On March 24th, EU governing bodies announced that they had reached a deal on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act. The most eye-catching measure in the bill would require every large tech company to have a market cap of more than 75 billion dollars or a user base of more than 45 million people. Security experts worry that allowing end-to-end messaging services like WhatsApp to mingle with less secure protocols will undermine hard-won gains in the field of message encryption.
The main focus of the DMA is a class of large tech companies termed “gatekeepers.” Gatekeepers are large tech companies defined by the size of their audience or revenue and the structural power they are able to wield against smaller competitors. The government is hoping that the new regulations will allow smaller businesses to compete. It could mean letting users install third-party apps outside of the App Store, or requiring messaging apps to send texts across multiple protocols.
It will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users, and this could pose a real problem for services promising end-to-end encryption. Signal is small enough that it wouldn't be affected by the DMA provisions, but it is owned by Meta and it uses the Signal protocol. The result could be that some of the end-to-end messaging security is weakened or removed, robbing a billion users of the protections of private messaging.
There is no simple fix that can reconcile security and interoperability for messaging services, given the need for precise implementation of ciphers. Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University, said that there would be no way to combine different forms of encryption across apps.
One side or the other will have to make major changes in order to reconcile two different architectures. How do you make those two systems work together?
“Trying to reconcile two different cryptographic architectures simply can’t be done”
Making different messaging services compatible can lead to a lowest common denominator approach to design, in which the unique features that made certain apps valuable to users are stripped back until a shared level of compatibility is reached. If one app doesn't support multi-party communication and another does, the communication between them would need to be dropped.
Another approach suggested by the DMA is one in which messages sent between two platforms with incompatible encryption schemes are re-encrypted when passed between them.
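Re-encrypting a message at the boundary between two platforms means the bridge first has to decrypt it. The Python sketch below is an added example, not part of the original article, that contrasts a relay carrying an end-to-end message with a re-encrypting bridge; the HMAC-based toy cipher, the two hash functions standing in for incompatible schemes, and all names and keys are constructed for illustration.

```python
import hmac, os

def _keys(key, digest):
    # Derive separate encryption and MAC keys from one shared secret.
    return (hmac.new(key, b"enc", digest).digest(),
            hmac.new(key, b"mac", digest).digest())

def _xor_stream(enc_key, nonce, data, digest):
    # Toy stream cipher: HMAC in counter mode. Illustration only, not for production.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), digest).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext, digest):
    enc_key, mac_key = _keys(key, digest)
    nonce = os.urandom(12)
    ct = _xor_stream(enc_key, nonce, plaintext, digest)
    return nonce, ct, hmac.new(mac_key, nonce + ct, digest).digest()

def unseal(key, box, digest):
    enc_key, mac_key = _keys(key, digest)
    nonce, ct, tag = box
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, digest).digest()):
        raise ValueError("authentication failed")
    return _xor_stream(enc_key, nonce, ct, digest)

def bridge_relay(box, key_sender_side, key_recipient_side):
    # The bridge must decrypt under platform A's scheme ("sha256" here) before it
    # can re-encrypt under platform B's ("sha512"), so the plaintext exists here.
    exposed = unseal(key_sender_side, box, "sha256")
    return seal(key_recipient_side, exposed, "sha512"), exposed

def demo():
    msg = b"meet at 6pm"                     # constructed sample message
    k_ab = os.urandom(32)                    # end-to-end: only Alice and Bob hold this
    k_a_bridge, k_bridge_b = os.urandom(32), os.urandom(32)
    # Case 1: end-to-end. A relay that lacks k_ab cannot open the message.
    e2e_box = seal(k_ab, msg, "sha256")
    try:
        unseal(k_a_bridge, e2e_box, "sha256")
        relay_read_e2e = True
    except ValueError:
        relay_read_e2e = False
    # Case 2: bridged. Each hop is encrypted, yet the bridge reads the message.
    out_box, exposed = bridge_relay(seal(k_a_bridge, msg, "sha256"), k_a_bridge, k_bridge_b)
    return {"relay_read_e2e": relay_read_e2e, "bridge_saw": exposed,
            "bob_got": unseal(k_bridge_b, out_box, "sha512")}
```

In the bridged case both hops are encrypted and authenticated, but confidentiality now depends on the bridge operator as well as the two endpoints.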
Alec Muffett, an internet security expert and former Facebook engineer, told The Verge that it would be a mistake to think that Apple, Google, Facebook, and other tech companies were making identical and interchangeable products that could easily be combined.
If you went to McDonald's and said, "In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order," they would just stare at you. Is it possible for McDonald's to serve sushi to the customer? Was the person delivering the goods legitimate? Was it prepared well?
Muffett and others argue that by demanding interoperability, users of one service are exposed to vulnerabilities that may have been introduced by another service. Overall security is only as strong as the weakest link.
Another concern raised by security experts is the problem of maintaining a coherent set of identifiers that are used to designate different devices in a network. Doing a good job of identity management is essential to maintaining security because the basic principle of encryption is that messages are encrypted in a way that is unique to a known identity.
Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, spoke about how to tell your phone who you want to talk to. This is a privacy and security nightmare if the goal is for all of the messaging systems to treat each other the same.
“There is no way to allow for end-to-end encryption without trusting every provider to handle the identity management”
Some security experts have responded negatively to the DMA. Some of the objections shared by Muffett and Stamos have been addressed in a project called Matrix.
The post acknowledges the challenges that come with mandated interoperability but argues that the benefits will come from challenging the tech giants.
In the past, the effort of interoperability was dismissed as not being worth it.
With users happy to centralize trust and a social graph in one app, it's unclear whether the top-down imposition of cross-platform messaging is mirrored by demand from below.
Alex Stamos said that iMessage already has interop and that users dislike it.