Twitter introduced a new feature on Wednesday that encrypts some direct messages between its users. But the plan has limitations. Senders and recipients must satisfy certain conditions, including that both must be verified, which in effect means that they are paying for Twitter. And some cybersecurity experts have criticized the feature itself.
Direct messages, or DMs, are messages sent privately between two users, not publicly viewable like most tweets. And encryption is a way of storing a message in a scrambled format so that it cannot be read without a special key of some kind.
An explanation posted on Twitter’s online help center states that users of encrypted messaging must be on the latest Twitter apps, must have had some prior contact with each other, and must both be verified users or affiliates of a verified organization.
“Verified” no longer means what it once did on Twitter. The older verification program was free and was granted mainly to popular and well-known figures as a means of authentication. After Elon Musk bought Twitter and took over as CEO in 2022, he began restricting blue badges to paying Twitter Blue subscribers in order to make money.
Why do you want encrypted DMs?
Twitter has faced privacy issues in the past. In 2020, the accounts of several high-profile Twitter users, including current owner and CEO Elon Musk, were hacked to spread a bitcoin scam. At the time, the US Department of Justice said the scam bitcoin account racked up more than $100,000 simply by sending messages that appeared to be from Musk, Bill Gates and other high-profile users, asking users to send bitcoin in order to supposedly double their payment.
How do you send an encrypted DM on Twitter?
Even if you and the recipient both meet the criteria for encryption, that does not mean that your direct messages will automatically be encrypted. Twitter’s online explanation page says that those eligible to use the feature will see a toggle that lets them switch between encrypted and regular DMs. A lock icon will appear on the avatar of the user who received the message.
Currently, encrypted messages cannot be sent to groups, and can only include text and links, with no media attachments. And they can’t be reported to Twitter if they’re threatening or problematic. Twitter suggests that anyone receiving such an encrypted message block the sender and file a report about the account itself.
The company said in its post that the new encryption does not protect against “man-in-the-middle attacks,” where a conversation can be compromised by “a malicious insider, or Twitter itself as a result of a coercive legal process.”
The blog post also noted that Twitter has chosen not to provide forward secrecy, meaning that if an attacker compromises a device’s private key, the attacker can decrypt all encrypted messages sent or received by that device, including ones recorded earlier.
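The following added example (not Twitter’s code, and not from the article) illustrates the failure mode in the previous paragraph with a toy Diffie-Hellman exchange: a message key derived only from long-term device keys can be recovered by anyone who later steals one of those keys, while a key derived from one-time keys that are discarded after use cannot. The group parameters, names and message are constructed for illustration only.

```python
import hashlib
import secrets

# Toy DH group for illustration only (Mersenne prime 2^127 - 1, generator 2); not a real parameter set.
P = (1 << 127) - 1
G = 2

def keypair():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    """Derive a 32-byte symmetric key from a DH shared secret."""
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(16, "big")).digest()

def xor_crypt(key, data):
    """Stream cipher built from SHA-256(key || counter); the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def send_static(sender_priv, recipient_pub, msg):
    """No forward secrecy: the message key depends only on the two long-term keys."""
    return xor_crypt(shared_key(sender_priv, recipient_pub), msg)

def send_ephemeral(msg):
    """Forward secrecy: both sides use one-time keys; returns what a network observer sees."""
    s_priv, s_pub = keypair()          # sender's one-time key
    r_priv, r_pub = keypair()          # recipient's one-time key (exchanged in a real handshake)
    ct = xor_crypt(shared_key(s_priv, r_pub), msg)
    del s_priv, r_priv                 # nothing remains on either device to steal later
    return s_pub, r_pub, ct

def attacker_with_stolen_key(stolen_priv, observed_pub, ct):
    """Attacker who recorded traffic and later obtained a device's long-term private key."""
    return xor_crypt(shared_key(stolen_priv, observed_pub), ct)

def demo():
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    msg = b"meet at noon"  # constructed sample message
    static_ct = send_static(alice_priv, bob_pub, msg)
    s_pub, r_pub, eph_ct = send_ephemeral(msg)
    # Later, Bob's device is compromised and bob_priv is stolen; the attacker replays both recordings.
    recovered_static = attacker_with_stolen_key(bob_priv, alice_pub, static_ct)
    recovered_eph = attacker_with_stolen_key(bob_priv, s_pub, eph_ct)
    return recovered_static == msg, recovered_eph == msg
```

`demo()` returns `(True, False)`: the statically keyed message is fully recovered from the stolen key, the ephemerally keyed one is not.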
Controversy about encryption itself
It didn’t take long for cybersecurity experts to weigh in on Twitter’s encryption methods. Even Twitter’s own former chief information security officer, Lea Kissner, said on the rival platform Bluesky that parts of it need fixing.
“People on Twitter, seriously. I left some design docs somewhere. Please use them,” said Kissner, according to CNN Business.
CNN Business also cited a Bluesky post from Jonathan Mayer, a computer scientist at Princeton University and former chief technologist at the Federal Communications Commission.
“We’re literally teaching (information security) students not to do what Twitter is doing,” Mayer said.
Even Twitter owner and CEO Elon Musk himself seems wary of the new feature.
“The first version of encrypted direct messages has just been launched,” Musk tweeted on Thursday. “Try it, but don’t trust it yet.”