
Twitter has finally rolled out encrypted messaging, something users have anticipated since Elon Musk took over last year. However, privacy experts have been widely critical of the feature, which is seemingly riddled with caveats and flaws.
An announcement about the release on Twitter’s website states that “Twitter seeks to be the most trusted platform on the internet, and encrypted Direct Messages are an important part of that. As Elon Musk said, when it comes to Direct Messages, the standard should be, if someone puts a gun to our heads, we still can’t access your messages.”
More pompous words about user safety follow, but when one reaches the section on eligibility to send and receive encrypted direct messages (DMs), an important caveat awaits.
It turns out the new feature only works if both the sender and recipient have the infamous Twitter Blue subscription. Besides, encrypted DMs may only be sent between two individuals, not groups, and encrypting images, video, and other media within messages is not supported.
Most importantly, Twitter acknowledges that the new standard for DMs is not actually a properly designed end-to-end encryption system. The aforementioned blog post says that the company itself, as well as other third parties, can still potentially access encrypted messages.
“Currently, we do not offer protections against man-in-the-middle attacks. As a result, if someone – for example, a malicious insider, or Twitter itself as a result of a compulsory legal process – were to compromise an encrypted conversation, neither the sender nor the receiver would know,” Twitter said.
According to most privacy and security experts, this can actually endanger users, even if the intention is to protect them. Researchers have long been warning Musk that incomplete or poorly implemented updates can have unpleasant consequences.
“I’m trying to be positive about Twitter deploying encrypted DMs even though there are so many things about this system that make it feel like a v0.1 release, or are just obnoxious,” Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, said in a tweet.
On the other hand, John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto, said he appreciated Twitter made it clear there was no protection from man-in-the-middle attacks.
According to Scott-Railton, this caveat is an indirect acknowledgement that it is not safe for anyone worried about privacy and security to assume that encrypted Twitter DMs have equivalent protections to apps like Signal.
Signal is considered to be safer than many other messaging apps because it ensures that not even the company itself can intercept and read users’ encrypted messages.
However, Twitter and Musk have hyped the new feature so much that tempted users might come away with a false sense of security. Besides, without third-party audits or a thorough description of the technology, we just have to take Twitter’s word for it.
To be fair, Twitter said it aimed “to open source our implementation and describe the technology in depth through a technical whitepaper later this year.”
So far, though, there’s probably no need to worry about wider impact, since Twitter Blue only has around 640,000 paying subscribers. The platform has more than 206 million monetizable daily active users in total.