X's new 'encrypted' XChat feature seems no more secure than the failure that came before it
- Reference: 1748973728
- News link: https://www.theregister.co.uk/2025/06/03/xs_new_encrypted_xchat_feature/
Dubbed "XChat" (not to be confused with the venerable Linux/Windows IRC app of the same name), Musk informally [1]announced the feature on Sunday, a few days after the company formerly known as Twitter [2]paused encryption on messaging to make "some improvements."
Musk's declaration, however, didn't reveal much about the nature of the changes, and has been enough to cause some encryption experts to doubt what was stated by the world's richest man.
"All new XChat is rolling out with encryption, vanishing messages and the ability to send any kind of file," Musk said in a tweet. "Also, audio/video calling."
"This is built on Rust with (Bitcoin style) encryption, whole new architecture," Musk added. And here's where the skeptics and cryptocurrency fans in the digital town square pounced: There ain't no encryption on the Bitcoin blockchain.
As reported by crypto news site [6]Coindesk, experts have been quick to point out that, while there's plenty of cryptography and digital signing involved in Bitcoin, the blockchain itself isn't encrypted, and there really isn't such a thing as "Bitcoin style encryption."
In other words, it's worth questioning whether XChat is going to be encrypted in the way most people think of encrypted chat: end-to-end encryption (E2EE) that renders messages completely unreadable to anyone who might happen to snoop on them, be it an illicit intermediary or the platform that hosts the messages itself. That's how Signal and Meta-owned WhatsApp work.
As was the case [8]in 2023, when then-Twitter first announced encrypted messages under owner Elon Musk, it doesn't appear that XChat will offer true E2EE. The [9]help page, which was updated with the launch of the service, still warns "currently, we do not offer protections against man-in-the-middle attacks" and says that Twitter itself, "as a result of a compulsory legal process," could compromise so-called encrypted DMs on the platform without the sender or receiver being aware.
The help page does say that messages are stored on X infrastructure in an encrypted format, and are only decrypted once received "so that they can be read by the user." That sounds a lot like E2EE, but it's crucial to note that the old version of the encrypted DM help page said the same thing, followed by that "we-can-still-read-your-messages" warning, so take that with a grain of salt. Perhaps the details will become clearer once X releases a whitepaper and open-sources its implementation of XChat, as it promised to do "later this year."
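What a missing man-in-the-middle protection means in practice, as an added example (not code from X or from the article): a server that relays public keys without authentication can hand each side its own key, and only an out-of-band fingerprint comparison exposes the swap. The toy Diffie-Hellman group, `run_exchange` and `safety_number` are assumptions made for illustration and say nothing about how XChat is built.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, for illustration only (assumption, not X's scheme).
# Real messengers use a vetted primitive such as X25519.
P = 2**521 - 1   # Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, their_pub):
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def safety_number(pub_a, pub_b):
    """Order-independent fingerprint of both public keys, compared out of band."""
    material = b"".join(k.to_bytes(66, "big") for k in sorted((pub_a, pub_b)))
    return hashlib.sha256(material).hexdigest()[:20]

def run_exchange(relay_substitutes_keys):
    a_priv, a_pub = keypair()      # Alice
    b_priv, b_pub = keypair()      # Bob
    s_priv, s_pub = keypair()      # key pair held by the relaying server
    # What each client is told is "the other party's public key".
    seen_by_alice = s_pub if relay_substitutes_keys else b_pub
    seen_by_bob = s_pub if relay_substitutes_keys else a_pub
    k_alice = session_key(a_priv, seen_by_alice)
    k_bob = session_key(b_priv, seen_by_bob)
    alice_view = safety_number(a_pub, seen_by_alice)
    bob_view = safety_number(seen_by_bob, b_pub)
    return {
        "keys_match": k_alice == k_bob,
        # Can the server derive the key Alice encrypts with?
        "server_holds_alice_key": session_key(s_priv, a_pub) == k_alice,
        "fingerprints_match": alice_view == bob_view,
    }

if __name__ == "__main__":
    print("honest relay:     ", run_exchange(False))
    print("substituted keys: ", run_exchange(True))
```

With substituted keys both users still see a working "encrypted" chat; the only observable difference is that the fingerprints they would read to each other no longer agree.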
Safety not guaranteed
Skeptics about the new XChat's privacy include Matthew Hodgson, the co-founder and CEO of encrypted messaging platform Element, used by the US military, NATO, the United Nations, and other highly secure organizations.
"XChat looks to be just another centralized platform where users have zero control over their data," Hodgson said in a statement emailed to The Register. "Elon Musk says it's 'encrypted' but offers no technical transparency, no audits, no open source, just vague references to Bitcoin-style architecture."
Hodgson referred to allegations that Musk's [15]position at DOGE potentially gave him access to sensitive government data and the personal information of US citizens, as well as [16]reports claiming the social media platform formerly known as Twitter had collected more data than necessary. He claims both are reasons to question whether XChat is anywhere near as safe to use as Musk claims.
"Such actions highlight a pattern of data handling that prioritizes X rather than its users," Hodgson said. Anything less than "open protocols, transparency and decentralization," said the Element chief, "is just marketing."
We've reached out to X to get more details on the nature of XChat, but didn't immediately hear back. ®
[1] https://x.com/elonmusk/status/1929238157872312773
[2] https://x.com/XEng/status/1927826425173696988
[6] https://www.coindesk.com/tech/2025/06/02/elon-musk-announces-xchat-with-bitcoin-style-encryption-tech-experts-raise-questions
[8] https://www.theregister.com/2023/05/10/twitter_adds_new_dm_features/
[9] https://help.x.com/en/using-x/encrypted-direct-messages
[15] https://www.theregister.com/2025/04/17/whistleblower_nlrb_doge/
[16] https://www.theregister.com/2024/09/19/social_media_data_harvesting_handling_ftc/
Re: Blockchain
More subtle than that, and he isn't keeping it a secret (at least, that will be his excuse - "We told you from the start")
> "Bitcoin style encryption."
As we all know, the closest the blockchain gets to encryption is the work involved in the hashing of the blocks, which is supposed to be a one-way calculation and proof that the copy of the chain you hold hasn't been tampered with. At least, as agreed by a quorum of all the miners*. Hence the issue with the 51% attack: if you hold 51% of whichever mechanism is being used (proof-of-whatever) then you can modify the contents of the blocks, recalculate the chain and everyone else will take your copy as Truth. The Bitcoin (or other) blockchain is an Immutable Ledger, but only for certain values of "immutable".
So we are being told that not only will your chat history be capable of being made public (at Twitter's discretion - oops, I mean when Twitter responds to a legitimate request from "an authority") it will do so with proof that that IS what you said because, look, our crypto-quality hashes can't be wrong, anyone can verify them. As if they were on "the Bitcoin blockchain". Only, cough, a certain someone happens to hold control over this particular "chain" and it might get recalculated once we have corrected your posts to show our Preferred Truth about what you said.
* Description courtesy of Really Quick And Shoddy Explanations Inc, on the basis that if you, gentle reader, do know how blockchain works then you don't need anything better to follow what I'm trying to say. And if you don't know how it works I'm not going to be able to explain it all in one comment. Either way, just go with me here.
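Added example, not part of the comment above and not X's code: a hash chain over a chat log is tamper-evident only against parties who cannot rebuild it. The chain layout, the sample messages and the `witnessed_head` copy held by an independent party are all assumptions constructed for illustration.

```python
import hashlib

GENESIS = "0" * 64

def link_hash(prev_hash, message):
    return hashlib.sha256((prev_hash + "\n" + message).encode()).hexdigest()

def build_chain(messages):
    chain, prev = [], GENESIS
    for msg in messages:
        prev = link_hash(prev, msg)
        chain.append({"message": msg, "hash": prev})
    return chain

def internally_consistent(chain):
    """Every entry's hash matches its message and the previous hash."""
    prev = GENESIS
    for entry in chain:
        if link_hash(prev, entry["message"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def matches_witness(chain, witnessed_head):
    """Consistent AND ending at a head hash recorded earlier by someone else."""
    return internally_consistent(chain) and chain[-1]["hash"] == witnessed_head

def demo():
    original = build_chain(["hi", "meet at 6", "ok"])   # constructed sample log
    witnessed_head = original[-1]["hash"]               # copy outside the operator's control
    # Case 1: one message edited, hashes left alone.
    edited = [dict(entry) for entry in original]
    edited[1]["message"] = "meet at 9"
    # Case 2: the sole operator rebuilds the whole chain around the edit.
    rebuilt = build_chain(["hi", "meet at 9", "ok"])
    return {
        "edited_consistent": internally_consistent(edited),
        "rebuilt_consistent": internally_consistent(rebuilt),
        "rebuilt_matches_witness": matches_witness(rebuilt, witnessed_head),
        "original_matches_witness": matches_witness(original, witnessed_head),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The rebuilt chain passes every internal check; only the independently held head hash distinguishes it from the original, which is the role distributed consensus plays for a public blockchain.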
Probably by "Bitcoin-style encryption" Musk meant...
UHJvYmFibHkgYnkgIkJpdGNvaW4tc3R5bGUgZW5jcnlwdGlvbiIgTXVzayBtZWFudCBNSU1FIGVuY29kaW5nLg==
Would Elon do that?
Would he just tell lies?
Re: Would Elon do that?
Yes.
In related news ursine defaecation is observed in arboreal regions, and the Pope's religious affiliation is seen to be strongly Catholic...
"This is built on Rust with (Bitcoin style) encryption, whole new architecture"
My mind keeps trying to fit that to Gangnam Style.
'Rust with Bitcoin Style
Bitcoin Style
Whole new Architecture...
Rust with Bitcoin Style...'
I believe there's a reference to a horse in the Gangnam Style video as well.
It's Musk: by "encrypted" he means they used https...
For it to be E2E, the key would have to be stored in the client and nowhere else. So if you can read DMs on the web and the mobile app, chances are it's not E2E. There are ways around that, but those ways mean they can probably retrieve the key. (Or have I missed something?)
Re: It's Musk: by "encrypted" he means they used https...
I think you are conflating your terminology - WhatsApp has a Web client and mobile app clients and they all use E2EE for DMs (but not group chats).
You’re not wrong about Musk though.
Re: It's Musk: by "encrypted" he means they used https...
I've just tried WhatsApp's web client. I had to explicitly link my phone to the web client, which involved menu options on my mobile and scanning QR codes. That, presumably, handles the key transfer necessary for E2E, and it required my explicit authorisation for it to happen.
But, last time I used Twitter, you could log in via web or mobile app using the same account + password, and DMs would just work. No explicit key transfer was necessary. So any encryption either has the key stored on their server, or can be transferred from one client to another without your express authorisation. Unless that model has changed, there's no security.
I wonder
Will even MAGA people who are now big Musk fans trust him on this and be willing to follow him down his "everything app" train, even making purchases or doing banking with "X"?
I'm skeptical. I think they like him because he's willing to spend money on helping get republicans elected, mostly says the "right things", they see what he did with DOGE as mostly good. But I don't think they truly TRUST him the way they trust people who have been MAGA since Trump's first term. He knows he has zero chance of getting anyone on the left to trust his encrypted chat, let alone trust him with their banking, so in order to make his dream come true he has to get the MAGA people to want an X "everything app" en masse. I just don't see it. I think he's wasting a ton of time on this strange obsession of his.
Re: I wonder
He's desperately trying to prove that he's the smartest man in the world but all he's really doing is making himself look very dumb.
Blockchain
Does it mean all chat history of everyone is publicly available?