{"id":18620,"date":"2022-03-29T10:45:37","date_gmt":"2022-03-29T18:45:37","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/03\/29\/news-12353\/"},"modified":"2022-03-29T10:45:37","modified_gmt":"2022-03-29T18:45:37","slug":"news-12353","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/03\/29\/news-12353\/","title":{"rendered":"Forcing WhatsApp and iMessage to Work Together Is Doomed to Fail"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62432d8648046e8802c9c4fb\/master\/pass\/032822_WhatsAppiMessage.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Tue, 29 Mar 2022 16:06:52 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/matt-burgess\">Matt Burgess<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">The newest law<\/span> designed to rein in Big Tech aims to make all your favorite messaging apps work seamlessly together. Sounds great, right? Well, we have some bad news.<\/p>\n<p class=\"paywall\">Every day, billions of messages are sent using <a href=\"https:\/\/www.wired.com\/2014\/11\/hacker-lexicon-end-to-end-encryption\/\">end-to-end encryption<\/a>.
Millions of people use iMessage, WhatsApp, and Signal to chat with friends, family, and colleagues, and those conversations are all automatically protected by strong encryption. But it\u2019s not possible to send a message from one encrypted app to another. If you use <a href=\"https:\/\/www.wired.com\/story\/signal-tips-private-messaging-encryption\/\">Signal<\/a> and your friends only use <a href=\"https:\/\/www.wired.co.uk\/article\/whatsapp-tricks-encryption\">WhatsApp<\/a>, someone has to compromise.<\/p>\n<p class=\"paywall\">Under the European Union\u2019s wide-ranging <a href=\"https:\/\/www.wired.com\/story\/digital-markets-act-messaging\/\">Digital Markets Act (DMA)<\/a>, which European lawmakers approved last week and is expected to be implemented this year, the owners of messaging apps will be required to make them interoperable if another company requests that they do so. As a result, the largest messaging platforms\u2014including WhatsApp, Facebook Messenger, and iMessage, which the DMA designates as gatekeepers\u2014will have to open up to rivals.<\/p>\n<p class=\"paywall\">\u201cUsers of small or big platforms would then be able to exchange messages, send files, or make video calls across messaging apps, thus giving them more choice,\u201d the lawmakers <a data-offer-url=\"https:\/\/www.europarl.europa.eu\/news\/en\/press-room\/20220315IPR25504\/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.europarl.europa.eu\/news\/en\/press-room\/20220315IPR25504\/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users&quot;}\" href=\"https:\/\/www.europarl.europa.eu\/news\/en\/press-room\/20220315IPR25504\/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users\" rel=\"nofollow noopener\" target=\"_blank\">said in an announcement<\/a>. 
Under the plans, Signal could ask to work with Messenger, for instance. Or Meta could request that WhatsApp be made compatible with iMessage\u2014a logistical challenge even if Meta and Apple weren\u2019t <a data-offer-url=\"https:\/\/www.nytimes.com\/2021\/04\/26\/technology\/apple-facebook-feud.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.nytimes.com\/2021\/04\/26\/technology\/apple-facebook-feud.html&quot;}\" href=\"https:\/\/www.nytimes.com\/2021\/04\/26\/technology\/apple-facebook-feud.html\" rel=\"nofollow noopener\" target=\"_blank\">actively feuding<\/a>, but one EU lawmakers say is worth solving.<\/p>\n<p class=\"paywall\">Proponents of interoperability say the law will give consumers more choice and will allow third-party clients to build out extra functions. And while MEP Andreas Schwab, the lead negotiator for the DMA, says that the politicians are not looking to weaken encryption, cryptography experts are concerned the proposals will not be technically possible without compromising end-to-end encryption, potentially putting those billions of messages we send each other every day at risk.<\/p>\n<p class=\"paywall\">While end-to-end encryption has become seamless for people using messaging apps, no two apps implement encryption identically. WhatsApp <a data-offer-url=\"https:\/\/www.whatsapp.com\/security\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.whatsapp.com\/security&quot;}\" href=\"https:\/\/www.whatsapp.com\/security\" rel=\"nofollow noopener\" target=\"_blank\">uses a custom version of the Signal encryption protocol<\/a>, for example, but users still can\u2019t message each other across the apps. 
