×
X is now offering me end-to-end encrypted chat. You probably shouldn’t trust it yet. | TechCrunch

X is now offering me end-to-end encrypted chat. You probably shouldn’t trust it yet. | TechCrunch

X, formerly Twitter, has started rolling out its new encrypted messaging feature called “Chat” or “XChat.” 

The company claims the new communication feature is end-to-end encrypted, meaning messages exchanged on it can only be read by the sender and their receiver, and — in theory — no one else, including X, can access them. 

Cryptography experts, however, are warning that X’s current implementation of encryption in XChat should not be trusted. They’re saying it’s far worse than Signal, a technology widely considered the state of the art when it comes to end-to-end encrypted chat. 

In XChat, once a user clicks on “Set up now,” X prompts them to create a 4-digit PIN, which will be used to encrypt the user’s private key. This key is then stored on X’s servers. The private key is essentially a secret cryptographic key assigned to each user, serving the purpose of decrypting messages. As in many end-to-end encrypted services, a private key is paired with a public key, which is what a sender uses to encrypt messages to the receiver. 

This is the first red flag for XChat. Signal stores a user’s private key on their device, not on its servers. How and where exactly the private keys are stored on the X servers is also important. 

Matthew Garrett, a security researcher who published a blog post about XChat in June, when X announced the new service and slowly started rolling it out, wrote that if the company doesn’t use what are called Hardware Security Modules, or HSMs, to store the keys, then the company could tamper with the keys and potentially decrypt messages. HSMs are servers made specifically to make it harder for the company that owns them to access the data inside. 

An X engineer said in a post in June that the company does use HSMs, but neither he nor the company has provided any proof so far. “Until that’s done, this is ‘trust us, bro’ territory,” Garrett told TechCrunch. 

The second red flag, which X itself admits in the X Chat support page, is that the current implementation of the service could allow “a malicious insider or X itself” to compromise encrypted conversations.

This is what is technically called an “adversary-in-the-middle, or AITM attack. That makes the whole point of an end-to-end encrypted messaging platform moot. 

Garret said that X “gives you the public key whenever you communicate with them, so even if they’ve implemented this properly, you can’t prove they haven’t made up a new key,” and performed an AITM attack. 

Another red flag is that none of XChat’s implementation, at this point, is open source, unlike Signal’s, which is openly documented in detail. X says it aims to “open source our implementation and describe the encryption technology in depth through a technical whitepaper later this year.”

Finally, X doesn’t offer “Perfect Forward Secrecy,” a cryptographic mechanism by which every new message is encrypted with a different key, which means that if an attacker compromises the user’s private key, they can only decrypt the last message, and not all the preceding ones. The company itself also admits this shortcoming. 

As a result, Garrett doesn’t think XChat is at a point where users should trust it just yet. 

“If everyone involved is fully trustworthy, the X implementation is technically worse than Signal,” Garrett told TechCrunch. “And even if they were fully trustworthy to start with, they could stop being trustworthy and compromise trust in multiple ways […] If they were either untrustworthy or incompetent during initial implementation, it’s impossible to demonstrate that there’s any security at all.”

Garrett isn’t the only expert raising concerns. Matthew Green, a cryptography expert who teaches at Johns Hopkins University, agrees. 

“For the moment, until it gets a full audit by someone reputable, I would not trust this any more than I trust current unencrypted DMs,” Green told TechCrunch.  (XChat is a separate feature that lives, at least for now, along with the legacy Direct Messages.)

X did not respond to several questions sent to its press email address.

Source link
#offering #endtoend #encrypted #chat #shouldnt #trust #TechCrunch

However, the images and audio might not be directly available to the user. Here’s how the FT describes one way the glasses could use the data:

In one proposed system, raw footage and audio would not be stored by Meta or made available to the user, several people said. Instead, the metadata from that audio and images would be extracted and uploaded to the server for Meta’s AI to query, which proponents argue would have fewer privacy implications.

But currently, Meta is planning for the LED recording indicator to remain off in “super sensing” mode, the FT reports. In a July 2025 whitepaper, the company said that it would reserve the LED indicator for “active capture” scenarios where the user is saving photos or videos, and leave it off during “AI Feature” use — such as scanning a menu — to avoid users becoming too used to the indicator. (If the indicator was on during the “super sensing” mode, it might also be harder to know when the glasses are actually recording video.)

Meta is also discussing if it would use the captured data for training its AI models. It may also bring the “super sensing” features to glasses it has already released, the FT says.

