For years privacy advocates have pushed Twitter to roll out end-to-end encrypted messaging on the platform. Now, Elon Musk appears to be moving toward finally delivering this long-sought feature, but his deep cuts to the company’s workforce and chaotic management style are raising major questions about whether he can do so responsibly.
In a presentation to employees this week, Musk laid out his vision for encrypted messaging on the platform. “We want to enable users to be able to communicate without being concerned about their privacy,” Musk said, according to a recording of the presentation obtained by The Verge. Users, he said, should be able to message one another “without being concerned about a data breach at Twitter causing all of their DMs to hit the web.”
Musk’s embrace of encrypted messaging represents a win for privacy activists who have pushed social media platforms to embrace the technology at a time when online privacy is more at risk than ever. But experts are deeply skeptical that Musk can execute on his plan while addressing the serious safety concerns that a move to encrypted messaging entails.
“It’s not the math that’s hard,” said Bruce Schneier, a renowned security technologist and lecturer in public policy at the Harvard Kennedy School. “It’s the software engineering to get it out there.”
Since Musk took over, Twitter has lost more than half its workforce, as well as its chief information security officer, head of privacy and head of trust and safety. The company has also struggled to roll out new products under his watch, launching and then quickly abandoning a premium subscription and verification product after it was used to impersonate well-known figures and brands on the platform.
That leaves experts concerned about whether Twitter can execute on an end-to-end encrypted messaging system, or E2EE, when much larger, better-resourced and better-managed companies have struggled to do so.
“E2EE is not a feature which you credibly lash together with cable-ties and duct tape,” Alec Muffett, a software engineer who led the team that built the first end-to-end encryption system for Facebook Messenger in 2016, wrote in a message to CyberScoop.
The system Muffett’s team built, which was supported by the Signal Protocol and which users had to opt into, took 18 months, he says. Now, more than five years later, Meta is still working on rolling out end-to-end encryption across all its messaging platforms.
Twitter has not announced a timeline for encrypting DMs. CyberScoop reached out to Twitter’s press office for comment and did not receive a response. It is unclear if any communications employees at Twitter remain.
Muffett says that Twitter now faces many of the same questions Meta engineers have been tackling for the past five years. Meta executives have said they aim to encrypt all of the company’s messaging services, but that project has faced repeated delays as engineers and policy staff attempt to sort out the complex privacy and safety issues that moving to E2EE raises.
These questions include what to do with old messages, whether Twitter will offer the service across devices, how to address the spread of child sexual abuse material, and how to deal with abuse and harassment. Unleashing encrypted messages could also put Twitter at the center of an ongoing battle between the industry and law enforcement over encryption.
“Twitter faces a similar challenge, and not only are ‘superprogrammers’ and ‘being hardcore’ not going to solve the problem in a credible way [and] in fact taking such an approach would be antithetical to credibility,” Muffett wrote, referencing Musk’s ultimatum to employees to redouble their efforts to ship products.
Facebook has said users won’t see platform-wide encryption until 2023 at the earliest, citing “ongoing debate” about balancing privacy and combating abuse as one reason for its cautious approach.
Since he acquired the platform, Musk has rolled out products with little consideration of how they will be used. Musk’s subscription service for the platform allowed users to pay for verification and resulted in a stream of hoaxes in which accounts impersonated major brands and public figures.
Such issues around identity could pose a potential danger for users who turn to encrypted messaging for sensitive communication, such as dissidents and journalists.
“There is no secrecy without trust. And you can have all of the most elegant math, and the most elegant cryptography, but if you cannot actually intuit with your human sense of trust that you are actually talking to the person that you want to be talking to, then it’s all moot,” Harlo Holmes, chief information security officer and director of digital security at the Freedom of the Press Foundation, told CyberScoop.
Experts note that encrypted services don’t exist in a vacuum and require weighing questions of security against abuse. The trade-off is one that companies like Meta and Signal have struggled to tackle for years, and one that would fall to Twitter’s trust and safety team — which has been devastated by layoffs in recent weeks — to address.
Twitter’s attempts to encrypt messaging date back to 2016, according to an internal history obtained by tech newsletter Platformer. Twitter was reportedly interested in licensing technology from Signal, the encrypted messaging platform founded by Moxie Marlinspike. The proposed system would only allow use on one device at a time and would be separate from the normal direct message system. The project ultimately failed in part because of a lack of support from the company and issues with the technology’s customer experience, according to the document.
Musk has hinted at seeking outside support for the project and told employees that he had spoken with Signal’s Moxie and that Moxie was “potentially willing” to help Twitter. Moxie did not respond to a request for comment, but Musk’s Twitter has not obtained a license for Signal’s messaging technology, which provides the infrastructure for encryption on WhatsApp.
“Signal has not been working with Twitter on this effort. We do believe that more private communications are a net good, and we are interested to see how Twitter tackles the complexity of creating usable, encrypted DMs across the web and mobile,” Meredith Whittaker, president of Signal, said in a statement to CyberScoop.
Issues involving the privacy of users’ direct messages have plagued Twitter for years. In 2018, the company reported a bug that for over a year shared some users’ direct messages with developers before Twitter discovered the issue. Earlier this year, the U.S. government convicted a former Twitter employee who used access to Twitter’s platform to spy on users for the Saudi Arabian government.
End-to-end encryption, which prevents third parties from accessing data while it’s transferred between devices, would prevent that kind of spying in the future.
But adding encrypted messaging could also draw even more attention to Musk’s handling of user data, which has already drawn scrutiny from both Republicans and Democrats, some of whom have urged the Federal Trade Commission to investigate whether the company is meeting the requirements of its 2011 agreement with the agency over previous privacy failures.
“Against the backdrop of a consent order that they already have in place over their data security practices, I think we can also expect that there would be a federal agency that will come calling and would want to be assured that if Twitter says it has end-to-end encrypted DM that it has in fact done so,” said Riana Pfefferkorn, research scholar at the Stanford Internet Observatory.
The FTC last year reached a settlement with web conference service Zoom after it allegedly misled the public over how it encrypted its communications, and Twitter may face similar scrutiny.
But Musk’s embrace of E2EE has activists encouraged after they redoubled their efforts to push Twitter, Facebook and Google to fully encrypt their messaging apps after the Supreme Court struck down the constitutional right to abortion this summer.
Caitlin Seeley George, campaign director at Fight for the Future, one of the groups leading the effort, said that while the organization is still waiting on a “real plan and timeline,” Musk’s interest in rolling out encrypted messaging is “a beacon of hope for those of us still on Twitter” and that such a move would have “a big impact on the industry and in pushing other major platforms to take steps to secure users’ privacy.”