Twitter Now Supports Encrypted Direct Messages — For a Price


While end-to-end encryption is effectively table stakes for most messaging services, Twitter has remained behind the curve on bringing encryption to its private direct messaging system. The good news is that’s slowly changing, but with the way Twitter is rolling lately, it’s hard to know whether to celebrate this or be concerned.

Communications using Apple’s iMessage have been end-to-end encrypted since Apple debuted the service in 2011, meaning that messages in transit can only be read by the sender and the recipient. iMessage was one of the first mainstream messaging services to offer this level of security, although it wasn’t until recently that Apple took additional steps to ensure iMessage conversations were also encrypted “at rest” in your iCloud backups.

Other messaging services, including Meta’s trifecta of Facebook Messenger, Instagram, and WhatsApp, came to the party a bit later, but they’ve supported end-to-end encryption (E2EE) in various forms for several years now. Even Google is embracing E2EE in its RCS-based messaging app for Android.

By contrast, Twitter seemingly had no solid plans for end-to-end encryption for its direct messages until Elon Musk took the helm last year. It toyed with the idea in 2014 but seemingly abandoned those attempts without explanation. Researcher Jane Manchun Wong found evidence of a possible revival of the technology in 2018, but that never came to fruition. Some also suggested it may have been nothing more than leftover pieces from the earlier 2014 attempt.

Hence, many folks were skeptical when Musk promised to bring E2EE to direct messages as part of his vision for “Twitter 2.0.” However, there was reason to be at least cautiously optimistic; Musk’s ambition is to turn Twitter into a dominant messaging platform, and it’s fair to say that E2EE will be a necessary step toward achieving that goal. Whether he’ll ultimately get there is another question, but implementing E2EE isn’t nearly as difficult to achieve as complete world domination.

End-to-End Encryption Into the Blue

Twitter security engineer Christopher Stanley shared the news today that Twitter has begun a “Phase 1” rollout of encrypted direct messages.

While the system appears to be fully functional, it’s not without some significant limitations. Chief among these is that you’ll need to be a “verified” Twitter user to access it — that means someone with a blue checkmark by their name.

Once upon a time, the blue checkmark meant that you were a person of some noteworthiness, such as a journalist, celebrity, or someone who might be popular enough to be impersonated on Twitter. However, that verification system was always something of a mess when it came to anybody other than those who were clearly top A-list celebrities, and Musk has been working to phase it out since he took over.

Instead, a blue checkmark now represents somebody who pays $8 per month to be a Twitter Blue member. This comes with several perks, such as fewer ads and the ability to edit tweets and effectively write essays on Twitter — tweets of up to 10,000 characters in length rather than the usual 280.

Twitter Blue members also receive “verified” status as long as their account meets certain eligibility criteria; that basically comes down to having an account that’s been around for more than a month, looks like it belongs to a human, and has been used responsibly.

Since it’s only the first phase of the rollout, it’s unclear whether Twitter plans to limit end-to-end encryption to only its paying members, but that’s how it works for now — both the sender and receiver must be verified users to access E2EE for direct messages. Otherwise, you’re stuck exchanging plain old-fashioned DMs “in the clear.”

Users affiliated with Verified Organizations are also eligible to use the new E2EE feature, but that’s even more complicated since the organization needs to pony up $1,000/month just to become a verified organization in the first place, plus an additional $50/month for each person they want to invite as an affiliate.

The E2EE rollout is in a very preliminary stage, and at this point, it’s also missing support for features like group messages and rich media. Message metadata also remains unencrypted at this point, and Twitter notes that the encryption isn’t as solid as it should be since it lacks the kind of signature checks and safety numbers that would prevent man-in-the-middle attacks from intercepting encrypted conversations.
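To show why the missing safety numbers matter, here is an added example (not Twitter's code) of a simplified safety-number scheme modelled on Signal's: each user's identity public key is hashed into a 30-digit half, and both halves are combined into one 60-digit number that the two parties compare out of band. The keys and user IDs are constructed for the demo; if an interceptor swaps in its own key during key exchange, the number on Bob's screen no longer matches the one on Alice's, which is exactly the check that Twitter's first phase lacks.

```python
import hashlib

# Signal iterates SHA-512 5200 times; the count only hardens brute-forcing of
# a look-alike number and is not security-critical for this demonstration.
ITERATIONS = 5200


def key_fingerprint(public_key: bytes, user_id: str) -> str:
    """Derive one party's 30-digit fingerprint half from its identity key."""
    digest = b"\x00\x00" + public_key + user_id.encode()  # version || key || id
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + public_key).digest()
    # Six 5-byte chunks, each reduced to five decimal digits.
    return "".join(
        f"{int.from_bytes(digest[5 * i:5 * i + 5], 'big') % 100000:05d}"
        for i in range(6)
    )


def safety_number(own_key: bytes, own_id: str, peer_key: bytes, peer_id: str) -> str:
    """Combine both halves in a fixed order so both parties compute the same string."""
    halves = sorted([key_fingerprint(own_key, own_id), key_fingerprint(peer_key, peer_id)])
    return halves[0] + halves[1]


def constructed_key(label: str) -> bytes:
    """Constructed stand-in for a 32-byte identity public key (demo only)."""
    return hashlib.sha256(label.encode()).digest()


ALICE_KEY = constructed_key("alice-identity-key")
BOB_KEY = constructed_key("bob-identity-key")
MITM_KEY = constructed_key("interceptor-identity-key")


def screens_match(key_bob_received_for_alice: bytes) -> bool:
    """True if the number Alice sees equals the number Bob sees.

    Alice always holds Bob's real key. Bob holds whatever key the server
    delivered for Alice: her real key in the honest case, or a substituted one.
    """
    alice_view = safety_number(ALICE_KEY, "alice", BOB_KEY, "bob")
    bob_view = safety_number(BOB_KEY, "bob", key_bob_received_for_alice, "alice")
    return alice_view == bob_view


if __name__ == "__main__":
    print("honest exchange, numbers match:", screens_match(ALICE_KEY))
    print("substituted key, numbers match:", screens_match(MITM_KEY))
```

Without a UI that surfaces this number (and users who actually compare it), a key substitution by the server or anyone in the path is invisible to both parties.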

That’s far short of the “if someone puts a gun to our heads, we still can’t access your messages” standard that Elon Musk promised. Twitter’s team admits they’re “not quite there yet,” but that they’re working on it.

Ultimately, it’s fair to say that this implementation should be considered a “beta” test of the E2EE system that Twitter will continue to iterate on. Hopefully, Musk also agrees with Apple’s stance that “privacy is a fundamental human right,” and that this principle extends to who gets access to encrypted messaging.
