This is exactly correct. Apple engineered that page to read to people who are scanning quickly that "it's encrypted, it's fine" when in fact iCloud Backup, which includes complete plaintext message history (and SMS history too, which Apple normally would not see, plus all iMessage/SMS attachments like photos and videos) is NOT end to end encrypted but encrypted with Apple keys, and can be decrypted by Apple at any time without the user's device or password.
It's perhaps the most shady thing they do. Nothing on that page is a lie, yet if you read it without an intimate knowledge of Apple's services ("iCloud", vs "Messages in iCloud", vs "iCloud Backup") you will get an impression of the opposite of what is true.
Additionally, they were going to e2e encrypt backups, but the FBI asked them not to, and so they didn't, and Apple and the FBI can read every message in every backup without a warrant.
It's Section 702 of the FISA Amendments Act, aka FAA702, cited in Apple's transparency report as FISA (they turned over 30,000+ users' data without a warrant in 2019), and better known to the general public by its internal NSA codename of PRISM, thanks to Ed Snowden telling us that this is the primary, #1 source of information used by NSA spies.
Apple wasn't lying when they said they "had never heard of PRISM"—until Snowden, it was not known by that name outside of the NSA/IC.
It is regularly used against US users, in the US, as well as people in other countries. Snowden cited this use (resulting from a classified, private interpretation of FAA702 made by the classified FISA court) against US citizens as one of his main reasons for going public in the summer of 2013 with the fact that this is happening.
However, the context of this thread is to compare the relative security of Apple iMessage and iCloud backups with what happens to those messages when they are exfiltrated by Beeper.
I do not see the existence of Prism belying the practical expectation of security Apple users get from iCloud and iMessage.
It doesn’t make the point that beeper’s service has a similar level of security.
But to your point, some apple iMessage users will unknowingly have their data shared with a third party if the recipient is using beeper and doesn’t tell them.
Which makes having a friend quietly using beeper a bit like having a prism inquiry.
> belying the practical expectation of security Apple users get from iCloud and iMessage.
What practical expectation of security? iCloud backups are not E2E encrypted.
If you're expecting that it should be impossible for anyone else to read your messages, then don't use iCloud. If you don't trust the people you're messaging, then don't message them. Trying to build a platform that guarantees security regardless of who you message is a fallacy, that system doesn't exist and people shouldn't think about security in those terms. If you send someone information, you can not guarantee with any messaging system that they won't copy that information and send it to someone else. Recipient trust is part of the equation.
Any one of your friends can just copy and paste text out of iMessage, you have no technical guarantee that your messages are going to stay in Apple's ecosystem. If you send a message to someone with an Android phone, it gets sent in plaintext over SMS. If they're in a group chat, boom, no more encryption. Apple themselves can't keep your data in the iMessage environment, they exfiltrate it for you whenever you text someone who's not on iOS.
And even if you don't have any friends on Android, all of the data that you're worried about leaking gets stored non-E2E encrypted to Apple's servers whenever anyone in your messaging pool turns on backups -- and I guarantee most of your contacts on iOS have backups turned on.
But you're worried about security flaws in the Matrix protocol? Based on what?
If you actually need E2E encryption, you shouldn't be using iMessage in the first place, you should be using something like Signal, a program where the default settings for you and your contacts aren't going to leak your messages and break their encryption. And at least Signal warns you in advance if a contact isn't on the same platform. At least it works on multiple operating systems so you aren't virtually guaranteed that it'll be impossible to do E2E chat with some of your friends.
Sms conversations are green to iMessage users. So the practical expectation of a blue message is at least the content is not going one or more carriers.
So it is obvious when texting with someone that the content is flowing unencrypted over sms, and easily read by the phone company, let alone a request from LE.
The problem with this service is it makes the conversation look like it is over iMessage. And while your comments about the factual trust level of the user or their choices around iCloud backups and password protection is always the base consideration—-beeper is being additionally introduced, possibly using a wholly unprotected iOS device along with their own cloud storage of the content.
So the attack surface now includes not only the recipient and their trustworthiness and opsec in using the apple product but the entire opsec of this third party service.
Dialing it up to, “well prism” or “trust of the other person” deliberately ignores my point which is beeper is being added as a listener in an opaque way to the iMessage user.
When I say practical expectation, I am not worried about my contacts copying and pasting a conversation. They might but there would be a reason and I’m not worried about some kind of betrayal.
Nor am I overtly concerned about a contact having their iCloud backup stolen and read. There are fairly robust measures Apple takes to prevent this including mandatory 2FA. It would take true determination.
