Texts are no longer private.
Getty
Updated on Dec. 3 with advice on other encrypted messaging platforms following this update, including WhatsApp.
Microsoft triggered a viral furor when it revealed a Teams update to tell your company when you’re not at work. Now Google has done the same. Forget end-to-end encryption. A new Android update means your RCS and SMS texts are no longer private.
As reported by Android Authority, “Google is rolling out Android RCS Archival on Pixel (and other Android) phones, allowing employers to intercept and archive RCS chats on work-managed devices. In simpler terms, your employer will now be able to read your RCS chats in Google Messages despite end-to-end encryption.”
This applies to work-managed devices and doesn’t affect personal devices. And in certain regulated industries it just adds RCS archiving to existing SMS archiving. But employees in regular organizations view texting as different to emailing, especially given the expectations around end-to-end encryption. That’s no longer the case.
This underlines the widespread misunderstanding of end-to-end encryption. The security protects your messages when they’re being sent, but once they’re on your phone, they’re decrypted and available to anyone controlling the device.
ForbesCISA Warns Samsung And Pixel Users—Update Or Stop Using Your PhoneBy Zak Doffman
Google says this is “a dependable, Android-supported solution for message archival, which is also backwards compatible with SMS and MMS messages as well. Employees will see a clear notification on their device whenever the archival feature is active.”
Suddenly, the perk of being given a phone at work is not as good as it might seem. While employees have long been aware of the risks in over-sharing on email — a woefully insecure technology that is easy for employers to monitor, texting has been seen as different. And this isn’t just for regulated industries. All organizations can play along.
Google says “this new capability, available on Google Pixel and other compatible Android Enterprise devices gives your employees all the benefits of RCS — like typing indicators, read receipts, and end-to-end encryption between Android devices — while ensuring your organization meets its regulatory requirements.”
In response to the furor around this update, Google told me “this update does not change or impact the privacy of personal devices. This is an optional feature for enterprise-managed work phones in regulated industries where employees are already notified that their communications are archived for compliance reasons.
There has long been a concern that employees have been turning to shadow IT systems to communicate with colleagues — WhatsApp and Signal in particular. This latest update won’t help make that situation any better.
In the last 48 hours, I have been asked repeatedly now whether this change affects other messaging platforms, specifically WhatsApp. The answer is no. This update is specific to RCS within Google Messages, and works by enabling “third-party archival apps to integrate directly with Google Messages on a work device.”
ForbesMillions Of Androids Hijacked By Botnets—Click Here To Check YoursBy Zak Doffman
SMS and now RCS messaging is built into the phone’s OS itself, handled by Android (or iOS). Over-the-top platforms are not. They control their encryption and decryption. Their databases can be included in a general phone archive, but don’t need to be.
This is specific to general texting. “Previously,” Google says, “employers had to block the use of RCS entirely to meet these compliance requirements; this update simply allows organizations to support modern messaging — giving employees messaging benefits like high-quality media sharing and typing indicators — while maintaining the same compliance standards that already apply to SMS messaging.”
But for RCS, it’s exhaustive. Anything sent can be archived. “When configured by your IT organization on a fully managed device, the archival application is notified upon the receipt of each RCS message, not only when a message is sent or received, but also if a message is edited or deleted too.” So, making changes after the fact doesn’t work.
This highlights that while Google Messages may appear as the same kind of encrypted (within Android) message platforms as WhatsApp or Signal, it’s not. It’s an overlay on carrier-level messaging, and it’s deeply embedded into the phone’s OS.
“Older methods for archiving text messages often relied on carrier-level logging,” Google says, “which is incompatible with modern encrypted messaging. Our new solution allows third-party archival apps to integrate directly with Google Messages on a work device.” In other words, it removes the privacy that encryption has brought for users messaging on work-managed devices.
While WhatsApp is not affected by this change, you do need to beware WhatsApp backups that are wrapped into a general phone backup. If those backups are not encrypted, then your saved messages can be accessed.
So, for example if you backup your iPhone to iCloud without Apple’s Advanced Data Protection in place — the security the U.K. has removed, then backups can be accessed. WhatsApp offers fully encrypted backups that are standalone from a phone’s backup. If you use that instead, then your old messages are fully secure.
ForbesMicrosoft Will Tell Your Boss When You’re Not At Work—‘Starts January’By Zak Doffman
The other issue this Google change highlights is counterparty risk. It doesn’t matter if your messages are fully encrypted, if the recipient of your message takes a screenshot or has an unsafe backups or uses Windows Recall or a scree-reading AI, then your content can be compromised. Now you can add work-phone archival to the mix.
This risk has been highlighted again with the news that spyware browser extensions have been discovered affecting millions of PCs. The risk of message compromise is much greater when linked devices are outside the app-to-app core message enclave.
Clearly, you won’t know if any of these potential risks exist on the phones you’re messaging. As such, you do noted to beware of anything you send.
Meanwhile, if you have a work managed Android phone, watch for the message that warns your texts are no longer as private as they were.