Apple’s iMessage, which is otherwise considered a relatively strong end-to-end encryption system, has long suffered from this same vulnerability. But WhatsApp and Signal try to prevent man-in-the-middle attacks by allowing users to verify a key “fingerprint,” which ensures that their messages are encrypted to the intended recipient. As of now, Twitter does not have such a fingerprint verification feature, although it says it will add it soon.
This missing feature may partly explain why Twitter has so far refused to claim that it offers true end-to-end encryption, the “can’t-read-your-messages-with-a-gun-to-the-head” feature Musk promised.
“This appears to be a rushed deployment of a product that is not yet fully operational,” says Riana Pfefferkorn, a security researcher at Stanford University’s Internet Observatory. She points out that Zoom was penalized by the Federal Trade Commission in 2020 for claiming it offered “end-to-end” encryption when it didn’t – and that Twitter’s reluctance to use the term may be a sign that it is not sure its system could meet this “end-to-end encryption” standard.
While Twitter is remarkably transparent about the shortcomings of its encrypted DM feature on its Help Center page, Pfefferkorn worries that its flaws may not be as clear in the web interface and app that users see. “I think it was a good choice for the help page to try from the first paragraph to manage expectations,” she says. “It remains to be seen whether Twitter users will believe that encrypted DMs provide more privacy and security than they actually do.”
Perhaps the most serious downside to Twitter’s encrypted DMs is simply that very few of its users will have the ability to send or receive them. The feature, at least for now, only works between two verified accounts, both of which must be verified institutions or users who pay $8 per month for their blue checkmark. “It shouldn’t be something you have to pay for,” Green says. “You shouldn’t have to pay for basic security.”
The notion of end-to-end encrypted Twitter DMs could one day offer a crucial new method for finding someone online and sending them a secret message; after all, the biggest downside to Signal and WhatsApp is that both require you to know a person’s cell phone number, while Twitter’s DMs allow strangers to interact more freely. But as long as encrypted DM functionality is only available for sending messages to and from verified accounts, its network will, by some measures, be even more restricted, limited to only a tiny fraction of Twitter’s overall users.
For security-conscious Twitter users, there’s only one way left to send an encrypted message to someone, and that hasn’t changed in years: DM someone, ask them for their Signal number, and use Signal to start a real end-to-end encrypted conversation.
Additional reporting by Lily Hay Newman