Twitter introduced a new layer of privacy and security on user communications, named Encrypted Direct Messages.
This new feature is Twitter’s implementation of end-to-end encryption (E2EE) for direct messages that users exchange on the platform, allowing them to communicate with greater confidence.
The option to use Encrypted Direct Messages will be available in the latest versions of the Twitter apps for Android and iOS, and in the web interface, with encrypted conversations appearing separately alongside the existing Direct Messages inbox. In the mobile apps, a toggle switches between the secure and the regular communication channel.
Sending an encrypted message will be otherwise similar to sending a regular message, and will be governed by the same “followership” or DM invite acceptance rules.
Twitter will be publishing a detailed technical whitepaper later this year where it will explain the encryption scheme in greater detail. For now, it is clear from the use of public-private key pairs that the social media platform has implemented an asymmetric encryption scheme.
Each user has a pair of keys: a public key that is automatically registered when a user logs into Twitter on a new device or browser, and a private key that remains on the device and is never shared with Twitter. In addition, each conversation has its own key used to encrypt the content of messages, which is securely shared between participating devices using the private-public key pairs. As such, even if someone were to intercept the conversation key during transmission, they would not be able to decrypt it without the recipient’s private key.
Only Available to Paying Twitter Users
The introduction of Encrypted Direct Messages has been a long-awaited feature for many Twitter users, especially those concerned about privacy and security. However, this added layer of security will unfortunately not be made available to everyone, but only to subscribers of Twitter Blue, Twitter’s premium tier service.
This could potentially incentivize more users to upgrade to Twitter Blue, enhancing their experience and the overall value proposition of the service, but inevitably many people in need of increased security will be left out.
It is also important to note that for E2EE mode to be activated in a conversation, both parties will have to be Twitter Blue subscribers, or affiliated with a verified organization.
Limitations and Security Concerns
While the introduction of encrypted Direct Messages is a significant step towards enhancing privacy, there are several limitations and security concerns that Twitter highlighted in its announcement. For instance, encrypted messages currently can only be sent to a single recipient and can only include text and links. Media and other attachments are not supported, which limits the usability of the feature.
Moreover, there are potential security risks associated with storing the private key locally on the device. For example, if a device is lost, stolen, or compromised, the attacker could potentially access the private key and decrypt all encrypted messages on that device. Also, without forward secrecy, if the private key is compromised, all past and future messages could be decrypted by an attacker.
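The key scheme described above (a per-device key pair, a per-conversation key wrapped for each recipient device) and the forward-secrecy caveat can be seen in a small model. This is an added illustration, not Twitter's code, and its primitives are assumptions: X25519 for the device key pairs, SHA-256 over the raw shared secret in place of a proper KDF, and AES-GCM for both key wrapping and message encryption. Twitter's whitepaper has not been published, so the real construction may differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// must panics on error; key generation and ECDH only fail on malformed input.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// Device holds one device's long-term key pair. Only the public half is
// registered with the server; the private half never leaves the device.
type Device struct{ priv *ecdh.PrivateKey }

func NewDevice() *Device { return &Device{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }
func (d *Device) Public() *ecdh.PublicKey { return d.priv.PublicKey() }
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Seal encrypts with AES-GCM under key, prefixing the random nonce; Open
// reverses it and returns an error for a wrong key or a tampered ciphertext.
func Seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func Open(key, ct []byte) ([]byte, error) {
	gcm := gcmFor(key)
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// kek derives a key-encryption key from the ECDH shared secret of two devices.
// SHA-256 over the raw secret stands in for a proper KDF (an assumption here).
func kek(mine *Device, theirs *ecdh.PublicKey) []byte {
	sum := sha256.Sum256(must(mine.priv.ECDH(theirs)))
	return sum[:]
}

// WrapKey encrypts the conversation key for one recipient device; UnwrapKey
// recovers it only with that device's private key. Whoever obtains that key
// later can unwrap it just the same: nothing here provides forward secrecy.
func WrapKey(sender *Device, recipient *ecdh.PublicKey, convKey []byte) []byte {
	return Seal(kek(sender, recipient), convKey)
}

func UnwrapKey(recipient *Device, sender *ecdh.PublicKey, wrapped []byte) ([]byte, error) {
	return Open(kek(recipient, sender), wrapped)
}
```

A third device that intercepts the wrapped key fails to unwrap it, while a device that holds the recipient's private key, even one that obtained it after the fact, recovers the conversation key and every message sealed under it.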
For more details on how to use the new feature and what the current limitations are, check out Twitter’s announcement.