Twitter's new encrypted message feature criticized by security and privacy experts

Washington CNN

Experts in privacy and security have criticized a new feature Twitter introduced on Wednesday that encrypts direct messages sent between users, raising questions about the safety of the platform's users.

Experts said that Twitter's initial effort to secure direct messages with encryption is riddled with caveats, bugs and risks that could endanger its users.

In the first version of the feature, users can only send encrypted messages if they are Twitter Blue subscribers or their organizations have paid a fee to be verified by the company.

Encrypted messages can only be exchanged between two individuals, not groups. Images, videos and other media cannot be encrypted. The recipient must already follow the sender, or both participants must have previously exchanged direct messages.

Perhaps most importantly, Twitter has acknowledged that even when the encryption feature is enabled, Twitter and third parties could still potentially view users' messages.

Matthew Green, a computer science professor and cryptographer at Johns Hopkins University, said in a tweet that he was trying to remain positive about Twitter's deployment of encrypted DMs, even though it felt like a v0.1 version, or was just obnoxious.

Lea Kissner, Twitter's former chief information security officer, publicly asked Twitter's engineering team to improve the feature as soon as possible.

"I have some design documents somewhere," Kissner told Bluesky, a rival platform. "Please use them."

Twitter says that encrypted messaging is key to its future as the "most trusted platform on the internet". The rollout is another example of Elon Musk's Twitter ignoring warnings from independent researchers that incomplete or poorly implemented updates could have unintended consequences.

Twitter announced in a blog post on Wednesday that users of the latest version of its app would be able to send encrypted direct messages. It said its goal was to provide the same level of privacy protection as privacy-preserving applications that security experts widely recommend, such as Signal.

The blog post stated that "the standard should be that if someone put a gun to our heads, we still cannot access your messages. We're not there yet, but we're working on it."

The company acknowledged that the feature has limitations. For example, it does not offer protection against man-in-the-middle attacks.

Twitter's blog post said: "As a consequence, if someone were to compromise an encrypted conversation, for example a malicious insider, or Twitter itself as part of a legal process, neither the sender nor the receiver would be aware."

Security experts have said that Twitter's implementation is largely ineffective because it lacks true "end-to-end" encryption.

Marcus Hutchins (also known as MalwareTech) said on Bluesky that the "ENTIRE PURPOSE" of end-to-end encryption is to protect against whoever controls the messaging servers.

John Scott-Railton, a cybersecurity researcher and expert in disinformation, tweeted that it was "not safe" for those concerned about their privacy to assume this app has the same protections as [Signal].

Twitter's new feature encrypts all the messages in a conversation, but not each message individually. If a malicious actor gained unauthorized access, they would be able to read the entire chain of messages. It would be better to give each message its own unique encryption key, a protection that other apps already offer.
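To make the point above concrete, here is an added example (not Twitter's code, and not the construction any named app uses) contrasting the two designs: one long-lived conversation key versus a one-way key ratchet that derives a fresh key for every message and then discards it. The cipher itself is a toy (an HMAC-SHA256 keystream XORed with the plaintext) chosen only so the script runs with the Python standard library; the function names and the sample messages are my own assumptions. The measurement `readable_after_compromise` asks a defender's question: if the key material held after the last message leaks, how many earlier messages become readable?

```python
"""Added illustration: conversation-wide key vs per-message ratcheted keys.
Toy cipher for demonstration only (assumption): HMAC keystream XOR, not a
production construction. Names and sample messages are constructed here."""
import hashlib
import hmac
import os


def keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (toy, illustrative only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key: bytes, data: bytes) -> bytes:
    # Symmetric: the same call decrypts a ciphertext produced with the same key.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def ratchet(chain_key: bytes):
    """Derive (message_key, next_chain_key) from the current chain key.
    Both derivations are one-way, so holding next_chain_key reveals neither
    the chain key it came from nor the message key that was used."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return message_key, next_chain


def encrypt_conversation_ratchet(root_key: bytes, plaintexts):
    """Encrypt each message under its own key; return ciphertexts and the
    chain state a client would keep after the last message."""
    chain = root_key
    ciphertexts = []
    for p in plaintexts:
        mk, chain = ratchet(chain)
        ciphertexts.append(xor_encrypt(mk, p))
        # mk is dropped here: the receiver re-derives it from the same chain.
    return ciphertexts, chain


def decrypt_conversation_ratchet(root_key: bytes, ciphertexts):
    # The recipient walks the same chain from the shared root key.
    chain = root_key
    plaintexts = []
    for c in ciphertexts:
        mk, chain = ratchet(chain)
        plaintexts.append(xor_encrypt(mk, c))
    return plaintexts


def readable_after_compromise(design: str, plaintexts) -> int:
    """How many earlier messages become readable if the key material held
    after the final message leaks? Returns the count for the given design."""
    if design == "single-key":
        key = os.urandom(32)
        cts = [xor_encrypt(key, p) for p in plaintexts]
        leaked = key  # one key for the whole conversation
        return sum(xor_encrypt(leaked, c) == p for c, p in zip(cts, plaintexts))
    if design == "ratchet":
        cts, leaked = encrypt_conversation_ratchet(os.urandom(32), plaintexts)
        # The only keys derivable from the leaked state are future message keys.
        derivable, chain = [], leaked
        for _ in plaintexts:
            mk, chain = ratchet(chain)
            derivable.append(mk)
        return sum(any(xor_encrypt(k, c) == p for k in derivable)
                   for c, p in zip(cts, plaintexts))
    raise ValueError("unknown design: " + design)


if __name__ == "__main__":
    sample = [b"hi", b"meet at noon", b"bring the documents"]  # constructed
    print("single-key design, messages exposed:", readable_after_compromise("single-key", sample))
    print("ratchet design, messages exposed:   ", readable_after_compromise("ratchet", sample))
```

Running it shows the difference in blast radius the experts are describing: with one conversation key, a leak of that key exposes every message ever sent under it, whereas with a ratchet the state left on the device after the last message yields none of the earlier ones. A real messenger layers this with key agreement between the two clients so that the server never holds either the root key or the chain state.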

Jonathan Mayer, a computer science professor at Princeton University and former chief technologist for the Federal Communications Commission, said that Twitter's version of encryption would not meet the basic principles taught in an Information Security 101 course.

Mayer stated that 'we literally teach our students to not do what Twitter does'.

Hutchins said that the biggest danger of this feature is that users may be lulled into a false sense of security. That would be worse than Twitter offering no encryption at all, because users might be encouraged to share more sensitive information in Twitter messages.

Tweeted early Thursday morning: "Try it but don't yet trust it."