By John Gruber
While writing the previous item regarding the FBI encouraging the use of E2EE text and call protocols, I wound up at the Play Store page for Google Messages. It’s shamefully misleading regarding Google Messages’s support for end-to-end encryption. As I wrote in the previous post, Google Messages does support E2EE, but only over RCS and only if all participants in the chat are using a recent version of Google Messages. But the second screenshot in the Play Store listing flatly declares “Conversations are end-to-end encrypted”, full stop. That is some serious bullshit.
I realize that “Some conversations are end-to-end encrypted” will naturally spur curiosity regarding which conversations are encrypted and which aren’t, but that’s the truth. And users of the app should be aware of that. “RCS conversations with other Google Messages users are encrypted” would work.
Then, in the “report card” section of the listing, it states the following:
Data is encrypted in transit
Your data is transferred over a secure connection
Which, again, is only true sometimes. It’s downright fraudulent to describe Google Messages’s transit security this way. Imagine a typical Android user without technical expertise who takes the advice (now coming from the FBI) to use end-to-end encryption for their messaging. A reasonable person who trusts Google would look at Google’s own description of Google Messages and conclude that if you use Google Messages, all your messages will be secure. That’s false. And depending on who you communicate with — iPhone users, Android users with old devices, Android users who use other text messaging apps — it’s quite likely most of your messages won’t be secure.
Just be honest! The E2EE between Google Messages users using Android phones that support RCS is completely seamless and automatic (I just tried it myself using my Android burner), but E2EE is never available for SMS, and never available if a participant in the chat is using any RCS client (on Android or Apple Messages) other than Google Messages. That’s an essential distinction that should be made clear, not obfuscated.
While I’m at it, it’s also embarrassing that Google Voice has no support for RCS at all. It’s Google’s own app and service, and Google has been the world’s most vocal proponent of RCS messaging.
Lastly, I also think it’s a bad idea that Google Messages colors all RCS message bubbles with the exact same colors (dark blue bubbles with white text, natch). SMS messages, at least on my Pixel 4, are pale blue with black text. Google Messages does put a tiny lock in the timeline to indicate when an RCS chat is secure, and they also put a lock badge on the Send button’s paper airplane icon, so there are visual indications whether an RCS chat is encrypted, but because the message bubble colors are the same for all RCS chats, it’s subtle, not instantly obvious like it is with Apple Messages, where green means “SMS or RCS, never encrypted” and blue means “iMessage, always encrypted”.
★ Wednesday, 4 December 2024