Strangers can now see the locations of users on X after the social media platform rolled out a new calling feature.
Anyone with a profile on X, previously known as Twitter, has a new setting on their account turned on by default, which enables others to call their profile. By doing so the caller can see their town, city or postcode.
The feature has caused concern among liberty groups and digital rights campaigners who say showing this information could be a “matter of life or death” for vulnerable campaigners. The Open Rights Group and Big Brother Watch labelled the move by X as “extremely concerning” and “a serious error of judgement” regarding users’ safety and privacy.
The Information Commissioner’s Office told i platforms were required to ensure personal information was protected and for users to be made aware of changes to their private data.
X’s change reveals a user’s IP address when they are called. This is a unique set of numbers assigned to a device, like a phone or laptop, that is connected to the internet. Those numbers enable the device to communicate with the internet and include information, such as its physical location.
An IP address can reveal the town, city or postcode of a user. It can be used to find the exact address of individuals – a practice known as ‘doxxing’.
It is unclear when the new feature was rolled out across accounts. After searching on an archive of X’s website, i found a ‘Help Centre’ page detailing the update on 23 February. Five days later on 28 February, X announced the ability to make calls on the app but did not disclose that a person’s IP address would be visible.
Some users sought to let others know about the privacy issue through X’s ‘community notes’ feature, where accounts can highlight key information the original user has omitted in a post.
The function can be disabled, but some people have reported receiving an error message or having to try multiple times before the feature would turn off. It also appears it can only be disabled while using X’s app, not on a desktop.
There is one barrier to who is able to call an X user on their profile. The platform states that a caller must have sent a message to the account at least once before. The audio feature was previously only available to premium users.
The real-world impact of this change is alarming, according to Mahsa Alimardani, a digital rights researcher at the Oxford Internet Institute.
She has closely monitored the use of social media in the recent Iranian protests against the government, when activists used anonymised accounts to publish videos, photos and posts from within the country to highlight how protesters were being silenced.
Ms Alimardani told i: “Despite a mass migration off of Twitter, most Iranians inside Iran are still using it for their activism, as are a lot of other community activist communities. This was just reckless behaviour from X for vulnerable users.
“Iran has had massive crackdowns to really snuff out all the dissidents and activism, [including those on] Twitter anonymously posting against the regime. We’ve seen cyber army accounts dox activist accounts. They are putting a tonne of resources into locating and identifying people on this platform.
“Now having this feature, where they would be able to find this person’s IP address, is really making things easier for the regime.”
She added: “This is a matter of life and death.”
Abby Burke, programme manager at Open Rights Group, a digital rights safeguarding group, echoed her concerns.
“It’s extremely concerning that X has rolled out a new feature that has serious implications for users privacy and security quietly, without making users aware of the changes.”
She added this change had come in the wake of X scrapping its content moderation teams and a rise in hate speech on the platform. “Profit is the motivating factor over user safety and security.”
Mark Johnson, advocacy manager at civil liberties group Big Brother Watch, said: “This is a serious error of judgement from X, which could have major ramifications for people on the site who require privacy to ensure their safety and security.
“The platform should reconsider the design of this new feature and ensure any system that facilitates calls via the site does so in a way which doesn’t compromise the privacy of users.”
Pat de Brún, head of big tech accountability at Amnesty International, said many human rights workers relied on X to document abuses and that “any moves by X that risk surreptitiously exposing the location of platform users are deeply alarming and should be revisited immediately to ensure compliance with human rights standards”.
The Information Commissioner’s Office, the government body looking at the use of private information and tasked with upholding information rights in the UK, said: “Online platforms are required to take a ‘data protection by design’ approach when introducing new features that might reveal personal data.
“As part of this approach, platforms should put protections in place to minimise the amount of personal information surfaced to other users and people should be fully informed about the privacy impacts of these features.”
X did not respond to requests for comment.
How to turn the feature off
Go to the X app on your phone.
Go to your messages and tap the settings button.
Toggle the button to ‘off’ (so it is not green) on the ‘Enable audio and video calling’ section.
If you encounter an error or glitch, some users have reported that closing and reopening the app works, while others have also had success when uninstalling and reinstalling the app.