“While we don’t comment on internal prototypes, we’re committed to getting our glasses right because they need to be loved by both people wearing them and those around them,” Meta spokesperson Dave Arnold says in a statement to The Verge. Arnold also notes that “Our approach has been to develop new technologies that will help people throughout their day, with privacy built in from the ground up.”

Meta hasn’t been shy about some type of always-aware glasses being a possibility. CEO Mark Zuckerberg, in the company’s Q1 2026 earnings call, said that he was “really excited to see the glasses evolve from being able to answer questions to being able to be a personal agent that’s with you all day long, helping you remember things and achieve your goals.” In a March blog post about new Ray-Ban Meta glasses, the company wrote that “with ongoing software updates, Meta AI on glasses will transition from something you have to prompt with a question each time, to a more continuous, in-the-moment assistant that can help throughout the day.”

#Meta #reportedly #working #smart #glasses #recording #timeGadgets,Meta,News,Privacy,Tech,Wearable">Meta is reportedly working on smart glasses that would be recording all the timeMeta might be the next company to make an always-on AI wearable. The company is working on prototype “super sensing” always-aware smart glasses that could continuously record audio and snap photos “every few seconds,” according to the Financial Times. The wearer could then ask Meta AI about the captured audio and images.However, the images and audio might not be directly available to the user. Here’s how the FT describes one way the glasses could use the data:In one proposed system, raw footage and audio would not be stored by Meta or made available to the user, several people said. Instead, the metadata from that audio and images would be extracted and uploaded to the server for Meta’s AI to query, which proponents argue would have fewer privacy implications.But currently, Meta is planning for the LED recording indicator to remain off in “super sensing” mode, the FT reports. In a July 2025 whitepaper, the company said that it would reserve the LED indicator for “active capture” scenarios where the user is saving photos or videos, and leave it off during “AI Feature” use — such as scanning a menu — to avoid users becoming too used to the indicator. (If the indicator was on during the “super sensing” mode, it might also be harder to know when the glasses are actually recording video.)Meta is also discussing if it would use the captured data for training its AI models. It may also bring the “super sensing” features to glasses it has already released, the FT says.“While we don’t comment on internal prototypes, we’re committed to getting our glasses right because they need to be loved by both people wearing them and those around them,” Meta spokesperson Dave Arnold says in a statement to The Verge. Arnold also notes that “Our approach has been to develop new technologies that will help people throughout their day, with privacy built in from the ground up.”Meta hasn’t been shy about some type of always-aware glasses being a possibility. CEO Mark Zuckerberg, in the company’s Q1 2026 earnings call, said that he was “really excited to see the glasses evolve from being able to answer questions to being able to be a personal agent that’s with you all day long, helping you remember things and achieve your goals.” In a March blog post about new Ray-Ban Meta glasses, the company wrote that “with ongoing software updates, Meta AI on glasses will transition from something you have to prompt with a question each time, to a more continuous, in-the-moment assistant that can help throughout the day.”#Meta #reportedly #working #smart #glasses #recording #timeGadgets,Meta,News,Privacy,Tech,Wearable

according to the Financial Times. The wearer could then ask Meta AI about the captured audio and images.

However, the images and audio might not be directly available to the user. Here’s how the FT describes one way the glasses could use the data:

In one proposed system, raw footage and audio would not be stored by Meta or made available to the user, several people said. Instead, the metadata from that audio and images would be extracted and uploaded to the server for Meta’s AI to query, which proponents argue would have fewer privacy implications.

But currently, Meta is planning for the LED recording indicator to remain off in “super sensing” mode, the FT reports. In a July 2025 whitepaper, the company said that it would reserve the LED indicator for “active capture” scenarios where the user is saving photos or videos, and leave it off during “AI Feature” use — such as scanning a menu — to avoid users becoming too used to the indicator. (If the indicator was on during the “super sensing” mode, it might also be harder to know when the glasses are actually recording video.)

Meta is also discussing if it would use the captured data for training its AI models. It may also bring the “super sensing” features to glasses it has already released, the FT says.

“While we don’t comment on internal prototypes, we’re committed to getting our glasses right because they need to be loved by both people wearing them and those around them,” Meta spokesperson Dave Arnold says in a statement to The Verge. Arnold also notes that “Our approach has been to develop new technologies that will help people throughout their day, with privacy built in from the ground up.”

Meta hasn’t been shy about some type of always-aware glasses being a possibility. CEO Mark Zuckerberg, in the company’s Q1 2026 earnings call, said that he was “really excited to see the glasses evolve from being able to answer questions to being able to be a personal agent that’s with you all day long, helping you remember things and achieve your goals.” In a March blog post about new Ray-Ban Meta glasses, the company wrote that “with ongoing software updates, Meta AI on glasses will transition from something you have to prompt with a question each time, to a more continuous, in-the-moment assistant that can help throughout the day.”

