The U.S. Antitrust Case Against Apple, and iPhone Privacy and Security

Gaby Del Valle, the Verge:

The complaint emphasizes that, unlike iMessages, iPhone users’ SMS communications with Android users — i.e., green bubble texts — lack encryption. 

“Apple forces other platforms to use SMS messaging. It doesn’t allow them to integrate with iMessage or another encrypted message platform built-in,” Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told The Verge in a phone interview. Since SMS messages aren’t encrypted, they’re less secure by default.

Apple has previously said its devices would begin supporting RCS, a more secure messaging protocol that will make communications with Android devices encrypted, later this year.

There is a theoretically good discussion in this story about the compromises of the iPhone’s privacy and security model, and its dependence on a benevolent dictator. But these three paragraphs are silly.

It is obviously true that the SMS standard does not have any support for encrypted messages, but that is also true of RCS. Del Valle links to the Verge’s own reporting of Apple’s RCS support in which it says it “could enable support for encryption”, but any end-to-end encryption of RCS messages is currently thanks to implementation decisions made by Google — and Apple will not match that support. Instead, it says it will advocate for end-to-end encryption standards in the RCS spec. The claim that it “will make communications with Android devices encrypted” is simply untrue.

The key phrase in what Steinhauer said is “built-in” and that will not change when RCS support is added. In fact, it is not even clear to me that most conversation between iOS and Android users happens over SMS. I would not be surprised if that were true, given that it is a universal standard, but most popular third-party messaging applications are now or are in the process of becoming end-to-end encrypted.

It seems to me like the rest of this article raises good arguments about how Apple runs the iPhone and the App Store, from a range of perspectives. One person says commercial spyware impacts Android phones more often, another says a moderate increase in risk is worth it for loosening Apple’s control, and so on. But it feels like a moot discussion because this article is nominally about the U.S. Department of Justice’s case against Apple — and its primary complaints are barely related to App Store policy. The closest the DoJ gets is with questions about super apps, cloud streaming gaming apps, and digital wallets, but most of its issues are with Apple’s restrictions around private APIs. The region with a big opening-up of app distribution on iOS is the E.U., and it will be a good experiment in which concerns shake out as true and which are mongering.

Security is one thing to watch out for but, if there are privacy concerns, the U.S. should pass a sweeping nationwide legal framework for privacy. If individual privacy ought to be a right, then it should be spelled out in law, and no company should be able to use it as paper-thin justification for its platform choices. There are times when Apple’s policing decisions seem entirely legitimate, and there are times when it seems — as the DoJ memorably put it — like an “elastic shield”. It would be better for everyone, I think, if there were universal privacy standards that did not depend on the user’s hardware and software choices. Any company could be restrictive if they would like, but there should be a baseline substantially higher than the one that exists today.