On May 11, 2026, the most consequential US encryption policy event of the year arrived without a single new statute. Apple and Google began rolling out default end-to-end encrypted (E2EE) RCS messaging in beta — iOS 26.5 for iPhones on supported carriers, the latest Google Messages on Android. For the first time, a text between an iPhone and an Android phone can be encrypted such that, in Apple's words, "encryption is on by default," with a lock icon marking secured chats. Google's announcement confirmed the same default-on posture across the two ecosystems.
This is a genuine privacy milestone, and it is worth being precise about why. The cross-platform text — the "green bubble" conversation that hundreds of millions of Americans send daily — had been the last mass-market messaging channel still readable in transit by carriers and platforms. That gap is now closing by default, not by opt-in, for ordinary users who will never read a privacy policy.
A standard, not a statute, did the work
The technical engine here is the GSMA's RCS Universal Profile 3.0, published March 14, 2025, which specifies how to apply the IETF's Messaging Layer Security (MLS) protocol inside RCS. The GSMA's own framing is the headline policymakers should absorb: "RCS will be the first large-scale messaging service to support interoperable E2EE between client implementations from different providers." Interoperable is the operative word. Signal and WhatsApp are strongly encrypted, but only within their own walls. RCS encrypts across competing implementations from competing companies — an engineering problem that the standards process, not Congress, solved.
That sequence matters for the policy debate. For a decade, the dominant US legislative instinct on encryption has pulled the other way — toward mandated access. The EARN IT Act, reintroduced across multiple Congresses, would have stripped Section 230 protections in ways critics argued created liability pressure to weaken or abandon E2EE. The premise of that approach is that strong encryption is a problem to be managed by law. The RCS rollout is a working counter-example: the market and a standards body delivered privacy at population scale, on their own timeline, because users and platforms demanded it.
Steelmanning the case for lawful access
The strongest argument against ubiquitous default encryption deserves a fair hearing. Law enforcement's "going dark" concern is real: when E2EE becomes the default for billions of messages, lawfully authorized warrants increasingly return ciphertext, and investigations into child exploitation, terrorism, and organized crime lose a source of evidence they once had. The FBI's proposed "responsibly managed encryption" is an attempt to square that circle — to preserve lawful access without, in its telling, building a crude backdoor. No serious analyst should dismiss the underlying public-safety interest.
But the case for mandated access collapsed on contact with reality in 2024. The PRC-linked Salt Typhoon campaign breached US telecom carriers — including AT&T, Verizon, and Lumen — and reached the very lawful-intercept systems that carriers are required to maintain under the 1994 Communications Assistance for Law Enforcement Act (CALEA). The FBI reported the operation hit targets in more than 80 countries. The government's response was telling: on December 3, 2024, CISA issued hardening guidance urging traffic be "end-to-end encrypted to the maximum extent possible," and FBI and CISA officials advised Americans to move to encrypted messaging apps. The same agencies that had warned about encryption were now recommending it.
Salt Typhoon is the empirical refutation of the backdoor compromise. A lawful-access mechanism is, by construction, a deliberately engineered point of decryption — and as the breach demonstrated, a system built to be accessed by the right people is also a system that can be accessed by the wrong ones. There is no golden key that opens only for warrants. The EFF, calling the RCS launch a "victory," put the broader stakes plainly: with default E2EE, "neither Google, Apple, nor the cellular carriers have access to the contents of messages." That is precisely the property Salt Typhoon could not defeat.
What proportionate policy looks like now
None of this means the work is finished, and honest advocates should say so. The EFF flags real limits: metadata is still collected, cloud backups may sit unencrypted absent protections like Apple's Advanced Data Protection, and the rollout remains a carrier-dependent beta. Encryption claims also need policing — Texas's May 2026 suit against Meta alleging WhatsApp's E2EE is overstated drew criticism for thin factual support, but it underscores that "encrypted" must mean what it says.
The policy lesson is about humility. Washington's most productive role in encryption is not to mandate access but to get out of the way of the standards process, fund the deployment of strong cryptography across critical infrastructure, and align procurement with the security advice its own agencies now give. The RCS rollout proves that proportionate, pro-innovation policy — letting industry and standards bodies ship privacy by default — protects more Americans, faster, than any access mandate ever could. The government's own pivot after Salt Typhoon is the strongest endorsement of that approach on the record.