Leaf&Core

Apple is Right to Protect iMessage, But There’s Room for Compromise

Text reads: Messages are only seen by who you send them to. Apple can’t read your iMessages while they’re being sent between you and the person you’re texting.

iMessage marketing material via Apple

Ask most iPhone owners: no one likes a green bubble. A green bubble means lousy video and photo sharing, no read receipts, perhaps no reactions, no screen effects, and, worst of all, no security. iMessages are encrypted end-to-end, with Apple doing nothing with the messages once they reach your device. They don’t collect metadata, do topic recognition, use your texts for training a large language model, or track your location. Your messages are yours and yours alone. Not every messaging app is like that. In fact, most aren’t. However, a new rule attached to the European Union’s Digital Markets Act (DMA) could make Apple’s iMessage less unique.

The EU’s DMA has a new “Interoperability Rule.” This could eventually apply to social networks, but, for now, the EU has set their sights on messaging apps. The rule states that large companies with millions of users may have to make their service work with other services. It means Google could request that WhatsApp makes messages work with their own SMS and RCS messaging apps. Or, more accurately, they’ll go after Apple’s iMessage, the one thing that seems to be standing in Google’s way of complete smartphone dominance and a worldwide monopoly.

The EU would give companies between three months and four years to respond to a request before fining them. The rule would help small businesses compete with the large ones. It would help new messaging apps compete with established brands. However, it also would likely completely dismantle any messaging security. For end-to-end encrypted networks like Apple’s iMessage, it could mean privacy takes a back seat so Google can get in on iMessages.

Apple’s right to fight back, but there is some wiggle room.

The Good Side of Interoperability

Interoperability isn’t a bad word, even if it is a long one. It just means that services can work together. Think about your email, for example. You can use an email client like Apple’s Mail, Mozilla’s Thunderbird, or many others to read your mail. You don’t have to use Gmail for your Gmail account or Apple Mail for your iCloud. Instead, you can pretty much use any client for any email service. That means anyone can make an email client, and everyone can compete to be your one stop shop for email.

In the case of messaging apps, it means you wouldn’t have an iMessage app on your Android device. It means you could use Android’s stock messaging app to send iMessages. I could release an app on Google Play that allows you to send WhatsApp, iMessage, and Signal messages all from one place. It means I could do what even Meta has been incapable of doing: unite Meta’s messaging apps: Instagram, Facebook, and WhatsApp. It means choice for users. When it comes to social networks, it means you don’t have to use Reddit’s lousy app, you could use Apollo instead. You don’t have to use Twitter’s app, you could use Tweetdeck. And you could choose to access your social networks like Facebook and Instagram through a third party app that could strip and block tracking data, ensuring your privacy, even on these spying networks.

Interoperability sounds fantastic. But the issues especially come into play when considering messaging apps. Many apps are protected with security protocols that only work within a walled garden. Open them up, and no one ever has a private conversation again.

The Tough Road to Private Communications

“If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you. What happens when the requested sushi arrives by courier at McDonald’s from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?”

– Alec Muffett, “Internet security expert and former Facebook Engineer”, via The Verge

McDonald’s Sushi

So, you have the interoperability of the EU’s dreams. You placed a pickup order on McDonald’s app for a Big Mac, Medium Fries, two sodas, a salmon avocado roll, and an omakase sampler. Thanks to interoperability, McDonald’s got your sushi order from… somewhere, and stored it at their restaurant until you were ready to pick it up. McDonald’s keeps their burgers nice and warm when they’re waiting for someone under a heat lamp, so I’m sure that fresh, raw salmon will be fine under the heat lamp for 20 minutes until you can get to the restaurant. And, if it’s not safe? What, I don’t see a health inspector anywhere, do you?