And while Apple\u2019s iMessage is interoperable with SMS, these standard text messages <a data-offer-url=\"https:\/\/support.apple.com\/en-us\/HT207006\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/support.apple.com\/en-us\/HT207006&quot;}\" href=\"https:\/\/support.apple.com\/en-us\/HT207006\" rel=\"nofollow noopener\" target=\"_blank\">aren\u2019t encrypted<\/a>.<\/p>\n<p class=\"paywall\">Many cryptographers and security experts have already pointed out <a data-offer-url=\"https:\/\/twitter.com\/AlecMuffett\/status\/1507134286255775749\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/AlecMuffett\/status\/1507134286255775749&quot;}\" href=\"https:\/\/twitter.com\/AlecMuffett\/status\/1507134286255775749\" rel=\"nofollow noopener\" target=\"_blank\">flaws<\/a> <a data-offer-url=\"https:\/\/twitter.com\/alexstamos\/status\/1507145126006587411\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/alexstamos\/status\/1507145126006587411&quot;}\" href=\"https:\/\/twitter.com\/alexstamos\/status\/1507145126006587411\" rel=\"nofollow noopener\" target=\"_blank\">in Europe\u2019s<\/a> <a data-offer-url=\"https:\/\/twitter.com\/benedictevans\/status\/1507246233181732867\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/benedictevans\/status\/1507246233181732867&quot;}\" href=\"https:\/\/twitter.com\/benedictevans\/status\/1507246233181732867\" rel=\"nofollow noopener\" target=\"_blank\">plan<\/a>. 
\u201cInteroperable E2EE [end-to-end encryption] is somewhere between extraordinarily difficult and impossible,\u201d Steve Bellovin, one of the world\u2019s leading cryptographers and a former chief technologist at the Federal Trade Commission, <a data-offer-url=\"https:\/\/twitter.com\/SteveBellovin\/status\/1507375010054348805\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/SteveBellovin\/status\/1507375010054348805&quot;}\" href=\"https:\/\/twitter.com\/SteveBellovin\/status\/1507375010054348805\" rel=\"nofollow noopener\" target=\"_blank\">tweeted<\/a> on Friday.<\/p>\n<p class=\"paywall\">\u201cWhen you start talking about different companies exchanging encrypted communications with one another, there are many serious considerations here that are extremely difficult to resolve,\u201d says Nadim Kobeissi, an applied cryptographer and founder of decentralized publishing platform Capsule Social. 
\u201cIt is very likely that there will be a serious degradation of the cryptographic techniques that will be necessary in order to accommodate this proposal,\u201d Kobeissi says.<\/p>\n<p class=\"paywall\">The proposals <a data-offer-url=\"https:\/\/www.europarl.europa.eu\/news\/en\/press-room\/20220315IPR25504\/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.europarl.europa.eu\/news\/en\/press-room\/20220315IPR25504\/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users&quot;}\" href=\"https:\/\/www.europarl.europa.eu\/news\/en\/press-room\/20220315IPR25504\/deal-on-digital-markets-act-ensuring-fair-competition-and-more-choice-for-users\" rel=\"nofollow noopener\" target=\"_blank\">put forward as part of the DMA<\/a>\u2014which has yet to be fully published\u2014don\u2019t include technical details on how interoperability would work, but officials say the changes should be rolled out over a number of years. Basic features such as messages between two people should be implemented three months after a tech company is asked to provide them; audio and video calls have a four-year deadline.<\/p>\n<p class=\"paywall\">\u201cMaking end-to-end encrypted messaging apps interoperable is technically challenging and creates real risks for privacy, safety, and innovation,\u201d Will Cathcart, Meta\u2019s head of WhatsApp, said in a statement. \u201cChanges of this complexity risk turning a competitive and innovative industry into SMS or email, which is not secure and full of spam,\u201d he says. 
