
Twitter Now Offers Encrypted DMs, but Not Everyone Can Send Them

"Try it, but don't trust it yet," says Twitter CEO Elon Musk. The new feature is only available to paying subscribers.

Gael Cooper
[Image: Twitter logo on a phone screen] Twitter is introducing encrypted direct messages, but with limitations. (Sarah Tew/CNET)

Twitter on Wednesday introduced a new feature encrypting some direct messages between its users. But there are limitations to the plan. Senders and recipients must satisfy certain conditions, including that both must be verified, essentially meaning they are paying for Twitter. And some cybersecurity experts have criticized the feature itself.

The basics

Direct messages, or DMs, are messages sent privately between two users, not seen publicly as most tweets are. Encryption scrambles a message so that it can't be read without the corresponding key.

An explanation posted in Twitter's online help center says that users of encrypted messaging must both be on the latest Twitter apps, must have had specified prior contact and must both be verified users or affiliates to a verified organization.

"Verified" no longer means what it once did on Twitter. The older verification program had been free and granted mainly to celebrities and notable figures as a method of authentication. After Elon Musk bought Twitter and took over as CEO in 2022, he shifted blue badges to only paid Twitter Blue subscribers to generate revenue.

Why would you want encrypted DMs?

Twitter has faced privacy issues in the past. In 2020, the accounts of numerous high-profile Twitter users, including now-owner and CEO Elon Musk, were hacked to spread a bitcoin scam. At the time, the US Department of Justice said the scam bitcoin account racked up more than $100,000 simply by sending messages that appeared to come from Musk, Bill Gates and other high-profile users asking people to send bitcoin to supposedly double their payment.

How do you send an encrypted Twitter DM?

Even if you and the recipient both meet the criteria for encryption, your direct messages won't be encrypted automatically. Twitter's online explanation page says that eligible users will see a button that lets them switch between encrypted and regular DMs, and a lock icon will appear on the avatar of the user receiving the message.

Right now, encrypted messages can't be sent to groups, and can only include text and links, no attached media. And they can't be reported to Twitter if they're threatening or otherwise problematic. Twitter suggests anyone receiving this kind of encrypted message block the sender and file a report about the account itself.

Limitations of the encryption

The company says in its post that the new encryption does not protect against "man-in-the-middle attacks," where a conversation could be compromised by "a malicious insider, or Twitter itself as a result of a compulsory legal process."

The blog post also notes that Twitter chose to forgo forward secrecy, meaning that if an attacker compromises a device's private key, that attacker can decrypt every encrypted message sent or received on that device.
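To make that trade-off concrete, here is an added toy illustration in Python; it is not Twitter's code or protocol, and the small Diffie-Hellman group and the HMAC-based stream cipher are constructed for the demo only. Both functions record a conversation and then simulate someone who later obtains Bob's long-term private key: with a single long-term key per device (no forward secrecy) the whole recorded transcript decrypts, while with fresh per-message ephemeral keys it does not.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for the demo; far too small for real use.
P = 2**127 - 1
G = 5

def keypair():
    """Return (private, public) for a fresh DH key pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub):
    """Hash the DH shared secret into a 32-byte symmetric key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    """Toy stream cipher: XOR data with an HMAC-SHA256 keystream (demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def attacker_reads_static(messages):
    """No forward secrecy: one long-term key per device protects every message,
    so stealing Bob's private key later unlocks the whole recorded transcript."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    transcript = [xor_stream(derive_key(a_priv, b_pub), m) for m in messages]
    stolen_key = derive_key(b_priv, a_pub)  # attacker now holds b_priv
    return [xor_stream(stolen_key, c) for c in transcript]

def attacker_reads_ephemeral(messages):
    """Forward secrecy: each message uses fresh ephemeral DH keys that are
    discarded after use, so a later theft of b_priv recovers nothing."""
    b_priv, _ = keypair()  # Bob's long-term key, later stolen
    transcript = []
    for m in messages:
        ea_priv, ea_pub = keypair()  # Alice's per-message key
        eb_priv, eb_pub = keypair()  # Bob's per-message key
        key = derive_key(ea_priv, eb_pub)
        assert key == derive_key(eb_priv, ea_pub)  # both parties agree
        transcript.append((ea_pub, eb_pub, xor_stream(key, m)))  # privs discarded
    recovered = []
    for ea_pub, eb_pub, c in transcript:
        guess = derive_key(b_priv, ea_pub)  # best the attacker can compute
        recovered.append(xor_stream(guess, c))
    return recovered
```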

Controversy about the encryption itself

It didn't take long for cybersecurity experts to weigh in on Twitter's encryption methods. Even Twitter's own former chief information security officer, Lea Kissner, said on rival messaging platform Bluesky that the feature needs improvement.

"Twitter folks, seriously. I left some design docs somewhere. Please use them," Kissner said, according to CNN Business.

CNN Business also quoted a Bluesky post from Jonathan Mayer, a computer scientist at Princeton University and a former chief technologist at the Federal Communications Commission.

"We literally teach (information security) students not to do exactly what Twitter is doing," Mayer said.

Even Twitter owner and CEO Elon Musk himself seemed wary of the new feature.

"Early version of encrypted direct messages just launched," Musk tweeted on Thursday. "Try it, but don't trust it yet."