Twitter gets serious about user privacy with added encryption

Snooping on your Twitter account and direct messages just got a lot more difficult. On Friday, the social network announced that it has bolstered its system with a robust privacy technology that makes it extremely difficult for anyone – from Chinese hackers to NSA spies – to get a look at your Twitter data.

The encryption technology, which both Google and Facebook adopted after the leaks by former NSA contractor Edward Snowden, is called “perfect forward secrecy,” or PFS, and will work in conjunction with HTTPS encryption. Unlike HTTPS, which encrypts Internet traffic using a preset pair of “keys” that are stored on company servers for long periods of time, PFS creates an entirely new set of encryption keys for each user, every time a person logs into Twitter, either through the desktop or mobile websites, or through Twitter clients like TweetDeck. These keys are then destroyed after each session, making it nearly impossible for an “adversary,” as Twitter calls it, to steal the keys and grab user data.

“If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic,” writes Twitter.
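The adversary Twitter describes, as an added Go example (not Twitter's code or anything from the original article): the same recorded traffic and the same stolen long-term server key are tried against a session keyed from that long-term key and against a session keyed from a one-session ephemeral pair. It uses X25519 and AES-GCM from Go's standard library; SHA-256 stands in for a full key-derivation step, and the message text is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Transcript is everything a passive eavesdropper can record from one session.
type Transcript struct{ ClientPub, ServerPub, Ciphertext []byte }

// newKey makes an X25519 key pair: the server's long-term key, or a one-shot ephemeral one.
func newKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// aeadFor derives an AES-256-GCM key from the X25519 shared secret (SHA-256 stands in for HKDF).
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	key := sha256.Sum256(must(priv.ECDH(peer)))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// runSession models one HTTPS session. With forwardSecret=false the server reuses its long-term
// key for key agreement (the article's "preset keys"); with true it uses a fresh, one-session key pair.
func runSession(serverLongTerm *ecdh.PrivateKey, forwardSecret bool, msg []byte) Transcript {
	clientEph, serverKey := newKey(), serverLongTerm
	if forwardSecret {
		serverKey = newKey() // never stored anywhere; unreachable once this function returns
	}
	aead := aeadFor(clientEph, serverKey.PublicKey())
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	ct := aead.Seal(nonce, nonce, msg, nil) // nonce || ciphertext || tag, as seen on the wire
	return Transcript{clientEph.PublicKey().Bytes(), serverKey.PublicKey().Bytes(), ct}
}

// decryptWithStolenKey is Twitter's "adversary": a recording plus the server's long-term private
// key obtained later. Without forward secrecy it recovers the plaintext; with it, GCM authentication fails.
func decryptWithStolenKey(tr Transcript, stolen *ecdh.PrivateKey) ([]byte, error) {
	aead := aeadFor(stolen, must(ecdh.X25519().NewPublicKey(tr.ClientPub)))
	n := aead.NonceSize()
	return aead.Open(nil, tr.Ciphertext[:n], tr.Ciphertext[n:], nil)
}
```

Both sessions put the same kind of public values on the wire; only the second one leaves the recorded ciphertext unreadable after the key theft.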

Digital rights advocacy group the Electronic Frontier Foundation (EFF) is a vocal proponent of PFS, and has been pushing for Web companies to implement the technology as a way to better protect user privacy.

“It may not be as obvious a step as simply enabling HTTPS, but turning on perfect forward secrecy is an important improvement that protects users,” wrote EFF’s Parker Higgins in a blog post. “More sites should enable it, and more users should demand it of the sites they trust with their private data.”

Twitter agrees with the EFF, saying that it believes perfect forward secrecy should become the “new normal” on the Web thanks to its ability to protect not only private direct messages but also linked email addresses and metadata like timestamps and sender/receiver data.

“At the end of the day, we are writing this not just to discuss an interesting piece of technology, but to present what we believe should be the new normal for Web service owners,” Twitter writes. “A year and a half ago, Twitter was first served completely over HTTPS. Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”
