Since last Wednesday's Twitter hack, a lot of people have begun (or renewed) their demand for Twitter to begin end-to-end encrypting their DMs as a way to protect their users.

In case you somehow missed it, last week Twitter experienced a massive hack wherein dozens of high profile accounts - like Barack Obama, Kanye West, Apple, Warren Buffett, and more - were compromised and began running a Bitcoin scam. It's possible that over $100,000 in Bitcoin was stolen, but nobody can really confirm that at this time.

But let's be honest, E2EE DMs aren't really what Twitter needs.

End-to-end encryption (or E2EE) means that nobody can read the content of the communication except the sender and the reciever. Right now, all of Twitter's communications are wide open to Twitter employees. This is, I will readily concede, problematic at best. Think of how many companies conduct support tickets through Twitter. Conventional wisdom says that if you can't get ahold of a company through conventional means, then blast them on Twitter. Tag them, and especially if you have a following they're likely to engage. "Bad press is good press" rarely holds true these days, so such pressure often forces a company into resolving your issue. But if you've ever taken that approach, you know that the response is often "we're sorry to hear that, DM us!" at which point you're asked to disclose personal information like contact info, purchase numbers, maybe even payment information if an order was messed up.

On a first glance, I must seem like a monster to say that protecting such sensitive information isn't necessary, which is why I'm not saying that. Encrypted DMs would be a major improvement for Twitter users and their privacy, as well the sensitive information that gets sent in DMs like the one I mentioned above. E2EE DMs would mean that even Twitter couldn't harvest the contents of your private messages. But in this case, encrypting DMs would be a lot like fixing a broken window on the Titanic after it struck the iceberg. Twitter has a lot more problems that need to be addressed first.

Even if messages were encrypted, Twitter can still see all your likes, your retweets, your original tweets, the metadata of your photos, your public tags and messages, and I suspect (though I have no proof) they can even see your actual screen time, as in how much time you spend looking at any given tweet. It wouldn't surprise me if the capability exists on at least some devices. But even if it doesn't, that's still A LOT of information. Do you really need to see my direct conversation with Apple if I've spent the last few weeks complaining openly about a technical issue and searching it on my device? Oh yeah, don't forget Twitter uses cookies so I'm sure they can see some (or a lot) of my off-Twitter activity, too.

The messages are definitely a small fraction of the information that Twitter sweeps up about it's users, and while encrypting them is a step in the right direction, we need to pay attention to all the other privacy abuses that Twitter is committing and address those, too. To me, Twitter agreeing to encrypt DMs just proves my point that they can gather enough meaningful data in other ways that they don't care. It's like taking your child to the grocery store and letting them use a quarter to get candy or a toy out of the machine (do they still have those?). The quarter is an insignificant portion of your grocery budget, let the child have it. DMs are a fraction of the data Twitter needs, let's let all those loudmouths feel accomplished like they actually helped users by appeasing them with a meaningless victory.

The problems don't stop there. Let's consider a few other issues with encrypting Twitter DMs. First off, Congress is currently trying hard to undermine E2EE in the US ([Source 1, Source 2). Any sort of encryption introduced into Twitter's DMs would be subject to these laws (if passed), meaning that they wouldn't truly be end-to-end encrypted. There is no such thing as a backdoor that only good guys can use, so if Congress is going to call for E2EE DMs, they better be prepared to back off and let it be possible.

Second, how would this feature be introduced? Most likely, users would want a feature that "just works." Consider Wire messenger: when logging in for the first time on a new device, your previous messages aren't visible for security reasons. Mainstream users would hate this feature. They'd want something more along the lines of ProtonMail or Tutanota: log in and all your stuff is there. In such a case, even end-to-end encryption does absolutely nothing for the users in a situation like last week's hack. It's neat, and it gives them privacy, but it doesn't answer the problem. Furthermore, experts aren't even sure if the hackers accessed DMs at all, this entire argument might be a completely moot point.

I recognize that progress is not an overnight thing. The tech industry - even a single company like Twitter - is aptly compared to the Titanic in the sense that they are massive entities. Changing course isn't like walking down the street and suddenly realizing you need to turn around, it's a monumental undertaking with many moving pieces that takes time. I'm not decrying the need for that change of course to happen. But unlike a ship, the tech industry has many ways in which it can begin to change course, and I think we're not addressing the right ones. One could make the argument that we're going for the low-hanging fruit: do the basics then tackle the big stuff. Unfortunately, at the risk of sounding extreme, I think the time has passed for slow, incremental changes. That ship has sailed (sorry, couldn't resist). Extreme changes need to happen, and quickly.

I would love to speculate on some of those changes - decentralization, government regulation, etc - but frankly that's another large post in and of itself. Maybe I'll tackle that next time. But for now, I think the takeaway is to push harder. E2EE messaging is a great step, but it's not a total solution. We need to push for actual solutions much harder, and not settle until we get them. We - the end users - have the power to demand those changes. Let's do it. If they can give us E2EE, they have the ability to give us other things, like our privacy and our freedom. Demand them back.

Big welcome to The New Oil, a recent addition to the blogging crew!

Share this post