A slightly forensic Twitter example – in which a key tweet is now unavailable

Image by Pavlofox on Pixabay:

Warning: this post contains antisemitic imagery / phrases. These are used to illustrate a discussion about whether someone replying positively to a tweet (alleged to contain an antisemitic image) was being intentionally or unwittingly antisemitic.

I was reluctant to publish this post on an unpleasant topic but it seems that the people involved have been being reported to various bodies, likely unfairly, and a great deal of on-Twitter commentary about the case is flat-out wrong.

My post focuses largely on the Twitter-technical side of things. If you spot any mistakes in my assumptions or thinking, or can see that I’ve missed an important piece of evidence that changes things, please let me know, thanks – @JoBrodie.

In early February 2019 I spotted that my “Remember Twitter screenshots can be faked” post was doing the rounds*, in response to a tweet sent by Wes Streeting MP who had commented on a screenshot.

The question, greatly contested on Twitter, is whether someone called Annie (whose June 2018 tweet had been included in the screenshot, saying “Good one Angela“) was replying favourably (perceived as ‘endorsing’) to a problematic tweet from someone called Angela, or if Wes had been sent and then shared a faked^ screenshot.

It is possible that more than one faked screenshot has been sent to people in order to give the impression that Annie or others were endorsing a problematic tweet, when she may have replied to an innocent one. It is also possible that Annie endorsed a problematic tweet in error, not spotting its problematic nature. And it is possible that Annie endorsed a problematic tweet. (‘Possible’ in a vaguely technical sense not taking into account how likely someone might be to respond in a particular way to a particular tweet).

From the information I’ve found I think Annie probably replied favourably to a problematic tweet, not necessarily intentionally ‘endorsing’ it though. She and many others maintain that it wasn’t intentional. It’s quite difficult to clearly distinguish among these three options, though other circumstantial evidence / balance of probabilities etc may come into play.

Table of contents

  1. Did Annie send a tweet with those words?
  2. Was her tweet sent in reply to a tweet from Angela?
  3. What was the thread in which the tweets appear?
  4. Is it possible to fake screenshots?
  5. Red herrings and faked screenshots
  6. Is it possible to be unaware that a trope is antisemitic?
  7. Doxxing claims
  8. Rounded corners etc (!) – added 12 Feb 2020
  9. How I heard about this case.

1. Did Annie send a tweet with those words?

Yes. Regardless of what tweet was being replied to Annie sent the response “Good one Angela” to someone named Angela at 11.09pm on 13 June 2018.

Original reply tweet

My avatar appears at the bottom of the screen on the left as I’m logged in as me.

2. Was her tweet sent in reply to a tweet from Angela?

Yes. Clicking in the bit saying “Tweet your reply” on the original tweet on Twitter brings up an enlarged reply box with the names of people to whom you’d be replying. As you’d be replying to Annie’s tweet her name appears first. Second in the list is Angela. This strongly indicates that Annie’s tweet had been sent in reply to Angela.

Clicking in the reply to bit uncovers the person or people to whom it was sent

There’s my avatar again on the bottom left – I’m logged in as me and clicked the reply button. If someone else was logged in they’d see their own picture.

Further confirmation can be found from Dabr (a simplified Twitter app) – here’s the same tweet showing clearly that it was sent in reply to Angela (Dabr includes all participants in a reply-tweet). It also indicates that Angela’s tweet was sent to someone called Sarah, potentially placing the tweets in a thread [see (3)].

Dabr shows to whom a tweet is sent and the app used to send it

Here’s the original tweet on Dabr (you’d need to log in to be able to see it though).

(i) A note on the timing of tweets – Dabr marks the tweets at 22:09, one hour behind the 11:09 PM timestamp on Twitter. Given that the tweet was sent in June I suspect this is just to do with the way both apps handle GMT / BST. It’s certainly the same tweet, as both URLs have the same tweet ID of 1007022280143237121.

Above a typical tweet URL and below the same tweet URL shown on Dabr

(ii) A note on ‘in reply to’ – the reply-thread makes it clear that it was a tweet sent in response, and not a spontaneous tweet to Angela. However in both cases the format of the tweet would be largely the same. What’s missing here is the phrase “in reply to” which appears on all replies on Twitter but not on spontaneous tweets sent to someone. The likely reason it is missing is probably becasuse Angela’s account is now protected.

