Three ways the European Union might ruin WhatsApp

Platformer is an independent newsletter from Casey Newton that follows the intersection of Silicon Valley and democracy. Subscribe here.

Today, let's talk about Europe's aggressive move to require big online messaging services to be interoperability, and see howWhatsApp is thinking about the conflicting mandates it is receiving from regulators.

The people regulating technology companies in Europe have two big ideas. One way to make it easier to compete with tech giants is to force them to play nicely with other people. Data privacy is of paramount concern, and any data sharing between corporations is to be treated with suspicion.

It is not clear how regulators know that these ideas are often in conflict. It doesn't feel hyperbolic to say that the future of end-to-end encryption hangs in the balance at the moment.

I feel like a tedious party guest because I always steer the conversation back to my pet issue when I write about global threats to encryption. The ability to communicate privately in a world of ubiquitous expanding surveillance and data retention is one of the reasons why it all matters.

The Digital Markets Act is a landmark piece of legislation that would change the way in which tech giants compete with their rivals. The act applies to platforms that have a market cap of at least 75 billion or more in European revenue. Yes to both of them, but not to Signal and Telegram.

Among many other provisions, the DMA would likely bar Amazon from using data from its third-party sellers to inform its own product development, and require the use of alternatives to search and email.

The current text of the agreement is not available for public inspection. The last time I wrote about the European Union's legislative process, I had to publish corrections two days in a row. The final text of the law is still forthcoming, but my understanding is that what has been agreed upon is a rough framework for the law.

Legislation is being crafted in working groups and some of the language is leaking out and being posted to social media. Past public statements and previous draft legislation are how we know anything about Europe's plans for messaging apps.

Benedict Evans is the author of the draft proposal for interoperability.

“Allow any providers of [messaging apps] upon their request and free of charge to interconnect with the gatekeeper’s [messaging apps]. Interconnection shall be provided under objectively the same conditions and quality that are available or used by the gatekeeper, its subsidiaries or its partners, thus allowing for a functional interaction with these services, while guaranteeing a high level of security and personal data protection.”

Over the weekend, experts said that platforms might not be able to do this in a way that leaves messages secure. The law should allow for total interoperability without creating any privacy or security risks, as Alex Stamos put it to me.

The problems are simple enough that Corin Faife captured them.

Given the need for precise implementation of cryptographic standards, experts say that there’s no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.

“Trying to reconcile two different cryptographic architectures simply can’t be done; one side or the other will have to make major changes,” Bellovin said. “A design that works only when both parties are online will look very different than one that works with stored messages .... How do you make those two systems interoperate?”

Disdain for the new requirements is not universal; Matrix, a nonprofit organization working to build an open-source standard for encrypted communication, published a post Friday explaining some possible technical paths forward.

It's clear that there isn't a way for services like iMessage and WhatsApp to work together to preserve encryption.

It hasn't been built yet.

Platforms have so far had little to say about the DMA and interoperability due to the confusion over what exactly is being proposed. The giants did a lot of lobbying against the DMA. I did not get a response from Apple or Google.

I spoke to Will on Monday. End-to-end encryption has become the signature project of the company, both on the product side and the policy side.

I asked him how he was feeling about it.

I have a lot of concerns about whether this will undermine privacy, whether it will break a lot of the safety work we've done, and whether it will be good for us.

It's easy to dismiss these concerns as self-interested, because of the fact that WhatsApp is going to oppose opening its doors to allow other apps to integrate themselves into its own user experience. When I asked what would be so bad about it, his answers offered a lot of things for regulators and everyday users to worry about.

Among them.

• Spam. The centralized nature of WhatsApp lets it identify and remove spam before it hits your phone; it removes millions of accounts each month for trying. Third-party services that connect to WhatsApp might not be as aggressive, or might openly accept spam. “We’ve seen a lot of apps that just go out and market themselves as bulk messaging on the WhatsApp network,” Cathcart said. “What happens when one of those comes in and wants to interoperate?”
• Misinformation and hate speech. WhatsApp adopted forwarding limits to limit the viral spread of messages there after it was used to promote election hoaxes and violence; third-party services may be under no obligation to do so. Would a WhatsApp forwarding service be allowed to use the API? Would WhatsApp be required to let it?
• Privacy. WhatsApp can guarantee users end-to-end encryption, and that its new disappearing messages actually get deleted, because it can see the entire chain of communication. It won’t be able to see what third-party apps do with messages after they’re delivered, though, raising fears that users could be exploited.

How much of this do European regulators know?

It's hard to say without knowing what they decided. Did they consult with security experts? The reactions from a bunch of security experts seem to suggest that they weren't consulted.

It is worth asking what interoperability will do to make the messaging market more competitive. Email is an open, consensual standard and has been for decades, but today, Apple, Google, and Microsoft own around 90 percent of the market. Even without interoperability, the market for messaging apps is much more dynamic.

Companies can add features more quickly if they don't have to create open APIs to support them. Two years ago, it was said that mandated interoperability would be an own goal of huge proportions for regulators, since the end effect would be to ossify the market.

I'm not completely immune to the lure of interoperability. The idea of having fewer places to send and receive messages is appealing to someone who spends most of their day switch between inboxes. I'm open to the idea that upstarts could use access to the likes of iMessage,WhatsApp and the like to put innovations in front of users faster than the typically slower- moving tech giants, and grow more quickly as a result.

Europe's push for increased competition and maximum user privacy feels like a case of one hand not knowing what the other is doing. Almost no one I have talked to or read about believes you can do both in the way that the EU has proposed. Privacy, misinformation, hate speech, and other danger zones may be open to new vulnerabilities if a solution is materialized.

Trying to solve old problems without trying to create new ones is always a matter of regulation. Developing a deep technical understanding of the issues at stake and discussing them with experts in public is what it takes to do that successfully. The European Union has not shown much evidence of doing either.

It's going to have to change soon to have a real future.