However this is marketed as an innocuous gateway for iMessage and it isn’t. As I mentioned above Beeper takes no responsibility for the loss of data and does not bear much reprisal if they leaked data. They can’t because it’s a startup.
> deliberately ignores my point which is beeper is being added as a listener in an opaque way to the iMessage user.
I'm ignoring that point because I disagree it's a valid point that's worth making or acknowledging.
iCloud backups are added in an opaque way to the iMessage user. Screenshots happen in an opaque way to the iMessage user. And while you'll get a blue bubble in iMessage when sending over SMS, you won't see that until after you start the conversation. The point is, if you don't trust someone to have a secure phone, that's a talk you need to have with that person, it's not a problem with the Matrix protocol.
If you think that Matrix presents a novel, undetectable way to exfiltrate data, then you trust iMessage too much and you should rethink your approach to secure communication. Thinking in terms of, "the bubble is green so my contact can't be doing anything weird" is the wrong way to think about security. Don't do that.
Especially since, again, you should not be using iMessage for seriously private conversations in the first place, you should be using Signal, or in a pinch (ironically) Matrix/Element itself, since both platforms actually have full E2E encryption that forces users to validate sessions and doesn't break itself by default.
It's fine for you to be skeptical about the security of this company, but if you think it breaks some taboo or compromises your phone in some unique way just because it's a bridge, then you're putting too much faith in Apple and approaching message security from the wrong perspective.
> possibly using a wholly unprotected iOS device
Just as a sidenote, this in particular is weird to me. Your argument is based on the idea that you trust Apple. But Apple is the one that makes messages from those old devices show up green. If your argument is that they might be unpatched, shouldn't you bring that up with Apple and ask them to start requiring updates to be installed before green bubbles appear in chat?
Why is it Matrix's fault that Apple considers old iPhones to be secure?
I co-founded one of the first consumer-focused, secure messaging startups. I’m more than familiar with what it takes to have probably secure comms over text.
I also know that people so tin foil hat about security can never be satisfied and that this hamstrings UX and resulting in lesser use and less used secure tools.
So there is a happy medium and there’s reasonable protection to cover 96 or more % of consumer comms.
Is iMessage secure? Maybe enough to send an SSN, but maybe not to send bank info. Would I send either over sms? Nope. That’s a call anyone can make on their own.
I don’t like this service hooking into iMessage. I don’t like the always connected jailbroken phone bridge idea.
I do think apple, of all consumer products companies, has made privacy and security core values and, at least for now, I trust the company.
I don't care how matrix is involved in the beeper’s bridge functionality nor am I evaluative of the technology.
I don’t know beeper, and don’t want the product hooking into my contacts’ end of our iMessage comms.
> I don’t like the always connected jailbroken phone bridge idea. [...] I don’t know beeper, and don’t want the product hooking into my contacts’ end of our iMessage comms.
At the end of the day though, that's a conversation you have to have with your contacts. The fact is that your contacts may jailbreak their phones already, and they'll still show up as green bubbles, and at some point you'll either trust your contacts to be secure with the tools that are provided to them or you won't.
It is not Beeper's job to sort all of this out for you. It's not their problem that you dislike people jailbreaking their phones, that's a personal choice you can make about who you communicate with.
To jump from, "I would prefer not to communicate with jailbroken iPhones or bridged services" to "this program is comparable to malware" is a massive leap in logic and a dismissal of personal responsibly. People have the right to jailbreak their phones and to use services that securely bridge their communication platforms, and if your security model requires you to avoid communicating over those channels, that's a personal choice you can make by checking with the people you communicate with and talking to them about security.
As to why these messages show up as green, it's because Apple doesn't have a visual indicator of jailbroken phones in iMessage, and because Apple allows old phones running old firmware/software to show up as green, and if you have a problem with that then you should take it up with Apple. Beeper didn't write iMessage, they're not the reason why the messages are green.
> So there is a happy medium and there’s reasonable protection to cover 96 or more % of consumer comms.
And if that happy medium for most users ends up including bridged services? What then?
What line are you drawing that says it's OK for Apple to avoid notifying you in iMessage about contacts with outdated firmware, but critically important that they let you know a contact is bridging? You're comparing this app to malware based on a completely subjective, personal security criteria -- one that it doesn't look like most other people share with you.
It's fine for you to be uncomfortable with bridges, but it's not fine for you to claim they're some kind of unique/novel threat that compromises iMessage when iMessage is already willingly making similarly large security compromises in other areas -- compromises that are also just as opaque to end users as Beeper is.
