Elon Musk’s latest endeavor involves the evolution of a basic Twitter application into X, a multi-functional app that seems to struggle with excelling in any particular function. Recently, Musk introduced audio and video calling capabilities on X. This new feature, which is activated by default, exposes your IP address to anyone you interact with and raises questions about who can contact you.
Unveiling the New Capability
On the previous Wednesday, the official news account of X announced the new feature: “Audio and video calling are now available to everyone on X! Who will you call first?”
We decided to delve into X’s official help center page and conduct tests of the feature to comprehend how the calling feature functions and to identify the potential risks it poses.
Understanding the Potential Dangers
While an individual’s IP address isn’t extremely sensitive, these online identifiers can be used to deduce location and can be associated with a person’s online behavior, which can pose a risk to high-risk users.
The audio and video calling feature is primarily located within the Messages section of the X app, where a phone icon is now visible in the top right-hand corner, on both iOS and Android.
The calling feature is activated by default in the X apps. However, the limitation is that you can only initiate and receive calls on X’s app, and not yet on your browser.
Addressing Privacy Concerns
By default, calls are peer-to-peer, meaning that the two individuals in a call exchange each other’s IP addresses because the call connects their devices directly. This is a standard design in most messaging and calling apps, such as FaceTime, Facebook Messenger, Telegram, Signal, and WhatsApp, as we highlighted in November.
In its official help center, X acknowledges that calls are routed peer-to-peer between users in a way that IP addresses “may be visible to the other.”
If you wish to conceal your IP address, you can enable the “Enhanced call privacy” toggle in X’s Message settings. By activating this setting, X assures that the call “will be relayed through X infrastructure, and the IP address of any party that has this setting enabled will be hidden.”
Interestingly, X doesn’t mention encryption in the official help center page at all, suggesting that the calls are likely not end-to-end encrypted, potentially allowing Twitter to listen in on conversations. End-to-end encrypted apps, like Signal or WhatsApp, prevent anyone other than the caller and the recipient from eavesdropping, including WhatsApp and Signal themselves.
We reached out to X’s press email to inquire about end-to-end encryption. The only response we received was: “Busy now, please check back later,” X’s standard auto-response to media inquiries. We also contacted X spokesperson Joe Benarroch but received no response.
Recommendations and Experiments
Considering these privacy concerns, we suggest disabling the calling feature entirely.
If you still wish to use this call feature, it’s crucial to understand who can call you and who you can call — and depending on your settings, it can become quite perplexing and complex.
The default setting is “People you follow,” but you can opt to change it to “People in your address book,” if you shared your contacts with X; “Verified users,” which would allow anyone who pays for X to call you; or everyone, if you are open to receiving unsolicited calls from any random person.
We at TechCrunch decided to experiment with several different scenarios using two X accounts: a newly created test account and a long-standing real account. Using the open-source network analysis tool Burp Suite, we were able to observe the network traffic entering and exiting the X app.
Here are the findings (as of the time of writing):
- When neither account follows each other, neither account sees the phone icon, and thus neither can call.
- When the test account sends a DM to the real account, the message is received but neither account sees the phone icon.
- When the real account accepts the DM, the test account can then call the real account. And if nobody picks up, only the test account caller’s IP is exposed.
- When the test account starts a call and the real account picks up (which exposes the real account’s IP address — so both sets of IP addresses), the test account cannot call back because the test account is set to allow incoming calls for “follow” only.
- When the real account follows the test account back, both can contact each other.
The network analysis reveals that X built the calling feature using Periscope, Twitter’s livestreaming service and app that was discontinued in 2021. Because X’s calling uses Periscope, our network analysis shows the X app creates the call as if it were a live Twitter/X broadcast, even if the contents of the call cannot be heard.
In conclusion, whether to use X calling is up to you. You can do nothing, which potentially exposes you to calls from people you probably don’t want to receive calls from and can compromise your privacy. Or you can try to limit who can call you by deciphering X’s settings. Or, you can simply disable the feature altogether and not have to worry about any of this.