Apple’s iMessage could pass its toughest test yet
Once Apple finally confirms the adoption of RCS messaging alongside iMessage, something much bigger will come along and mess things up. We’ve known for a while that 2024 will be a huge year for reporting, but it turns out that while the landscape will still change forever, it won’t be in a good way.
As expected, Apple presented RCS – essentially an upgrade to SMS – at its WWDC event. No surprises. Green bubbles remain green, security remains limited at least for now, and the walls of iMessage’s walled garden remain largely intact.
But RCS is about to take a back seat. Europe’s attack dogs are not satisfied with the changes that have already been forced on Apple and its peers. Not only are there potentially huge fines on the horizon as Brussels investigates compliance with app store rules, but iMessage is now firmly in its sights. Their intention is to reach an agreement before the end of June.
Putting aside the exciting AI and RCS news from WWDC, the biggest change to the iPhone this year has been regulatory rather than innovative. The Brussels Eurocrats have forced Apple to open up to third-party app stores and give users freedom of choice over which stock of Apple apps they keep and which they remove. Competition 1 — Security 0.
And so also for iMessage and a similarly worrying new risk from the same source. This time it’s about the police’s lack of access to the fully encrypted content sent via iMessage (and WhatsApp, Signal, Google Messages, Facebook Messenger). With end-to-end encryption, only the sender and recipient can decrypt the content, making interception of the data stream unproductive. Security and law enforcement agencies have lobbied for the installation of backdoors so they can eavesdrop. The industry has given a clear no and parliaments have so far agreed.
But not to be deterred, and led by CSAM prevention – a battle that is more difficult for big tech than for general law enforcement – Europe has a shiny new idea. Think of this as a backdoor inserted into the idea of a backdoor.
When it was released earlier this year, crypto expert Matthew Green described parts of the proposal as “the most terrifying thing I have ever seen… a new mass surveillance system that reads private text messages, not to detect CSAM, but to ‘clean.'” That nightmarish prospect is now much closer.
Signal has confirmed it will leave EU markets rather than comply. Apple reportedly considered the same thing as Britain investigated its own encryption compromises. These EU proposals look much more realistic, and last year’s 9to5Mac joined the dots and warned that these much more realistic EU proposals could lead to Apple withdrawing iMessage.
In her role as President of the Council of Europe, the world-renowned (or not) technical experts within the Belgian government have come up with a clever ruse. Users consent to scanning media attachments for CSAM (image, video, URL) marks on the side of the device, otherwise they lose access to sending attachments and are limited to plain texts.
This idea is sometimes called “chat control,” and yes, it is as silly as it sounds.
Normally, such proposals come and go and don’t stick around. That’s certainly what we’ve seen before when it comes to encryption compromises. But Europe is on a roll and this idea will not go away. It is being debated and reformed. But it remains.
The EU parliament had rejected even more far-reaching backdoors for encryption, but this new compromise is receiving support. The Netherlands has now said it “partially agrees” with the latest Belgian chat control proposal Netzpolitics warns that it could become even more difficult. “Several states criticize the restriction to images and videos. Ireland fears chat control will ‘effectively lose’. Denmark demands that ‘the text must also be covered’… Many states support the basic direction of the new proposals. This includes chat control advocates such as Romania, Bulgaria and Denmark.”
Separately, but highlighting how serious the European attack on big tech could become, The Financial Times has reported that “Brussels to sue Apple for allegedly stifling competition in its mobile app store, the first time EU regulators have used new digital rules to target a Big Tech group.”
This could mean billions of dollars in fines.
None of us really expected Apple to open up to other app stores or WhatsApp to introduce its messaging chat hub, but here we are now. What is now being reviewed in Brussels is much more important. Once device-side scanning is made mandatory, there’s no going back. CSAM will expand into serious crime and counter-terrorism, and then we will move into the realm of political dissidents and even sexual niches. Where platforms have an option, this opens the door to formulating local laws.
“We are concerned about developments in the Council of the EU,” warned in a joint statement from the sector at the end of May. “We call on ministers in the Council of the EU to reject all scanning proposals that are inconsistent with the principle of end-to-end encryption, including client-side scanning and moderation of uploads, and to ensure the protection of digital rights throughout the proposal. . These intrusive techniques would only endanger the security and rights of internet users.”
But there’s a good chance Europe will call big tech’s bluff as Apple’s iMessage, Signal and Meta’s WhatsApp and Facebook Messenger face a serious decision. And bravado aside, DMA has shown that while big tech companies are warning of the consequences, they will be reluctant to heed them. This is a much more important test.
Reports suggest this will be discussed privately with the aim of arriving at a workable proposal that will be agreed upon by the states before the end of June. This affects you. This is serious. The industry has so far shown no willingness to get involved in this discussion and tolerate anything like this, but Europe has been just as stubborn over the past year. Apple and its peers forced Britain to backtrack on this point, the question now is whether they can do the same here.