Why you can't trust Twitter's encrypted DMs
A promised audit hasn't actually happened, sources say. PLUS: Twitter's Turkey problem, and a new CEO
After an unusually eventful few days, let’s check in on the current state of affairs at Twitter. A high-profile capitulation to the Turkish government and new CEO sparked a ton of chatter over the weekend. Meanwhile, a troubled introduction of encrypted messaging on the site has raised questions over when, if ever, the product can be said to be truly secure.
Start with encrypted messaging, where owner Elon Musk’s ready-fire-aim approach to product development has once again led to a chaotic feature rollout.
Last week, Twitter launched encrypted direct messages, a project the company has been exploring since at least 2018, and that Musk has been talking about since November. Encryption, which comes free on apps including WhatsApp, Messenger, and Signal, is available on Twitter only to paying subscribers.
In tweets, Musk promised the feature will “grow in sophistication rapidly,” and noted, “the acid test is that I could not see your DMs even if there was a gun to my head.”
It’s not there yet. These messages are not encrypted end to end, making them vulnerable to so-called man-in-the-middle attacks. “Currently, we do not offer protections against man-in-the-middle attacks,” the company acknowledged in a blog post. “As a result, if someone – for example, a malicious insider, or Twitter itself as a result of a compulsory legal process – were to compromise an encrypted conversation, neither the sender or receiver would know.”
But this doesn’t cover the full extent of the vulnerabilities. Security researcher Matthew Garrett told us that using encrypted DMs on Twitter will require you to place a great deal of trust in the company.
He explained it like this: Under Twitter’s system, each device generates a cryptographic key pair, with a public key and a private key. The public key is uploaded to Twitter and associated with your account. When you want to send a message, you effectively ask Twitter for the set of public keys associated with a user and encrypt the message to them, so that only the holders of the matching private keys can decode it.
But what if someone at Twitter added their own public key to the list of keys associated with a user, or swapped out one of the user device keys with their own? Then they'd have the corresponding private key, and would be able to obtain the message encryption key.
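To make the trust problem concrete, here is an added toy model of that design (example code written for this piece, not Twitter's implementation or Garrett's). It assumes a server-side key directory that the sender queries, a per-message key wrapped to every listed device key, and a small illustrative Diffie-Hellman group rather than a vetted one. It shows the two things the paragraph describes: a key added to the directory by its operator decrypts new messages while the real recipient still reads them normally, and a client that pins the recipient's key fingerprints after an out-of-band check notices the change.

```python
# Added example: toy model of server-mediated key distribution for encrypted DMs.
# Not Twitter's code. The group, key sizes and "encryption" are illustrative only.
import hashlib
import os
import secrets

# Assumption: a small toy Diffie-Hellman group, chosen for readability, not security.
P = 2**255 - 19
G = 2


def keygen():
    """Return a (private, public) device key pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def keystream(key: bytes, n: int) -> bytes:
    """Derive n bytes of keystream from a message key (toy stream cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fingerprint(pub: int) -> str:
    """Short hash of a public key, the value users would compare out of band."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()[:16]


class KeyDirectory:
    """Server-side list of device public keys per account (what Twitter holds)."""

    def __init__(self):
        self.keys = {}

    def register(self, user, pub):
        self.keys.setdefault(user, []).append(pub)

    def lookup(self, user):
        return list(self.keys.get(user, []))


def encrypt_to(user, plaintext, directory):
    """Encrypt once under a random message key, then wrap that key to every
    device key the directory returns for `user`. The sender trusts the list."""
    mk = os.urandom(32)
    eph_priv, eph_pub = keygen()
    wrapped = {}
    for pub in directory.lookup(user):
        shared = pow(pub, eph_priv, P).to_bytes(32, "big")
        wrapped[pub] = xor(mk, hashlib.sha256(shared).digest())
    ct = xor(plaintext, keystream(mk, len(plaintext)))
    return {"eph": eph_pub, "wrapped": wrapped, "ct": ct}


def decrypt_with(priv, pub, env):
    """Any holder of a private key whose public key was in the list can unwrap."""
    if pub not in env["wrapped"]:
        return None
    shared = pow(env["eph"], priv, P).to_bytes(32, "big")
    mk = xor(env["wrapped"][pub], hashlib.sha256(shared).digest())
    return xor(env["ct"], keystream(mk, len(env["ct"])))


def pinned_lookup(user, directory, pins):
    """Client-side mitigation: compare fetched fingerprints with pins recorded
    after an earlier verification. Returns (keys, changed)."""
    keys = directory.lookup(user)
    fps = sorted(fingerprint(k) for k in keys)
    if user not in pins:
        pins[user] = fps          # first sighting: record what was verified
        return keys, False
    return keys, fps != pins[user]


def run_scenario():
    directory = KeyDirectory()
    bob_priv, bob_pub = keygen()
    directory.register("bob", bob_pub)
    pins = {}
    pinned_lookup("bob", directory, pins)   # Alice verified Bob's key earlier

    msg = b"constructed sample message"
    env1 = encrypt_to("bob", msg, directory)
    honest = decrypt_with(bob_priv, bob_pub, env1) == msg

    # The directory operator appends a key of their own to Bob's account.
    insider_priv, insider_pub = keygen()
    directory.register("bob", insider_pub)
    env2 = encrypt_to("bob", msg, directory)

    _, changed = pinned_lookup("bob", directory, pins)
    return {
        "honest": honest,
        "insider_reads": decrypt_with(insider_priv, insider_pub, env2) == msg,
        "bob_still_reads": decrypt_with(bob_priv, bob_pub, env2) == msg,
        "pin_detects": changed,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of `pinned_lookup` is that the only party able to notice the extra key is the client, and only if it remembers what the key list looked like when it was last verified against something the server does not control (a fingerprint compared in person or over another channel). Without that check, nothing in the exchange distinguishes a legitimate new device from a key the directory operator inserted, which is the gap the company's blog post concedes.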
In a detailed blog post critiquing Twitter’s approach to encryption, Garrett said the feature represents a modest security improvement over the status quo — but said users would be safer using Signal or WhatsApp.
On Twitter itself, Garrett sparred with Christopher Stanley, who previously worked at SpaceX and is now running security engineering at Twitter. Stanley is leading Twitter’s encrypted DMs project.
“A white paper will be published soon,” Stanley said in response to criticisms. “I had [cybersecurity firm] Trail of Bits audit our implementation. Dan Guido and those folks are badass.”
Stanley then deleted the tweet. Probably because, according to Twitter sources, the company hasn’t even signed a contract with Trail of Bits. (Trail of Bits declined to comment.) The reason, Platformer is told: Twitter continues to lay off employees who previously handled procurement.
To sum up, then, Twitter launched its encrypted messaging effort with the project lead appearing to falsely claim that it had been audited. And the worker shortage at the company is making it more difficult to bring on auditors.
“Try it, but don’t trust it yet,” Musk tweeted when encrypted messages launched.
He had us at “don’t trust it.”
One reason to care about how secure your nominally encrypted messages are is that, when pressed, tech platforms sometimes share encryption keys with the government. While iMessage is encrypted end to end, for example, iCloud backups are not. In 2020, Reuters reported that Apple postponed plans to offer end-to-end encrypted backups after the FBI complained that it would make their investigations more difficult. (It is now available.)
Tech platforms, and Twitter 1.0 in particular, will push back on some requests that they view as overbroad or inappropriate. In fact, Twitter sued Turkey in 2014 after the country temporarily blocked access to the site.
But that was the old Twitter. Under Musk, Twitter’s compliance with government demands has risen from around 50 percent to more than 80 percent, Rest of World’s Russell Brandom reported last month. And so if you were counting on the company to push back on requests to view your encrypted messages, the odds are much lower than they were at this time last year.
Twitter’s newfound willingness to roll over for strongmen was on full display over the weekend after the company acknowledged that it would restrict access to some (unspecified) content in Turkey during its national election. The restricted tweets and accounts remained visible outside of Turkey. But to critics — especially the more liberal Twitter dead-enders, who operate under the belief that if they only screenshot enough examples of Musk’s hypocrisy he might resign in disgrace and restore the site to its former glory — the move offered an irresistible invitation to dunk.
“The Turkish government asked Twitter to censor its opponents right before an election and @elonmusk complied — should generate some interesting Twitter Files reporting,” quipped Matt Yglesias.
“Did your brain fall out of your head, Yglesias?” Musk replied. “The choice is have Twitter throttled in its entirety or limit access to some tweets. Which one do you want?”
On this point, we can be sympathetic to Musk. This is not the first time a company has restricted access to content as a last-ditch effort to remain operating there. In fact, Turkey temporarily blocked access to Twitter as recently as February, in the wake of the country’s devastating earthquake. And in 2021, before Musk bought the company, Twitter restricted access to various high-profile accounts at the behest of the Indian government.
The rationale for these moves is fairly straightforward: it’s typically better for the cause of speech to have at least some content available. Pakistan banned YouTube outright from 2012 to 2016; when the government relented and allowed it to return, it was in large part because it had established a means to get YouTube to restrict access to some videos within the country.
If there’s a difference in the Twitter case, it’s that some authoritarians now have an additional lever of control over the company: Musk’s business interests. Tesla just entered the Turkish market last month; that gives Musk more than the usual free-speech reasons to want to comply with the government’s demands. (Last year Yglesias raised a similar concern around Musk and Tesla’s dependence on China for manufacturing.)
In any case, the Turkish election is now headed to a runoff in two weeks. How Twitter responds to any new government demands between now and then will deserve close scrutiny.
There is much to know and surely even more to be learned about Linda Yaccarino, who Musk has named Twitter’s next CEO. And yet before discussing anything about her leadership style, her appeal to advertisers, or her politics, it seems pertinent to discuss Twitter’s previous CEO — and it isn’t who you might think.
Here’s Aditi Bharade, writing on April 11 for Insider:
Twitter CEO Elon Musk told the BBC that his pet Shiba Inu, Floki, is the CEO of the social media platform and that he dresses it in black turtlenecks — the outfits disgraced Theranos CEO Elizabeth Holmes was known for wearing.
During a live interview on Twitter Spaces with James Clayton, a BBC journalist, Musk kept correcting Clayton when the latter called Musk Twitter's CEO.
"I'm not the CEO of Twitter. My dog is the CEO of Twitter. He's a great dog, very alert, and it's hard to get anything by him," Musk said.
Well — move over, Floki.
Musk tweeted that Yaccarino, a longtime ad executive who comes to the company from NBCUniversal, “will focus primarily on business operations.” Musk, on the other hand, will “focus on product design & new technology.”
And maybe they will. But the Musk era at Twitter has been marked by so many broken promises and false starts that it’s hard to know how seriously to take any of it. Maybe Yaccarino and Musk will get along famously and help to rebuild the ad business that he has spent the past six months cheerfully undermining. Or maybe he will tire of her pushback, as he has tired of so many of his previous executives, and she’ll be looking for new work again within months.
In any case, the fact that she’s taking over for a Shiba Inu would seem to say a lot about what Musk thinks of the role.
Current Twitter employees don’t seem to be preparing for Yaccarino to shake things up much. On Blind, a pseudonymous workplace forum, her appointment has generated minimal discussion, sources said.
One employee, nodding to how many current Twitter employees remain there because visa issues prevent them from easily leaving, jokingly wondered whether Yaccarino was having visa issues of her own. (She’s an American citizen.)
In December, after Musk lost a poll about whether he should remain as CEO, he said he would resign “as soon as I find someone foolish enough to take the job!”
What kind of person steps into such a job? We’re about to find out.
Congress is divided on how to regulate AI ahead of OpenAI CEO Sam Altman’s first appearance in front of lawmakers on Tuesday. (Diane Bartz and Jeffrey Dastin / Reuters)
Google is blocking access to its Bard chatbot in the European Union and Canada, likely due to data privacy and other regulatory concerns. (Ben Schoon / 9to5Google)
The European Commission approved Microsoft’s Activision Blizzard acquisition, breaking with the U.K.’s Competition and Markets Authority. A big win for Microsoft. (Tom Warren / The Verge)
The EU has opened an informal probe into Microsoft’s Azure cloud business to investigate whether it uses confidential customer information to compete with cloud rivals. (Samuel Stolton / Bloomberg)
India opened an investigation into Google’s user choice billing option for Play Store apps, alleging that the fees are still too high and violate an earlier antitrust directive. (Aditya Kalra / Reuters)
A profile of Ylva Johansson, the EU Commissioner of Home Affairs, details how the Swedish politician is spearheading a child safety movement that critics fear will threaten encryption. (Morgan Meaker / Wired)
Eun Young Cho, the head of the DOJ’s cryptocurrency enforcement team, said the agency plans to target crypto exchanges and platforms that obscure transaction histories. (Stefania Palma / Financial Times)
Pakistan tried to quell protests last week by shutting off access to social media sites, but activists and organizers turned to VPNs and encrypted messaging apps like WhatsApp. (Frances Mao / BBC)
The TSA is testing a facial recognition system at 16 U.S. airports in an effort to boost security, but lawmakers have raised concerns over how the agency is handling biometric data. (Rebecca Santana and Rick Gentilo / Associated Press)
A former ByteDance executive called TikTok a "propaganda tool” of the Chinese government and accused the company of promoting a culture of “lawlessness” that led to rampant content theft from competitors. (Thomas Fuller and Sapna Maheshwari / The New York Times)
Google led a multi-company effort in Brazil to combat a fake news law that would have given the country’s government stricter control over YouTube and other social media content. Some of you have been telling me I am not paying enough attention to this story. Message received! (Vittoria Elliott / Wired)
Former Twitter trust lead Yoel Roth said the platform’s propensity to suggest animal abuse videos is likely the result of dismantled safeguards under Musk leadership. (Ben Collins / NBC News)
A rising trend of parents monetizing their children’s medical conditions on social media is bringing attention to a lack of child influencer protections. Critics say “medical moms” are violating the privacy of non-consenting children by posting private health info. (Fortesa Latifi / The Washington Post)
An investigation into 60 of the largest crypto companies found that roughly one third of them didn’t have an independent board of directors and only half have hired an independent auditor. (Emily Nicolle / Bloomberg)
OpenAI released a major update for ChatGPT that includes 70 third-party plugins, and support for web browsing queries, for Plus subscribers. (Kristi Hines / Search Engine Journal)
Google CEO Sundar Pichai discussed renewed competition with Microsoft, the future of search, and the new generative AI race in an interview on Decoder. (Nilay Patel / The Verge)
Google’s approach to Android was markedly different at this year’s I/O conference, with a big focus on AI but very little mention of Android 14. The company is rolling out new features in continuous updates rather than all at once. (Allison Johnson / The Verge)
Google said its Google Assistant technology is not being phased out, and will power some new smartphone features, despite its absence at last week’s AI-centric I/O conference. (Khari Johnson / Wired)
Anthropic expanded the “context window” for its AI chatbot Claude from 9,000 to 100,000 tokens, which should allow the bot to remember longer conversations and digest larger texts. (Kyle Wiggers / TechCrunch)
The open source community is keeping pace with generative AI developments from Big Tech, but access to the underlying code and research may get more restrictive as competition heats up. (Will Douglas Heaven / MIT Technology Review)
A new crop of startups is using GPT-4 to help law firms and legal departments automate entry-level research and clerical work. (Erin Mulvaney and Lauren Weber / WSJ)
Influencer Caryn Marjorie launched a GPT-4-powered chatbot called CarynAI that replicates her voice and personality and costs $1 a minute. Marjorie estimates the product will generate $5 million a month when fully scaled; it made $100,000 in its first week. (Taylor Lorenz / The Washington Post)
A study found that co-writing using a biased generative AI chatbot resulted in participants more often agreeing with the bot’s suggested opinions without realizing they were being influenced. Gulp. (Christopher Mims / WSJ)
Apple’s new mixed reality headset, set to debut next month, will represent a break with tradition for the iPhone maker due to its high cost and experimental nature. (Aaron Tilley and Yang Jie / WSJ)
Netflix has emerged as a central villain emblematic of the streaming era’s mistreatment of Hollywood workers in the ongoing Writers Guild of America strike. (John Koblin and Nicole Sperling / The New York Times)
Warner Music Group operates a “nightcore” Spotify account that posts sped-up remixes of popular Warner-signed artists to covertly capitalize on TikTok trends. Amazing. (Ashley Carman / Bloomberg)
The Athletic is finding success with so-called live audio rooms, which deliver a Clubhouse-like experience for writers to connect with sports fans. The company thinks of the product as an interactive spin on sports radio. (Sarah Scire / Nieman Lab)
Sex workers are struggling with the stigma against Twitter Blue subscribers, as paid verification has become one of the only avenues to promote adult content on social media. (Lux Alptraum / The Verge)
Formerly online-only retailers have accelerated their brick-and-mortar expansions, and Warby Parker executives now estimate the company could someday operate close to 1,000 physical stores. (Kate King / WSJ)
WhatsApp is rolling out its new “Chat Lock” feature to protect conversations behind a password or biometric identifier and keep message previews and sender information from popping up in notifications. (Jay Peters / The Verge)
Those good tweets
For more good tweets every day, follow Casey’s Instagram stories.
Talk to us
Send us tips, comments, questions, and censored Turkish tweets: email@example.com and firstname.lastname@example.org.