Small wrinkled piece of blank paper in a human hand
Photograph: MirageC/Getty Images

Twitter’s Encrypted DMs Are Deeply Inferior to Signal and WhatsApp

The social network’s new privacy feature is technically flawed, opt-in, and limited in its functionality. All this for just $8 a month.

Elon Musk's long-promised launch of encrypted direct messages on Twitter has arrived. Like most attempts to add end-to-end encryption to a massive existing platform—never an easy proposition—there's good, bad, and ugly. The good: Twitter has added an optional layer of security for a small subset of its users that has never existed in Twitter's 16-plus years online. As for the bad and ugly: Well, that list is quite a lot longer.

Last night, Twitter announced the release of encrypted direct messages, a feature that Musk had assured users was coming from his very first days running the company. To Twitter's credit, it accompanied the new feature with an article on its help center breaking down the new feature's strengths and weaknesses with unusual transparency. And as the article points out, there are plenty of weaknesses.

In fact, the company appears to have stopped short of calling the feature "end-to-end" encrypted, the term that would mean only the users on the two ends of a conversation can read its messages: not hackers, not government agencies eavesdropping on the network, and not even Twitter itself.

"As Elon Musk said, when it comes to Direct Messages, the standard should be, if someone puts a gun to our heads, we still can’t access your messages," the help desk page reads. "We’re not quite there yet, but we’re working on it."

In fact, the description of Twitter's encrypted messaging feature that follows that initial caveat seems almost like a laundry list of the most serious flaws in every existing end-to-end encrypted messaging app, now all combined into one product—along with a few extra flaws that are all its own.

The encryption feature is opt-in, for instance, not turned on by default, a decision for which Facebook Messenger has received criticism. It explicitly doesn't prevent “man-in-the-middle” attacks that would allow Twitter to swap in its own keys for users' and invisibly intercept messages, long considered the most serious flaw in Apple's iMessage encryption. It doesn't have “perfect forward secrecy,” the property that limits the damage when a device's keys are stolen: with forward secrecy, a stolen key doesn't unlock the messages an eavesdropper recorded earlier. It doesn't allow for group messaging or even sending photos or videos. And perhaps most seriously, it currently restricts this subpar encrypted messaging system to verified users messaging each other—most of whom must pay $8 a month—vastly limiting the network that might use it.

“This clearly is not better than Signal or WhatsApp or anything that uses the Signal Protocol, in terms of features, in terms of security,” says Matthew Green, a professor of computer science at Johns Hopkins University who focuses on cryptography, referring to the Signal Messenger app that's widely considered the modern standard in end-to-end encrypted calling and texting. Signal's encryption protocol is also used in both WhatsApp's encrypted-by-default communications and Facebook Messenger's opt-in encryption feature known as Secret Conversations. (Both Signal and WhatsApp are free, compared to the $8 per month for a Twitter Blue subscription that includes verification.) “You should use those things instead if you really care about security,” Green says. “And they’ll be easier because you won’t have to pay $8 a month.”

“On the positive side,” Green adds, “hey, it’s a first step, maybe it’ll get better.”

Musk has praised Signal in comments to Twitter's staff, and even said that he'd spoken with Signal's creator, Moxie Marlinspike, about similarly encrypting Twitter's DMs—a goal that Marlinspike himself shared when he briefly led Twitter's security team nearly a decade ago.

So Green—who has consulted at both WhatsApp and Facebook in their rollouts of encryption features based on Signal's protocol—was surprised to see that Twitter's encrypted messaging feature lacks so many of the positive properties of Signal and WhatsApp's end-to-end encryption. Beyond its lack of support for encrypted photos, videos, and group chats—key features of both Signal and WhatsApp—it also excludes the Signal protocol's constantly changing cryptographic keys, which are used to encrypt each message and never repeat.

That feature of Signal is what ensures “perfect forward secrecy,” the security property that if a device is somehow compromised and the private key that decrypts messages is stolen, an eavesdropper who recorded earlier traffic still can't read it, because the keys that protected those messages have already been discarded. (Signal's protocol goes a step further: its Diffie-Hellman ratchet also locks a snoop back out of future messages once the device is clean again.) “I'm a little baffled by the lack of perfect forward secrecy,” says Green. “That's a basic feature of the Signal protocol.”

Twitter writes in its help center explanation that it essentially couldn't make that feature work while preserving the ability to access DMs when the user logs in on a new device. The two goals pull in opposite directions: forward secrecy requires throwing away the keys that protected old messages, while restoring a DM history on a new device requires that some long-lived key can still decrypt them. “We don’t plan to address this limitation,” the article reads.
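To make the trade-off concrete, here is an added example (not Twitter's code, and not part of Signal's implementation) contrasting two toy schemes in plain Python: one derives every message key from a single long-lived key, the design the article attributes to Twitter's DMs, and the other uses a simplified hash ratchet like Signal's sending chain, where each chain key is replaced by a one-way step after every message. The sample messages, the shared root key and the HMAC-based stream cipher are constructed for the demo; a real system would use a proper AEAD cipher.

```python
import hmac

MSGS = [b"msg 0", b"msg 1", b"msg 2", b"msg 3"]  # constructed sample DMs
ROOT = b"\x11" * 32                              # constructed shared secret


def xor_stream(key, data):
    """Toy stream cipher: XOR with an HMAC-SHA256 keystream (demo only; never
    reuse a key with it in real code)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class StaticKeyChat:
    """Per-message keys derived from ONE long-lived key plus a counter.
    Anyone holding the long-lived key can rebuild every message key,
    past or future, so there is no forward secrecy."""

    def __init__(self, long_term_key):
        self.key = long_term_key
        self.counter = 0

    @staticmethod
    def message_key(long_term_key, index):
        label = b"msg" + index.to_bytes(4, "big")
        return hmac.new(long_term_key, label, "sha256").digest()

    def encrypt(self, msg):
        ct = xor_stream(self.message_key(self.key, self.counter), msg)
        self.counter += 1
        return ct


class RatchetChat:
    """Symmetric hash ratchet (a simplified Signal sending chain): the message
    key comes from the current chain key, which is then replaced by a one-way
    HMAC step and the old value thrown away."""

    def __init__(self, chain_key):
        self.chain_key = chain_key

    def next_message_key(self):
        mk = hmac.new(self.chain_key, b"msg", "sha256").digest()
        self.chain_key = hmac.new(self.chain_key, b"chain", "sha256").digest()
        return mk

    def encrypt(self, msg):
        return xor_stream(self.next_message_key(), msg)


def recovered_static(stolen_key, cts):
    """With the long-lived key the thief regenerates every message key.
    (Comparing against MSGS stands in for recognizing plausible plaintext.)"""
    return [i for i, ct in enumerate(cts)
            if xor_stream(StaticKeyChat.message_key(stolen_key, i), ct) == MSGS[i]]


def recovered_ratchet(stolen_chain, stolen_at, cts):
    """With only the current chain key the thief can step forward, but keys
    for earlier messages would require inverting HMAC."""
    thief = RatchetChat(stolen_chain)
    keys = {i: thief.next_message_key() for i in range(stolen_at, len(cts))}
    recovered = []
    for i, ct in enumerate(cts):
        guess = keys.get(i, keys[stolen_at])  # best the thief has for old messages
        if xor_stream(guess, ct) == MSGS[i]:
            recovered.append(i)
    return recovered


def run_demo(compromise_after=3):
    """Send the sample DMs under both schemes, copy the sender's key state
    after `compromise_after` messages (the device compromise), and return
    which message indices the thief can read under each scheme."""
    static, ratchet = StaticKeyChat(ROOT), RatchetChat(ROOT)
    static_cts, ratchet_cts, stolen = [], [], {}
    for i, m in enumerate(MSGS):
        if i == compromise_after:
            stolen = {"static": static.key, "chain": ratchet.chain_key}
        static_cts.append(static.encrypt(m))
        ratchet_cts.append(ratchet.encrypt(m))
    return (recovered_static(stolen["static"], static_cts),
            recovered_ratchet(stolen["chain"], compromise_after, ratchet_cts))


if __name__ == "__main__":
    print("static key, thief reads messages:", run_demo()[0])   # every message
    print("hash ratchet, thief reads messages:", run_demo()[1])  # only from the theft onward
```

The same one-way step that protects old messages from a thief is what stops a newly provisioned device, handed only the current chain key, from reading earlier history. That is exactly the restore-on-new-device capability Twitter's help page says it chose to keep.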

Then there's the company's professed inability to stop “man-in-the-middle” attacks, in which Twitter itself could substitute its own keys for users' to intercept their messages. In end-to-end encryption systems, messages are encrypted with an intended recipient's public key, such that only the recipient's private key—which is safely stored on the recipient's device—can decrypt them. But a user's app gets that public key from Twitter's servers, so Twitter could trick a user—or even be compelled to do so by a government—by handing over an eavesdropper's public key instead, and the device would invisibly encrypt messages to it. Those messages could then be read, re-encrypted with the intended recipient's real key, and sent on, with neither party any the wiser.

Apple's iMessage, which is otherwise considered a relatively strong end-to-end encryption system, has long suffered from this same vulnerability. But WhatsApp and Signal attempt to prevent man-in-the-middle attacks by letting users compare a key “fingerprint” (Signal calls it a safety number) over some other channel, confirming that the public key their app received really belongs to the intended recipient. For now, Twitter has no such fingerprint-checking feature, though it says that it will add it soon.
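The key-substitution attack described above, and the fingerprint check that catches it, as an added example that is not Twitter's code or any real messenger's protocol. The Diffie-Hellman group (a Mersenne prime with base 2), the HMAC keystream cipher and the 16-hex-character fingerprint are toy assumptions chosen so the example runs with only Python's standard library; a real system would use X25519 or a standardized group and an AEAD cipher. The key directory plays Twitter's role: when `malicious` is set it returns its own public key for every lookup, decrypts each relayed DM, and re-encrypts it for the real recipient.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption: chosen only to keep the example
# self-contained; not a real-world group).
P = (1 << 127) - 1
G = 2


def keygen():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte symmetric key from a DH shared secret."""
    secret = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(b"dm-key" + secret).digest()


def xor_stream(key, data):
    """Toy stream cipher: XOR with an HMAC-SHA256 keystream (demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def fingerprint(pub):
    """Short hash of a public key: the 'safety number' two users would read
    to each other over a phone call or in person."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


class KeyServer:
    """Key directory plus message relay. A malicious directory hands out its
    own public key instead of the real one and sits in the middle."""

    def __init__(self, malicious=False):
        self.keys = {}
        self.malicious = malicious
        self.mitm_priv, self.mitm_pub = keygen()
        self.captured = []  # plaintexts the server managed to read

    def register(self, user, pub):
        self.keys[user] = pub

    def lookup(self, user):
        return self.mitm_pub if self.malicious else self.keys[user]

    def relay(self, sender, recipient, ciphertext):
        if not self.malicious:
            return ciphertext
        # The sender encrypted to OUR key, so we can decrypt with the
        # sender's real public key, read, and re-encrypt to the recipient.
        plaintext = xor_stream(shared_key(self.mitm_priv, self.keys[sender]), ciphertext)
        self.captured.append(plaintext)
        return xor_stream(shared_key(self.mitm_priv, self.keys[recipient]), plaintext)


def send_dm(server, sender, sender_priv, recipient, message):
    """Client side: trust whatever key the directory returns for the recipient."""
    key = shared_key(sender_priv, server.lookup(recipient))
    return server.relay(sender, recipient, xor_stream(key, message))


def read_dm(server, recipient_priv, sender, ciphertext):
    key = shared_key(recipient_priv, server.lookup(sender))
    return xor_stream(key, ciphertext)


def run(malicious):
    """Exchange one DM through the server. Returns what Bob decrypted, what
    the server captured, and whether Alice's fingerprint check passed."""
    server = KeyServer(malicious)
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    server.register("alice", a_pub)
    server.register("bob", b_pub)
    ct = send_dm(server, "alice", a_priv, "bob", b"meet at noon")
    bob_sees = read_dm(server, b_priv, "alice", ct)
    # Out-of-band check: Alice compares the key the directory gave her for
    # Bob against the fingerprint Bob reads out from his own device.
    fingerprints_match = fingerprint(server.lookup("bob")) == fingerprint(b_pub)
    return bob_sees, server.captured, fingerprints_match


if __name__ == "__main__":
    print("honest directory:   ", run(False))
    print("malicious directory:", run(True))
```

Note that in both runs Bob receives the correct message, so nothing in the conversation itself reveals the interception; only the fingerprint comparison, done over a channel the directory does not control, exposes the swapped key.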

That missing feature may be part of why Twitter has so far declined to even claim that it offers true end-to-end encryption, the "can't-read-your-messages-with-a-gun-to-our-head" feature Musk has promised.

"This appears to be a hasty deployment of a product that isn’t quite fully baked yet," says Riana Pfefferkorn, a security researcher at Stanford University's Internet Observatory. She points out that Zoom was penalized by the Federal Trade Commission in 2020 for claiming that it offered "end-to-end" encryption when it didn't—and that Twitter's reluctance to use the term may be a sign that it's not sure its system could meet that “end-to-end-encrypted” standard.

While Twitter is remarkably transparent about its encrypted DM feature's shortcomings on its help center page, Pfefferkorn worries that its flaws may not be as clear in the actual web and app interface that users see. “I think it was a good choice for the help page to try from the very first paragraph to manage expectations,” she says. “It remains to be seen whether Twitter users will believe that encrypted DMs offer more privacy and security than they actually do.”

Perhaps the most serious drawback to Twitter's encrypted DMs is simply that very few of its users will have the ability to send or receive them. The feature, at least for now, only works between two verified accounts, both of which must be verified institutions or users who pay $8 a month for their blue check mark. “This shouldn’t be something you have to pay for,” says Green. “You shouldn’t have to pay for basic security.”

The notion of end-to-end encrypted Twitter DMs might one day offer a crucial new method of finding someone online and sending them a secret message; after all, Signal and WhatsApp's biggest drawback is that both require you to know a person's cell phone number, while Twitter DMs allow strangers to interact more freely. But as long as the encrypted DM feature is only available to send messages to and from verified accounts, its network will, by some measures, be even more restricted, limited to only a tiny fraction of Twitter's overall users.

For Twitter's security-conscious users, there remains only one way to send someone an encrypted message, and it hasn't changed in years: Send someone a DM, ask for their Signal number, and use Signal to start an actual end-to-end encrypted conversation.

Additional reporting by Lily Hay Newman