On May 11, 2023, Twitter launched its encrypted messaging feature. Although this feature has provided an extra security layer for some of its users, it is still not refined and seamless.
Users need to satisfy the following criteria in order to send and receive encrypted messages:
- Both the sender and the receiver should use the latest version of the Twitter app.
- Both the sender and the receiver should be verified or affiliated with a verified organisation.
- The recipient should follow the sender or has previously sent or received a DM from the sender.
Twitter has placed several restrictions and limitations on this service. For instance, you cannot send or receive encrypted messages in a group or you cannot attach links or other media with your messages. Moreover, the metadata of the messages, such as the creation time is not encrypted as of now.
These restrictions have certainly raised some eyebrows among the security researcher community. Matthew Green, a cryptography-focused professor of computer science at John Hopkins University suggests that the encryption feature is not better than Signal or WhatsApp encryption protocol, both of which use the Signal Protocol.
Although Musk was much impressed by Signal, the encryption feature on Twitter excludes many of the most important points of the Signal protocol including the protocol’s constantly changing cryptographic keys, which are used to encrypt messages only once and are never repeated thereafter.
Moreover, as the encryption is opt-in and not turned on by default, it doesn’t prevent man-in-the-middle attacks that would allow the platform to spoof users’ identities and intercept messages. The encryption also lacks the Perfect Forward Secrecy (PFS) feature that generates a unique key for each session. And lastly, this feature is limited only to the verified users.
As Elon Musk said, when it comes to Direct Messages, the standard should be, if someone puts a gun to our heads, we still can’t access your messages. We’re not quite there yet, but we’re working on it
Twitter
As security researcher Matthew Garret told Platformer, using encrypted DMs on Twitter will require the users to place utmost trust in the company. Garret also believes that users should avoid using Twitter encryption mechanisms and should stick to other options such as Signal or WhatsApp for the time being.
“What would happen if Twitter changed the registered public key associated with a device to one where they held the private key, or added an entirely new device to a user’s account? If the app were to just happily send a message with the conversation key encrypted with that new key, Twitter would be able to decrypt that and obtain the conversation key,” Garret wrote in a blog post. “Since the conversation key is tied to the conversation, not any given pair of devices, obtaining the conversation key means you can then decrypt every message in that conversation, including ones sent before the key was obtained.”
Tech giants like Twitter succumb under government pressure as can be gauged from the fact that government demands have risen from around 50 per cent to 80 per cent after Elon Musk took over the platform. The bulk of these requests came from countries such as India, Turkey and UAE. It has been reported that Twitter complied with more than 100 block orders from India which were mostly against journalists, foreign politicians and even poets.
Only recently, Twitter announced that it is restricting access to content in Turkey during the national elections. Although the restricted accounts and tweets were visible outside Turkey’s borders, Musk is sending a clear signal that he is ready to comply with the governments worldwide. As Tesla is making inbounds in the Turkish market, Musk needs to allay the Turkish government’s fears regarding the alleged spread of misinformation.
All these half-hearted steps by Musk raise one question — how far is he willing to go to sacrifice freedom of speech and privacy for the sake of his personal gains, if any? And what will be the future of the platform, will it be the same as Twitter 1.0 which sued governments to protect the tweets from deletion or will it become something else entirely, where only the most powerful entities, including the governments, will control the flow of information, and we the people will remain a mere spectator in all this mayhem.
In the News: 4 new accessibility features are coming to iOS and iPadOS