Muffett’s McDonald’s sushi is a succinct way to explain the whole issue here. Take the apps WhatsApp and Signal. WhatsApp actually uses the same encryption protocol as Signal: Signal’s own encryption protocol. There’s still no interoperability between the apps. Signal goes above and beyond to ensure their chats are private, that people’s identities can be protected, and that they collect nothing on you. WhatsApp, however, does collect data on you, including your contacts, location, and other metadata. They didn’t even encrypt message backups until 2021, after years of storing your “end-to-end” encrypted messages unencrypted in backups on their servers. One of these deserves your trust. The other will put the chef’s choice sushi under a heat lamp.

Even if a message is encrypted end-to-end, that doesn’t guarantee security. There’s a lot that can be done client-side, that is, on your device. Client-side, a company could store a copy of your message before sending it to your friend, as well as copy everything you receive. For data-hungry companies who profit from data collection, they have no incentive not to. If there’s no one ensuring that these apps are protecting your data, including looking at every single piece of code that every single messaging app creator makes, then it would be far too easy to clone anything that’s securely encrypted once it’s decrypted on your device. There’s no way for Signal to block a third party developer from copying that data if they have to open up their service to any third party app developer. Just as there’s no way for the sushi restaurant to stop McDonald’s from using the heat lamps on your sushi.

No iMessage for RCS

My own mother called me out for green bubbles!

RCS does support some encryption across messages. While it also has unencrypted messaging support, your device may be capable of sending end-to-end encrypted chats. But it’s not a guarantee. That means if you send a message you want secure from one platform that forces end-to-end encryption to one that doesn’t, it will be decrypted before it goes through everyone’s servers as plain text. It’s free for anyone along the way to grab and do whatever they want with it.

“iMessage already has interop: it’s called SMS, and users really dislike it, and it has really bad security properties that aren’t explained by green bubbles.”

– Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, via The Verge

iMessage already has interoperability with standard SMS. If you can’t send an iMessage to someone because they have an Android device, you can send your message as SMS. We know this for its ugly green chat bubbles, pushing our group chats back to more secure grounds in iMessage. But what if Apple can’t treat messages from insecure sources like SMS or, potentially, RCS, any differently? You wouldn’t know if your messages were secure or not. In fact, if you don’t know if your messages are encrypted and private, then they are never truly secure. As soon as you have to incorporate lesser technologies into your own, the security and privacy levels drop to the lowest common denominator. iMessage becomes as secure as shouting your message in a quiet, crowded room.

Impossible Standards

Obviously, there’s a solution we haven’t discussed yet: a new standard, or wide adoption of an existing standard. So, you get a new standard that all the major messaging apps agree on. It can do all the things the EU demands for interoperability: text messages, file transfers (including photos and videos), and live video calling. All of it’s encrypted end-to-end using the same protocol, so it never has to be decrypted during its journey. Then, to make sure everyone treats the data the same once it lands in their app, third party or government auditors will examine every single piece of code that every single developer making messaging apps will use. They’ll get certification, and have to submit any code updates (including remote code activation) through this third party auditor for release. If they don’t, they lose certification. The cost of that auditing will either be covered by taxes or by charging the developers, which already makes it a bit harder for anyone without the money of Apple to make an app.

And that’s it! See? Easy! We just have to get Meta and Google to agree to an encryption standard they can’t get any data from, ensure the security is tight, block any and all would-be hackers, government entities, and spoofers constantly or the entire worldwide system becomes insecure, and then get everyone on board. Easy!

Disagreements and Conflicting Desires

Yeah, you can probably tell that was sarcasm. Meta has three messaging platforms: Facebook, Instagram, and WhatsApp. WhatsApp is encrypted end-to-end, but Meta does collect some information from your device. Facebook and Instagram messaging apps, however, are less secure. Facebook could be encrypted, but it’s a tricky process and has to be done on a per-chat basis. Instagram is a free-for-all. What does the company that collects user data to sell them ads do with those chats? Who knows? It’s a black box, we can’t see inside. But I did start seeing more videos and ads for keyboards after a friend asked me if I made any new setups recently.

