Download all your Google account data and find out.
The NSA certainly does keep a copy regardless.
this post was submitted on 19 Aug 2025
43 points (97.8% liked)
Privacy
41376 readers
577 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
Also the ISP, all three US mobile providers are currently in legal battles about selling user data, which is then bought by EVERYBODY
Meanwhile I applied for reimbursement on my failing Pixel 6a battery and Google keep asking for proof that I own this phone. They won't even allow it on RCS. The trust issue goes both ways.
I do find it suspicious that governments are targeting Signal's E2E encryption but not RCS, FB Messenger or WhatsApp. It's clear which ones are compromised.
FB messenger and WhatsApp use the same encryption on the message content. The difference is metadata. FB and WhatsApp keep all metadata of who users contact and when.
Short answer: Yes
If you're able to successfully navigate the fucking maze of settings both on your device and your account, and stay up to date when Google silently opts you into new "features" so you can opt out of them, then probably not. But honestly, no one knows except Google, and they've given you every reason not to trust them.
In regards to RCS, probably the same as every other quasi-private messaging platform: the content of your messages is encrypted and private, but your social graph, who you talk to, when, and how often, is property of the corporation. Or if you're messaging someone on a Samsung or Apple device, then multiple corporations.
Of course they do.
And if they don't, someone else does.
Google software is not secure, nor are they interested in preserving anyone's privacy against third parties or honoring their own terms about data sharing.
Your shit is everywhere.
Linux also is not secure if you install random open source packages without audit though.
Who mentioned linux?
linux is the only alternative to android when it comes to computing. I consider ms-windows a non-option.
So you started another conversation. Gotcha.
I’ve read that the encryption keys are stored on Google servers. If so, they could decrypt them if they wanted.
Exactly! If you don't hold the encryption key (private), then it's not really secure.
Always assume Google is stealing all your data possible
I know that SMS and MMS text messages are transmitted unencrypted, but are RCS text messages different? Serious question.
MMS is not a text message, it's a media message (that's what the M stands for).
Yes, RCS chats are encrypted (supposedly)
MMS is not a text message, it’s a media message (that’s what the M stands for).
See, that's interesting because I was always taught that "text message" is just an overarching term used to describe SMS and MMS. The notion that a text message is a synonym of SMS and only SMS is a new one to me!
Yes, RCS chats are encrypted (supposedly)
Good to know! Do you happen to know if the decryption keys are stored offline or on the carrier's end? Because if the latter, then okay it's more secure than SMS or MMS but only in the sense that some encryption is better than none. Lol.
I mean it's in the name. A message containing media and not text is simply not a text message. Many people use them incorrectly but it's literally in the name.
RCS is (supposedly) E2EE so keys are stored locally.
I mean it’s in the name. A message containing media and not text is simply not a text message. Many people use them incorrectly but it’s literally in the name.
Hey, I get it now. Lol. I was just explaining what my mindset was.
RCS is (supposedly) E2EE so keys are stored locally.
Well, you can have E2EE with keys stored server-side. It's just kind of pointless from a security/privacy standpoint, but I've seen it happen.
No you cannot. E2EE = end to end encrypted. If it can be decrypted from anywhere other than a sender or recipient (the ends) then it's not E2EE.
You are clearly misunderstanding me.
If the keys are stored server-side, that means it's stored by either the "sender or recipient". The server is among those two options.
I am not misunderstanding you. You just do not understand what E2EE means. Th server is not a sender or a recipient. It is not an "end".
Okay, so, originally, I was going to look it up to prove you wrong, but after looking it up across multiple sources, it seems that you're right and I'm wrong.....mostly.
How-To Geek, Proton, and CloudFlare all mirror what you say.
However, the Wikipedia page section "Definitions" does back me up somewhat. It says:
The term "end-to-end encryption" originally only meant that the communication is never decrypted during its transport from the sender to the receiver.[23] For example, around 2003, E2EE was proposed as an additional layer of encryption for GSM[24] or TETRA,[25] ... This has been standardized by SFPG for TETRA.[26] Note that in TETRA, the keys are generated by a Key Management Centre (KMC) or a Key Management Facility (KMF), not by the communicating users.[27]
Later, around 2014, the meaning of "end-to-end encryption" started to evolve when WhatsApp encrypted a portion of its network,[28] requiring that not only the communication stays encrypted during transport,[29] but also that the provider of the communication service is not able to decrypt the communications ... This new meaning is now the widely accepted one.[30]
(Relevent text is embolded.)
So, I'm not misunderstanding, just misinformed that the definition changed.
Make no mistake, of course: I do appreciate you correcting me as I hadn't realized the definition had changed. Lol.
If you login with Google on your phone with an OS made by Google then you can expect ALL the content on that phone to be potentially at least processed by that company which might including sending back data in some form.
That's not just Google or Microsoft, it's any operating system. The OS can see everything you can see and more. If you do not trust the maker of the OS then you have a problem that no application ran by that OS can solve. encryption in all its forms, e.g. encrypted disk, E2EE or homomorphic encryption do not matter if you are on an "end" (e.g. your phone or desktop) that you do not trust.
Yep.
As the Messages RCS implementation is supposedly E2EE from device to device; No. It is not possible that a log of your messages' contents are being kept.
Can it stop them from storing your encrypted messages to decrypt later if law enforcement should be able to confiscate your phone and extract the encryption key? Also No. It is not possible for E2EE to prevent "Store ciphertext and decrypt later" attacks.
It also cannot prevent companies from logging who you are conducting an encrypted conversation with; even if the contents cannot be seen and this information cannot be used to infer anything about the contents. It cannot stop companies from making inferences about your messaging activity due to timing of messages sent or who they are sent to.
If these kinds of attacks are on your threat model; you need to ensure you are not sending messages or information via electronic means via your phone to begin with, wherever possible.
It is absurd to assume that they have backdoored the RCS protocol without proof or evidence. This isn't saying it's a verifiably secure or private protocol; but I think you could trust an E2EE RCS message for long enough to help you get someone else onboarded on to Signal or another more properly encrypted messenger without needing to worry about being put on a watch list. I would trust it with my grocery list or trivial communications with family; even if I wouldn't trust it with my truly personal or private conversations.