X, Twitter new calling feature could open you up to scams, stalking

In his quest to make X into an “everything app,” last week Elon Musk gave free audio and video calling to all users—not merely the 650,000 subscribers who pay to use the platform, but literally all 1.3 billion accounts.

What a noble act, some may think, except that a privacy issue emerged almost immediately. The new feature was activated by default, without notifying users. And now, users are discovering not only that X has exposed their data to other users, but it’s also handing call-making capabilities to people they might wish didn’t have it.

The feature’s setup is part of the reason behind the complaints. Currently, it’s only available using the phone app; calls can’t be placed using X on an internet browser yet. But like other messaging phone apps, X is routing calls through a peer-to-peer network. Such a setup exposes both parties’ IP addresses.

X acknowledges this if you visit the X Help Center’s new “Audio and Video Calls” page: “If both parties to a call [don’t change the default settings] . . . the call itself is routed peer-to-peer such that each parties IP address may be visible to the other.”

Don’t want your IP address shared? Then you have to manually enable a specific setting, marked “Enhanced call privacy.” If that’s enabled, X says “a call between [two parties] will be relayed through X infrastructure, and the IP address of any party that has this setting enabled will be masked.”

The power of an IP address

For many people, having theirs exposed doesn’t pose an immediate threat. An IP address acts as a unique string of characters that identifies a person’s computer so it can communicate over a network. But any additional exposure makes users more vulnerable to spam, identity theft, and other privacy attacks. If it falls into the wrong hands, your IP address can help a bad actor track your online activity and even figure out where you’re located.

Why X’s calls select peer-to-peer networking by default is a question the company hasn’t answered. (It didn’t respond to Fast Company’s inquiries.) X would likely argue peer-to-peer networks yield better call quality. But another major benefit is they also reduce infrastructure and management costs for the call’s host.

But with privacy protection a topic of concern for many users, other platforms have been clawing back their use of peer-to-peer networks. Last November, WhatsApp unveiled a “Protect IP Address in Calls” feature that does precisely as the name suggests, warning users that the only downside is a possible reduction in call quality. On Signal, meanwhile, if callers aren’t in recipients’ address books, the app automatically routes the IP addresses through a Signal server as a safeguard.

A charitable interpretation of Musk’s vision for X has always been that he wants to make it suck, big time—but here, we mean suck in an inescapability sense: It should pull users back in constantly, to stream movies, manage their finances, look for jobs, find dating partners, share hilarious memes, and even engage in a little good-natured harassment of fellow users.

The last activity should be facetious, but it isn’t. Elon Musk promised to save Twitter users from spam and bots; instead, they’ve gotten more bots than ever, lost their block function, and had their experience inundated with ads for porn and fake luxury goods. Prior to X’s call feature rolling out, the worst trolls and scammers could do was send users harassing DMs. Now, they can call you.

Damage control

This specter has alarmed users enough for them to have already community-noted X’s official post announcing the start of calls, and driven wire services like the Associated Press to publish detailed instructions explaining how to mask IP addresses on X and block calls from certain kinds of users. (In short: Load the X app on your phone. Navigate to “Settings and Support.” Tap “Settings and privacy,” choose “Privacy and safety,” then go to “Direct messages.” Here, you can turn off the function entirely, or limit incoming callers to people you follow or your address book contacts. (This is also where you’ll find the “Enhanced call privacy” option.)

X has offered users no assistance here, nor is it working to clarify confusion arising from who can message whom by default. X takes the initiative to automatically enable calling from people you follow. Under the phone app’s DM settings tab, however, a line explains: “To reduce unwanted calls, you’ll need to have messaged an account at least once before they’re able to call you.”

Fast Company tried subjecting this to a test, but we couldn’t get the phone symbol that populates when calls are possible to appear at all. (The symbol appeared randomly for other users in our DMs, though, suggesting rollout for now is inconsistent and glitchy.)

But TechCrunch’s Lorenzo Franceschi-Bicchierai writes that he had a different result in practice: He claims he created a test account, messaged his real account, then discovered that (under X’s default settings) all the test account needed to start calling his real account was merely for the real account to accept the test account’s DM—not even message back. When the test account made a call and the real account answered, both parties’ IP addresses were then exposed to each other.

All of this sounds like cause for concern, but the issue of X exposing user IP addresses can be preempted. What users get no say over is what else X is doing with their calls.

X dedicates an entire Help page to explaining how it’s working to encrypt users’ DMs—part of the company’s goal “to be the most trusted platform on the internet.” A bunch of screenshots are involved, and X gives tips to help differentiate encrypted DMs from unencrypted DMs. It is eager to show it’s trying, in other words. But its page for the new audio and video calls doesn’t mention the word encryption, leading skeptical reporters like Franceschi-Bicchierai to wonder if the platform isn’t bothering to do that for calls—a decision that would make X an outlier among messaging apps, because it would give Musk’s platform the ability to listen in on users’ calls if it wanted.

