In his quest To turn a simple, efficient Twitter app into X, an everything app that doesn't do anything particularly well, Elon Musk launched audio and video calling on Learn how to limit who can contact you.
In a post on Wednesday, X's official news account announced the new feature: “Voice and video calls are now available to everyone on X! Who do you call first?” X wrote.
We looked at the official Help Center page for X and ran feature tests to analyze how the calling feature works and understand the risks associated with it.
A person's IP address is not very sensitive, but these online identifiers can be used to infer location and can be linked to a person's online activity, which can be dangerous for high-risk users.
First, the audio and video calling feature is located within the Messages pane of the
Calling is enabled by default in X apps. The caveat is that you can only make and receive calls on the X app, not in your browser yet.
By default, calls are peer-to-peer, which means that the two people participating in the call share each other's IP addresses because the call connects directly to their devices. This happens by design in most messaging and calling apps, like FaceTime, Facebook Messenger, Telegram, Signal, and WhatsApp, as we mentioned in November.
In its official help center, X says that calls are routed peer-to-peer between users in such a way that IP addresses “may be visible to others.”
If you want to hide your IP address, you can turn on the “Enhanced Call Privacy” toggle in X’s messaging settings. By turning this setting on, X says that the call “will be relayed over A party has enabled this setting.”
X doesn't mention encryption on the official help center page at all, so calls may not be end-to-end encrypted, which could allow Twitter to listen in on conversations. End-to-end encrypted apps, Signal or WhatsApp – prevent anyone other than the caller and recipient from listening, including WhatsApp and Signal.
We asked X's press email if there is end-to-end encryption. The only response we got was: “Busy now, please check back later,” which is X's default automated response to media inquiries. We also emailed X spokesperson Joe Benarroch, but did not receive a response.
Due to these privacy risks, we recommend turning off the calling feature completely.
If you want to use this calling feature, it's important to understand who can contact you and who you can contact – and depending on your settings, it can get very confusing and complicated.
The default (as you can see above) is “People you follow,” but you can choose to change it to “People in your address book,” if you share your contacts with X; “Verified Users,” which allows anyone who pays X to contact you; Or everyone, if you want to receive unwanted calls from any rando.
TechCrunch decided to test several different scenarios using two X accounts: a newly created test account and a long-standing real account. Using the open source network analysis tool Burp Suite, we can see the network traffic flowing in and out of the X application.
Below are the results (at the time of writing):
When neither account follows the other, neither account sees the phone icon, and therefore neither can call. When the demo account sends a direct message to the real account, the message is received but neither account sees the phone icon. When the real account accepts a direct message, the demo account can then connect to the real account. If no one responds, only the IP address of the demo account caller will be revealed. When the test account initiates a call and the real account answers (which exposes the real account's IP address – and thus both sets of IP addresses), the test account cannot call back because the test account is set to allow incoming calls for “follow-up” only. When the real account follows the demo account, both can connect to each other.
Network analysis shows that , even if you cannot hear the contents of the call.
Ultimately, using the X connection is your choice. You can't do anything, which could expose you to calls from people you might not want to receive calls from and could put your privacy at risk. Or you can try limiting who can contact you by deciphering your X settings. Or you can just turn the feature off completely and not have to worry about any of this.
Carly Page and Jagmeet Singh contributed reporting.