The platform has warned that its encryption offering is ‘not quite there yet’, while metadata and links are currently unprotected.
Twitter has launched an early version of its own encrypted messaging service today (11 May), in a bid to boost user privacy on the platform.
The feature allows users to encrypt direct messages on Twitter, which means they can only be read by the sender and the recipient. This feature has been launched for subscribers of Twitter Blue and it is unclear if the feature will be expanded to all users in future.
Early version of encrypted direct messages just launched.
Try it, but don’t trust it yet.
— Elon Musk (@elonmusk) May 11, 2023
Twitter CEO Elon Musk announced the feature yesterday (10 May) and said it should mean that he can’t see a user’s direct messages “even if there was a gun to my head”.
More details about the encryption service are on Twitter’s Help Center, which echoes Musk’s statement but notes that “we’re not quite there yet, but we’re working on it”.
When announcing the feature release today, Musk warned that the feature is still in development by saying “try it, but don’t trust it yet”.
Twitter’s encryption details
End-to-end encryption has been a popular feature for years, with other companies such as Signal capitalising on the desire for private messaging. There have been rumours since 2018 that Twitter has been working on encryption for direct messaging.
But Twitter’s new message encryption appears to have issues compared to the standard provided by free services such as WhatsApp and Signal.
To use this Twitter feature, both the sender and the recipient of the message have to be verified users, or be affiliated with a verified organisation.
The current version means the text within messages is encrypted and these messages will be deleted when a user logs out of the platform.
Encrypted messages can only include text and links for now, with media and other attachments “not supported yet”. The company also warns that links and the messages’ metadata are currently not encrypted.
The current version of Twitter’s encryption also doesn’t protect against “man-in-the-middle” attacks.
“If someone – for example, a malicious insider, or Twitter itself as a result of a compulsory legal process – were to compromise an encrypted conversation, neither the sender or receiver would know,” Twitter said.
Twitter launched encrypted* DMs for verified accounts.
* No sync
* No group chats
* No attachments
* No timers
* Vulnerable to MITM
* No reporting (msg franking)
* No Forward Secrecy
* No Key Transparency
* Private keys are NOT erased after web logout https://t.co/ZBnF5hLz08
— Paul Miller (@paulmillr) May 11, 2023
Some users have criticised the current flaws in Twitter’s encrypted messaging. Meanwhile, the encryption service could cause issues for Twitter in the UK due to the country’s Online Safety Bill, which is currently being considered by parliament.
Last month, representatives from several Big Tech companies including Meta, Signal, Threema and Viber called on the UK government to “urgently rethink” this bill, due to fears that the law would force companies to break encryption. WhatsApp previously said it would risk being banned in the UK to save encryption.