The new law that will regulate the messaging application market in Europe is a threat to advances in the cryptography sector and could put the end-to-end encryption of WhatsApp and other messengers in check. This is the assessment of experts consulted by The Verge, which presented the challenges for the European Union’s Digital Markets Act (DMA) to come into force in 2022.
Last week, the EU moved towards passing the DMA — a law that could set a precedent for messengers like WhatsApp, Facebook Messenger and iMessage to be compatible with Telegram or Signal. The proposal provides that companies like Apple and Meta would have to open their applications to programs developed by smaller companies.
The EU bill would make it possible for a user to communicate via Telegram on PC with another user using iMessage on iPhone. Through the EU parliament, European governments hope to break the monopoly of Apple, Meta and Google — companies called “gatekeepers” — over messaging services.
But the DMA worries cryptographers interviewed by The Verge. They argue that it will be difficult, if not impossible, to maintain encryption between messaging applications with interoperability. They say that if the bill goes into effect, WhatsApp would have the system that keeps conversations private weakened or completely removed, negatively impacting 1 billion users.
Steve Bellovin, researcher and professor of Computer Science at Columbia University, says that it is not possible to make two different encryption systems compatible.
“Trying to reconcile two encryption architectures simply cannot be done; one way or the other, we would have significant changes. The design of when a messenger only works online is quite different from one that stores messages. How would you make it work?”
Steve Bellovin, Professor of Computer Science at Columbia
In the case of making two messengers compatible, one can reach the “minimum point” of the design to achieve interoperability. This means removing many features that attract users, such as encrypted messages for more than one platform.
Law may open a breach for spying on WhatsApp
The DMA proposes an alternative for two platforms with different encryption schemes: decrypting the message and re-encrypting it as it is transmitted. However, that would be the end of end-to-end encryption, because the message would exist in readable form at the point of conversion, and it would create a third-party eavesdropping vulnerability.
Former Facebook engineer and web security expert Alec Muffett says it’s a mistake to believe that Apple, Google and Meta will make identical, highly compatible products with smaller services.
Muffett, who helped Twitter create a version of the social network for the Tor browser, says that each messenger is responsible for its own security and, by requiring them to be compatible, the vulnerability of one ends up affecting the protection of the other.
Another encryption-related concern is maintaining the “namespace” of devices on the network. This mechanism classifies and differentiates devices and gives messages a unique code in the application’s security system.
“How do you tell your device who you want to talk to? And how does it find that contact?” asks Alex Stamos, director of Stanford’s Internet Observatory and former head of security at Facebook. He continues:
“There is no way to allow end-to-end encryption without trusting that all providers can keep the identity of accounts… if the purpose of messengers is to treat every user exactly the same, then we will have a privacy and security nightmare.”
But not all experts were critical of the European Union bill. Matthew Hodgson, co-founder of Matrix — an initiative that seeks to develop an open source communication standard — wrote in a note that the DMA challenges the closed ecosystem of big tech. In his view, the risks would therefore be smaller than the benefits.
“In the past, gatekeepers (Meta, Apple, and Google) have been against interoperability because they didn’t think it was worth it,” Hodgson commented to The Verge. “After all, the pattern is to build a wall and, once you’ve built it, try to house as many users as possible.”