In his quest to turn the simple and functional Twitter app into X, the everything app that doesn’t do anything very well, Elon Musk launched audio and video calling in X last week. The new feature is enabled by default, leaks your IP address to anyone you talk with, and makes it incredibly confusing to figure out how to limit who can call you.
In a post on Wednesday, the official news account of X announced the new feature: “Audio and video calls are now available to everyone on X! who do you call first?” wrote X.
We reviewed the official X help center page and performed feature tests to analyze how the calling feature works and understand the risks associated with it.
A person’s IP address is not highly sensitive, but these online identifiers can be used to infer location and can be linked to a person’s online activity, which can be dangerous for high-risk users.
First of all, the audio and video calling feature is inside the Messages section of the X app, where a phone icon now appears in the top right corner, on both iOS and Android.
Calling is enabled by default in X apps. The caveat is that you can only make and receive calls in the X app and not yet in your browser.
By default, calls are peer-to-peer, meaning that the two people on a call share each other’s IP addresses because the call connects directly to their devices. This is by design in most messaging and calling apps, including FaceTime, Facebook Messenger, Telegram, Signal, and WhatsApp, as we reported in November.
In its official help center, X says calls are routed peer-to-peer between users in a way that IP addresses “may be visible to others.”
If you want to hide your IP address, you can enable the “Enhanced Call Privacy” toggle in X’s messaging settings. By enabling this setting, X says that the call “will be transmitted over the X infrastructure and the IP address of any party that has this setting enabled will be covered.”
X doesn’t mention encryption at all on the official help center page, so the calls are likely not end-to-end encrypted, potentially allowing Twitter to listen in on the conversations. End-to-end encrypted apps, such as Signal or WhatsApp, prevent anyone other than the caller and recipient from listening in, including WhatsApp and Signal themselves.
We asked X’s press email whether there is end-to-end encryption. The only response we got was: “Busy now, check back later,” X’s default auto-response to media inquiries. We also emailed X’s representative, Joe Benarroch, but did not hear back.
Because of these privacy risks, we recommend turning off the calling feature entirely.
In case you want to use this calling feature, it’s important to understand who can call you and who you can call — and depending on your settings, it can get very confusing and complicated.
The default setting is “People You Follow,” but you can change it to “People in your Address Book,” if you’ve shared your contacts with X; to “Verified Users,” which would allow anyone paying for X to call you; or to everyone, if you want to receive spam calls from any random person.
TechCrunch decided to test several different scenarios with two X accounts: a newly created test account and a real account that has been in use for a long time. Using the open source network analysis tool Burp Suite, we could see the network traffic flowing in and out of the X application.
Here are the results (at the time of writing):
- When no accounts are following each other, none of the accounts see the phone icon and therefore none can call.
- When the test account sends a DM to the real account, the message is received but neither account sees the phone icon.
- When the real account accepts the DM, the test account can then call the real account. If no one picks up, only the IP address of the caller (the test account) is revealed.
- When the test account initiates a call and the real account picks up (which reveals the IP address of the real account, so both sets of IP addresses are exposed), the real account cannot call back because the test account is configured to allow incoming calls only from accounts it follows.
- When the real account follows the test account, both can communicate with each other.
Network analysis shows that X built the calling feature using Periscope, Twitter’s live streaming service and app, which was discontinued in 2021. Because X’s calling uses Periscope, our network analysis shows that X’s app creates the call as if it were a live Twitter/X broadcast, even if the content of the call is not audible.
Ultimately, whether you use X calling is your choice. You can do nothing, which potentially exposes you to calls from people you probably don’t want to receive calls from and can put your privacy at risk. Or you can try to limit who can call you by deciphering X’s settings. Or you can just disable the feature entirely and not worry about any of it.
Carly Page and Jagmeet Singh contributed to this report.