Elon Musk said Twitter Direct Messages (DM) should have end-to-end encryption (E2EE). This comes in the wake of Twitter agreeing to sell itself to the business magnate earlier this month.
Musk’s reasoning is ostensibly simple. “Twitter DMs should have end to end encryption like Signal, so no one can spy on or hack your messages,” Musk said in a tweet.
Signal, an instant messaging service, has been gaining in popularity as people express more concern about privacy. Meta’s Facebook Messenger and Instagram chats (now merged) also offer E2EE as an option. Whatsapp, also part of Meta, supports E2EE by default.
E2EE encrypts data between a sender and receiver so that no third party can access it. While there are several techniques available to protect the content of online messaging, E2EE is considered the most secure.
But end-to-end encryption has become a hot-button topic since it goes to the heart of privacy vs public good concerns.
Privacy advocates support E2EE because, they argue, it ensures online users are free from the threat of unauthorized surveillance from service providers, government agencies, cybercriminals and any other threat actors. Law enforcement agencies, on the other hand, have come out against broad use of E2EE, claiming that it could serve to protect cybercriminals.
Complicating the push to E2EE is reintroduced legislation in the U.S. that targets the removal of liability protections for online platforms that have child sexual abuse content. This is rekindling debate around end-to-end encryption (E2EE) since the law could discourage its use due to liability issues.
CIO Study: Outages Escalating with Massive Growth in Machine Identities
The state of Twitter DM
Twitter DMs contain some of the most sensitive user data on the platform, according to the Electronic Frontier Foundation.
“Because they are not end-to-end encrypted, Twitter itself has access to them. That means Twitter can hand them over in response to law enforcement requests, they can be leaked, and internal access can be abused by malicious hackers and Twitter employees themselves (as has happened in the past),” the Electronic Frontier Foundation wrote last month.
(See Twitter’s Some Important Things to Know about Direct Messages.)
The EFF goes on to say that Twitter could make DMs safer for users with E2EE and advises that Twitter do so.
“Encrypting direct messages would go a long way toward improving safety and security for users, and has the benefit of minimizing the reasonable fear that whoever happens to work at, sit on the board of, or own shares in Twitter can spy on user messages,” the EFF said.
But going E2EE isn’t simple
For years, Twitter has thought about encrypting DMs but then backed off, as The Brookings Institution recently noted when writing about Musk’s impending acquisition of Twitter.
That’s because it’s not an easy undertaking. “Rolling out E2EE represents a major technical undertaking, poses difficult product tradeoffs, and raises thorny trust and safety issues,” Brookings said, adding that “Facebook parent Meta will spend four years making E2EE the default across its messaging services.”
But it’s worth the effort because E2EE gives “technical teeth” to users’ privacy expectations, according to Brookings.
“It protects the privacy of our conversations where the law falls short…[and] if a company can’t access your messages due to E2EE, its TOS [Terms of Service] won’t say that it may search your messages and disclose them to law enforcement,” Brookings said.
What E2EE can’t do
It’s important to remember that E2EE can’t provide a perfect private messaging platform. Anyone that has access to your account – be it a hacker that has compromised an endpoint or a family member – could still read all your messages.
Encryption is critical to privacy
Encryption—in general—is critical to protecting the privacy of both individuals and organizations. Any campaign that portrays encryption in a bad light endangers the privacy protections that we all rely on. So, while there may be merit in exposing encrypted communications to certain privileged organizations—such as law enforcement—we should be extremely careful how we portray the value of encryption to those who will benefit most from its protections.
Get a 30 Day Free Trial of TLS Protect Cloud, Automated Certificate Management.
Related Posts
Machine Identity Security Summit 2024
Help us forge a new era of cybersecurity
☕ We're spilling all the machine identiTEA Oct. 1-3, but these insights are too valuable to just toss in the harbor! Browse the agenda and register now.