With the acquisition of Twitter by Elon Musk, a billionaire with a well-documented record of going on vindictive tirades against his critics despite his professed adoration of “free speech,” some people have once again raised concerns about the privacy of Twitter’s direct messages.
Twitter’s direct messages are not end-to-end encrypted, unlike messages on more security-focused services such as Signal. With end-to-end encryption, a message is encrypted on the sender’s device with a key that only the sender and recipient hold, so the provider’s servers relay and store ciphertext they cannot read. A service like Twitter that lacks this protection holds whatever keys do protect the messages, so, at least in principle, someone inside the company could read them; how hard that is depends not on cryptography but on how the company has set up its internal access controls and monitoring.
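To make the distinction concrete, here is an added Go example (not code from the article, and not anything Twitter runs) that pushes one constructed message through both designs. In the server-side model the service encrypts at rest with a key it holds, so an insider with access to the store and the service’s keys recovers the text; in the end-to-end model each user holds an X25519 key pair, the sender derives the pair key and encrypts on-device, and the same insider recovers only ciphertext. The `Service`, `InsiderRead` and `Demo` names, the SHA-256-of-shared-secret key derivation and the sample message are all assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// StoredDM is one message as the hypothetical service keeps it at rest: an
// AES-GCM ciphertext in both models. What differs is who holds the key.
type StoredDM struct{ Nonce, Body []byte }

// Service is the DM store. ServerKey is set in the server-side model (the
// service encrypts with a key it controls) and nil under E2EE.
type Service struct {
	Messages  []StoredDM
	ServerKey []byte
}

// must keeps the demo short: any setup failure aborts the run.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// encrypt seals text under key with a fresh random nonce.
func encrypt(key []byte, text string) StoredDM {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return StoredDM{nonce, gcm.Seal(nil, nonce, []byte(text), nil)}
}

// decrypt returns the plaintext, or an error if the key or ciphertext is wrong.
func decrypt(key []byte, m StoredDM) (string, error) {
	pt, err := newGCM(key).Open(nil, m.Nonce, m.Body, nil)
	return string(pt), err
}

// pairKey derives the key two users share from X25519; each side computes it
// from its own private key and the other's public key, and it never leaves the
// device. Hashing the raw secret is a demo simplification (real: HKDF + ratchet).
func pairKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) []byte {
	k := sha256.Sum256(must(mine.ECDH(theirs)))
	return k[:]
}

// SendServerSide models a non-E2EE service: the client uploads plaintext (TLS
// protects only the wire) and the service encrypts it with its own key.
func (s *Service) SendServerSide(text string) {
	s.Messages = append(s.Messages, encrypt(s.ServerKey, text))
}

// InsiderRead is what an employee with access to the store and to every key
// the service holds can recover.
func (s *Service) InsiderRead() []string {
	out := make([]string, 0, len(s.Messages))
	for _, m := range s.Messages {
		pt := "<ciphertext only>" // under E2EE there is no server-held key to try
		if s.ServerKey != nil {
			if p, err := decrypt(s.ServerKey, m); err == nil {
				pt = p
			} else {
				pt = "<undecryptable>"
			}
		}
		out = append(out, pt)
	}
	return out
}

// Demo pushes one constructed DM through both models and returns what an
// insider recovers from each store and what the recipient reads under E2EE.
func Demo() (insiderLegacy, insiderE2EE []string, recipient string) {
	const msg = "constructed sample DM: the leak came from the fourth floor"

	serverKey := make([]byte, 32)
	must(rand.Read(serverKey))
	legacy := &Service{ServerKey: serverKey}
	legacy.SendServerSide(msg)

	alice := must(ecdh.X25519().GenerateKey(rand.Reader))
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))
	e2ee := &Service{} // no ServerKey: the service stores what Alice's device uploads
	e2ee.Messages = append(e2ee.Messages, encrypt(pairKey(alice, bob.PublicKey()), msg))
	recipient = must(decrypt(pairKey(bob, alice.PublicKey()), e2ee.Messages[0]))
	return legacy.InsiderRead(), e2ee.InsiderRead(), recipient
}

func main() { fmt.Println(Demo()) }
```

Running it prints the recovered text for the server-side store, `<ciphertext only>` for the end-to-end store, and the original text as read by Bob. The point the paragraph makes is visible in the code: under E2EE the service never holds anything that decrypts the message, so insider access becomes a question of what the client code does, not of who can query the database.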
Malicious insiders are a threat that all tech companies have to grapple with. Motherboard has previously reported on how Facebook workers have used their privileged access to user data to stalk people; how MySpace employees used an internal tool called “Overlord” to track love interests; and how workers inside Snapchat abused the company’s own system called Snaplion. Motherboard also obtained a document showing Google has fired dozens of employees for data misuse.
Do you work at Twitter? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Twitter has had malicious insiders before. The Department of Justice previously charged two Twitter employees for accessing user data on behalf of Saudi Arabia.
But with Musk potentially taking control of the company, will the calculus around the issue of malicious insiders change?
“I don't think the likelihood of insider threat at Twitter has changed now that Elon Musk has purchased it, but I think that it may change who those insiders are, how they try to get at the data, and what kind of data they think they can get,” Eva Galperin, director of cybersecurity at activist organization the Electronic Frontier Foundation (EFF), told Motherboard in an online chat.
Musk using his position as Twitter’s head to access users’ DMs would, in all likelihood, be illegal in most contexts. Jake Williams, director of threat intelligence at cybersecurity firm Scythe, told Motherboard in a Twitter DM he “can't fathom Musk would risk that level of legal exposure for some unspecified gain.”
“I don't think there will be any meaningful change to insider risk. I think anyone claiming otherwise is living in a bit of a fantasy land,” Williams said.
Alan Woodward, visiting professor at the University of Surrey’s Centre of Cyber Security, Department of Computer Science, told Motherboard in a Twitter direct message that he was “Not quite sure why it would be any worse now than it has been.”
“DMs have lacked E2EE [end-to-end encryption] whilst many other comms channels have adopted it, but introducing E2EE on Twitter DMs has some particular problems, so it’s not surprising. Hence, if anyone thinks their DMs are truly private, they should think again. If you think Elon Musk is somehow going to monetise the content of your DM, then that’s always a possibility but malicious insiders might possibly have some extra infrastructure/tools with which to search DMs, but that’s quite a stretch.”
Ultimately, cybersecurity researcher Matt Tait said, it depends how hands-on Musk is with Twitter.
“Honestly not sure we know yet. It depends on what Elon wants to do with the site, and how hands-on he wants to be,” he said.