With that statement, Musk waded into a long-running debate among technologists and privacy advocates around the level of encryption apps and platforms should provide to their users. Growing concerns about privacy have led to questions about how much user data tech companies collect, and many platforms — including the Signal messaging app Musk referred to — have begun to tout end-to-end encryption as a key feature.
That capability means communications can only be seen by the senders and recipients, without the platform being able to access them. While some apps, such as Signal and WhatsApp, have end-to-end encryption by default, others, including Telegram, Instagram and Facebook Messenger, allow users to opt into encrypted messaging.
Twitter did not respond to a request for comment.
“It would be a significant move in favor of user privacy if Twitter were to turn on [end-to-end encryption] for DMs, as it would keep the company from reading its users’ conversations or disclosing them to anyone else,” Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory whose work focuses on encryption, told CNN Business. “For the company to tie its own hands in this way would prevent a bad actor within the company from abusing the access they have as an employee to user data.”
And the fact that the influential platform will now be under new ownership is raising fresh questions about what data it has access to.
Hours after Musk announced he would take over Twitter, Oregon Sen. Ron Wyden — a longtime advocate for digital privacy — issued another warning.
“Twitter is used less for that kind of direct conversation than Signal, SMS, WhatsApp and Telegram,” he said. “It’s more semi-public.”
Also, Twitter’s architecture — a single platform that includes public tweets and DMs, and is accessed on its website as well as mobile apps across multiple operating systems — could make full encryption more complicated than it is for mobile-first messaging platforms such as Signal, according to Deirdre Connolly, a cryptographic engineer.
“No web service has slapped end-to-end encrypted messaging onto it — after its initial deployment — successfully,” Connolly said, adding that most apps offering it have either started from a mobile platform and expanded, or “have designed their web and mobile apps for [end-to-end encrypted] messaging from the get-go.”
“Building a secure web application that runs in a modern, patched web browser is a fundamentally different and more difficult task than doing the same on desktop or especially mobile,” she said. “They haven’t done it yet because it’s hard. Really hard.”
Twitter and other companies often have policies and controls in place to prevent unauthorized access to private messages. But encrypting those messages “goes beyond policy or access controls by making access impossible in the first place [and] would also limit what information a malicious outsider could obtain about a particular user, whether that’s a hacker or someone posing as law enforcement,” said Pfefferkorn.
“In all, [end-to-end encryption] for DMs would be a net gain for user privacy and security,” Pfefferkorn said.