A Twitter hole lets you Google protected tweets



[UPDATE, Oct. 20, 1:50 p.m.: The Bill Clinton tweets appear to be a leftover from a Clinton impersonator who now resides at @NotBillClinton. Also, Twitter spokeswoman Jenna Sampson wrote an e-mail today saying, “We have no deal with Google that gives them access to private accounts. … Trust and safety are huge areas of interest for us, and we would never make a deal that damages those ethics.”]

You can find just about anything with a Google search. That includes status updates on many Twitter profiles that were supposed to be private.


Some Twitter users lock their profiles from public view by checking a box on their settings page. People looking to follow protected accounts must then ask permission.

A minority of Twitterers do so to avoid public attention but, as Fleet Foxes indie folk singer Robin Pecknold writes on his protected profile, “keep up to date w/ loved ones and family.”

If you try to access a protected account from just about any Web browser, you’ll see this message: “This person has protected their tweets.”

But Twitter gave at least one company the key to the city: Google.

Google’s search crawler, called the Googlebot, appears to be given an unobstructed view into Twitter’s more than 5 billion messages, including supposedly protected tweets. It seems Googlebot can crawl through the doggy door and access private profiles without permission.

Many of those protected messages can be found through Google’s search engine. The results page shows an index of the tweets it has logged, and for more recent tweets, a cache of the page as it might appear for someone who has been granted access.

Even tweets that appear to have been deleted from a hidden account show up partially. For example, a search for Bill Clinton’s profile spits out the first few words of tweets. The excerpts include: “John Edwards...why did you,” “NY Gov got caught with a,” “Oh Hillary, 3rd place in,” and “I have been too depressed...” Bummer that it cuts off the juiciest parts.


San Diego Chargers cornerback Antonio Cromartie has Twittered about mornings at church and days spent at home watching the Lifetime channel with his wife, whom he calls “poohcat.”

Jersey City rapper Joe Budden appears to be ripping on his hip-hop cohorts from the comfort of a perceived private broadcast medium.

Jonathon Linner, chief executive of location-based social network Brightkite, uses his private Twitter account to automatically share his locations with friends. Little does he know that anyone could just as easily follow him around San Francisco.

Twitter has fixed at least two holes in the past that allowed users to peek into hidden profiles. Twitter’s own search engine used to occasionally display tweets from private accounts. You could also trick Twitter into showing you hidden tweets using the site’s RSS feeds.

Google was wrapped in a similar controversy recently when its search engine began surfacing voice mail messages for some users of Google Voice. Whoops.

To pull back the Twitter curtain, search the following string, replacing “<user>” with the name of a protected profile: “<user>.”

We expect this is an unintentional “feature.” Twitter Chief Executive Evan Williams wrote on his profile (which is not protected) Saturday, saying, “I think it’s not cool to retweet a protected tweet.”

We think it’s not cool to let Google index a protected tweet.

-- Mark Milian

Follow my unprotected Twitter profile: @markmilian