Following the Twitter breach that allowed attackers to access internal admin tools and take over several prominent accounts last week, the company has now revealed that the attackers also accessed DMs belonging 36 out of the 130 affected users — including one elected official in the Netherlands.
This simply won’t do, at a time when Twitter is a trusted communication platform for hundreds of millions of people around the world, as well as for global leaders. The debate around what sort of damage hackers could do by tweeting incendiary messages from the verified accounts of powerful people rages on, but it’s clear that they could do more harm by snooping on private correspondence.
US Senator Ron Wyden raised this concern last week in a statement, noting that he’d discussed the issue back in September 2018 with Twitter CEO Jack Dorsey. The company is said to have been working on end-to-end encryption (E2EE) for DMs as far back as May 2018, but there’s still no sign of that feature on the horizon.
In a post this week, the tech policy-focused nonprofit Electronic Freedom Foundation (EFF) highlighted the dangers of unsecured DMs in its call for E2EE to be implemented on Twitter’s messaging service:
… because they are not end-to-end encrypted, so Twitter itself has access to them. That means Twitter can hand them over in response to law enforcement requests, they can be leaked, and — in the case of this week’s attack — internal access can be abused by malicious hackers and Twitter employees themselves.
We don’t need any more signals that this is the logical next step for Twitter in the evolution of its product. As the tool of choice for so many voices, both in power and those fighting the abuse of power, it’s now obliged to secure their communications just as so many other companies have.