In his quest to make X into an “everything app,” last week Elon Musk gave free audio and video calling to all users—not merely the 650,000 subscribers who pay to use the platform, but literally all 1.3 billion accounts.

What a noble act, some may think, except that a privacy issue emerged almost immediately. The new feature was activated by default, without notifying users. And now, users are discovering not only that X has exposed their data to other users, but it’s also handing call-making capabilities to people they might wish didn’t have it.

The feature’s setup is part of the reason behind the complaints. Currently, it’s only available using the phone app; calls can’t be placed using X on an internet browser yet. But like other messaging phone apps, X is routing calls through a peer-to-peer network. Such a setup exposes both parties’ IP addresses.

X acknowledges this if you visit the X Help Center’s new “Audio and Video Calls” page: “If both parties to a call [don’t change the default settings] . . . the call itself is routed peer-to-peer such that each parties IP address may be visible to the other.”

Don’t want your IP address shared? Then you have to manually enable a specific setting, marked “Enhanced call privacy.” If that’s enabled, X says “a call between [two parties] will be relayed through X infrastructure, and the IP address of any party that has this setting enabled will be masked.”

The power of an IP address

For many people, having theirs exposed doesn’t pose an immediate threat. An IP address acts as a unique string of characters that identifies a person’s computer so it can communicate over a network. But any additional exposure makes users more vulnerable to spam, identity theft, and other privacy attacks. If it falls into the wrong hands, your IP address can help a bad actor track your online activity and even figure out where you’re located.

Why X’s calls select peer-to-peer networking by default is a question the company hasn’t answered. (It didn’t respond to Fast Company’s inquiries.) X would likely argue peer-to-peer networks yield better call quality. But another major benefit is they also reduce infrastructure and management costs for the call’s host.

But with privacy protection a topic of concern for many users, other platforms have been clawing back their use of peer-to-peer networks. Last November, WhatsApp unveiled a “Protect IP Address in Calls” feature that does precisely as the name suggests, warning users that the only downside is a possible reduction in call quality. On Signal, meanwhile, if callers aren’t in recipients’ address books, the app automatically routes the IP addresses through a Signal server as a safeguard.

A charitable interpretation of Musk’s vision for X has always been that he wants to make it suck, big time—but here, we mean suck in an inescapability sense: It should pull users back in constantly, to stream movies, manage their finances, look for jobs, find dating partners, share hilarious memes, and even engage in a little good-natured harassment of fellow users.

The last activity should be facetious, but it isn’t. Elon Musk promised to save Twitter users from spam and bots; instead, they’ve gotten more bots than ever, lost their block function, and had their experience inundated with ads for porn and fake luxury goods. Prior to X’s call feature rolling out, the worst trolls and scammers could do was send users harassing DMs. Now, they can call you.

Damage control

This specter has alarmed users enough for them to have already community-noted X’s official post announcing the start of calls, and driven wire services like the Associated Press to publish detailed instructions explaining how to mask IP addresses on X and block calls from certain kinds of users. (In short: Load the X app on your phone. Navigate to “Settings and Support.” Tap “Settings and privacy,” choose “Privacy and safety,” then go to “Direct messages.” Here, you can turn off the function entirely, or limit incoming callers to people you follow or your address book contacts. (This is also where you’ll find the “Enhanced call privacy” option.)

X has offered users no assistance here, nor is it working to clarify confusion arising from who can message whom by default. X takes the initiative to automatically enable calling from people you follow. Under the phone app’s DM settings tab, however, a line explains: “To reduce unwanted calls, you’ll need to have messaged an account at least once before they’re able to call you.”

Fast Company tried subjecting this to a test, but we couldn’t get the phone symbol that populates when calls are possible to appear at all. (The symbol appeared randomly for other users in our DMs, though, suggesting rollout for now is inconsistent and glitchy.)

But TechCrunch’s Lorenzo Franceschi-Bicchierai writes that he had a different result in practice: He claims he created a test account, messaged his real account, then discovered that (under X’s default settings) all the test account needed to start calling his real account was merely for the real account to accept the test account’s DM—not even message back. When the test account made a call and the real account answered, both parties’ IP addresses were then exposed to each other.

All of this sounds like cause for concern, but the issue of X exposing user IP addresses can be preempted. What users get no say over is what else X is doing with their calls.

X dedicates an entire Help page to explaining how it’s working to encrypt users’ DMs—part of the company’s goal “to be the most trusted platform on the internet.” A bunch of screenshots are involved, and X gives tips to help differentiate encrypted DMs from unencrypted DMs. It is eager to show it’s trying, in other words. But its page for the new audio and video calls doesn’t mention the word encryption, leading skeptical reporters like Franceschi-Bicchierai to wonder if the platform isn’t bothering to do that for calls—a decision that would make X an outlier among messaging apps, because it would give Musk’s platform the ability to listen in on users’ calls if it wanted.