3. What was the thread in which the tweets appear?

It appears to be the one below. Someone called Sarah sent a tweet about a band, Angela replied to it and Annie replied to that. As Angela’s account is locked and her tweets are no longer visible the current version of that Twitter thread now looks like this, giving the mistaken impression that Annie has replied directly to Sarah‘s tweet.

This may have been the likely sequence of tweets

  1. Sarah sent the tweet about the band
  2. Angela replied to it (with a now-missing tweet)
  3. Annie replied to Angela.

What we lack is screenshot proof of the three tweets in context.

This tweet shows the screenshot below (of the first and third tweet) with some more context.

Tweet thread showing C replying to A with Tweet B in the middle now missing

Twitter has since temporarily restricted Annie’s account meaning that her tweets are mostly hidden from search results, so now it would be even harder to re-run these searches, so I’m glad I did it in February.

4. Is it possible to fake screenshots?

Yes, very much so, it’s extremely easy. Here’s one to illustrate that point – however it does not seem that the tweeted screenshot sent by Wes Streeting was necessarily faked, if we look at other circumstantial evidence below.

Note that it is certainly technically possible that Wes was sent a doctored screenshot which he then shared in good faith, and that others (eg David, below) have also been sent faked screenshots of tweets which they’ve also shared. It does not seem particularly likely though.

David’s tweet (below), sent two days before the thread above, shows a different post from Angela with the same imagery.

David's tweet shows a similar post from Angela from two days earlier

After publishing this post I sent the link to someone that I’d previously discussed this with and he feels that it’s not the chain of tweets in the thread that’s at issue but the photoshopping of the image shared by Wes. Unfortunately I’m unable to investigate this myself (not a Photoshop expert) and have asked for further info – click on the tweet to see our discussion.

^ 5. Red herrings and faked screenshots

I was surprised (and a bit disappointed) that so many respondents satisfied themselves with a simplistic explanation saying that because it’s possible to find unadorned copies of the image on the web Wes (or whoever sent him the screenshot) must have tinkered with the image. That’s a bit silly.

All of these can be true

(a) a reasonably inoffensive image exists
(b) more offensive variations of this image exist
(c) a tweet was sent containing the inoffensive image, but later photoshopped for some mischief
(d) a tweet was sent already containing an offensive image, and a screenshot was taken of it
(e) someone interacting with a (d) tweet missed its offensive nature

Clearly a version of the ‘raw’ image (a) appears to have been amended (b) at some point as the original has neither the star nor the ring. I suppose it cannot be known for certain which version (c or d) was tweeted out by Angela as the original tweet is no longer available (either because her account is locked or because the tweet was deleted), but…

…an entirely separate screenshot posted by David (in (4)) provides fairly strong circumstantial evidence that Wes’ screenshot was also correct (d). Note though that it does not automatically follow that anyone endorsing such a tweet either spotted or understood the imagery (e).

6. Is it possible to be unaware that a trope is antisemitic?

Yep. Here’s me learning about one myself.

In Annie’s defence she is a very high-volume tweeter with over 225,000 tweets (this includes tweets and RTs) sent since May 2010 (about 70 tweets a day). I think of myself as pretty chatty on Twitter but have sent ‘only’ 116,000 since June 2008 (about 30 tweets a day). With her fast-pace Twitter exchanges it’s entirely believable that she might have missed the nuance of a piece of imagery when responding.

7. Doxxing claims

A separate discussion on Twitter was about whether Wes had published Annie’s personal information (doxxing) in sharing her real name and whether this breaks Twitter’s rules or those of the Labour Party. I think I’d describe what Wes had done as having ‘surfaced’ information that was publicly available elsewhere, but which hadn’t been explicitly shared on Twitter before. In Annie’s own Twitter account she uses her real initials – that doesn’t in itself give her name away but if you come across her name elsewhere it would be confirming evidence.

I don’t think Wes can reasonably be said to have doxxed her, given the ease with which her info can be found (as she has also used the same account name for other services you can find and confirm her info quite easily), however I’d agree that it was a bit ‘ungallant’ of him to have done so as it brought her a lot of unwanted and unpleasant attention (and to him too). It does not appear to break Twitter’s rules about sharing personal information (I don’t know about the Labour Party’s own rules) and I don’t believe it’s illegal, but it may well be ‘GDPR-problematic’.

Edit: 7 March – in fact if you type Annie’s account name into a search on Twitter it will show you a separate account of hers which also uses her real name, that account is also followed by someone who shares the same family name.

