Last month I was at my pharmacist’s picking up a prescription. It was the end of a frustrating process in which my doctor faxed the pharmacist who sent another fax back to my doctor. I’ve been told over the years this transaction needs to be done via fax for security reasons. Which is odd, because while I was waiting I could see a document coming out of the pharmacy’s fax machine about 12 feet away from me across the counter.
Any blister-packed camera with even a 3X zoom could have easily gotten a clear shot of whatever information the emerging paper contained. In security parlance that fax machine was a gaping analog hole — that is, unencrypted data sitting in plain sight.
This happened during the week Mark Zuckerberg was testifying before a U.S. congressional committee about the Cambridge Analytica data breach. So, the sight of a public fax machine spitting out private medical information was more than a tad metaphorical.
And, just a couple of weeks after the Facebook disaster-that-kept-on-giving, Google seemed to be as laissez-faire about text message privacy as a pharmacist with a public-facing fax.
An exclusive April 19 article on theverge.com explained how the search giant had thrown its support behind a new text message standard — Rich Communication Services (RCS). The RCS protocol, a more modern replacement for plain text SMS, allows easy group chat, typing indicators, and photo exchange. Google will be using the RCS standard to create a new messaging service, Chat.
There’s no doubt SMS needs an upgrade. While it’s a base-level standard for text messaging across mobile operating systems, cellphone manufacturers and carriers, the protocol can’t handle rich media. On the other hand, it also doesn’t require data or Wi-Fi connections to work, so any phone with a plain old voice plan can send and receive SMS messages. That’s why folks with just feature phones and a pay-as-you go voice plans can use the very democratic SMS.
Meanwhile, messaging applications like Apple’s iMessage or WhatsApp can handle rich media and group chats easily. But iMessage is iOS-only and WhatsApp is a third-party application that requires that everyone you want to talk to with it must have it installed.
While WhatsApp is cross-platform, folks on Android phones can’t participate in the group chats and photo-sharing that goes on between iPhone users communicating via the Apple-only iMessage application.
For years Google has been trying to launch an iMessage competitor of its own: Allo, Duo, Android Messages and Hangouts come to mind. But none really caught fire. And, not all phone manufacturers use even the basic Android Messages. So, Google has really been without a modern, default rich-media messaging platform.
At first blush, the search giant getting behind a platform-agnostic messaging solution sounds like a win for Google and a win for consumers. Well, it would, except for this. The RCS standard is not end-to-end encrypted.
On platforms like WhatsApp and iMessage, your messages are encrypted before they leave your phone. They’re only decrypted on the phone of the person or persons you sent the message to. Not even WhatsApp or Apple can read the messages. Both platforms have end-to-end encryption burned deep into their DNA.
On the other hand, RCS uses client-to-server encryption. Your message is encrypted on your phone, decrypted on a Google or carrier server and then encrypted again before it is sent to the recipient. This is much the way Gmail messages are handled. It means, of course, Google or any number of carriers could read, store or hand over to authorities the content of your RCS messages.
That is hardly an ideal situation, especially because the strength of the encryption of a message is only as strong as the weakest encryption a carrier in the transfer chain uses. So, a RCS message from someone in Canada to someone in China will likely risk having the message exposed to the Chinese government since laws in that country force carriers to make messages available to the government authorities.
So, astonishingly, at a time when privacy is foremost in everyone’s mind, Google is backing a messaging service that potentially keeps nothing secret from anyone. Why? Because Google doesn’t fully control the Android ecosystem so it can’t run all the text traffic through its own servers. Is RCS a better privacy solution than SMS? Sure. SMS is basically a fax machine in the middle of a pharmacy aisle with a sign on it that says, “Please, take one.” But when it comes to data security, “better than nothing” isn’t a great sales slogan. Especially not these days. Especially not from a Silicon Valley giant. That’s just a prescription for disaster. At least, we can hope so.
Wayne MacPhail has been a print and online journalist for 25 years, and is a long-time writer for rabble.ca on technology and the internet.
Like this article? rabble is reader-supported journalism. Chip in to keep stories like these coming.