X Offers End-to-End Encrypted Chats: Trust Concerns Linger

X (formerly Twitter) logo on a cracked wall

X (formerly Twitter) has introduced a new feature called XChat, which promises end-to-end encrypted messaging for its users. The intended benefit is that only the conversation participants can read their messages—locking out everyone else, even X itself. But prominent security experts caution users to hold back their trust, citing several implementation shortcomings and red flags.

How XChat Encryption Actually Works

XChat requires users to set a 4-digit PIN. A key derived from that PIN encrypts the user's private cryptographic key, and X stores the encrypted private key on its own servers rather than only on the user's device, which is the opposite of how state-of-the-art encrypted apps such as Signal handle it. The private key is what decrypts incoming messages, so whoever can recover it can read the conversation. A 4-digit PIN has only 10,000 possible values, so the protection it adds depends entirely on something limiting how many guesses can be made against the stored key. Signal's device-only key storage dramatically reduces the risk of unauthorized access; X's design means the wrapped keys sit on infrastructure X controls.

Security researcher Matthew Garrett points out that unless X keeps these keys inside specialized hardware called Hardware Security Modules (HSMs), insiders at the company could tamper with keys and decrypt user chats. The relevant property of an HSM here is that the wrapped key never leaves the device and the device can enforce a limit on wrong PIN attempts; without such a hardware-enforced limit, an insider with a copy of the stored keys can simply try all 10,000 PINs offline. An X engineer has claimed that HSMs are used, but no evidence or technical documentation has been published so far.
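To make the PIN point concrete, here is an added toy model, not XChat's code (X has published nothing about its actual wrapping scheme), of a private key encrypted under a 4-digit PIN, stored server-side, and brute-forced by an insider. The wrapping cipher, the KDF parameters, the example PIN and the RateLimitedUnwrapper class that stands in for an HSM's attempt limit are all constructed for illustration:

```python
"""Added toy model of a PIN-wrapped private key held on a server, and of the
difference an attempt-limiting HSM makes. This is not XChat's actual scheme:
the wrapping cipher, the KDF parameters and the PIN are all constructed here."""
import hashlib
import hmac
import os
import secrets

PIN_DIGITS = 4
KDF_ITERATIONS = 1_000   # kept low so the brute force below runs in seconds
TAG_LEN = 32


def _derive(pin: str, salt: bytes):
    kek = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, 64)
    return kek[:32], kek[32:]   # (keystream key, MAC key)


def wrap_key(private_key: bytes, pin: str, salt: bytes) -> bytes:
    """Encrypt a private key (up to 32 bytes) under the PIN, stdlib only: PBKDF2
    for the key, an HMAC-SHA256 keystream for confidentiality, an HMAC tag for
    integrity so a wrong PIN is detected instead of yielding garbage."""
    stream_key, mac_key = _derive(pin, salt)
    keystream = hmac.new(stream_key, b"wrap", hashlib.sha256).digest()
    if len(private_key) > len(keystream):
        raise ValueError("toy wrapper handles keys up to 32 bytes")
    ct = bytes(a ^ b for a, b in zip(private_key, keystream))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unwrap_key(blob: bytes, pin: str, salt: bytes):
    """Return the private key, or None if the PIN is wrong (tag does not verify)."""
    stream_key, mac_key = _derive(pin, salt)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        return None
    keystream = hmac.new(stream_key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, keystream))


def offline_brute_force(blob: bytes, salt: bytes):
    """An insider holding a dump of the wrapped-key table, with nothing enforcing
    an attempt limit, just tries every PIN. A slower KDF multiplies the cost by a
    constant; 10**PIN_DIGITS guesses stays cheap at any realistic setting."""
    for n in range(10 ** PIN_DIGITS):
        pin = f"{n:0{PIN_DIGITS}d}"
        key = unwrap_key(blob, pin, salt)
        if key is not None:
            return pin, key
    return None, None


class RateLimitedUnwrapper:
    """Model of what an HSM adds: the blob never leaves the device, every unwrap
    goes through it, and a few wrong PINs destroy the key."""

    def __init__(self, blob: bytes, salt: bytes, max_attempts: int = 10):
        self._blob, self._salt = blob, salt
        self.attempts_left = max_attempts

    def unwrap(self, pin: str):
        if self.attempts_left <= 0:
            raise PermissionError("key destroyed after too many wrong PINs")
        key = unwrap_key(self._blob, pin, self._salt)
        if key is None:
            self.attempts_left -= 1
        return key


def online_brute_force(enforcer: RateLimitedUnwrapper):
    """The same guessing loop, but only through the attempt-limited path."""
    for n in range(10 ** PIN_DIGITS):
        try:
            key = enforcer.unwrap(f"{n:0{PIN_DIGITS}d}")
        except PermissionError:
            return None
        if key is not None:
            return key
    return None


def demo():
    private_key = secrets.token_bytes(32)   # stands in for a real decryption key
    salt = os.urandom(16)
    pin = "1234"                            # constructed example PIN
    blob = wrap_key(private_key, pin, salt)
    offline_pin, offline_key = offline_brute_force(blob, salt)
    online_key = online_brute_force(RateLimitedUnwrapper(blob, salt, max_attempts=10))
    return {
        "offline_pin": offline_pin,
        "offline_key_recovered": offline_key == private_key,
        "online_key_recovered": online_key == private_key,
    }


if __name__ == "__main__":
    print(demo())
```

The iteration count is kept low so the loop finishes quickly; raising it to a production value only multiplies the attacker's cost by a constant, because 10,000 guesses is the entire key space. What changes the picture is the second path, where the wrapped key never leaves an enforcer that counts failures and destroys the key after a handful of them. That is the role an HSM would play if X's claim about using them holds up, and it is why the claim matters.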

Critical Flaws: Red Flags You Should Know

There are several reasons experts are sounding the alarm:

  • Key Control: X distributes the public keys users need to encrypt to each other, but there is no way for a user to verify that X has not substituted a key of its own to intercept a conversation, the classic "adversary-in-the-middle" (AITM) attack. Apps such as Signal expose key fingerprints (safety numbers) so the two parties can compare them over a separate channel; XChat offers no such check.
  • Lack of Transparency: XChat’s implementation is not open source and lacks independent security reviews. In contrast, apps like Signal maintain open, peer-reviewed protocols documented in detail.
  • Perfect Forward Secrecy Absent: If a private key is compromised on XChat, messages already exchanged can be decrypted, because the same long-term key protects all of them. Competing apps implement perfect forward secrecy by deriving a fresh key for each message from short-lived keys that are discarded after use, so a later key compromise exposes at most the most recent messages, not the history.
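The first and third items above can be shown with a toy protocol. The following is an added example, not XChat's or Signal's protocol: a key directory that silently substitutes a public key, an out-of-band fingerprint check that catches it, and a per-message key with and without a forward-secrecy term. The 127-bit Diffie-Hellman group, the fingerprint format, the KeyServer class and the names Alice, Bob and Mallory are all constructed for illustration:

```python
"""Added toy demonstration of key substitution (AITM) versus out-of-band
fingerprint comparison, and of forward secrecy from ephemeral Diffie-Hellman.
Not XChat's or Signal's actual protocol; group, KDF and fingerprint format are
constructed here."""
import hashlib
import secrets

# Toy DH group: Mersenne prime 2**127 - 1, generator 3. Far too small for real use.
P = (1 << 127) - 1
G = 3
WIDTH = 16   # bytes needed to encode one group element


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def fingerprint(pub: int) -> str:
    """Short hash of a public key, the kind of value two users compare over a
    second channel (Signal shows it as a safety number)."""
    return hashlib.sha256(pub.to_bytes(WIDTH, "big")).hexdigest()[:16]


def kdf(*shared_secrets: int) -> bytes:
    h = hashlib.sha256()
    for s in shared_secrets:
        h.update(s.to_bytes(WIDTH, "big"))
    return h.digest()


class KeyServer:
    """Public-key directory. With attacker_pub set it answers every lookup with
    the attacker's key instead, the substitution the article warns about."""

    def __init__(self, attacker_pub=None):
        self.directory = {}
        self.attacker_pub = attacker_pub

    def register(self, user: str, pub: int):
        self.directory[user] = pub

    def lookup(self, user: str) -> int:
        return self.attacker_pub if self.attacker_pub is not None else self.directory[user]


def peer_key_is_authentic(server: KeyServer, peer: str, fp_verified_in_person: str) -> bool:
    """A client only notices a swapped key if it has a fingerprint from outside the server."""
    return fingerprint(server.lookup(peer)) == fp_verified_in_person


def static_key(my_identity_priv: int, peer_identity_pub: int) -> bytes:
    """No forward secrecy: depends only on long-term keys, so anyone who later
    obtains one long-term private key recomputes it and reads every recording."""
    return kdf(dh(my_identity_priv, peer_identity_pub))


def forward_secret_key(my_identity_priv, peer_identity_pub, my_eph_priv, peer_eph_pub):
    """Forward secrecy: also mixes in a DH between two one-time keys. Once both
    sides delete their ephemeral private keys, that input cannot be recomputed."""
    return kdf(dh(my_identity_priv, peer_identity_pub), dh(my_eph_priv, peer_eph_pub))


def demo():
    ik_a_priv, ik_a_pub = keygen()   # Alice's long-term identity key
    ik_b_priv, ik_b_pub = keygen()   # Bob's long-term identity key
    bob_fp = fingerprint(ik_b_pub)   # Alice verified this with Bob in person

    honest = KeyServer()
    honest.register("bob", ik_b_pub)
    _, mallory_pub = keygen()
    malicious = KeyServer(attacker_pub=mallory_pub)
    malicious.register("bob", ik_b_pub)

    # One message from Alice to Bob with fresh one-time keys on both sides.
    ek_a_priv, ek_a_pub = keygen()
    ek_b_priv, ek_b_pub = keygen()
    k_alice = forward_secret_key(ik_a_priv, ik_b_pub, ek_a_priv, ek_b_pub)
    k_bob = forward_secret_key(ik_b_priv, ik_a_pub, ek_b_priv, ek_a_pub)
    del ek_a_priv, ek_b_priv   # both one-time secrets are wiped after use

    # Later an attacker obtains Alice's long-term private key plus a recording of
    # everything sent on the wire (ek_a_pub, ek_b_pub). That rebuilds the static
    # key in full; for the forward-secret key only the long-term DH term is
    # recoverable, and the ephemeral term would need a deleted private key.
    attacker_static = static_key(ik_a_priv, ik_b_pub)
    attacker_partial = kdf(dh(ik_a_priv, ik_b_pub))

    return {
        "honest_server_passes": peer_key_is_authentic(honest, "bob", bob_fp),
        "substituting_server_detected": not peer_key_is_authentic(malicious, "bob", bob_fp),
        "static_key_recovered": attacker_static == static_key(ik_b_priv, ik_a_pub),
        "fs_keys_agree": k_alice == k_bob,
        "fs_key_recovered": attacker_partial == k_alice,
    }


if __name__ == "__main__":
    print(demo())
```

Without a fingerprint obtained outside the server there is nothing to compare against, which is the situation the Key Control item describes. In the forward-secret branch the attacker ends up holding a long-term private key and every public value ever sent, and still cannot recompute the message key, because the missing input is a DH between two private keys that no longer exist anywhere.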

X's own support documentation acknowledges some of these limitations, including the risk from malicious insiders, and says a technical whitepaper is planned, but it offers nothing users can verify today.

Expert Opinions: Proceed with Caution

Garrett says that even if X’s systems work as described, users cannot prove that X can’t observe their chats. Johns Hopkins cryptographer Matthew Green agrees, suggesting that users should treat current XChat encrypted messages as no more secure than standard, unencrypted direct messages. The lack of independent audits and the potential for company insiders to access user messages mean that “end-to-end encryption” may be more of a marketing term than a functional guarantee—for now.

Deep Founder Analysis

Why it matters

For startups and founders, X’s move signals the mainstreaming of encrypted communication—once limited to niche or privacy-first products. As social platforms add security features, user expectations and regulatory pressure are likely to rise, challenging even non-security startups to reevaluate their data handling practices. It also highlights how perception, rather than fact, drives user trust and adoption: a lesson for any startup marketing privacy features.

Risks & opportunities

If major platforms poorly implement encryption, there’s risk of eroding overall public trust in secure messaging. Opportunity lies in transparency: startups that publish open security documentation or invite audits can win credibility against larger, opaque competitors. We’re entering an era where “trust but verify” becomes a product differentiator, much as SSL adoption distinguished early e-commerce leaders.

Startup idea or application

An emerging opportunity is to offer third-party auditing or key management services for apps rolling out encryption, think of SOC 2 compliance but for end-to-end encrypted systems. Alternatively, there is a case for building open-source libraries or plug-and-play modules that SaaS and consumer apps can integrate for verified secure messaging, lowering the barrier to privacy best practices for startups of any size.

What Should Users Do?

For now, the prudent move is to treat XChat’s encryption claims with skepticism. Until transparent documentation, third-party audits, and peer-reviewed standards are in place, the underlying risks mean users concerned about privacy should stick with more trusted, independently audited applications.