This blog post suggests that a police investigation is underway but I don’t know if that’s definitely the case. Lots of people apparently tweeted that they were reporting Wes for faked images and doxxing – but that in itself doesn’t prove that they did of course. Here, lots of people discuss the blog post on Twitter.

8. Rounded corners etc (!) – added 12 Feb 2020

These two tweets (from Jimbo and Jenny) point out that there’s a discrepancy with the roundedness of the corners on the image. This is more likely to be due to how a particular tweet is presented (or to updates to the app, as LatestMessiah pointed out) than to wrongdoing (photoshopping a picture but failing to take account of how Twitter presents the corner edges) though wrongdoing can’t be discounted.

Jimbo also points out that the symbolism on the arm’s sleeve may have been missed (as he had done so himself – “I missed it on first viewing as I focussed on the quote” – particularly as Twitter often crops images anyway, see below). I wonder if a saliency heat map (when you test, using eye cameras etc, what people actually look at on a picture) of the full image would show that the main focus was the text.

An example of how Twitter truncated images

The screenshots below of an old tweet of mine were all taken on a desktop browser (Firefox) today 12 Feb 2020 to illustrate how various settings can affect appearance.

Top panel = Old Twitter
Bottom panel = New Twitter

Note: in ~July 2019 Twitter updated how things appeared (“#NewTwitter” as opposed to what then became the older “#LegacyTwitter”) so I’ve shown both. I am using the browser add-on ‘Good Twitter‘ so that I only ever see the ‘old’ Twitter.

From left to right
(i) how image appears in a tweet while the tweet is part of a larger timeline, as you scroll through a bunch of tweets
(ii) how the image appears when the tweet is selected and shown on its own page
(iii) how the image appears when the image is selected, to enlarge it

Screenshot 2020-02-12 15.27.14Screenshot 2020-02-12 15.27.30

Note that screenshots taken on various phone / tablet apps, Tweetdeck etc would likely show a different view, so ‘cropped’-ness and ’roundedness’ of corners may not always be that instructive and the time a screenshot was taken, and the app / platform on which a tweet was viewed (and whether it was viewed as (i), (ii) or (iii) would need to be taken into account.


* 9. How I heard about this case.

I regularly run a Twitter search for this blog. Its most-shared post, at the time of writing, is “Hate seeing other people’s likes on Twitter? Some options to try” which looks at the options to avoid seeing “Your friend X liked Y’s tweet”. When people share my post they often include additional solutions that they’ve found out, with which I then update the post (I say as much in that post). Searching Twitter for howtodotechystuff.wordpress.com brings up any public tweet containing a link to this blog.



• “Forensic” Twitter – getting evidence for use in court etc

           For anyone who wants to capture Twitter-related evidence [17 Aug 2019]

I am not a lawyer and this is not legal advice (I am not qualified to give it). Be very careful about relying on this information – if I am wrong my advice might damage your case! – and always seek appropriate legal advice if you need it. Different localities will have their own laws and application of those laws. [Page updated 17 Aug 2019 29 Aug 2018]

See further reading at end.

This post is written for people who need to keep an eye on a particular set of tweets, or information on a website. An example might be where someone says something (on Twitter) that crosses a line and may need to result in intervention from Police, statutory bodies or some other legal body, or perhaps it may even end up in court. I have no idea what type of evidence would be required to satisfy a court but here are some suggestions for capturing tweets as evidence, and their limitations.

If you’ve been blocked you can still view and save tweets by logging out, using a third party app (like Echofon for iPhone or Dabr.eu for desktop) or creating a spare account. You can’t reply to a blocker’s tweets but you can reply to other people’s replies to them, if you want your tweet in the thread.

Table of Contents
1. Capturing the tweets while they’re still available
• 1a. Screen capture / screenshot
• 1b. Freezepage
• 1c. Storify or embedding in a blog
• 1d. Capturing the tweets as they’re sent – email notifications or IFTTT
2. Capturing deleted tweets
3. What did they use to send the tweet?
4. Detect changes on another website, or new information being published
5. How many followers did X have at point Y?
6. Fake tweets – screenshots, deletions
7. Further reading

1. Capturing the tweets while they’re still available

In Monroe v Hopkins (see PDF in further reading) section 84 the Judge notes that any litigant (either party in a trial) needs to take responsibility for capturing any tweet-related evidence (“and the responsibility of a solicitor to take reasonable steps to ensure that the client appreciates this responsibility and performs it”). This may include capturing the tweet itself, responses to it, information about how many people have liked or RTed it. You could even plug the tweet’s URL into Facebook to see if anyone’s shared it there too (only the public posts will show up).

