Republished on December 9 with new FBI encryption warning that could mean the end of blue bubbles as well, a game-changer for all iPhone users.
Apple seems all set to launch iOS 18.2 next week, bringing the long-awaited release of feature-rich Apple Intelligence tools held back from iOS 18’s launch in the fall. But the next iPhone firmware release also brings the most surprising update in years—a change to how your iPhone works and—finally—an end to those pesky green bubbles.
The saga of green bubbles versus blue bubbles is very much an American thing—the US has been the only significant market which has held WhatsApp at bay, and clearly when your entire social network moves to WhatsApp—whether on iPhone or Android, all users look the same. It’s refreshingly democratic and socially leveling.
That said, Americans are trying it. Meta and its CEO Mark Zuckerberg celebrated WhatApp hitting the 100 million US users milestone in the summer, and those of you in the US will have noticed the billboards and Modern Family ads pointing out the benefits of seamless, secure cross-platform messaging.
None of which actually killed the green bubbles. It seems that this will come down to two government players—China’s Ministry of State Security and America’s FBI. The Chinese started it—not actually MSS themselves, but one of its arm’s length hacking groups which managed to infiltrate US telco networks. The FBI then understandably warned that US citizens should stop sending unsecured text messages.
That’s what those green bubbles are of course. They weren’t actually designed to distinguish social standing amongst teen and gen-z users. What they actually highlight it a lack of end-to-end encryption. To put it simply, blue is secure and green is not. It doesn’t matter if it’s old school SMS green or new kid on the block RCS green. Blue is still secure and green is still not. And so, when the FBI warns Americans to stop sending unsecured text messages, they mean green bubbles.
Cue Apple and that surprising update. iOS 18.2—now expected next week—will allow iPhone users to change default apps for the first time. Importantly, this includes your phone dialer and messenger, the very two apps the FBI and CISA have pointed out should be encrypted if at all possible. As you’ll all know by now, given the headlines over the last 72-hours, standard network calls or messages between Androids and iPhones are never end-to-end encrypted.
And so, following the logic, iPhone users should change their default dialer and messenger to WhatsApp or Signal or other fully secured options. Apple offers FaceTime for calls and iMessage for texts, but both only secure iPhone-to-iPhone, so that doesn’t work. In one respect, the timing of iOS 18.2 could not be better, but in another—perhaps for Apple and for Google’s RCS push, it could not be worse.
Not everyone will do this, of course. But many will. Especially given the FBI warning making headlines across the US in the wake of Salt Typhoon’s ongoing Chinese hacks, and with no firm end in sight. If some users do change, if enough users do change, then perhaps we can end the green bubble nonsense once and for all. The bubbles would still be green if texting Android to iPhone from iMessage—but if you’re using a fully encrypted platform as your default instead, this becomes irrelevant.
As we entered 2024, I suggested that it would be the year messaging changed forever, but I did not expect it to run quite like this. We really are in uncharted territory, and will watch with interest to see what happens through December as users respond to the network hacking news and the fallout that will inevitably follow.
What we really need is the green bubbles to turn blue, for RCS to be fully secured as another option for users. But despite the GSMA and Google working on this, it’s not yet in sight, unlike iOS 18.2 which is now just days away.
While this is straightforward for Apple’s US iPhone users, there was a risk it was about become more complex for users in Europe. Fortunately that risk seems to have just diminished—this has huge implications for the future of secure messaging.
As I have reported before, the EU’s so-called Chat Control would mandate the operators of messaging and other communication platforms to screen/scan private chats to flag material suspected of being CSAM—child sexual abuse material. While this singles objective is hard to argue, once end-to-end encryption is breached in this way, any material can be screened—political, moral, ethical, sexual, etc.
Chat Control dropped out of the news agenda some months ago, but then returned this week with fears that there was a renewed push to find a working majority of EU governments that would support pushing this forwards to policy.
Thankfully, as TechRadar now reports, “on December 6, the European Pirate Party reported that the European Council Committee stopped the proposal (yet again) as more governments joined the list of countries against it.”
This is important, because had the EU pushed this forwards, it would have provided the new US administration with some impetus to do the same. When the FBI warned users to switch from text messaging to secure platforms, they referred to responsible encryption. This essentially means encryption with black doors for law enforcement to use to monitor content when warranted, rather than find themselves “in the dark.”
Interestingly, EFF’s warning on responsible encryption, issued when it was first touted in 2017, has an interesting twist on this week’s news. “By definition, when the customer sends end-to-end encrypted messages—in any kind of reasonably secure implementation—the carrier does not (and should not) possess the information necessary to decrypt them.” Hard to argue against that given Salt Typhoon.
Should Chat Control ever succeed, there would be no such thing as a blue bubble. And now, more worryingly, the FBI has clarified its wording, suggesting that blue bubbles might disappear for everyone anyway, at least in what they signifiy today.
Apple assures its 2 billion users that “Apple doesn’t log the contents of messages or attachments, which are protected by end-to-end encryption so no one but the sender and receiver can access them. Apple can’t decrypt the data.”
This is critical, and Apple’s deployment of multi-device, end-to-end encryption sets an industry standard. “When a user turns on iMessage on a device, the device generates encryption and signing pairs of keys for use with the service. The private keys are saved in the device’s keychain and only available after first unlock. The public keys are sent to Apple Identity Service (IDS) where they are associated with the user’s phone number or email address, along with the device’s APNs address.”
Apple’s entire approach to iMessage is content security and user privacy. If the iMaker had bowed to public pressure and developed an Android client for iMessage, then it would have arguably the best cross-platform messenger, but it hasn’t and there’s no sign that it ever will. And when third-parties try to do the same, they are fairly quickly shut down on security grounds.
But end-to-end encryption is a binary, content is either secure or it’s not. That’s why Apple emphasizes that it can’t access content and what it has ended the vulnerability whereby it stored user keys in iCloud backups that it could access—that’s no longer the case, and users can ensure absolutely no access to iMessage content bar an endpoint compromise of one of their devices.
Cue the FBI and a critical clarification on what could be coming for iPhone users. The Bureau has now confirmed to me that the deliberately phrased “responsibly managed encryption” in its “stop texting” warning means that “law enforcement supports strong, responsibly managed encryption. This encryption should be designed to protect people’s privacy and also managed so U.S. tech companies can provide readable content in response to a lawful court order.”
This is a game-changer for Apple, and goes beyond iMessage into its industry-leading iCloud encryption which can now protect almost all iPhone content, including from Apple itself, and even protects that content in the event of a cloud breach.
“Responsible encryption” has been pushed by since 2017, when then Deputy U.S Attorney General Rod Rosenstein said that while “encryption is a foundational element of data security and authentication… the advent of ‘warrant-proof’ encryption is a serious problem… The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns. Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection… But that is the world that technology companies are creating.”
Rosenstein’s comments were made during the first Trump administration, and speculation is now rife as to what might happen under the second one. There is a perfect storm building, with U.S. encryption warnings, EU chat-control proposals and a new lawsuit claiming harm from Apple’s failure to scan content for illicit CSAM, again as a result of its end-to-end encryption.
Apple—alongside Meta and Google—will fight hard to maintain the encryption status quo and prevent monitoring or backdoor access from being mandated. And so it should. The stakes are frighteningly high. Once the encryption bubble is burst, it won’t come back. It will be good to see green bubbles go, but it now seems that blue bubbles may also be more under threat now than ever before.
Read the full article here
