Decrypting RCS Encryption: Why an Upgrade from SMS Means More User Protection By: 3C

Since Rich Communication Service (RCS) began gaining momentum in early 2017, there has been some concern from critics over its encryption systems. Drawing comparisons to its OTT messaging counterparts, critics have claimed that RCS’s lack of end-to-end encryption blatantly disregards user privacy rights by allowing “easy access for governments and criminals to snoop on the communications of Android users.” (Business Insider)

This argument, however, is not what it seems. RCS has actually gained a security upgrade from SMS to add more user protections, and current RCS encryption does not, in fact, allow for easy access to consumer messages. Below, we’ll answer some common questions regarding RCS encryption and what it means for the average consumer.

What does it mean that RCS is not encrypted end-to-end?

End-to-end encryption can be described as a closed communication system where only the sender and intended receiver can read the contents of the message. Simply put, the message contents are scrambled (encrypted) in-transit and storage, and can only be read (decrypted) by the sender’s and receiver’s devices.

While this seems like the obvious way that messaging among users should operate, carrier-based messaging services like SMS and RCS are government regulated and therefore subject to decryption within the operator’s core network—but only under the pretense of warranted, lawful intercept. Because of these limited cases of decryption, RCS is not categorized as an end-to-end encrypted messaging channel.

What protection upgrades does RCS have over traditional SMS?

RCS is subject to the same lawful intercept standards as SMS. However, with the launch of RCS, carrier messaging has received a few upgrades that are intended to protect users from cases of fraud or other malicious, third-party activities.

RCS is built on the latest Universal Profile standards. As part of its latest release, Universal Profile 2.2 has added more protection for users by enacting a message verification and brand certification process. Before a brand is able to launch an RCS chatbot to the chatbot directory or initiate an RCS broadcast, it must first be approved through an official verification process by the carrier and messaging provider—ensuring user interaction with legitimate brands and protecting users from fraudulent accounts, impersonators, or phishing attempts. Verified chatbots are clearly marked to distinguish them from non-verified entities.

In addition to protections from the latest Universal Profile standards, RCS has received more secure encryption systems than SMS and uses a completely different protocol. Legacy SMS traffic runs over SMPP or SS7 protocols, whereas RCS traffic is SIP traffic over TLS secured by several carrier interfaces between the device and the network. The communication between the messaging providers and the RCS chatbot platforms for business messaging have also been secured by using either VPN or TLS.

When could an RCS message be intercepted?

As RCS is a carrier-based messaging service, it operates in a highly-regulated industry. But despite this regulation, decryption of user RCS messages can only be permitted in cases of lawful intercept. Meaning, the only situation in which user messages could be intercepted between the intended users would be by lawful agencies that have obtained a legal warrant to do so and have to work with the carriers to obtain the requested information. So, outside of these limited cases of lawful intercept, RCS is an extremely secure channel for any law-abiding citizen.

In the case of A2P messaging specifically, these policies are not extraordinary. The level of encryption and lawful intercept rules that are in place are entirely sufficient for how businesses interact with consumers and they are similar to those used in other forms of B2C communication such as email and telephone.

Why is RCS still a better messaging option compared to OTT?

Despite the minor push back around RCS encryption, RCS is still gaining rapid momentum in replacing SMS as one of the most used messaging services on the planet. It’s app-like features and capabilities mirror those of OTT apps (I.e. ability to send large media files, read receipts, typing bubbles, etc.)—all, of course, with the tremendous benefit of getting these capabilities out-of-the-box from the default messaging app without having to download a third-party application.