On May 12, 2026, Apple released iOS 26.5, switching on end-to-end encrypted RCS messaging by default between iPhone and Android. Built on the Messaging Layer Security (MLS) protocol in the GSMA's RCS Universal Profile 3.0, the change means that, in Apple's words, encrypted RCS messages "can't be read while they're sent between devices" — not by carriers, not by Apple, not by Google. The Electronic Frontier Foundation called it a victory, "a significant step forward for the privacy of millions of conversations worldwide."
Predictably, the milestone reignited the perennial objection: that default encryption is a gift to criminals. The timing sharpens the question, because the same months produced an alarming surge in "digital arrest" fraud — a scam run largely over messaging and video-call apps, including end-to-end-encrypted WhatsApp. If encryption is the problem, this is where it should show. It doesn't.
The strongest case for lawful access
The argument for weakening encryption deserves a fair hearing. When a fraud network operates inside an encrypted channel, investigators cannot read the conversation where coercion happens, cannot reconstruct the script in real time, and cannot easily map who spoke to whom. India's government has leaned on exactly this point: its Attorney General told the Supreme Court that WhatsApp banned over 9,400 accounts tied to digital-arrest scams in a 12-week stretch beginning January 2026, and pressed for AI-based detection of officials being impersonated. Faced with grandmothers held on video calls for hours and drained of their savings, "give police a way in" is an understandable instinct, not a strawman.
What the scam actually requires
But look at the mechanics, and message secrecy turns out to be irrelevant to the crime. In a digital-arrest scam, the criminal wants to be heard. A victim receives a call — often from a spoofed number — from someone claiming to be a police officer, a tax agent, or a customs official. The target is told they are implicated in money laundering or drug trafficking and placed under "digital arrest": kept on a video call, forbidden from hanging up or contacting anyone, and pressured to transfer funds to a "safe account."
The FBI's own November 13, 2025 advisory describes the U.S. variant precisely. Criminals impersonating Chinese law enforcement and U.S. health insurers use "video communication software" to flash fake invoices and warrants, threaten extradition, demand "bail," and in some cases require victims to "maintain connectivity for video surveillance" around the clock. None of that depends on the platform hiding message contents from a third party. It depends on a convincing uniform, a forged document on screen, a spoofed caller ID, and a terrified person who has been isolated from anyone who might break the spell.
Encryption protects the contents of a message from outsiders. A digital-arrest scam is not an outsider intercepting a secret — it is the criminal addressing the victim directly. Breaking encryption for everyone would not have stopped a single one of these calls, because the fraudster is a party to the conversation, not an eavesdropper on it.
The numbers point at deception, not secrecy
The fraud is real and growing. The FBI's 2025 Internet Crime Report logged roughly $20.9 billion in reported losses, with Americans 60 and older losing about $7.7 billion. Government-impersonation complaints, the category that captures digital arrest, nearly doubled to about 32,500, with losses jumping from roughly $405 million to $797 million in a single year. The FBI attributes the spike to AI-driven voice and messaging tools that let scammers "impersonate officials at scale" — synthetic voices, deepfake video, and automation, not cryptographic protection.
That distinction matters for policy. The defenses that actually bite this fraud operate at the metadata and behavioral layer, which encryption leaves fully intact. WhatsApp's 9,400 bans came from spotting newly created accounts blasting unsolicited messages — a pattern visible without reading a word. Caller-ID authentication (the FCC's STIR/SHAKEN regime), bank-side transfer friction, in-app scam warnings, and public education all attack the spoofing and the fear, the parts that make the con work. Mandating a backdoor would do none of this while creating a master key that the very networks running these scams would race to steal.
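The metadata-layer detection described above can be sketched in a few lines. This is an added example, not WhatsApp's or any platform's actual logic: it flags the "new account, mass unsolicited messages" pattern from delivery metadata alone, and the field names, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed delivery metadata: no message bodies, only what a server
# relaying end-to-end encrypted traffic can still observe.
@dataclass(frozen=True)
class Event:
    sender: str
    recipient: str
    sender_age_days: int          # account age when the message was sent
    recipient_knows_sender: bool  # sender is in the recipient's contacts
    recipient_replied: bool

# Hypothetical thresholds, chosen for illustration only.
MAX_NEW_ACCOUNT_AGE_DAYS = 7
MIN_DISTINCT_RECIPIENTS = 5
MIN_UNSOLICITED_RATIO = 0.8
MAX_REPLY_RATIO = 0.2

def flag_bulk_unsolicited(events):
    """Return sorted sender IDs matching the new-account bulk pattern."""
    by_sender = defaultdict(list)
    for e in events:
        by_sender[e.sender].append(e)
    flagged = []
    for sender, evs in sorted(by_sender.items()):
        recipients = {e.recipient for e in evs}
        strangers = {e.recipient for e in evs if not e.recipient_knows_sender}
        repliers = {e.recipient for e in evs if e.recipient_replied}
        age = min(e.sender_age_days for e in evs)
        if (age <= MAX_NEW_ACCOUNT_AGE_DAYS
                and len(recipients) >= MIN_DISTINCT_RECIPIENTS
                and len(strangers) / len(recipients) >= MIN_UNSOLICITED_RATIO
                and len(repliers) / len(recipients) <= MAX_REPLY_RATIO):
            flagged.append(sender)
    return flagged

def sample_events():
    """Constructed sample: one bulk sender, one old contact, one new user."""
    events = [Event("acct-new-bulk", f"user{i}", 2, False, False) for i in range(6)]
    events += [Event("acct-old-friend", f"user{i}", 900, True, True) for i in range(6)]
    events += [Event("acct-new-legit", f"user{i}", 3, True, True) for i in range(2)]
    return events

if __name__ == "__main__":
    print(flag_bulk_unsolicited(sample_events()))
```

Every input to the decision is available to the platform whether or not message contents are encrypted.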
The proportionate conclusion
The RCS encryption rollout shows that strong, default protection can ship to hundreds of millions of ordinary users — exactly the people whom scammers, and occasionally over-broad surveillance, would otherwise expose. Digital-arrest fraud is a serious harm that demands a serious response. But it is a social-engineering crime wearing a digital costume, and the cure is to disrupt the deception: kill the spoofed numbers, slow the panic transfer, ban the bot accounts, warn the public. Weakening encryption to fight a scam that never needed broken encryption would trade everyone's security for no gain — protecting victims by stripping them of the one tool that genuinely keeps their private messages private.