Three ways the European Union might ruin WhatsApp – The Verge

Posted on by

Today, lets talk about Europes aggressive move to require big online messaging services to be interoperable, and see how WhatsApp is thinking about the contradictory mandates its receiving from regulators.

In Europe, two big ideas currently hold sway among the people regulating technology companies. One is that it should be easier to compete with tech giants, and that a good way to accomplish this is to force their services to play nicely with others. Two is that users data privacy is of paramount concern, and any data sharing between corporations is to be treated with the utmost suspicion.

Its unclear the extent which regulators realize that, in hugely important ways, these ideas are often in conflict. But at the moment they are on an absolute collision course, and it doesnt feel hyperbolic to say that the future of end-to-end encryption hangs in the balance.

I have now written about global threats to encryption enough that I feel like a somewhat tedious party guest, always steering the conversation back to my pet issue no matter what else is happening elsewhere. But the aftermath of Russias invasion of Ukraine, in which Moscow police stopped antiwar protesters and rifled through the messages on their phones, offered only the latest illustration of why it all matters: the ability to communicate privately in a world of ubiquitous expanding surveillance and data retention is of real, practical importance to almost all of us.

On Thursday, European officials reached an agreement on the Digital Markets Act, a landmark piece of legislation that would reshape the ways in which tech giants compete with their rivals. The act applies to what it calls gatekeepers defined as any platform that has a market capitalization of 75 billion, or more than 7.5 billion in European revenue. So: yes to WhatsApp and iMessage; no to Signal and Telegram.

Among many other provisions, the DMA would likely bar Amazon from using data from its third-party sellers to inform its own product development, and require Android to offer users alternatives to Google search and email.

I say likely because the current text of the agreement is not available for public inspection. I never feel more at risk of making an error than I do writing about the European Unions legislative process; the last time I did so I had to publish corrections two days in a row. But my understanding is that what has been agreed upon is essentially a rough framework for the eventual law, and the final text is still forthcoming.

Meanwhile, legislation is now being crafted in working groups; some of the language they are considering is leaking out and being posted to Twitter by various parties. Those leaks, combined with past public statements and previous draft legislation, is how we know anything about Europes plans for messaging apps.

For example, what we know about the DMAs plans for interoperability comes in part from Benedict Evans tweeting language from the draft proposal:

Allow any providers of [messaging apps] upon their request and free of charge to interconnect with the gatekeepers [messaging apps]. Interconnection shall be provided under objectively the same conditions and quality that are available or used by the gatekeeper, its subsidiaries or its partners, thus allowing for a functional interaction with these services, while guaranteeing a high level of security and personal data protection.

Over the weekend, cryptography experts sounded the alarm about this idea, saying that platforms might not be able to do this in a way that leaves messages encrypted. As Alex Stamos of the Stanford Internet Observatory put it to me: Writing the law to say You should allow for total interoperability without creating any privacy or security risks is like just ordering doctors to cure cancer.

The problems are straightforward enough; Corin Faife captured some of them here at The Verge:

Given the need for precise implementation of cryptographic standards, experts say that theres no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.

Trying to reconcile two different cryptographic architectures simply cant be done; one side or the other will have to make major changes, Bellovin said. A design that works only when both parties are online will look very different than one that works with stored messages .... How do you make those two systems interoperate?

Disdain for the new requirements is not universal; Matrix, a nonprofit organization working to build an open-source standard for encrypted communication, published a blog post Friday explaining some possible technical paths forward.

But its clear that, to the extent that there might be a way for services like iMessage and WhatsApp to interoperate and preserve encryption, that way has yet to be invented.

At the very least, it hasnt yet been built.

Owing in large part to the confusion over what exactly is being proposed, platforms have so far had little to say about the DMA and interoperability. (The giants lobbied against the DMA heavily, but apparently without much success.) Apple and Google did not respond to requests for comment from me.

But on Monday afternoon, I spoke to WhatsApp chief Will Cathcart over Zoom. End-to-end encryption has become WhatsApps signature project under Cathcart, both on the product side (it rolled out encrypted backups last fall) and the policy side (fighting an ongoing legal battle to preserve encryption in India).

I asked how he was feeling about the DMA as he understands it so far.

I have a lot of concerns around whether this will break or severely undermine privacy, whether itll break a lot of the safety work weve done that were particularly proud of, and whether itll actually lead to more innovation and competitiveness, Cathcart said.

Its easy to dismiss these concerns as self-interested: of course WhatsApp is going to oppose opening its doors to allow other apps to integrate themselves into its own user experience. But when I pressed Cathcart on WhatsApp on what would be so bad about it, his answers offered plenty of things for regulators and everyday WhatsApp users to worry about.

Among them:

How much of this do European regulators understand?

Its really hard to say without being able to see what they decided, Cathcart said. I dont know. Did they consult extensively with security experts? The reactions from a bunch of security experts that Ive seen suggests that those experts, at least, werent consulted.

Its also worth asking what interoperability will actually do to make the messaging market more competitive. Email is an open, interoperable standard and has been for decades; but today, Apple, Google, and Microsoft own around 90 percent of the market. Meanwhile, the market for messaging apps is much more dynamic even without interoperability: it includes apps from Meta, Telegram, Signal, Snap, and others.

In part thats because companies can add features more quickly when they dont have to create open APIs to support them. Notably, Snap said two years ago that mandated interoperability would be an own goal of huge proportions for regulators, since the end effect would be to ossify the market, foreclosing it to innovative newcomers.

All that said, Im not totally immune to the lure of interoperability. As someone who spends most of my day switching between inboxes, the idea of having fewer places to send and receive messages has clear appeal. And Im open to the idea that upstarts could use access to APIs from iMessage, WhatsApp and the like to put innovations in front of users faster than the typically slower-moving tech giants, and grow more quickly as a result.

But Europes simultaneous push for increased competition and maximum user privacy feel like a clear case of one hand not knowing what the other is doing. The fact of the matter is that almost no one I have read or spoken with believes you can do both, at least not in the way that the EU has proposed. And any solution that materializes may open up worrisome new vulnerabilities around privacy, misinformation, hate speech, and other danger zones.

Regulation is always a matter of attempting to solve old problems without trying to create too many new ones in the process. But doing that successfully requires developing a deep technical understanding of the issues at stake, and discussing them with experts in public. So far, the European Union hasnt shown much evidence of doing either.

For encrypted messaging to have a real future, thats going to have to change, and soon.

Read more here:
Three ways the European Union might ruin WhatsApp - The Verge

Related Posts
This entry was posted in $1$s. Bookmark the permalink.