twitter username : xxxx
Email address : xxxxx
Request filled on your side with : « Policy Support, Twitter Inc.-YLee
– Support ticket #xxxx »
[…]
Well, from that point on they are playing dead.
I really like your approach
At this point it's almost a pity not to use a little registered letter with formal notice; that is often the point at which Free and the like finally end up making a gesture. In general, I would state that, failing satisfaction, I would not hesitate to publicize the “mistreatment” suffered on all the relevant social networks and forums. Twitter may be a different league, but my wife and I have already won our case following this approach (refund of fees + compensation for the inconvenience caused)
Éric,
I only came across this post today.
Has there been any follow-up since your last comment dated November?
Sébastien.
Nothing new, no