Twitter has long been rumored to be building a way for direct messages (DMs) on the platform to use end-to-end encryption, but in the wake of an eye-opening hack early this week, calls for a more private way of messaging are growing louder.
Hackers took control of several high-profile accounts on Wednesday—including Joe Biden, Barack Obama, Elon Musk, and others—and pushed out a bitcoin scam.
In the aftermath, questions have been raised about how much information could have been gleaned from the accounts, including the possibility of DMs being accessed.
Twitter said internal employee tools were used in the hack, allowing the attackers to gain access to accounts. On Thursday, the social media giant said it believed 130 accounts were targeted.
As answers continue to trickle out about the nature of the hack and what exactly has been compromised, a push for Twitter to implement end-to-end encryption for its DMs has been renewed.
Twitter declined to comment for this story. The company has not mentioned direct messages in any of its updates about the hack, but did say it was looking into “what other malicious activity they may have conducted or information they may have accessed.”
Update 7:40am CT, July 23: In a statement released on Thursday, Twitter said that “for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed.”
Calls grow to implement end-to-end encryption
Given the nature of Wednesday’s hack, it’s unclear how much end-to-end encryption would have helped in blocking the attackers from potentially seeing direct messages.
End-to-end encryption is encryption that allows only the sender and receiver to view the contents of a message. For example, Signal, the popular encrypted messaging app, cannot see messages users write to one another if asked to find it.
However, since it appears that the attackers had full control of the accounts during Wednesday’s incident, it is likely that once in control, they would be able to see the direct messages.
“Twitter should implement end-to-end encryption for DMs, they’re a little behind the time,” Rachel Tobac, a hacker and CEO of SocialProof Security, told the Daily Dot. “The nuance here is that if we believe attackers had the ability to change access to Twitter accounts and log into those accounts via manipulation on the admin panel … they could have likely gotten access to DMs just by logging in as if they were the owner of the account.”
The possibility of direct messages being part of the attack has raised questions about the vulnerability of Twitter DMs. Overall, having end-to-end encryption for DMs would make its users have more privacy and security.
Karen Gullo, an analyst and senior media relations specialist at the Electronic Frontier Foundation (EFF), told the Daily Dot the organization has been pushing Twitter to implement end-to-end encryption for years, arguing that the messages could not get into the hands of law enforcement or other unwanted eyes.
On Thursday, Sen. Ron Wyden (D-Ore.) called out Twitter CEO Jack Dorsey, saying the executive told him two years ago that the company was working on end-to-end encryption for DMs.
Wyden called the lack of encryption a vulnerability that needed to be fixed.
“While it still isn’t clear if the hackers behind yesterday’s incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms,” Wyden said in a statement to the Daily Dot. “If hackers gained access to users’ DMs, this breach could have a breathtaking impact, for years to come.”
Meanwhile, internet rights group Fight for the Future has launched a petition, urging people to tell Twitter to make DMs end-to-end encrypted by default.
The petition calls the lack of end-to-end encryption a “gaping security hole.”
The group was one of several that launched petitions urging Zoom, the popular videoconferencing software, to implement end-to-end encryption. The company initially drew ire after its CEO said the option would only be available for paying customers.
The day after it was announced the petitions had amassed 70,000 signatures, Zoom said it would offer end-to-end encryption for all users.
The goal of the petition is to create enough pressure so that Twitter follows Zoom in offering end-to-end encryption.
“We shouldn’t have to pressure companies to prioritize user safety and security, but the reality is that we do,” Evan Greer, deputy director of Fight for the Future, told the Daily Dot, adding: “When Zoom said they’d only offer strong encryption to paid users, we publicly called them out and they changed course. We plan to do widespread education to help Twitter users understand how this affects them, and then put pressure directly on decision-makers at Twitter to make this a priority.”
Twitter has been down the end-to-end encryption path before
While there has been a renewed push for Twitter to beef up the security of its DMs, the company seemed to be on the verge of offering end-to-end encryption just a few years ago.
Twitter had been developing a way to encrypt direct messages before 2014, the Verge reported at the time.
In 2018, a “Secret Conversation” feature was spotted in Twitter’s Android application package. As the Hacker News noted at the time, the feature would not be default for all DMs, but rather a user would have to start a separate encrypted chat with another user.
It’s possible that the feature would only have been available on mobile versions of Twitter.
Dorsey seemed to confirm something like this was in development by tweeting a response to a TechCrunch story about it with a hush emoji.
That feature being spotted is more or less around the same time when Wyden said Dorsey told him the company was working on encrypted messages.
But even before that, Twitter seemed to be hinting that it was considering heightening security on DMs.
Edward Snowden, the whistleblower who leaked documents showing massive government surveillance, asked Dorsey in 2016 whether the company was considering “secret, burn-after-reading DMs” if end-to-end encryption “won’t work by default in all clients.”
Dorsey responded: “reasonable and something we’ll think about.”
READ MORE: