With this statement, Musk launched into a long-running debate among technologists and privacy advocates around the level of encryption apps and platforms should provide their users. Growing privacy concerns have led to questions about how much data tech companies collect from users, and many platforms — including the messaging app Signal that Musk refers to — have started to introduce end-to-end encryption as a key feature.
This capability means that communications can only be seen by senders and recipients, without the platform being able to access them. While some apps, such as Signal and WhatsApp, have end-to-end encryption by default, others, including Telegram, Instagram, and Facebook Messenger, allow users to opt in to encrypted messaging.
Twitter did not respond to a request for comment.
“It would be a significant step in favor of user privacy if Twitter were to activate [end-to-end encryption] for DMs because it would prevent the company from reading its users’ conversations or disclosing them to anyone,” said Riana Pfefferkorn, a researcher at Stanford’s Internet Observatory whose work focuses on encryption. “[…] his own hands in this way would prevent a bad actor within the company from abusing the access he has as an employee to user data.”
And the fact that the influential platform will now be under a new owner raises new questions about the data it has access to.
Hours after Musk announced he would take over Twitter, Oregon Sen. Ron Wyden — a longtime digital privacy advocate — issued another warning.
“Twitter is less used for this kind of direct conversation than Signal, SMS, WhatsApp and Telegram,” he said. “It’s more semi-public.”
Additionally, Twitter’s architecture – a single platform that includes public tweets and DMs and is accessible through its website as well as mobile apps on multiple operating systems – could make full encryption more complicated than on mobile-first messaging platforms such as Signal, according to Deirdre Connolly, a cryptographic engineer.
“No web service has managed to apply end-to-end encrypted messaging to it – after its initial deployment,” Connolly said, adding that most apps that offer it started from a mobile platform and have developed, or “designed, their website and mobile applications for [end-to-end encrypted] messaging from the start.”
“Building a secure web application that runs in a modern, patched web browser is a fundamentally different and more difficult task than doing the same thing on desktop or especially on mobile,” she said. “They haven’t done it yet because it’s difficult. Really difficult.”
Twitter and other companies often have policies and controls in place to prevent unauthorized access to private messages. But encrypting these messages “goes beyond policy or access controls by making access impossible in the first place [and] would also limit the information a malicious third party could obtain about a particular user, whether a hacker or someone posing as law enforcement,” Pfefferkorn said.
“In total, [end-to-end encryption] for DMs would be a net gain for user privacy and security,” Pfefferkorn said.