1a. Screen capture / screenshot
Have the tweet visible on the screen and take a screenshot. Methods for doing this depend on the device but see [Taking a screenshot] for some suggestions.

For a better picture use desktop Twitter (and include the https:// link that’s visible in the address bar). Most Twitter platforms, including desktop, will also show you who has favourited or RTed the tweet (which may be useful evidence in itself of the spread of the tweet) but you may need to note the accounts that have done this as it’s not necessarily obvious from the pictures (and they may subsequently change their picture). If you hover the mouse over their picture a pop-up of their profile will appear. You can also capture some of the replies to the tweet too.

Note that more people might reply to the tweet later (or favourite it, or RT it) so this process may need to be repeated periodically.

Advantages: captures the tweet as it is, even if later deleted
Limitations: because an image can be altered it may not be deemed strong enough evidence. However I think it would be a ‘not unreasonable supposition’ to believe that someone stating under oath that it is true might satisfy the courts, though see tweet below. You might be lucky and find that others have created a corroborating screenshot or other way of verifying the tweet too. See also Section 6 on faked screenshots.

1b. Freezepage
To capture a copy of the ‘page’ on which the tweet appears (you need to use the tweet’s own address – you can find its URL in the tweet’s timestamp. Make sure you remove the S from the httpS bit of the address [update 22 March – removing the S from https:// to make it http:// may no longer be necessary, but if it gives an error message try that first]. You can create an account, or not http://www.freezepage.com/

1c. Storify or embedding in a blog
Storify no longer available, alternatives here “Alternatives to Storify”

A tweet, once embedded in a Storify story or blog, will remain visible there even once deleted. It will look slightly different (you won’t be able to favourite it or RT it) but it will remain there otherwise exactly as it was.

Storify embeds: Search for the name of the person, or words in the tweet, or if you have its address use the link search to pin it down and save it in your Storify. See [How to use Storify like a pro to collect tweets] for more info.

Blog embeds: Either use the embed tweet option (previously found in the three … dots but this has been replaced with a down arrow to the right of the tweet) or, for WordPress dot com blogs (as this one) you can just use the tweet’s address and it will autoembed.

1d. Capturing the tweets as they’re sent
Email notifications – Generally this is ON by default and you might have already switched it off (it can be a bit annoying). Twitter can send you an email notification when someone sends you a tweet (or when someone likes or retweets your tweet).

Check your email notification settings here

This is an imperfect solution. Note that Twitter won’t email you every notification and it will largely ignore new accounts or those that haven’t confirmed an email address (and  it may be these types of accounts that you need to collect tweets from). Twitter has also changed its notifications – it used to be the case that you’d get a full copy of the text of the tweet and that may no longer be the case. [More on Twitter’s email preferences]

In fact it is likely that Twitter will hide some tweets sent in your mentions (notifications tab) from new or unconfirmed accounts, or even tweets that show up in response to those. It may be worth searching for the tweets (using to:yourusername to search). You can search while logged out but you may get a more complete picture logging in with a spare account.

IFTTT – The free online tool IFTTT (If This, Then That) lets you capture a copy of a ‘corpus’ (“bunch”) of tweets eg all from a particular user or all containing a hashtag. You can have them emailed to you or you can have them collected in a Google Drive spreadsheet or Evernote file. You can even have the tweets rebroadcast to a spare account (though I recommend making it a private one otherwise it’s a bit annoying and spammy).

I’ve not written a blog post specifically about setting up IFTTT but the information can be gleaned from the second part of [Downloading your old Twitter faves, setting up IFTTT to capture new ones] and another post that might be useful on how to use IFTTT is [How to display Instagram pictures correctly in tweets using IFTTT].

With IFTTT you authorise it to access your own Twitter account (to let it interact with Twitter) then authorise another service (whatever you want to use to collect the tweets) eg Google Drive or something else. IFTTT calls the different services channels and the instructions to “if a tweet contains X send an email to Y” a recipe.

2. Capturing deleted tweets
While deleting a tweet removes it from Twitter’s public servers it is still potentially findable by users (in some cases you may need to get a court order to recover it from Twitter’s backup servers, assuming that is possible).

