Twitter on Wednesday introduced a new feature encrypting some direct messages between its users. But there are limitations to the plan. Senders and recipients must satisfy certain conditions, including that both must be verified, essentially meaning they are paying for Twitter. And some cybersecurity experts have criticized the feature itself.
The basics
Direct messages, or DMs, are messages sent privately between two users, not seen publicly as most tweets are. And encryption is a way of storing a message in a scrambled format so it can’t be read without a special key of some kind.
An explanation posted in Twitter’s online help center says that users of encrypted messaging must both be on the latest Twitter apps, must have had specified prior contact and must both be verified users or affiliates to a verified organization.
“Verified” no longer means what it once did on Twitter. The older verification program had been free and granted mainly to celebrities and notable figures as a method of authentication. After Elon Musk bought Twitter and took over as CEO in 2022, he shifted blue badges to only paid Twitter Blue subscribers to generate revenue.
Why would you want encrypted DMs?
Twitter has faced privacy issues in the past. In 2020, the accounts of numerous high-profile Twitter users, including now-owner and CEO Elon Musk, were hacked to spread a bitcoin scam. At the time, the US Department of Justice said the scam bitcoin account racked up more than $100,000 simply by sending messages that appeared to come from Musk, Bill Gates and other high-profile users asking people to send bitcoin to supposedly double their payment.
How do you send an encrypted Twitter DM?
If you and the recipient both meet the criteria for encryption, that doesn’t mean your direct messages will be automatically encrypted. Twitter’s online explanation page says that those who are eligible to use the feature will automatically see a button that lets you switch between encrypted and regular DMs. An icon of a lock will show up on the avatar of the user receiving the message.
Right now, encrypted messages can’t be sent to groups, and can only include text and links, no attached media. And they can’t be reported to Twitter if they’re threatening or otherwise problematic. Twitter suggests anyone receiving this kind of encrypted message block the sender and file a report about the account itself.
Limitations of the encryption
The company says in its post that the new encryption does not protect against “man-in-the-middle attacks,” where a conversation could be compromised by “a malicious insider, or Twitter itself as a result of a compulsory legal process.”
The blog post also notes that Twitter chose to forgo forward security, meaning that if an attacker does compromise a device’s private key, that attacker could decrypt all the encrypted messages sent or received on that same device.
Controversy about the encryption itself
It didn’t take long for cybersecurity experts to weigh in on Twitter’s encryption methods. Even Twitter’s own former chief information security officer, Lea Kissner, said on rival messaging platform Bluesky that the feature needs improvement.
“Twitter folks, seriously. I left some design docs somewhere. Please use them,” Kissner said, according to CNN Business.
CNN Business also quoted a Bluesky post from Jonathan Mayer, a computer scientist at Princeton University and a former chief technologist at the Federal Communications Commission.
“We literally teach (information security) students not to do exactly what Twitter is doing,” Mayer said.
Even Twitter owner and CEO Elon Musk himself seemed wary of the new feature.
“Early version of encrypted direct messages just launched,” Musk tweeted on Thursday. “Try it, but don’t trust it yet.”