#Meta #reportedly #working #smart #glasses #recording #timeGadgets,Meta,News,Privacy,Tech,Wearable">Meta is reportedly working on smart glasses that would be recording all the time

Meta might be the next company to make an always-on AI wearable. The company is working on prototype “super sensing” always-aware smart glasses that could continuously record audio and snap photos “every few seconds,” according to the Financial Times. The wearer could then ask Meta AI about the captured audio and images.

However, the images and audio might not be directly available to the user. Here’s how the FT describes one way the glasses could use the data:

In one proposed system, raw footage and audio would not be stored by Meta or made available to the user, several people said. Instead, the metadata from that audio and images would be extracted and uploaded to the server for Meta’s AI to query, which proponents argue would have fewer privacy implications.

But currently, Meta is planning for the LED recording indicator to remain off in “super sensing” mode, the FT reports. In a July 2025 whitepaper, the company said that it would reserve the LED indicator for “active capture” scenarios where the user is saving photos or videos, and leave it off during “AI Feature” use — such as scanning a menu — to avoid users becoming too used to the indicator. (If the indicator was on during the “super sensing” mode, it might also be harder to know when the glasses are actually recording video.)

Meta is also discussing if it would use the captured data for training its AI models. It may also bring the “super sensing” features to glasses it has already released, the FT says.

“While we don’t comment on internal prototypes, we’re committed to getting our glasses right because they need to be loved by both people wearing them and those around them,” Meta spokesperson Dave Arnold says in a statement to The Verge. Arnold also notes that “Our approach has been to develop new technologies that will help people throughout their day, with privacy built in from the ground up.”

Meta hasn’t been shy about some type of always-aware glasses being a possibility. CEO Mark Zuckerberg, in the company’s Q1 2026 earnings call, said that he was “really excited to see the glasses evolve from being able to answer questions to being able to be a personal agent that’s with you all day long, helping you remember things and achieve your goals.” In a March blog post about new Ray-Ban Meta glasses, the company wrote that “with ongoing software updates, Meta AI on glasses will transition from something you have to prompt with a question each time, to a more continuous, in-the-moment assistant that can help throughout the day.”

#Meta #reportedly #working #smart #glasses #recording #timeGadgets,Meta,News,Privacy,Tech,Wearable
Truecaller has opened a public fight with India’s telecom regulator over rules governing caller ID apps, saying the country’s anti-spam framework is making it harder to protect consumers from unwanted calls in its biggest market.

On Wednesday, CEO Rishit Jhunjhunwala (pictured above) took to X to publicly challenge the Telecom Regulatory Authority of India (TRAI), accusing the watchdog of preventing Truecaller from displaying community-reported spam information for calls from the country’s dedicated 1400 and 1600 number series, a restriction he said had enabled abuse of those numbers and eroded trust in legitimate business calls.

The dispute stems from a framework introduced in 2024 under which India’s telecom authorities designated the 1400 and 1600 number series for commercial communications, with businesses using the former for telemarketing calls and the latter for service- and transaction-related calls. TRAI later mandated the migration to the dedicated numbering series, saying the move would help consumers identify legitimate business communications and curb spam and scam calls.

The framework was rolled out amid growing concerns over spam and scam calls in India, one of the world’s largest telecom markets, where regulators and telecom operators have rolled out multiple measures to curb fraudulent communications. Last year, the Indian communications ministry said authorities disconnected more than 2.1 million fraudulent mobile numbers and took action against more than 100,000 entities over the preceding year, underscoring the scale of the challenge.

Jhunjhunwala argued the policy has produced unintended consequences. Citing internal company data, he said consumers have increasingly lost trust in the designated number series, with Truecaller users ignoring 81% of calls from the 1400 series and 79% from the 1600 series over the past eight months. During the same period, users manually blocked 74 million calls from the two number series, while daily blocking actions against 1600-series numbers have more than tripled since October 2025, he said.

Unable to mark those numbers as spam, Truecaller instead introduced a “Frequently Blocked” badge to alert users when a number from the designated series has been blocked by many people.

The unusually public criticism came after Indian business daily The Economic Times reported that TRAI had sought powers under India’s Information Technology Act to take action against caller ID apps such as Truecaller, Hiya, and Whoscall for labeling numbers from the designated 1400 and 1600 series as spam.

