Originally Published By: Zak Doffman
Somewhat ironically, just as the backlash against Facebook continues for its forced change of terms on 2 billion WhatsApp users, Google seems yet again to have slipped by unnoticed. Now, hundreds of millions of Android users need to decide who they trust with their data, given recent harvesting revelations.
Android Messages is trying to fix the major security holes in its architecture. But after launching improvements in beta last year, Google has confirmed to me that there are still no public dates for an actual platform update and that those improvements are still heavily restricted. Until that changes, you should switch to an alternative.
Meanwhile, the number of impacted users is increasing, as Android Messages becomes the default for many Samsung users, replacing its own Messages app, expanding Google’s user base as its RCS rollout continues.
So, here’s a critical reminder that not all messengers are the same. You should use one that end-to-end encrypts by default—not SMS, not Facebook Messenger, not Telegram, and not Android Messages.
Android Messages is essentially an SMS client that has been upgraded for RCS—this is the updated version of SMS, supporting the chat and rich media features that are now commonplace on other messengers.
While RCS was conceived as an SMS upgrade that would be deployed by the same mobile networks that run the SMS ecosystem, Google has essentially taken control as it plays catch-up with Apple’s iMessage.
SMS has woefully poor security. And RCS has been criticized for the same—a fragmented architecture with too many points of failure, risking account hijacks… “enabling hackers to intercept and manipulate communication.”
Google running ever more of the RCS ecosystem has accelerated its rollout, it has also patched some of the security issues. But RCS—Google’s or otherwise—is not end-to-end encrypted at all, never mind by default, and that makes it a security no-no.
“The lessons of the past five years make it absolutely clear that technology companies and governments must prioritize private and secure communication.” WhatsApp’s CEO Will Cathcart said last month. He warned that full encryption is “essential,” that there is “serious pressure to take it away,” that it “should not be taken for granted.”
If you want to know how critical end-t0-end encryption is, just look at WhatsApp’s defense against the Facebook backlash. Don’t worry, it has basically said, your content is safe from Facebook, WhatsApp or anyone else, because it’s end-to-end encrypted. By contrast, Facebook has admitted in the past to monitoring Messenger content.
WhatsApp has warned its users that “if an app doesn’t offer end-to-end encryption by default that means they can read your messages.” And leaving WhatsApp over Facebook data sharing and opting for Android Messages would be a security nonsense.
“End-to-end encryption is now the way most messages are sent globally,” Cathcart said in his opinion piece. “Should people be able to have a private conversation when they are not together in person? I believe the answer must be yes. End-to-end encryption locks tech companies out of particularly sensitive information. Will we be able to have a private conversation, or will someone always be listening in?”
That statement came at an awkward time for Facebook, which has just admitted that its plans to fully encrypt its own Messenger platform are running later than planned—don’t expect progress on that front until next year “at the earliest.”
For its part, Google launched an end-to-end encryption beta for Android Messages last year. But it’s heavily limited. Only one-to-one messaging, no groups, and both ends of the chat must clearly have the beta installed. Google told me that it will explore options for groups “later,” and that there are no public dates as yet to progress beyond beta.
“We recognize that your conversations are private and it’s our responsibility to keep your personal information safe,” Google said when it announced the beta. “End-to-end encryption ensures that no one, including Google and third parties, can read the content of your messages as they travel between your phone and the phone of the person you’re messaging.” So, why would you use anything else?
On Android in particular, there’s no excuse to continue to use less secure options. Unlike iOS, Android users can select an alternative default messenger to the stock OS one. You can choose to use Signal instead of Android Messages, and this will manage both your SMS and Signal traffic, similarly to the way in which iMessage works.
This means that any time your contacts have Signal installed—and that’s a fast-growing number, you will automatically opt for a secure message. Forget Android Messages, this is the nearest you can get to Apple’s iMessage. SMS and secure messages in a single app, an easy distinction between the two, encryption across 1:1 and group messages, fully fathered chat functions.
Cathcart is right—encryption has never been more important or more under threat. And while many users may not view the security of their messages as important—there are 1.3 billion Facebook Messenger users after all, hopefully those reading this article will have a sense of the importance of their data security and privacy.
And remember, it’s not just the content that counts, the metadata, the data about your data—the who, when, how often of your messaging, is a data goldmine. Putting encryption aside, the more we take our data and comms away from default Facebook and Google options, the more we apply some brakes—however small—to this runaway data harvesting train. It’s your personal information, please take it seriously.
“Imagine if your government, or a foreign one, could see every transaction you made,” WhatsApp’s Cathcart asked, “or if your boss could see every text message you wrote or photo you sent. That’s the greatest risk of all.”
Yes, just imagine. There’s obviously a stark irony with that warning. Never mind “your government,” Cathcart is much more aptly describing Facebook, the company he works for. But the same equally applies to Google.
As ever, you have what you need to make an informed decision. And, as ever, unless users in their millions select apps and platforms that genuinely put their privacy and security first, what imperative do we give big tech to change?