In an <a data-offer-url=\"https:\/\/www.platformer.news\/p\/three-ways-the-european-union-might?s=w\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.platformer.news\/p\/three-ways-the-european-union-might?s=w&quot;}\" href=\"https:\/\/www.platformer.news\/p\/three-ways-the-european-union-might?s=w\" rel=\"nofollow noopener\" target=\"_blank\">interview with tech journalist Casey Newton<\/a>, Cathcart said the move could cause misinformation problems and moderation issues for WhatsApp. \u201cI have a lot of concerns around whether this will break or severely undermine privacy, whether it&#x27;ll break a lot of the safety work we&#x27;ve done that we&#x27;re particularly proud of, and whether it&#x27;ll actually lead to more innovation and competitiveness,\u201d he said.<\/p>\n<p class=\"paywall\">Apple did not respond to a request for comment about encryption but said it has general concerns that parts of the DMA will create \u201cunnecessary privacy and security vulnerabilities.\u201d Signal did not respond to a request for comment.<\/p>\n<p class=\"paywall\">Not everyone is against interoperability and end-to-end encryption. 
Matrix, a nonprofit that\u2019s building an open source standard for encryption, has published <a data-offer-url=\"https:\/\/matrix.org\/blog\/2022\/03\/29\/how-do-you-implement-interoperability-in-a-dma-world\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/matrix.org\/blog\/2022\/03\/29\/how-do-you-implement-interoperability-in-a-dma-world&quot;}\" href=\"https:\/\/matrix.org\/blog\/2022\/03\/29\/how-do-you-implement-interoperability-in-a-dma-world\" rel=\"nofollow noopener\" target=\"_blank\">multiple<\/a> <a data-offer-url=\"https:\/\/matrix.org\/blog\/2022\/03\/25\/interoperability-without-sacrificing-privacy-matrix-and-the-dma\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/matrix.org\/blog\/2022\/03\/25\/interoperability-without-sacrificing-privacy-matrix-and-the-dma&quot;}\" href=\"https:\/\/matrix.org\/blog\/2022\/03\/25\/interoperability-without-sacrificing-privacy-matrix-and-the-dma\" rel=\"nofollow noopener\" target=\"_blank\">blog posts<\/a> outlining how it believes the EU&#x27;s proposals could work. \u201cThe main challenge is the trade-off between interoperability and privacy for gatekeepers who provide end-to-end encryption,\u201d the team behind Matrix say.<\/p>\n<p class=\"paywall\">There are broadly two routes that could allow encryption to work across apps operated by different companies. The first involves tech companies allowing access to APIs that connect to their messaging services\u2014this is the option Schwab and lawmakers are leaning toward. The second involves more radical change: All companies would have to adopt and implement one universal encryption standard.<\/p>\n<p class=\"paywall\">Neither is easy.<\/p>\n<p class=\"paywall\">Connecting to an open API could involve a company using a \u201cbridge\u201d that joins the two platforms together. 
Signal would, for instance, have to implement multiple bridges if it wanted to work with different apps. \u201cEvery device has to speak every language, but at least users have the building blocks to get at each other\u2019s messages, rather than then being arbitrarily locked away by the gatekeepers,\u201d Ian Brown, a visiting professor at Funda\u00e7\u00e3o Getulio Vargas Law School in Rio de Janeiro, <a data-offer-url=\"https:\/\/interoperability.news\/2022\/03\/end-to-end-encrypted-group-chats-and-interoperability\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/interoperability.news\/2022\/03\/end-to-end-encrypted-group-chats-and-interoperability\/&quot;}\" href=\"https:\/\/interoperability.news\/2022\/03\/end-to-end-encrypted-group-chats-and-interoperability\/\" rel=\"nofollow noopener\" target=\"_blank\">wrote for Interoperability News<\/a>.<\/p>\n<p class=\"paywall\">Using a bridge would involve decrypting messages, potentially on someone\u2019s device, and then making them appear in the destination app. Removing the end-to-end encryption would open up a new layer that could be attacked by hackers or malicious actors. \u201cHow do you guarantee that the things sitting next to your messaging app are benevolent and not malicious,\u201d says Robin Wilton, director of internet trust at the Internet Society. Kobeissi adds that it\u2019s unclear under the proposals who would <a href=\"https:\/\/www.wired.com\/2014\/11\/hacker-lexicon-end-to-end-encryption\/\">manage the exchange of public encryption keys<\/a> and how cryptographic metadata would be shared between companies. If Signal and iMessage become interoperable, which one changes its encryption to match the other?<\/p>\n<p class=\"paywall\">One of the biggest unanswered questions is how interoperability would ensure you are chatting with the people you think you are. 
