Elon⁣ Musk’s latest⁢ endeavor involves the evolution of a basic Twitter application⁤ into X, ⁤a multi-functional app that seems to struggle with excelling in any particular⁤ function. Recently, ⁤Musk introduced ⁣audio⁤ and ⁢video calling capabilities on X. This new ‌feature, which is activated by default, ​exposes your IP ⁤address to anyone you interact with and raises ⁤questions⁢ about who can contact you.

Unveiling the New Capability

On the previous ​Wednesday, the⁢ official ​news account ⁢ of X publicized ⁣the⁢ new feature: “Audio and video calling are⁢ now available to everyone on X! Who will you⁤ call first?” X‌ posted.

We decided to delve into X’s official help center page and conduct ⁤tests ​of the feature to ‌comprehend how the calling feature⁢ functions and to identify the potential ​risks it poses.

Understanding the Potential Dangers

While an individual’s IP⁤ address isn’t extremely ⁤sensitive, these online ‌identifiers can be used to deduce location ⁢and ⁣can be associated‌ with a person’s​ online behavior, which can pose a risk‌ to high-risk users.

The audio ‍and ‌video calling⁢ feature is primarily​ located within the‌ Messages‌ section of the X app, where a phone icon is now visible ‌in the top right-hand corner, on ‌both iOS ⁢and Android.

The calling feature is activated‍ by⁤ default⁤ in the X apps. However, ​the limitation is​ that you can only initiate⁢ and ​receive calls on X’s app, and not yet on your browser.

Addressing ​Privacy Concerns

By‌ default, calls‍ are peer-to-peer, ​meaning that the two individuals in a call exchange each others’ IP addresses because the ​call⁢ connects their devices directly. This is​ a standard design in most messaging and calling ⁤apps, such as FaceTime, ‌Facebook Messenger,⁤ Telegram, Signal, and WhatsApp, as we highlighted in November.

In its official help center, X acknowledges that calls are‍ routed peer-to-peer between⁣ users in a way that IP addresses “may be visible to the other.”

If you wish to conceal your IP address, you can enable ​the “Enhanced call privacy” toggle in X’s Message settings. By activating this setting, X⁤ assures that the call “will be relayed ‍through X infrastructure, and the IP address of⁤ any party that has this setting enabled will be⁢ hidden.”

Interestingly, X doesn’t mention encryption in the official ​help‌ center page at all, suggesting that the ⁢calls are likely not end-to-end encrypted, potentially ​allowing Twitter‌ to listen‌ in on conversations. End-to-end encrypted ⁤apps, like Signal ‌or WhatsApp, prevent anyone other ‍than the caller and​ the​ recipient from eavesdropping, including WhatsApp and​ Signal.

We reached out to X’s press email to inquire​ about end-to-end encryption. The⁢ only response we received ⁣was: “Busy now, please check back later,” X’s standard auto-response to media inquiries. We also ⁤contacted X spokesperson Joe Benarroch but received​ no⁤ response.

Recommendations and‌ Experiments

Considering these ⁣ privacy concerns, we suggest disabling⁢ the calling feature entirely.

If you still wish to use this call feature, it’s crucial‌ to understand who can ⁤call you and who you can ⁣call — and depending on ⁤your settings, it can become quite perplexing and complex.

The default setting is ‌“People you‍ follow,” but you can‍ opt to change it to‍ “People in your address book,”​ if you shared your contacts with X; “Verified users,” which would allow anyone who pays for X‌ to⁢ call⁤ you; or everyone, if you are open to ⁢receiving ⁣unsolicited‌ calls from any random person.

We⁤ at TechCrunch decided to experiment with several‍ different scenarios using two X accounts: a newly created test account and a long-standing⁣ real account. Using the open-source​ network analysis tool Burp Suite, we‍ were able to observe ​the ⁣network traffic entering ​and exiting the ‌X app.

Here‌ are ⁢the findings (as of the time of writing):

When neither account follows‌ each other, ⁢neither account sees the phone⁤ icon, and thus neither can‍ call. When the test account sends ‌a DM to the real account, ⁢the message is received but neither account sees ‌the phone icon. When ⁤the real account⁤ accepts the DM, the ⁤test account can then call the real account.⁤ And if nobody picks up, only the test account caller’s ‌IP is exposed. When the test account starts a call and the real account ​picks up (which exposes the real account’s IP address — so ​both sets of IP addresses), the test account cannot‌ call back ⁢because the test⁤ account ⁤is set to allow incoming calls ⁤ for “follow” only. ⁢When the real account follows the test account ⁤back, both ⁢can contact each other.

The network analysis reveals that ‍X built ‌the⁢ calling feature ‍using Periscope, Twitter’s livestreaming service and app ⁢ that‌ was discontinued in ‍2021. Because X’s calling​ uses Periscope,​ our network analysis shows⁣ the X app creates the call⁢ as if it were a live Twitter/X broadcast, even if the contents⁣ of the call cannot be heard.

In conclusion, whether to use X calling is up to you. You can⁤ do nothing, which potentially exposes you to calls from people you⁣ probably don’t want to receive calls⁤ from⁣ and can⁤ compromise your privacy. Or you⁣ can try to limit ​who can call you ‌by deciphering X’s settings. Or, you can simply disable the feature altogether and not have ⁤to‍ worry about any of this.