Twitter rolls out encryption for direct messages but with key limitations

Both the sender and recipient must be verified, while group conversations and attached media aren't supported by the encryption.
Written by Lance Whitney, Contributor

Twitter users who want to encrypt their direct messages will now finally have a shot, though there are a few conditions and constraints that may get in your way. Twitter itself announced the new direct message encryption through a recent Help Center page, which also explained how it works and how it's limited.

The ability to encrypt a direct message is available in Twitter on the web, as well as in the iOS and Android apps. Should you choose the option, Twitter uses strong cryptography to encrypt every direct message, link, and reaction contained in your conversation before the DM is sent from your device. The encryption remains in effect while the message is stored by Twitter. Once the message is received by the recipient, it's decrypted so the other person can read it.


From a more technical perspective, Twitter starts by creating device-specific keys called private and public key pairs. The public key is automatically set up when you sign in to Twitter on a new device or through a browser. The private key never leaves your devices and therefore is not shared with Twitter. In a recent tweet forecasting the future of this encryption, owner Elon Musk said, "The acid test is that I could not see your DMs even if there was a gun to my head."

Beyond the private-public key pairs, a per-conversation key is generated to encrypt the content of your direct messages. The private-public key pairs are employed to securely exchange the conversation key between participating devices, thereby allowing for encryption and decryption.

Encryption is already offered by other social media and chat services to secure the messages sent and received by users. Such apps as Signal, WhatsApp, Apple's iMessage, and Telegram enable end-to-end encryption in your messages by default. Facebook Messenger and Instagram apply end-to-end encryption for certain types of conversations. That leaves Twitter playing catch-up to provide similar security for its users who need to send and receive confidential or private direct messages.


However, there are a few hiccups in Twitter's implementation.

First, both the sender and recipient must be using the latest version of the Twitter apps for the web, iOS, or Android. Second, both of them must be verified users or affiliated with a Verified Organization. (Yes, that means an infamous blue checkmark courtesy of an $8 per month individual Twitter Blue account or a $1,000 per month Verified Organization subscription.) Third, the recipient must be following the sender, must have previously sent a message to the sender, or must have accepted a DM request from the sender.

Next, only certain types of messages and content can be encrypted. Group conversations are out of the loop, though Twitter said it's working on encrypting those as well.

Any message you want to encrypt can contain only text and links. A DM with media or other types of attachments is not supported. Twitter will prevent any such encrypted message from being sent. Further, any metadata such as the recipient or creation time is not encrypted. And though any links are encrypted, the linked content itself is not encrypted.


Any new device on which you log into Twitter will not be able to participate in an existing encrypted DM conversation. Such messages will be filtered out, with a message popping up that the conversation is inaccessible on your device. Twitter allows for a maximum of ten devices per user for encrypted DMs. After that limit, you'll be unable to send and receive new encrypted messages on any additional devices. Plus, you can't see a list of your registered devices or remove a device from the list.

Twitter can't protect against man-in-the-middle attacks, such as those from a malicious insider who tries to access an encrypted conversation. And in this event, neither the sender nor the receiver would know that their conversation was hijacked. However, Twitter said that it's working on a way to protect against this scenario in the future.

If you qualify for the DM encryption and want to give it a shot, here's how. Open Twitter in your browser or on your mobile device. For the latter, make sure you've updated the mobile app to the latest version. Find an existing conversation or start a new direct message that meets the requirements for both you and the recipient.

Twitter offers an option to encrypt a direct message
Screenshot by Lance Whitney/ZDNET

For an existing chat, tap the Info icon. If the option is available, you'll see a button for Start an encrypted message that you can just click. For a new chat, turn on the switch to enable encrypted mode. Write your message, and then send it.


To help you distinguish between encrypted and unencrypted direct messages, Twitter displays a lock icon on the badge of the other person's avatar if the DM is encrypted. Plus, the screen that appears when you click the Info icon will tell you that the messages are encrypted.
