Way back in 2018, Twitter was making noises about more secure forms of direct messaging (DM) for its users. The proposed feature, tentatively referred to as “Secret Conversations”, was supposed to allow for end-to-end encrypted (E2EE) conversations that couldn't be intercepted, read by staff, or read by thieves if the platform's database was compromised.
This feature, which did not come to pass, has languished for some years now. Twitter is a place where the unwary may decide to tip off a journalist, or send someone something a little bit racy, without realising how potentially exposed the lack of encryption makes their messaging. Indeed, this is why many journalists direct Twitter users to contact them offsite using more secure forms of communication.
One thing's for certain among all the turmoil at Twitter: Things are going to change. If the platform manages to keep the lights on, we may see renewed activity in E2EE messaging.
Bringing it back (again)
It seems that Twitter is bringing the encrypted messaging party back from the dead. From long-time code hunter Jane Manchun Wong:
According to the above tweet, the feature is being worked on in Twitter for Android. There’s no indication of work done for other platforms at time of writing. The text in the code reads as follows:
“This number was generated from your encryption keys from this conversation. If it matches the number in the recipient's phone, end-to-end encryption is guaranteed.”
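That string describes a safety number: a fingerprint derived from both parties' public identity keys, which each client computes on its own and which the two people then compare out of band. If the server (or anyone between the two phones) has swapped in its own key, the numbers no longer agree. The following is an added example of how such a number is typically derived, modelled on Signal's numeric safety numbers; it is not Twitter's code, nothing on the page describes Twitter's construction, and the iteration count, key bytes and account identifiers are constructed for the example.

```python
"""Safety-number derivation for E2EE key verification.

Added example, not Twitter's implementation. The construction is modelled on
Signal's numeric fingerprints; the parameters below are assumptions.
"""
import hashlib

# Re-hashing ITERATIONS times makes it expensive for an attacker to grind out
# a key whose number partially collides with the victim's. The value is an
# assumption for this example, not something taken from the page.
ITERATIONS = 5200
FINGERPRINT_VERSION = b"\x00\x00"


def fingerprint(identity_key: bytes, stable_identifier: bytes) -> str:
    """30-digit fingerprint of one party's public identity key.

    Hash the version, the key and a stable account identifier, re-hash with
    the key ITERATIONS times, then read the digest out as six 5-digit groups.
    """
    digest = hashlib.sha512(FINGERPRINT_VERSION + identity_key + stable_identifier).digest()
    for _ in range(ITERATIONS - 1):
        digest = hashlib.sha512(digest + identity_key).digest()
    groups = []
    for i in range(6):
        chunk = int.from_bytes(digest[5 * i:5 * i + 5], "big")
        groups.append(f"{chunk % 100000:05d}")
    return "".join(groups)


def safety_number(local_key: bytes, local_id: bytes, remote_key: bytes, remote_id: bytes) -> str:
    """60-digit safety number: both fingerprints, sorted so each side derives the same string."""
    return "".join(sorted([fingerprint(local_key, local_id), fingerprint(remote_key, remote_id)]))


def display(number: str) -> str:
    """Split into twelve 5-digit blocks for reading aloud or comparing by eye."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


def numbers_match(local_number: str, remote_number: str) -> bool:
    """The check the two people perform over an out-of-band channel."""
    return local_number == remote_number


# Constructed demo keys: stand-ins for 32-byte public identity keys, not real keys.
ALICE_KEY = hashlib.sha256(b"demo: alice identity key").digest()
BOB_KEY = hashlib.sha256(b"demo: bob identity key").digest()
MALLORY_KEY = hashlib.sha256(b"demo: mallory identity key").digest()
ALICE_ID, BOB_ID = b"alice@example.invalid", b"bob@example.invalid"


def honest_exchange():
    """The server relays the real keys; Alice and Bob compute the same number."""
    alice_view = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    bob_view = safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    return alice_view, bob_view


def mitm_exchange():
    """A malicious server hands each party Mallory's key in place of the other's.

    Mallory can now decrypt and re-encrypt every message, but the numbers the
    two victims see no longer agree, which is what the comparison detects.
    """
    alice_view = safety_number(ALICE_KEY, ALICE_ID, MALLORY_KEY, BOB_ID)
    bob_view = safety_number(BOB_KEY, BOB_ID, MALLORY_KEY, ALICE_ID)
    return alice_view, bob_view


if __name__ == "__main__":
    a, b = honest_exchange()
    print("honest:", display(a), "| match:", numbers_match(a, b))
    a, b = mitm_exchange()
    print("mitm:  ", display(a), "| match:", numbers_match(a, b))
```

Two caveats are worth keeping in mind when reading "end-to-end encryption is guaranteed". The comparison only means something if it happens outside the channel being verified (in person, over a call, or by scanning a QR code), since a server that can substitute keys can also substitute the number it shows you. And a matching number only attests to the identity keys the clients are using; it says nothing about whether the client software itself encrypts correctly, or about what the app does with the plaintext on the device.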
This is by no means a guarantee that the feature will ever see the light of day. As TechCrunch notes, it has taken organisations such as Meta years to get their E2EE offerings ready before rolling them out. One reason is that this isn't just a technical challenge: once the platform can no longer read messages, it also loses the ability to moderate them, so concerns about abusers and people up to no good hiding themselves from scrutiny have to be taken into account too.
It goes without saying that the huge number of staff leaving Twitter may also get in the way of progress here; the project may simply be too big for the people left working on it to get out of the door. Even so, more secure messaging can only be a good thing, should it ever arrive.
With the recent push away from Twitter to Mastodon for some users, the security of DMs is one of the main talking points. There seem to be two main schools of thought on this. There’s the “Random admins can read your Mastodon DMs, this is bad” camp:
I’m still not sure why I would move to a platform with bad UX (no search, first step is to select 1 of 3000 instances) in which unknown hobby admins can read DMs & delete accounts and servers if they wish to. #Mastodon— Florian Roth ⚡ (@cyb3rops) November 5, 2022
What exactly do you expect to happen here on Twitter?
Elsewhere, there’s the “People can do this at any organisation you care to mention, including Twitter itself” camp:
People argue that on Mastodon, "admins can read your DMs" (which is true) but also that at Twitter (where that's also true) there are probably rules against actually doing that.— Esther (@selfawaresoup) April 26, 2022
As someone who has worked at tech companies for a long time, let me tell you: no. Nobody cares.
Both of these are valid stances, and there’s nothing wrong with a little caution. Even so, the main message we should be pushing is that DMs on social media are a risky business for anything sensitive. Mastodon DMs in particular are not a separate messaging system at all: they are ordinary posts with “direct” visibility, stored unencrypted on the sender’s server and on the server of every recipient, and mentioning another account in one adds that account to the conversation. That is quite different from how DMs work elsewhere, and it can lead to some embarrassing situations.
Personally, I’d send anything critically sensitive, or just messages meant for select people’s eyes only, away from social media. Stick to one of the many E2EE apps out there such as Signal, Viber, WhatsApp, even Facebook Messenger, and check that end-to-end encryption is actually switched on for that conversation, since it is not the default everywhere. There are currently just too many ways that sending messages better suited to E2EE over social networks and platforms can backfire in ways you may not be able to predict.