Meta wants your data. Google wants your data. Apple wants everyone on their devices and uses iMessage as a selling point for iOS devices. Signal wants to make the most private and secure messaging app and hopes you’ll pay for it. They all have different desires and motivations for creating messaging apps. Hell, Meta only bought WhatsApp after realizing it saw more internet traffic than their own apps thanks to a tracking VPN they installed on volunteers’ phones. These companies can’t agree on how to send a message because they all have different desires. Apple wants iMessage to be secure and private, without you thinking about it. Signal wants you to be able to verify the identity of senders to evade spies and state-sponsored actors.

Do you really think you could get them all to agree to the same encryption standards?

After that, could they agree to the same privacy policy on your device? Will Meta give up collecting information on your location because Signal and Apple don’t want them doing that? Will users have to see who they’re messaging and what platform they’re using to know if it’s actually secure or if the message could be copied out to a third party automatically once it reaches its recipient? That’ll be a clunky interface that Apple won’t like. In this envisioned world of interoperability, you’d have more security hand delivering notes to your friends. Otherwise, you’ll have to be constantly vigilant. No one wants that.

Not Enough Time

The DMA gives companies between three months and four years to comply with interoperability requests they’ve deemed legitimate. They’ve also stated that this can happen in phases, with things like text messaging coming before files or video chat. However, this still may not be enough time.

In March of 2019, Meta (then Facebook) announced they would merge their three messaging platforms. Meta would bring interoperability to WhatsApp, which they acquired, and Facebook Messenger and Instagram messages. The three apps would have the ability to send messages to each other.

Four years and eight months later, and Meta still hasn’t been able to accomplish that task. Maybe they laid off too many employees. Maybe they ruined their image by contributing to a genocide and struggle to hire talent. Or maybe they just don’t have the motivation to do anything. After all, bringing interoperability may mean bringing WhatsApp’s encrypted messaging to messaging apps that send messages unencrypted through Meta’s servers. If Meta wanted their apps to use encrypted messaging, they would have by now.

Either way, it illustrates the issue. Not all companies will have the same goal. Departments within a company may not even have the same goal. Despite all working towards the success of the same company, Facebook, Instagram, and WhatsApp haven’t been able to achieve interoperability in over four years. What chance does any other company have when the interoperability features would be harming their bottom line?

EU’s Interoperability Law is Ignorant, But Carries Merit

“We remain concerned that some provisions of the DMA will create unnecessary privacy and security vulnerabilities for our users while others will prohibit us from charging for intellectual property in which we invest a great deal. We believe deeply in competition and in creating thriving competitive markets around the world, and we will continue to work with stakeholders throughout Europe in the hopes of mitigating these vulnerabilities”

– Apple Statement from Fred Sainz to The Verge

This almost feels like a deliberate attack on encryption and privacy. It’s not a crazy conspiracy theory. After all, world powers have wanted to stamp out encrypted messaging apps for some time, as they get in the way of surveilling their own citizens. Still, security and privacy are mandatory requirements for free speech. No one has free speech if they’re too afraid to speak up. A whistleblower too afraid to talk to a journalist because their company or the government could hear is a silenced citizen, a citizen with something to say without the freedom to say it. Encryption and the privacy it gives us is freedom, and preserving it must be top priority.

We can’t protect privacy if we open the doors to every company or person who wants to make an app. We’d need strict standards and review boards for every piece of code that accesses messaging standards. It just isn’t feasible, especially not within a span of, at most, four years.

Monopolies like iMessage are most certainly stifling competition, but the way to handle it is to force them to make an Android app, not force them to destroy what makes iMessage good. Privacy and security are key reasons people choose an iPhone over an Android device, and iMessage is a huge part of that. Still, simply offering that security to more people is a great first step towards leveling the playing field. After that, challenge these messaging app makers to agree on standards including what each participant can do with data client-side. Force them to require authentication at a service level and cut off anyone who would abuse that data. There are methods to remove chances of misuse, but walled gardens are safer than open fields, and right now, we just have to work with that until we can make something better.

