On Thursday, Twitter introduced its new feature for encrypted direct messages (DMs), aimed at enhancing message security on the platform. This marks the company’s first step toward bolstering end-to-end encryption, although Twitter has cautioned users about several limitations of this initial rollout. Currently, only verified users are able to initiate encrypted chats, and group messages remain unsupported.
In a detailed blog post, the company outlined that the new encryption feature is compatible with the latest versions of Twitter on iOS, Android, and the Web. Both parties involved in the conversation must be verified, either through a Twitter Blue subscription or as members of a verified organization. Additionally, the person receiving the message must follow the sender or have engaged in previous communication, which includes accepting direct message requests.
Once the necessary criteria are met, the sender will see a toggle featuring a lock icon when clicking the new message button. This will initiate a chat with a qualified recipient, and encrypted conversations will be identifiable through a lock icon displayed on the recipient’s profile picture.
However, Twitter’s encrypted DMs feature has multiple constraints compared to established messaging platforms like Signal and WhatsApp. The company has not revealed the cryptographic methods utilized for message encryption. At present, encrypted messaging is limited to one-on-one exchanges, and only text and links are protected; media files, reactions, and overall chat metadata remain unencrypted.
Furthermore, Twitter acknowledges that users currently have no method for verifying the integrity of their encrypted conversations. This implies that either Twitter or potential malicious actors could access these conversations without users being notified. The platform is reportedly working on integrating signature checks and “safety numbers,” similar to features available on apps like Signal and WhatsApp, to enhance the verification processes.
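The "safety number" check the article says Twitter has not yet shipped is what lets two users detect a key substitution by the platform or an attacker on the key-distribution path. The following is an added illustration, not Twitter's or Signal's code: a simplified stand-in for Signal's safety-number construction in which each side reduces both identity public keys to a 60-digit string and the two strings are compared over an independent channel. The key bytes, the iteration count and the `exchange` simulation are all constructed for the example.

```python
import hashlib
import secrets

# Added illustration of a safety-number check. The construction below is a
# simplified stand-in for Signal's scheme and is not any vendor's code.


def fingerprint(identity_key: bytes, iterations: int = 5200) -> str:
    """Reduce one party's public identity key to 30 decimal digits via an
    iterated SHA-512, giving a stable value a human can read out loud."""
    digest = identity_key
    for _ in range(iterations):
        digest = hashlib.sha512(digest + identity_key).digest()
    groups = []
    for offset in range(0, 30, 5):  # six groups of five digits
        chunk = int.from_bytes(digest[offset:offset + 5], "big") % 100_000
        groups.append(f"{chunk:05d}")
    return "".join(groups)


def safety_number(key_a: bytes, key_b: bytes) -> str:
    """Combine two identity keys into one 60-digit string. Sorting first makes
    the value identical no matter which side computes it."""
    first, second = sorted((key_a, key_b))
    return fingerprint(first) + fingerprint(second)


def views_agree(view_a: str, view_b: str) -> bool:
    """Constant-time comparison of the numbers each side reads out."""
    return secrets.compare_digest(view_a, view_b)


# Constructed sample identity keys (stand-ins for real X25519 public keys).
ALICE_KEY = hashlib.sha256(b"alice identity key, constructed").digest()
BOB_KEY = hashlib.sha256(b"bob identity key, constructed").digest()
MITM_KEY = hashlib.sha256(b"interposed key, constructed").digest()


def exchange(server_swaps_keys: bool) -> bool:
    """Simulate key distribution through a directory server. Each party only
    ever sees the key the server hands it for the other party. Returns True
    when the out-of-band safety-number comparison succeeds."""
    if server_swaps_keys:
        # A compromised directory hands each side its own key instead of the
        # peer's, so it can decrypt and re-encrypt everything in between.
        key_alice_gets_for_bob = MITM_KEY
        key_bob_gets_for_alice = MITM_KEY
    else:
        key_alice_gets_for_bob = BOB_KEY
        key_bob_gets_for_alice = ALICE_KEY
    alice_view = safety_number(ALICE_KEY, key_alice_gets_for_bob)
    bob_view = safety_number(BOB_KEY, key_bob_gets_for_alice)
    # The two strings are compared over a channel the server does not control
    # (in person, a phone call, a scanned QR code); a mismatch exposes the swap.
    return views_agree(alice_view, bob_view)


if __name__ == "__main__":
    print("honest server, numbers match:", exchange(server_swaps_keys=False))
    print("swapped keys, numbers match:", exchange(server_swaps_keys=True))
```

The point of the simulation is the second case: without such a comparison, both sides still see a lock icon and a working conversation while a third party holds the keys, which is exactly the gap the article describes. Real implementations derive the digits from the same kind of iterated hash but also bind the user identifiers and present the number as a QR code for scanning.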
Early version of encrypted direct messages just launched.
Try it, but don’t trust it yet.
— Elon Musk (@elonmusk) May 11, 2023
Moreover, Twitter limits access to encrypted DMs to a maximum of ten devices, with no facility to view registered devices or deregister those that are no longer accessible. New devices will not be able to access ongoing encrypted conversations.
If a user logs out of a device, all encrypted chats will be erased. Due to the absence of a key backup provision, retrieving those chats is only possible by logging back into the original device. Additionally, users cannot report encrypted messages directly to Twitter but can block the sender from sending further DMs and report the account if necessary.