As social media giant Twitter seeks to become the “most trusted platform” on the World Wide Web, it has launched its first version of encrypted direct messages (DMs), according to official documents.

The feature will be initially available to Twitter Blue verified users, verified organizations, or their affiliates.

Additionally, the encryption feature is only functional when both the sender and recipient are on the latest iOS, Android, and Web Twitter apps.

Features Of Encrypted Direct Messages On Twitter

Twitter has explained in a new support document the features of the tech giant’s first version of encrypted DMs.

Perhaps the most important feature of this development is that you must be a paying user for you to be able to send and receive encrypted messages.

Note that rival platforms like Meta’s Facebook Messenger and WhatsApp, as well as Signal and iMessage, already allow users to send and receive encrypted messages for free. Therefore, having to pay for the feature on the Elon Musk-owned social media platform might be a hard sell.

Early version of encrypted direct messages just launched. Try it, but don’t trust it yet. — Elon Musk (@elonmusk) May 11, 2023

According to the social network, encrypted messages are only available to verified users – people who pay for Twitter Blue, verified organizations – entities that pay $1,000 per month, and affiliates of verified organizations that pay $50 per person.

Twitter said the encryption works on the “latest version of Twitter apps (iOS, Android, Web) which generate a pair of device-specific keys, called private and public key pair.”

The public key is automatically registered when a user logs into Twitter on a new device or browser. The private key never leaves the device and therefore is never communicated to Twitter.

According to the company:

The private-public key pairs are used to exchange the conversation key securely between participating devices.

Twitter’s new DM encryption employs a “combination of strong cryptographic schemes to encrypt every single message, link, and reaction that are part of an encrypted conversation before they leave the sender’s device.”

These remain encrypted while stored on Twitter’s system and are decrypted once the message is received on the recipient’s device so that they can be read by the user.

Twitter emphasizes that while encryption works across platforms, “an encrypted DM recipient must follow the sender.” Alternatively, encryption can be enabled if the recipient has sent a message to the sender in the past or accepted a DM request from the sender at some point.

The documents also stated:

We aim to open source our implementation and describe the technology in depth through a technical whitepaper later this year.

Limitations To Twitter’s Encrypted DMs

The San Francisco-based tech company acknowledges that there are a number of limitations to this feature. At the conversation level, the platform only supports encryption for one-to-one messages containing text and links.

Twitter said that media such as photos and videos are currently not supported in encrypted conversations.

Twitter also warns that it doesn’t have protections against man-in-the-middle attacks, stating that, “If someone — for example, a malicious insider, or Twitter itself as a result of a compulsory legal process — were to compromise an encrypted conversation, neither the sender or receiver would know.”

This has raised doubts about the feature’s security. It’s not clear which cryptographic standard Twitter’s feature uses, since the company says only that it is deploying “a combination of strong cryptographic schemes” in the document.
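The two mechanisms the support document describes, device-specific key pairs whose public half is registered with the server and a conversation key exchanged between devices under those keys, and the man-in-the-middle limitation Twitter acknowledges, can both be seen in a small model. The Go program below is an added illustration written for this article; it is not Twitter’s code and makes no claim about which schemes Twitter actually uses. It assumes X25519 key agreement and AES-256-GCM key wrapping, uses a SHA-256 stand-in for a proper KDF, and models the server as a plain map of device names to public keys. Because each client trusts whatever that directory returns, a substituted entry cannot be detected by the wrap and unwrap steps themselves; the only check that catches it is comparing a key fingerprint obtained outside the service, which is exactly the protection the document says is missing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Device models one logged-in client. The device-specific private key is
// generated here and never leaves the struct; only the public half is
// handed to the directory at "login".
type Device struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewDevice(name string) *Device {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{Name: name, priv: priv}
}

func (d *Device) PublicKey() *ecdh.PublicKey { return d.priv.PublicKey() }

// Fingerprint is a short digest of a public key that two people can compare
// out of band; equal fingerprints mean the directory served the real key.
func Fingerprint(pub *ecdh.PublicKey) string {
	sum := sha256.Sum256(pub.Bytes())
	return hex.EncodeToString(sum[:8])
}

// KeyDirectory stands in for the server-side registry of device public keys
// (an assumption of this model). Clients trust whatever it returns.
type KeyDirectory map[string]*ecdh.PublicKey

func (kd KeyDirectory) Register(d *Device) { kd[d.Name] = d.PublicKey() }

// FingerprintMatches is the out-of-band check: does the key the directory
// serves for name match the fingerprint the user obtained directly?
func FingerprintMatches(kd KeyDirectory, name, trusted string) bool {
	pub, ok := kd[name]
	return ok && Fingerprint(pub) == trusted
}

// pairAEAD derives one AES-256-GCM wrapping key per device pair from X25519.
// SHA-256 over a label and the shared secret is an assumed stand-in for a
// real KDF such as HKDF; both sides of the pair derive the same key.
func pairAEAD(self *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := self.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append([]byte("dm-demo/wrap:"), shared...))
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SendConversationKey is the sender side: generate a fresh 256-bit
// conversation key, look up the recipient's device key, and seal the
// conversation key to it. Returns the key (kept locally) and the blob that
// travels through the server.
func SendConversationKey(sender *Device, kd KeyDirectory, recipient string) ([]byte, []byte, error) {
	peer, ok := kd[recipient]
	if !ok {
		return nil, nil, fmt.Errorf("no device key registered for %q", recipient)
	}
	gcm, err := pairAEAD(sender.priv, peer)
	if err != nil {
		return nil, nil, err
	}
	convKey := make([]byte, 32)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(convKey); err != nil {
		return nil, nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	blob := gcm.Seal(nonce, nonce, convKey, []byte(sender.Name+"->"+recipient))
	return convKey, blob, nil
}

// ReceiveConversationKey is the recipient side: derive the same pair key from
// its own private key and the sender's directory entry, then open the blob.
// Opening fails (GCM tag mismatch) if the blob was sealed to a different key.
func ReceiveConversationKey(recipient *Device, kd KeyDirectory, sender string, blob []byte) ([]byte, error) {
	peer, ok := kd[sender]
	if !ok {
		return nil, fmt.Errorf("no device key registered for %q", sender)
	}
	gcm, err := pairAEAD(recipient.priv, peer)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(sender+"->"+recipient.Name))
}

func main() {
	dir := KeyDirectory{}
	alice, bob := NewDevice("alice-phone"), NewDevice("bob-laptop")
	dir.Register(alice)
	dir.Register(bob)
	convKey, blob, _ := SendConversationKey(alice, dir, "bob-laptop")
	got, err := ReceiveConversationKey(bob, dir, "alice-phone", blob)
	fmt.Println("honest directory: keys match =", err == nil && string(convKey) == string(got))

	// The directory now serves a different key for Bob. The protocol alone does
	// not reveal this; the fingerprint Bob gave Alice out of band does.
	trusted := Fingerprint(bob.PublicKey())
	dir["bob-laptop"] = NewDevice("substitute").PublicKey()
	fmt.Println("substituted key passes fingerprint check =", FingerprintMatches(dir, "bob-laptop", trusted))
}
```

The design choice worth noting is that `SendConversationKey` and `ReceiveConversationKey` are deliberately indifferent to where the peer key came from: that is what makes a directory-level substitution invisible to both parties, and it is why messengers that claim stronger guarantees surface a safety number or key-change notice for users to verify.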

*Properly implemented* End to end encrypted messaging = good. But trustworthy & safe deployment = hard. Rolling your own crypto = recipe for trouble. Transparency is key. Many questions: did Twitter roll their own? Is this somebody else's protocol? Has it been audited? pic.twitter.com/kqUTpL038v — John Scott-Railton (@jsrailton) May 10, 2023

The company has placed a limit of 10 devices per user and an existing device needs to be deregistered if the user wants to add a new one.

Twitter also doesn’t allow a new device to access messages of an existing encrypted conversation.

