New X feature can leak your location without you realising
Strangers can now see the locations of users on X after the social media platform rolled out a new calling feature.
Anyone with a profile on X, previously known as Twitter, has a new setting on their account turned on by default, which enables others to call their profile. By doing so the caller can see their town, city or postcode.
The feature has caused concern among liberty groups and digital rights campaigners who say showing this information could be a âmatter of life or deathâ for vulnerable campaigners. The Open Rights Group and Big Brother Watch labelled the move by X as âextremely concerningâ and âa serious error of judgementâ regarding usersâ safety and privacy.
The Information Commissionerâs Office told i platforms were required to ensure personal information was protected and for users to be made aware of changes to their private data.
Xâs change reveals a userâs IP address when they are called. This is a unique set of numbers assigned to a device, like a phone or laptop, that is connected to the internet. Those numbers enable the device to communicate with the internet and include information, such as its physical location.
An IP address can reveal the town, city or postcode of a user. It can be used to find the exact address of individuals â a practice known as âdoxxingâ.
It is unclear when the new feature was rolled out across accounts. After searching on an archive of Xâs website, i found a âHelp Centreâ page detailing the update on 23 February. Five days later on 28 February, X announced the ability to make calls on the app but did not disclose that a personâs IP address would be visible.
Some users sought to let others know about the privacy issue through Xâs âcommunity notesâ feature, where accounts can highlight key information the original user has omitted in a post.
The function can be disabled, but some people have reported receiving an error message or having to try multiple times before the feature would turn off. It also appears it can only be disabled while using Xâs app, not on a desktop.
There is one barrier to who is able to call an X user on their profile. The platform states that a caller must have sent a message to the account at least once before. The audio feature was previously only available to premium users.
The real-world impact of this change is alarming, according to Mahsa Alimardani, a digital rights researcher at the Oxford Internet Institute.
She has closely monitored the use of social media in the recent Iranian protests against the government, when activists used anonymised accounts to publish videos, photos and posts from within the country to highlight how protesters were being silenced.
Ms Alimardani told i: âDespite a mass migration off of Twitter, most Iranians inside Iran are still using it for their activism, as are a lot of other community activist communities. This was just reckless behaviour from X for vulnerable users.
âIran has had massive crackdowns to really snuff out all the dissidents and activism, [including those on] Twitter anonymously posting against the regime. Weâve seen cyber army accounts dox activist accounts. They are putting a tonne of resources into locating and identifying people on this platform.
âNow having this feature, where they would be able to find this personâs IP address, is really making things easier for the regime.â
She added: âThis is a matter of life and death.â
Abby Burke, programme manager at Open Rights Group, a digital rights safeguarding group, echoed her concerns.
âItâs extremely concerning that X has rolled out a new feature that has serious implications for users privacy and security quietly, without making users aware of the changes.â
She added this change had come in the wake of X scrapping its content moderation teams and a rise in hate speech on the platform. âProfit is the motivating factor over user safety and security.â
Mark Johnson, advocacy manager at civil liberties group Big Brother Watch, said: âThis is a serious error of judgement from X, which could have major ramifications for people on the site who require privacy to ensure their safety and security.
âThe platform should reconsider the design of this new feature and ensure any system that facilitates calls via the site does so in a way which doesnât compromise the privacy of users.â
Pat de BrĂșn, head of big tech accountability at Amnesty International, said many human rights workers relied on X to document abuses and that âany moves by X that risk surreptitiously exposing the location of platform users are deeply alarming and should be revisited immediately to ensure compliance with human rights standardsâ.
The Information Commissionerâs Office, the government body looking at the use of private information and tasked with upholding information rights in the UK, said: âOnline platforms are required to take a âdata protection by designâ approach when introducing new features that might reveal personal data.
âAs part of this approach, platforms should put protections in place to minimise the amount of personal information surfaced to other users and people should be fully informed about the privacy impacts of these features.â
X did not respond to requests for comment.
How to turn the feature off
Go to the X app on your phone.
Go to your messages and tap the settings button.
Toggle the button to âoffâ (so it is not green) on the âEnable audio and video callingâ section.
If you encounter an error or glitch, some users have reported that closing and reopening the app works, while others have also had success when uninstalling and reinstalling the app.