If you are looking for a tweet only a short while after its deletion (I’m not sure exactly how long but it’s a matter of hours and no guarantees) you may find it via Google’s cache (see tiny green arrow in picture below, flanked by orange arrows, that is the link to find a cached copy, if available – manage your expectations though, it’s not all that common to find them in this way but does happen). Note that tweets that have previously been embedded in a blog post or used in a Storify story will still remain even after the tweet is deleted. Other search engines have caches too and you can see an example here http://cachedview.com/


Other things to try if you can’t find the tweet(s) are to see if others have retweeted the text of the tweet(s) [search for words you remember in the tweet] or a screenshot [in which case they may have included the original @handle of the person who deleted the tweet so try searching for to:handle].

If you’re the sort of person who knows what an API is then you might be able to do something on that front but alas this exceeds my knowledge.

3. What did they use to send the tweet?
All tweets used to have additional information below the tweet saying what software had been used to send the tweet but Twitter no longer adds this in. However many third party apps do. Echofon for iPhone and Dabr.eu will tell you how a tweet was sent.

  • Sent via Twitter Web Client generally means the person was using a web browser to send the tweet
  • Sent via Twitter for iPhone (or for Android), etc – fairly explanatory (official Twitter apps)
  • Sent via Echofon for [smartphone] – these are 3rd party apps
  • Sent via Mobile Twitter – they may have used the mobile version of desktop Twitter on their smartphone

Here’s a screenshot of this information for a tweet sent via Dabr.eu, as seen on Dabr.eu.

Screenshot 2018-08-12 17.49.37

Because Echofon is used on a mobile device it’s reasonable to assume that if that was used to send the tweet the person was using a phone. If it says something like ‘Twitter for web’ then they may have tweeted from a desktop computer.

Limitations: On an iPhone it was possible to download the Chrome browser and use Twitter’s desktop version (ie force it to show desktop rather than the more usual mobile-friendly version). Tweets sent in this way would appear as ‘from desktop’ yet would have been sent by mobile phone. It’s a while since I’ve played with this so don’t know if it’s still the case.

4. Detect changes on another website, or new information being published
Use the change detection service and get it to send you an email if the text on a website is amended https://www.changedetection.com/, or you can set up a Google Alert to email you if a particular word or phrase appears in a newly published page on the internet https://www.google.com/alerts

5. How many followers did X have at point Y?
One of the considerations in the recent Monroe v Hopkins Twitter libel case considered how many followers the parties had at the time the relevant tweets were made. This was estimated but in some cases you’d be able to find the exact number thanks to the Internet Archive‘s ‘Wayback Machine‘ which periodically saves copies of web pages and stores them for future searching.

Whether or not someone’s Twitter account has been archived will probably be fairly random (and presumably new accounts won’t be included – though you can of course manually add their page to the archive, or use Freezepage as mentioned above) – I was quite pleased to find that my page has been archived. The Internet Archive takes snapshots at particular time points, often several months apart – it’s pot luck what’s there.

The Internet Archive has taken several snapshots of my Twitter account and one, made at 14:52 on 14 Feb 2010 showed that I had 820 followers, by 3 August 2014 this had increased to 3,631. My account has had 44 snapshots taken between 23 Dec 2008 and 9 Jan 2017. Use the format https://twitter.com/USERNAME and insert it here to test an account’s history.

6. Fake tweets – screenshots, deletions
(i) It is possible to open the Inspector panel on a browser (on Firefox on a Mac this is Command+Alt/Option+i). If you have a tweet open while doing this you can search for the text of the tweet within the Inspector panel that appears and edit it. Clicking back in the main browser window will show a fake tweet which could then be captured with a screenshot. Of course screenshots can also be faked with (ii) Photoshop-type editing or (iii) copying the text of someone else’s tweet onto a screenshot. I don’t know how prevalent this is but I’ve seen a suspected example this evening (I don’t know which of the methods suggested above they used to create it).

I asked about (i) and received confirmation from Sean Ellis who also pointed out that you could also just (iv) download a local copy of the web page, manipulate the underlying HTML code in notepad and reload a local copy and take a screenshot. There seem to be a lot of ways of cheating!

If you add extra numbers to the end of a tweet’s URL / link you are effectively creating a tweet that has never been published. When pressing enter, to open the tweet, Twitter will return a page not found – which looks as if the person has deleted the tweet. Here’s an example I created for myself using two numbers repeated to make it clear what I did.


It looks like this on the page. The page never existed!

Screenshot 2018-08-29 23.48.59

7. Further reading