The Latest Trend in Encrypted Messaging: Secure for the Platform, But Not for You
Why X’s new encrypted messaging isn’t as private as it seems
When X (formerly Twitter) unveiled its new encrypted messaging feature, XChat, the company positioned it as a step toward greater security in digital conversations. Encryption is often associated with privacy, and for users who value secure communication, this announcement seemed promising. However, leading cryptography and security experts—Matthew Green, a professor at Johns Hopkins University specializing in cryptographic research, and Matthew Garrett, a well-regarded Linux security developer—have examined XChat’s design and exposed signifcant shortcomings. While XChat encrypts messages, it does not ensure true privacy for users. Instead, the platform itself retains significant control, undermining privacy usually associated with end-to-end encryption.
Encryption vs. True Privacy: The Key Differences
At its core, encryption is meant to protect information from unauthorized access. It ensures that data is scrambled in such a way that only the intended recipient, possessing the correct decryption key, can access it. However, encryption alone does not automatically make a communication system private, especially when the service provider holds the keys.
A truly private messaging system means that only the sender and recipient control their encryption keys. In contrast, a system in which the company stores these keys, even if they claim to protect them, is vulnerable to outside interference. Users are essentially forced to trust the platform’s administrators. Governments, corporate policies, or malicious actors could force access to users’ messages if those decryption keys are retained by the platform rather than remaining solely with the user.
Green and Garrett both emphasize that XChat’s encryption model does not meet the standard of true privacy. The system encrypts messages using a recipient’s long-term public key, which theoretically ensures secure delivery. However, without forward secrecy, a feature that frequently updates encryption keys, past and future messages could be compromised if an attacker gains access to a stored private key.
The Key Storage Problem
A major flaw in XChat’s security model is how it stores users’ private encryption keys. Instead of keeping those keys exclusively on user devices, X retains them on its own servers using a method called Juicebox. Juicebox distributes key materials across multiple servers, an approach meant to make unauthorized access more difficult. While this may prevent simple attacks, the ultimate authority over these keys still rests with X, allowing the company to potentially access user messages if needed.
This setup is similar to Meta’s approach for encrypted messaging within Facebook Messenger and Instagram. While Meta claims its encryption protects user conversations, critics argue that the company has built backdoor access into its system. Allegations have emerged suggesting that Meta retains the ability to read users’ Messenger, WhatsApp, and Instagram messages despite advertising encryption as a safeguard.
Green and Garrett highlight that the mere existence of stored private keys creates a risk—even if the company does not routinely access them. If X is legally compelled by a government request, enacts new policies that allow broader internal data access, or faces a server breach, users’ supposedly secure messages could be decrypted.
Market Impact: The Need for Truly Private Messaging
The shortcomings of XChat, Messenger, and Instagram messaging underscore a growing issue in digital communications: many platforms advertise encryption without delivering genuine privacy. This discrepancy presents an opportunity for services that prioritize user control over corporate convenience.
To be truly private, a messaging system must:
Store encryption keys exclusively on user devices, preventing platform-level interference.
Implement forward secrecy, ensuring older messages cannot be decrypted if a key is compromised.
Avoid centralized key storage, ensuring only users—not the company—hold the means to decrypt their conversations.
These principles have driven the success of secure messaging applications like Signal and ProtonMail, which have built reputations for refusing to store user decryption keys. Unlike XChat, which takes control of encryption keys, these services use end-to-end encryption that eliminates any possibility of platform access to message content.
For businesses that rely on secure communication, whether they are corporations handling sensitive negotiations or individuals seeking privacy from oppressive governments, the need for encrypted messaging services that guarantee privacy has never been greater. A unified communications platform offering truly secure and private messaging would be well-positioned to gain significant market traction.
Conclusion: Encryption Alone Isn’t Enough
XChat’s encryption may offer some protection against external attackers, but it does not guarantee privacy from X itself. As Green and Garrett’s analyses make clear, storing private keys on company-controlled servers presents a fundamental vulnerability that undermines user trust. For those who assume that encrypted messaging automatically means complete privacy, this case serves as a stark reminder: encryption alone is not enough.
For users who rely on digital messaging for confidential conversations, whether they are journalists, business leaders, political dissidents, or everyday individuals concerned about privacy, it is critical to question whether a platform’s encryption model truly protects them or simply serves the company’s interests. As scrutiny of digital security intensifies, demand for platforms offering actual private messaging, not just encryption buzzwords, will only grow.
For a deeper technical breakdown, Green’s full analysis can be found here (https://blog.cryptographyengineering.com/2025/06/09/a-bit-more-on-twitter-xs-new-encrypted-messaging/), and Garrett’s critique is available here (https://mjg59.dreamwidth.org/71646.html). Their expertise in cryptography and security highlights why platform-controlled encryption does not equal privacy, and why users should remain skeptical of messaging services that claim otherwise.



