Twitter’s new feature, unveiled last week, which encrypts some direct messages (DMs), has drawn criticism from experts. The microblogging platform has made a wide range of policy changes since Elon Musk’s takeover last October.
Subscription-based blue tick verification, changes to two-factor authentication, algorithms opened to the public, and monetization avenues for content creators are among the most significant changes of the Musk era so far.
Twitter launched “Encrypted Direct Messages” on Wednesday, saying in a blog post that it wants to make the platform the “most trusted on the internet.”
‘Try it, but don’t trust it yet’
“When it comes to Direct Messages, the standard should be, if someone puts a gun to our heads, we still can’t access your messages. We’re not quite there yet, but we’re working on it,” stated the Twitter boss.
Early version of encrypted direct messages just launched.
Try it, but don’t trust it yet.
— Elon Musk (@elonmusk) May 11, 2023
Until then, Twitter has incorporated encrypted direct messages, defined as “a new way of communicating on Twitter that will appear as separate conversations, alongside your existing direct messages in your inbox.”
However, the introduction of this new feature has raised questions about the future of user safety on the platform.
“I’m trying to be positive about Twitter deploying encrypted DMs even though there are so many things about this system that make it feel like a v0.1 release, or are just obnoxious,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University.
Twitter’s former chief information security officer, Lea Kissner, made a public plea to the company’s current engineering team, urging them to improve the feature quickly.
“Twitter folks, seriously. I left some design docs somewhere. Please use them,” Kissner stated on Bluesky, a rival and rapidly growing platform.
Twitter has announced that users will be able to exchange encrypted direct messages.
The company aims to provide a level of protection similar to that of highly recommended privacy-preserving apps like Signal.
Twitter emphasized the importance of maintaining strict privacy standards.
However, the company acknowledged that they are still working on achieving this level of security.
The platform also spelled out the feature’s limitations, noting that it does not protect against man-in-the-middle attacks.
Consequently, as stated in Twitter’s blog post, if an encrypted conversation is compromised by a malicious insider or as a result of legal process, neither the sender nor the receiver would be aware of it.
Bad encryption means no encryption
Hence, experts were sceptical of the new feature, stating that this limitation makes Twitter’s so-called end-to-end encryption largely meaningless.
“Bad encryption is as bad as no encryption. It only creates confusion about what E2EE means in the minds of the average consumer who adopts the label at face value,” tweeted Uzma, director of growth and privacy at WhatsApp, in response to Green’s tweet.
“The ENTIRE PURPOSE of End-to-end encryption is to protect you against whoever controls the messaging servers,” stated Marcus Hutchins, aka MalwareTech.
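The caveat Twitter describes above and Hutchins’ point about who controls the servers can be shown in a few lines. The following is an added illustration, not code from Twitter or from anyone quoted here: a server-mediated key exchange in which a dishonest server hands each user its own public key instead of the peer’s, so both users read a normal-looking conversation while the server sees the plaintext. The only thing that exposes the substitution is an out-of-band comparison of key fingerprints (the “safety number” style check that apps like Signal offer); the Diffie-Hellman parameters and XOR cipher are toy values constructed for the demo, not anything Twitter uses.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only (not secure).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Generate a private exponent and the public value a client would upload."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    """Derive a symmetric key from the DH shared secret with the given peer key."""
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()

def fingerprint(pub):
    """Short hash of a public key: the value two users compare out of band."""
    return hashlib.sha256(str(pub).encode()).hexdigest()[:16]

def xor_stream(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream (illustration only)."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def exchange(server_honest):
    """Run a server-mediated exchange; return (what Bob reads, fingerprint check result).
    A dishonest server gives both users its own key, decrypts and re-encrypts in the
    middle, and the conversation still looks normal to both sides."""
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    if server_honest:
        alice_sees, bob_sees = bob_pub, alice_pub
        def relay(ct): return ct
    else:
        mitm_priv, mitm_pub = keypair()
        alice_sees, bob_sees = mitm_pub, mitm_pub
        def relay(ct):
            # Server decrypts with its Alice-side key, reads it, re-encrypts for Bob.
            pt = xor_stream(shared_key(mitm_priv, alice_pub), ct)
            return xor_stream(shared_key(mitm_priv, bob_pub), pt)
    msg = b"meet at 9"
    ct = xor_stream(shared_key(alice_priv, alice_sees), msg)
    received = xor_stream(shared_key(bob_priv, bob_sees), relay(ct))
    # Out-of-band check: does the key Bob was given for Alice match Alice's real key?
    verified = fingerprint(bob_sees) == fingerprint(alice_pub)
    return received, verified
```

In both runs Bob reads the same message, which is exactly why neither party would notice; only the fingerprint comparison fails in the dishonest case.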
John Scott-Railton, a cybersecurity and disinformation researcher, noted that the caveat means individuals concerned about privacy and safety should not assume that this feature provides the same level of protection as apps like Signal.
I appreciate Twitter makes it clear that there is *no protection from man-in-the-middle attacks.
— John Scott-Railton (@jsrailton) May 10, 2023
“Not safe for anyone worried about privacy & safety to assume that this has equivalent protections to things like [Signal],” tweeted Scott-Railton.