TRAI and India’s Ministry of Electronics and Information Technology, which would consider any such proposal, did not immediately respond to requests for comment.

The dispute comes at a pivotal time for Truecaller, whose core caller ID business has been facing growing regulatory and competitive pressures as the company expands into new products and services. India remains its largest market by a wide margin, with more than 350 million of its 500 million monthly active users based in the country, according to the company.

Jhunjhunwala said Truecaller would share its data with the Indian IT ministry as part of the regulatory process, arguing that any decision on caller ID apps should be evidence-based.

“Penalize the bad actors, not the ones like Truecaller that make a significant positive impact,” he wrote.

When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.

#Truecaller #clashes #Indias #telecom #regulator #antispam #rules #TechCrunchTruecaller,MeitY,TRAI">Truecaller clashes with India’s telecom regulator over anti-spam rules | TechCrunch
Truecaller has opened a public fight with India’s telecom regulator over rules governing caller ID apps, saying the country’s anti-spam framework is making it harder to protect consumers from unwanted calls in its biggest market.

On Wednesday, CEO Rishit Jhunjhunwala (pictured above) took to X to publicly challenge the Telecom Regulatory Authority of India (TRAI), accusing the watchdog of preventing Truecaller from displaying community-reported spam information for calls from the country’s dedicated 1400 and 1600 number series, a restriction he said had enabled abuse of those numbers and eroded trust in legitimate business calls.







The dispute stems from a framework introduced in 2024 under which India’s telecom authorities designated the 1400 and 1600 number series for commercial communications, with businesses using the former for telemarketing calls and the latter for service- and transaction-related calls. TRAI later mandated the migration to the dedicated numbering series, saying the move would help consumers identify legitimate business communications and curb spam and scam calls.

The framework was rolled out amid growing concerns over spam and scam calls in India, one of the world’s largest telecom markets, where regulators and telecom operators have rolled out multiple measures to curb fraudulent communications. Last year, the Indian communications ministry said authorities disconnected more than 2.1 million fraudulent mobile numbers and took action against more than 100,000 entities over the preceding year, underscoring the scale of the challenge.

Jhunjhunwala argued the policy has produced unintended consequences. Citing internal company data, he said consumers have increasingly lost trust in the designated number series, with Truecaller users ignoring 81% of calls from the 1400 series and 79% from the 1600 series over the past eight months. During the same period, users manually blocked 74 million calls from the two number series, while daily blocking actions against 1600-series numbers have more than tripled since October 2025, he said.

Unable to mark those numbers as spam, Truecaller instead introduced a “Frequently Blocked” badge to alert users when a number from the designated series has been blocked by many people.

The unusually public criticism came after Indian business daily The Economic Times reported that TRAI had sought powers under India’s Information Technology Act to take action against caller ID apps such as Truecaller, Hiya, and Whoscall for labeling numbers from the designated 1400 and 1600 series as spam.


TRAI and India’s Ministry of Electronics and Information Technology, which would consider any such proposal, did not immediately respond to requests for comment.

The dispute comes at a pivotal time for Truecaller, whose core caller ID business has been facing growing regulatory and competitive pressures as the company expands into new products and services. India remains its largest market by a wide margin, with more than 350 million of its 500 million monthly active users based in the country, according to the company.

Jhunjhunwala said Truecaller would share its data with the Indian IT ministry as part of the regulatory process, arguing that any decision on caller ID apps should be evidence-based.







“Penalize the bad actors, not the ones like Truecaller that make a significant positive impact,” he wrote.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.#Truecaller #clashes #Indias #telecom #regulator #antispam #rules #TechCrunchTruecaller,MeitY,TRAI

took to X to publicly challenge the Telecom Regulatory Authority of India (TRAI), accusing the watchdog of preventing Truecaller from displaying community-reported spam information for calls from the country’s dedicated 1400 and 1600 number series, a restriction he said had enabled abuse of those numbers and eroded trust in legitimate business calls.

The dispute stems from a framework introduced in 2024 under which India’s telecom authorities designated the 1400 and 1600 number series for commercial communications, with businesses using the former for telemarketing calls and the latter for service- and transaction-related calls. TRAI later mandated the migration to the dedicated numbering series, saying the move would help consumers identify legitimate business communications and curb spam and scam calls.

The framework was rolled out amid growing concerns over spam and scam calls in India, one of the world’s largest telecom markets, where regulators and telecom operators have rolled out multiple measures to curb fraudulent communications. Last year, the Indian communications ministry said authorities disconnected more than 2.1 million fraudulent mobile numbers and took action against more than 100,000 entities over the preceding year, underscoring the scale of the challenge.

