Three ways the European Union can screw up WhatsApp

Today let’s talk about Europe’s aggressive move to demand that major online messaging services be interoperable, and see how WhatsApp feels about the conflicting orders it’s getting from regulators.

In Europe, there are currently two big ideas among the people who regulate technology companies. One is that it should be easier to compete with tech giants, and a good way to achieve this is to force their services to play well with others. Two is that user data privacy is paramount and data sharing between companies should be treated with the utmost suspicion.

It’s unclear to what extent regulators realize that these ideas often conflict in hugely important ways. But right now they are on an absolute collision course, and it doesn’t feel hyperbolic to say that the future of end-to-end encryption is at stake.

I’ve now written enough about global threats to encryption that I feel like a somewhat annoying party guest, always redirecting the conversation back to my pet issue, no matter what happens elsewhere. But the aftermath of the Russian invasion of Ukraine, which saw Moscow police stop anti-war protesters and search the messages on their phones, provided just the latest illustration of why it all matters: the ability to communicate privately in a world of ubiquitous, growing surveillance and data retention is of real, practical importance to almost all of us.

On Thursday, European officials reached an agreement on the Digital Markets Act, a groundbreaking piece of legislation that would reshape the way tech giants compete with their rivals. The law applies to what it calls “gatekeepers” – defined as any platform with a market capitalization of €75 billion, or more than €7.5 billion in European revenue. So: yes to WhatsApp and iMessage; no to Signal and Telegram.

Among many other provisions, the DMA would likely prohibit Amazon from using data from its third-party sellers to inform its own product development, and require Android to provide users with alternatives to Google Search and email.

I say “likely” because the current text of the agreement is not available to the public. I am never more at risk of making a mistake than when I write about the European Union’s legislative process; the last time I did, I had to post corrections two days in a row. But it is my understanding that what has been agreed is essentially a rough framework for the final law, and the final text is yet to come.

Working groups are now drafting the legislation; some of the language they are considering leaks out and gets posted on Twitter by different parties. Those leaks, combined with previous public statements and previous draft legislation, tell us something about Europe’s plans for messaging apps.

For example, what we know about the DMA’s plans for interoperability comes in part from Benedict Evans, who tweeted language from the draft proposal:

“Allow all providers of [messaging apps] at their request and free to connect to the gatekeeper’s [messaging apps]. Interconnection is provided under objectively the same conditions and quality available or used by the gatekeeper, its subsidiaries or its partners, allowing functional interaction with these services while guaranteeing a high level of security and protection of personal data.”

Over the weekend, cryptography experts raised the alarm over this idea, saying platforms may not be able to do it in a way that leaves messages encrypted. As Alex Stamos of the Stanford Internet Observatory put it to me, “Writing the law to say ‘You must allow total interoperability without creating privacy or security risks’ is like instructing doctors to cure cancer.”

The problems are clear enough; Corin Faife captured a few of them at The Verge:

Given the need for precise implementation of cryptographic standards, experts say there is no simple solution that can reconcile security and interoperability for encrypted messaging services. In fact, there would be no way to merge different forms of encryption in apps with different design features, said Steven Bellovin, an acclaimed Internet security researcher and professor of computer science at Columbia University.

“Trying to reconcile two different cryptographic architectures just isn’t possible; one side or the other will have to make big changes,” Bellovin said. “A design that only works when both parties are online looks very different from a design that works with saved messages…. How do you make those two systems work together?”

Contempt for the new demands is not universal; Matrix, a nonprofit organization working to build an open-source standard for encrypted communications, released a blog post Friday explaining some possible technical paths.

But it’s clear that, to the extent that there is a way for services like iMessage and WhatsApp to work with each other and maintain encryption, that way has yet to be invented.

At least, it has not been built yet.

In large part because of the confusion about what exactly is being proposed, platforms have had little to say about the DMA and interoperability thus far. (The giants have lobbied heavily against the DMA, but apparently without much success.) Apple and Google have not responded to my requests for comment.

But on Monday afternoon I spoke to WhatsApp chief Will Cathcart via Zoom. End-to-end encryption has become WhatsApp’s signature project under Cathcart, both on the product side (it rolled out encrypted backups last fall) and on the policy side (waging an ongoing legal battle to keep encryption in India).

I asked how he felt about the DMA as he understands it so far.

“I am very concerned about whether this will invade or seriously undermine privacy, whether it will break much of the security work we’ve done that we are particularly proud of, and whether it will actually lead to greater innovation and competitiveness,” Cathcart said.

It’s easy to dismiss these concerns as self-interest: of course WhatsApp is going to oppose opening its doors so that other apps can integrate themselves into its own user experience. But when I pressed Cathcart on what would be so bad about it, his answers provided plenty of things for regulators and everyday WhatsApp users to worry about.

Amongst them:

  • Spam. WhatsApp’s centralized nature allows it to identify and remove spam before it reaches your phone; it deletes millions of accounts every month for trying to send it. Third-party services that connect to WhatsApp may not be as aggressive or may openly accept spam. “We’ve seen a lot of apps that just go out and market themselves as bulk messages on the WhatsApp network,” Cathcart said. “What happens when one of them comes in and wants to collaborate?”
  • Misinformation and hate speech. WhatsApp introduced forwarding limits to curb the viral spread of messages after it was used to promote election hoaxes and violence; third-party services cannot be obliged to do the same. Would a WhatsApp forwarding service be allowed to use the API? Would WhatsApp be required to allow it?
  • Privacy. WhatsApp can guarantee users end-to-end encryption, and that the new disappearing messages are actually deleted, because it can see the whole communication chain. However, it won’t be able to see what third-party apps do with messages after they’ve been delivered, raising fears that users could be exploited.

How much of this do European regulators understand?

“It’s really hard to say without being able to see what they’ve decided,” Cathcart said. “I don’t know. Have they consulted extensively with security experts? The responses from a bunch of security experts I’ve seen suggest that at least those experts weren’t consulted.”

It’s also worth asking what interoperability will actually do to make the messaging market more competitive. Email is an open, interoperable standard and has been for decades; but today Apple, Google and Microsoft control about 90 percent of the market. Meanwhile, the messaging app market is much more dynamic even without interoperability: it includes apps from Meta, Telegram, Signal, Snap, and others.

In part, that’s because companies can add features faster if they don’t have to create open APIs to support them. Notably, Snap said two years ago that mandatory interoperability would be “an own goal of enormous proportions” for regulators, “since the ultimate effect would be to stiffen the market and close it off to innovative entrants.”

That said, I’m not completely immune to the temptation of interoperability. As someone who spends most of my day between inboxes, the idea of having fewer places to send and receive messages has a definite allure. And I’m open to the idea that upstarts could use access to APIs from iMessage, WhatsApp, and the like to bring innovations to users’ attention faster than the usually slower-moving tech giants, and grow faster as a result.

But Europe’s simultaneous drive for more competition and maximum user privacy feels like a clear case of one hand not knowing what the other is doing. The fact is that hardly anyone I’ve read or spoken to believes you can do both, at least not in the way the EU has proposed. And each solution that emerges could create worrying new vulnerabilities around privacy, misinformation, hate speech and other danger zones.

Regulation is always a matter of trying to solve old problems without creating too many new ones. But to do that successfully, you need to develop a deep technical understanding of the issues at stake and discuss them publicly with experts. So far, the European Union has not shown much evidence of either.

For encrypted messages to have a real future, that will have to change, and soon.