People use different usernames on each platform, and not knowing who someone is could lead to identity issues, explains Alan Duric, cofounder of encrypted messaging app Wire. \u201cIf you\u2019re communicating across Wire and WhatsApp, how can the Wire user be certain that the person they are talking to on WhatsApp is authentic?\u201d he says. \u201cHow can they be sure the person they&#x27;re talking to is even using WhatsApp at all?\u201d Duric says this can be combated by verifying each user&#x27;s identity, which can then help reduce abuse and spam.<\/p>\n<p class=\"paywall\">Those in favor of interoperability say the best way to do this would be for all companies to adopt one encryption standard and stick to it. These standards already exist\u2014for instance, the <a data-offer-url=\"https:\/\/matrix.org\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/matrix.org\/&quot;}\" href=\"https:\/\/matrix.org\/\" rel=\"nofollow noopener\" target=\"_blank\">Matrix messaging protocol<\/a>, the <a data-offer-url=\"https:\/\/xmpp.org\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/xmpp.org\/&quot;}\" href=\"https:\/\/xmpp.org\/\" rel=\"nofollow noopener\" target=\"_blank\">XMPP<\/a> standard, and the upcoming <a data-offer-url=\"https:\/\/messaginglayersecurity.rocks\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/messaginglayersecurity.rocks\/&quot;}\" href=\"https:\/\/messaginglayersecurity.rocks\/\" rel=\"nofollow noopener\" target=\"_blank\">Messaging Layer Security<\/a>. \u201cIf every player in the field\u2014so the gatekeepers but also the smaller player\u2014all connect to the same standard, it ends up being a big glue between the different services,\u201d says Amandine Le Pape, a cofounder of the Matrix standard. 
This would avoid companies implementing APIs via a piecemeal process, although this isn\u2019t what the European Union has opted for at the moment. \u201cThe DMA is just the first step,\u201d Le Pape says.<\/p>\n<p class=\"paywall\">Getting all messaging apps to use one standard would be a significant, time-consuming challenge. \u201cPotentially, you could just have a situation where everyone switches to Matrix,\u201d Kobeissi says. \u201cBut Matrix is a fundamentally different security architecture, not just from an end-to-end encryption perspective, but also from a threat modeling perspective.\u201d Each app faces different potential attacks against it\u2014based on its user base and operations\u2014so moving to one model would require companies to reassess how their users could be compromised.<\/p>\n<p class=\"paywall\">Companies would have to rebuild their entire encryption systems and change multiple features in their apps, a process that could take years. Take Meta: In 2019, the company said it was going to make Instagram DMs and Messenger end-to-end encrypted by default and integrate their infrastructure with WhatsApp. Three years later, the company is still trying to <a data-offer-url=\"https:\/\/techcrunch.com\/2021\/12\/01\/meta-explains-its-approach-to-user-safety-following-delayed-rollout-of-end-to-end-encryption\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/techcrunch.com\/2021\/12\/01\/meta-explains-its-approach-to-user-safety-following-delayed-rollout-of-end-to-end-encryption\/&quot;}\" href=\"https:\/\/techcrunch.com\/2021\/12\/01\/meta-explains-its-approach-to-user-safety-following-delayed-rollout-of-end-to-end-encryption\/\" rel=\"nofollow noopener\" target=\"_blank\">untangle its systems and add safety features<\/a>. 
The transition has been harder than expected\u2014and Meta controls all of the technology involved.<\/p>\n<p class=\"paywall\">Ultimately, how much companies change may come down to the technical realities and the degree of pressure the European Commission, which will enforce the DMA, puts on them. Like <a href=\"https:\/\/www.wired.co.uk\/article\/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018\">GDPR<\/a>, the DMA could lead to multimillion-dollar fines for businesses that don&#x27;t comply. However, GDPR has been poorly enforced\u2014including a provision that says people should be able to transport their data from one app to another. Tech companies may have no choice if the European Commission enforces the DMA\u2014but that could be the least of their worries.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/dma-interoperability-messaging-imessage-whatsapp\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62432d8648046e8802c9c4fb\/master\/pass\/032822_WhatsAppiMessage.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Tue, 29 Mar 2022 16:06:52 +0000<\/strong><\/p>\n<p>Europe\u2019s Digital Markets Act requires interoperability between popular messaging apps. 
But experts warn encryption could be compromised.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21382],"class_list":["post-18620","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-privacy"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18620"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18620\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}