Jhunjhunwala argued the policy has produced unintended consequences. Citing internal company data, he said consumers have increasingly lost trust in the designated number series, with Truecaller users ignoring 81% of calls from the 1400 series and 79% from the 1600 series over the past eight months. During the same period, users manually blocked 74 million calls from the two number series, while daily blocking actions against 1600-series numbers have more than tripled since October 2025, he said.

Unable to mark those numbers as spam, Truecaller instead introduced a “Frequently Blocked” badge to alert users when a number from the designated series has been blocked by many people.

The unusually public criticism came after Indian business daily The Economic Times reported that TRAI had sought powers under India’s Information Technology Act to take action against caller ID apps such as Truecaller, Hiya, and Whoscall for labeling numbers from the designated 1400 and 1600 series as spam.

TRAI and India’s Ministry of Electronics and Information Technology, which would consider any such proposal, did not immediately respond to requests for comment.

The dispute comes at a pivotal time for Truecaller, whose core caller ID business has been facing growing regulatory and competitive pressures as the company expands into new products and services. India remains its largest market by a wide margin, with more than 350 million of its 500 million monthly active users based in the country, according to the company.

Jhunjhunwala said Truecaller would share its data with the Indian IT ministry as part of the regulatory process, arguing that any decision on caller ID apps should be evidence-based.

“Penalize the bad actors, not the ones like Truecaller that make a significant positive impact,” he wrote.

When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.

#Truecaller #clashes #Indias #telecom #regulator #antispam #rules #TechCrunchTruecaller,MeitY,TRAI">Truecaller clashes with India’s telecom regulator over anti-spam rules | TechCrunch

Truecaller has opened a public fight with India’s telecom regulator over rules governing caller ID apps, saying the country’s anti-spam framework is making it harder to protect consumers from unwanted calls in its biggest market.

On Wednesday, CEO Rishit Jhunjhunwala (pictured above) took to X to publicly challenge the Telecom Regulatory Authority of India (TRAI), accusing the watchdog of preventing Truecaller from displaying community-reported spam information for calls from the country’s dedicated 1400 and 1600 number series, a restriction he said had enabled abuse of those numbers and eroded trust in legitimate business calls.

The dispute stems from a framework introduced in 2024 under which India’s telecom authorities designated the 1400 and 1600 number series for commercial communications, with businesses using the former for telemarketing calls and the latter for service- and transaction-related calls. TRAI later mandated the migration to the dedicated numbering series, saying the move would help consumers identify legitimate business communications and curb spam and scam calls.

The framework was rolled out amid growing concerns over spam and scam calls in India, one of the world’s largest telecom markets, where regulators and telecom operators have rolled out multiple measures to curb fraudulent communications. Last year, the Indian communications ministry said authorities disconnected more than 2.1 million fraudulent mobile numbers and took action against more than 100,000 entities over the preceding year, underscoring the scale of the challenge.

Jhunjhunwala argued the policy has produced unintended consequences. Citing internal company data, he said consumers have increasingly lost trust in the designated number series, with Truecaller users ignoring 81% of calls from the 1400 series and 79% from the 1600 series over the past eight months. During the same period, users manually blocked 74 million calls from the two number series, while daily blocking actions against 1600-series numbers have more than tripled since October 2025, he said.

Unable to mark those numbers as spam, Truecaller instead introduced a “Frequently Blocked” badge to alert users when a number from the designated series has been blocked by many people.

The unusually public criticism came after Indian business daily The Economic Times reported that TRAI had sought powers under India’s Information Technology Act to take action against caller ID apps such as Truecaller, Hiya, and Whoscall for labeling numbers from the designated 1400 and 1600 series as spam.

TRAI and India’s Ministry of Electronics and Information Technology, which would consider any such proposal, did not immediately respond to requests for comment.

The dispute comes at a pivotal time for Truecaller, whose core caller ID business has been facing growing regulatory and competitive pressures as the company expands into new products and services. India remains its largest market by a wide margin, with more than 350 million of its 500 million monthly active users based in the country, according to the company.

Jhunjhunwala said Truecaller would share its data with the Indian IT ministry as part of the regulatory process, arguing that any decision on caller ID apps should be evidence-based.

“Penalize the bad actors, not the ones like Truecaller that make a significant positive impact,” he wrote.

When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.

#Truecaller #clashes #Indias #telecom #regulator #antispam #rules #TechCrunchTruecaller,MeitY,TRAI

Post Comment