Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Apple’s new security update comes with a catch.
Timing really is everything. Apple has just confirmed one of iPhone’s longest-awaited security upgrades, which plugs a major weakness and is expected to come with iOS 19 this fall. This should be good news for millions of users. But don’t get too excited. In reality the timing could not be worse, and that’s very bad news for users.
Apple has confirmed that it’s finally extending iMessage encryption to include chats between iPhones and Android users — kind of. What’s actually happening is the mobile standards setter (GSMA) is updating its RCS protocol and both Apple and Google have confirmed they’ll adopt this. It brings a raft of improvements to messaging, but the headline is cross-platform end-to-end encryption coming to RCS.
When the FBI and America’s cyber defense agency warned iPhone and Android users to stop texting after Chinese hackers were caught marauding through U.S. networks, their advice was simple — only use fully encrypted messaging. The hackers were pulling metadata and even some content. Encryption is your friend, we were all told.
Yet just a few weeks later, we’re talking about encryption for very different reasons. The U.K. is reportedly ensconced in private talks with U.S. officials after its secret/not secret demands (under appeal) for Apple to build a backdoor into everyone’s data. Meanwhile, France (rejected for now) and Sweden are pushing for legislation to access secure messaging, ahead of the lingering risk that the entire European Union does the same. This is much wider than just messaging; it impacts the core iPhone proposition itself.
And before my American readers reach for the popcorn, assuming all this is far from home, the FBI has confirmed that it wants the same, “lawful access,” and the proposed “STOP CSAM” bill would, per EFF’s warning, “endanger encrypted messages.”
Upgrading iPhones to securely message Androids is still a game-changer. It will be the first time we have had fully secure stock messaging between platforms. It’s also a huge technical milestone, “the first large-scale messaging service to support interoperable E2EE between client implementations from different providers,” says GSMA.
And while on the surface it doesn’t add anything WhatsApp and other over-the-tops don’t already provide, in reality it should be the final expansion of fully secured messaging across the mainstream. This is especially important in the U.S., where iMessage and texting more generally remain a holdout to the likes of WhatsApp.
It’s also significant because for Apple in particular, it changes the major reason why iMessage has been a walled garden differentiator, notwithstanding regulatory pressure for this to change in the U.S. and Europe. Not only does RCS 3.0 finally secure content, it also adds a range of other features that should make it as usable as iMessage.
But there are genuinely dark clouds on the horizon. The encryption battleground is now an “emergency for us all,” EFF warns, and as privacy advocate Naomi Brockwell puts it, “we need privacy, not because our actions are questionable, but because your intentions are.” That perfectly sums it up.
There are two parallel issues. First, messaging itself is under pressure from legislators seeking to access “dark” content by any means possible, or to push platforms to regulate, meaning they’d have to do the same. And second, with encrypted backups under pressure, the cloud-based architectures deployed to sync messages across devices, to restore content to new devices, and to back up content also enable lawful access via those backups. This is the implication from Apple’s decision to remove encrypted iCloud backups in the U.K., and while Google was quick to confirm its own encryption, it has not denied receiving a similar “backdoor” mandate from the U.K. government.
And so while Apple’s upgrade is still very welcome and certainly addresses the transmission security weaknesses in SMS and current RCS that were highlighted by Salt Typhoon, it’s not the unambiguous privacy victory it should have been. The landscape has suddenly changed and it may already be too late to deliver what’s been promised.