Twitter adds new DM features, and Musk claims encryption is here, starting today
We'll believe our DMs are secure when someone provides proof, thanks
Twitter has rolled out some quality of life updates for direct messages on the platform, and CEO Elon Musk reckons the site is to start encrypting DMs, beginning today, without providing proof that's the case.
In a tweet last night, Twitter Support announced that a couple of well-trodden DM features from other platforms were being added to Twitter. Namely, the ability to directly reply to a specific message, à la Apple's iMessage, and a new expandable menu of message reactions will allow responses "with a wider range of emojis than ever before."
We're unsure if Twitter engineers simply forgot that any and all emojis were usable in DMs before coding in an alternative to the emoji keyboard available on most modern devices.
"We are already working on improving these features - web support and better rendering for replies to media messages," Twitter Support said.
As for encrypted DMs on Twitter, Musk said in a tweet prior to the Support account's announcement last night that "release of encrypted DMs V1.0 should happen tomorrow." The Twitter-owning billionaire said his platform's DM encryption would "grow in sophistication rapidly," with the "acid test" being that "I could not see your DMs even if there was a gun to my head."
That suggests Twitter is aiming for secure end-to-end encryption for direct messages.
Musk added that Twitter would also be adding voice and video chat "so you can talk to people anywhere in the world without giving them your phone number." This, perhaps, is the next "everything app" feature - it's a clear attempt to lure users from platforms like Signal, which offer encrypted communications by default, but require a phone number that's publicly visible and used to contact others.
DM at your own risk
Of course, "encrypted messages arrive today" is no guarantee that's actually the case, and Twitter users assuming their DMs are now truly private are doing so at their own risk. Musk has said end-to-end encryption of DMs has been a goal since he took over the company last year, but since seizing the reins in October, he has yet to follow through on that promise.
To make matters worse, Twitter has a history of less-than-stellar treatment of its users' privacy: a software bug allowed bad actors to harvest phone numbers, email addresses and account IDs for 5.4 million Twitter users last year, and former Twitter security chief turned whistleblower Peiter "Mudge" Zatko revealed a bevy of security concerns at the company shortly before Musk took over.
Twitter also self-reported that it has been getting increased numbers of government requests to remove tweets and reveal user information since Musk took over. According to the same dataset, Twitter hasn't refused to comply with any of the 971 government requests it received since October 2022, and fully complied with 83 percent of requests. Prior to Musk's takeover, Twitter averaged around 50 percent compliance with such requests.
Musk said on February 3 that "starting today" Twitter would begin sharing ad revenue with creators, but let slip last night - a full 95 days after he said it'd be starting - that Twitter was still working on the software needed to share ad revenues.
As any security-conscious pro will tell you, it is safest to operate on the assumption that a service isn't encrypted until presented with actual confirmation. ®
Updated to add
Twitter has now shared more details about its promised encrypted direct messages. As we should have expected, to benefit from this privacy feature, both the sender and receiver need to be verified or affiliated with a verified organization. And to be verified, you need to be a paid-up Twitter Blue subscriber, typically.
Also, conversations won't be truly strongly end-to-end encrypted. As the above-linked page states:
"Currently, we do not offer protections against man-in-the-middle attacks. As a result, if someone – for example, a malicious insider, or Twitter itself as a result of a compulsory legal process – were to compromise an encrypted conversation, neither the sender or receiver would know."
Twitter said it's working on adding cryptographic signature checks and safety numbers to combat man-in-the-middle attacks, though they may not necessarily fully protect users. There are other shortcomings, such as metadata not being encrypted.
Given those significant limitations, what really is the point of this new encryption, we wonder?
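To make the missing protection concrete, here is an added example (not Twitter's code or scheme, and not from the original article) of how a safety number lets two users notice that the key server handed them substituted keys. The construction is a simplified, generic one; the user names, the constructed stand-in keys and the iteration count are all assumptions.

```python
import hashlib

ROUNDS = 5200  # assumed iteration count; slows searching for look-alike fingerprints

def _key(label: str) -> bytes:
    """Constructed 32-byte stand-in for a public key (no real key material)."""
    return hashlib.sha256(label.encode()).digest()

ALICE_KEY, BOB_KEY, MALLORY_KEY = _key("alice"), _key("bob"), _key("mallory")

def fingerprint(user_id: str, public_key: bytes) -> str:
    """Iterated SHA-512 over identifier and key, shown as six 5-digit groups."""
    digest = user_id.encode() + public_key
    for _ in range(ROUNDS):
        digest = hashlib.sha512(digest + public_key).digest()
    groups = (int.from_bytes(digest[i:i + 5], "big") % 100000 for i in range(0, 30, 5))
    return " ".join(f"{g:05d}" for g in groups)

def safety_number(my_id, my_key, peer_id, peer_key_as_received) -> str:
    """Combine both fingerprints; sorting makes the result the same on both ends."""
    halves = sorted([fingerprint(my_id, my_key),
                     fingerprint(peer_id, peer_key_as_received)])
    return " | ".join(halves)

def both_views(key_alice_is_given_for_bob, key_bob_is_given_for_alice):
    """Return the numbers Alice and Bob each see, given what the server handed out."""
    alice_sees = safety_number("alice", ALICE_KEY, "bob", key_alice_is_given_for_bob)
    bob_sees = safety_number("bob", BOB_KEY, "alice", key_bob_is_given_for_alice)
    return alice_sees, bob_sees

def numbers_match(views) -> bool:
    """True when both users would read out the same safety number."""
    return views[0] == views[1]

# Honest server: each user receives the other's real key.
HONEST = both_views(BOB_KEY, ALICE_KEY)
# Key substitution: both users receive a third party's key instead.
SUBSTITUTED = both_views(MALLORY_KEY, MALLORY_KEY)

if __name__ == "__main__":
    for name, views in (("honest server", HONEST), ("substituted keys", SUBSTITUTED)):
        print(name, "-> match" if numbers_match(views) else "-> MISMATCH")
        print("  Alice:", views[0])
        print("  Bob:  ", views[1])
```

The check only helps if the two users compare the numbers over a channel the server does not control, such as in person, because a party able to swap keys can also alter anything sent through the service.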