Twitter: Pay us to encrypt your direct messages
Elon Musk confirmed the availability of encrypted direct messages on Twitter earlier today after he teased it last week.
The milestone is marred by restrictions: the feature is only available for direct messages exchanged between two accounts that either pay for Twitter Blue or are affiliated with a verified organization, and further limitations apply.
Musk recommends trying the new security feature but warns users "don't trust it yet", which is anything but encouraging.
A new support page on the official Twitter Help website provides additional information on the launch of the new feature.
It points out that Twitter users need the latest version of the Twitter app, either the web-based version or the Android or iOS apps. These generate device-specific keys: a private and public key pair for the Twitter user.
Twitter explains that the public key is "automatically registered when a user logs into Twitter" and that the private key stays on the user's device and is never shared with others or Twitter.
There is also a conversation key, which is used to encrypt the content of messages. Twitter employs "a combination of strong cryptographic schemes" to encrypt messages, links and reactions that are part of an encrypted conversation on Twitter. Media content is currently not encrypted.
Encryption happens on the user's device, and Twitter stores the content in encrypted form on its servers. The message is decrypted on the recipient's device so that the user can read it.
The launch enables a much-requested feature on Twitter, but it is limited in several ways. While it is somewhat understandable that sender and recipient need to use the latest version of Twitter, the same can't be said for the other limitations.
Only verified users on Twitter or "affiliates to a verified organization" may use the feature to encrypt direct messages.
There is a third limit, which makes things even more complicated. Encrypted messages require that the recipient either follows the sender, has sent a message to the sender previously, or has accepted a direct message request from the sender before.
Encryption of direct messages is not enabled by default. Twitter users who meet all the requirements need to enable encrypted mode when sending messages or "start an encrypted message" by tapping on the information icon in unencrypted conversations in the inbox.
Encrypted conversations show a lock icon on the avatar and also in the inbox. Opened messages also indicate whether they are encrypted.
Twitter confirms that there are other limitations in place currently. Group encryption is not supported yet, but the feature is planned.
Another major limitation is that "new devices cannot join existing encrypted conversations". Twitter filters these messages automatically, and any attempt to open such a conversation results in an error message. Reinstalling the Twitter app on a device counts as a new device in this context.
Last but not least, Twitter's system does not include protection against man-in-the-middle attacks. There are no integrity verifications yet, but the feature is planned.
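To make the key model described above concrete, here is an added Go example; it is not Twitter's code and not taken from the support page. Each device generates an X25519 key pair and registers only the public half, a random conversation key encrypts the message, and that conversation key is wrapped for the recipient's registered device key, so the server stores only ciphertext. The concrete construction (X25519 with SHA-256 as a stand-in KDF, AES-256-GCM for sealing) is an assumption of the example; Twitter only says it uses "a combination of strong cryptographic schemes". Running it shows why a reinstalled app cannot read an existing conversation (its fresh private key cannot unwrap the conversation key) and where the man-in-the-middle gap sits: the sender trusts whatever public key the registry hands it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device is one installed app with its device-specific X25519 key pair. The
// private key never leaves it; only Public() is registered with the server.
type Device struct{ priv *ecdh.PrivateKey }

// Envelope is all the server stores for one message: no plaintext, no secrets.
type Envelope struct {
	Sender     *ecdh.PublicKey // registered key of the sending device
	WrappedKey []byte          // conversation key, sealed for the recipient device
	Ciphertext []byte          // message, sealed under the conversation key
}

func NewDevice() (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func (d *Device) Public() *ecdh.PublicKey { return d.priv.PublicKey() }

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key length,
	if err != nil {                  // which would be a bug in this file
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with AES-256-GCM and prepends a random nonce; open reverses
// it and fails on a wrong key or a modified ciphertext (GCM authenticates).
func seal(key, pt []byte) ([]byte, error) {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

func open(key, blob []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// pairKey turns the X25519 shared secret with a peer's registered public key
// into a key-encryption key. SHA-256 stands in for a real KDF (an assumption).
func (d *Device) pairKey(peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := d.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// Send draws a fresh conversation key, wraps it for the recipient's registered
// device key and encrypts the message, all on the sender's device. Nothing
// verifies that peer belongs to the recipient: that blind trust in the
// registry is the missing man-in-the-middle protection.
func (d *Device) Send(peer *ecdh.PublicKey, msg string) (*Envelope, error) {
	convKey := make([]byte, 32)
	if _, err := rand.Read(convKey); err != nil {
		return nil, err
	}
	kek, err := d.pairKey(peer)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, convKey)
	if err != nil {
		return nil, err
	}
	ct, err := seal(convKey, []byte(msg))
	return &Envelope{Sender: d.Public(), WrappedKey: wrapped, Ciphertext: ct}, err
}

// Receive unwraps the conversation key with this device's private key, then
// decrypts. A device whose key was not the registered one at send time (for
// example after a reinstall) fails here: "new devices cannot join".
func (d *Device) Receive(env *Envelope) (string, error) {
	kek, err := d.pairKey(env.Sender)
	if err != nil {
		return "", err
	}
	convKey, err := open(kek, env.WrappedKey)
	if err != nil {
		return "", fmt.Errorf("this device cannot join the conversation: %w", err)
	}
	pt, err := open(convKey, env.Ciphertext)
	return string(pt), err
}
```

Minimal use: create two devices, call `alice.Send(bob.Public(), msg)`, and `bob.Receive(env)` returns the plaintext; a third `NewDevice()` standing in for a reinstalled app gets an error from `Receive` instead, and flipping a byte of the stored ciphertext also fails, because GCM authenticates what it decrypts. Comparing key fingerprints out of band before the first `Send` is the usual way to close the registry-trust gap; the article notes that Twitter has not shipped such protection yet.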
Twitter's new security feature is limited to paying users of the service; this restricts it significantly, and the other limitations reduce the use of the feature further.
Twitter plans to launch updates in the future to address some of these issues. The company has not revealed if it plans to roll out the feature to free users of the service as well in the future.