Twitter's encrypted DMs are here, but they have many, many limitations

As promised by Twitter CEO and owner Elon Musk, encrypted direct messaging on Twitter has arrived. But is it any good? In a word, no.

The good news: at least Twitter is honest about it.

Echoing Musk's tweet from Wednesday, in a new section of Twitter's Help Center, the company explains that the goal of DM encryption should be "if someone puts a gun to our heads, we still can’t access your messages." Twitter then readily admits: "We’re not quite there yet, but we’re working on it."

While Twitter's current implementation of encrypted messaging has many technical limitations (more on that later), its biggest flaw is that it's not available to everyone. Instead, both the sender and the recipient of the message has to be verified, meaning (as of late) that they have to pay for the $8 per month Twitter Blue subscription tier. The number of Twitter users that have done so is currently tiny compared to Twitter's entire user base.

Also, encrypted messaging is opt-in, meaning messages aren't encrypted by default, even for eligible users. Instead, sending an encrypted message requires toggling an icon to enable encrypted mode.

As for the overall limitations of the feature, they are numerous. For one, encrypted messages can only be sent to a single recipient, not groups. For another, encrypted messages can only include text and links; media and other attachments aren't supported. Perhaps even more worryingly, Twitter says that "while messages themselves are encrypted, metadata (recipient, creation time, etc.) are not."

Also, new devices cannot join existing encrypted conversations, and it's not possible to report encrypted messages to Twitter.

In addition, Twitter says it doesn't offer protection from a certain type of attack called "man-in-the-middle." According to the company, "If someone–for example, a malicious insider, or Twitter itself as a result of a compulsory legal process--were to compromise an encrypted conversation, neither the sender or receiver would know." Twitter says it's working on it, though.

Finally, if the private key of a registered device were somehow compromised, "an attacker would be able to decrypt all of the encrypted messages that were sent and received by that device," and Twitter says it does not plan to address this issue at all in the future.

All in all, while encrypted messages on Twitter are a step forward for the company, they lag behind privacy-first messaging apps such as Signal, and it will probably take a while until Twitter gets close to that level of security. They're also only available to a small subset of Twitter users, which is a shame. As is, encrypted messages are a better-than-nothing option for Twitter Blue subscribers, but for serious privacy they should look elsewhere.