Cross-platform chats: Does new EU law threaten security on Whatsapp?

The EU Parliament has passed a law that requires Whatsapp and other messengers to allow cross-platform communication. This looks like good news for users, but it could also compromise their security and privacy.

The European Parliament passed two laws on Tuesday that place large tech companies such as Facebook, Google, Amazon and Apple, with more than 45 million monthly active users, under stricter supervision and strengthen consumer protection. The Digital Services Act (DSA) aims to curb the spread of hate speech and illegal content, while the Digital Markets Act (DMA) aims to increase user freedom of choice and make competition fairer. Among other things, this means that cross-platform communication between the leading messengers must be made possible.

From the user's point of view this is initially very good news, even though the companies have been granted a two-year transitional period, and smaller messenger providers such as Threema or Signal may choose whether to take part in cross-platform communication rather than being obliged to. But getting the different services under one roof is anything but straightforward, and in the end the security and privacy of users could suffer.

Exchanging messages between services is not the hard part. What experts seriously doubt is that it can be done while preserving end-to-end encryption, which guarantees that nobody other than the two endpoints can read a message. Nadim Kobeissi, cryptographer and founder of the decentralized publishing platform Capsule Social, told The Wire it was unclear who would manage the exchange of public encryption keys and how cryptographic metadata would be shared between companies.

Steven Bellovin, a cybersecurity researcher and professor of computer science at Columbia University, told The Verge there was no way to reconcile different cryptographic architectures. Compatibility between different encryption designs can only be based on the lowest common denominator. In principle, this means that any feature not offered by every participating messenger would have to be dropped. Bellovin cites encrypted group chats as an example.

However, Article 7 of the DMA does not allow for a slimmed-down feature set. On the contrary, it states that end-to-end encrypted group chats must be made possible between the major messengers within two years. After four years, EU law will require the same for voice and video calls.

One option would be a gateway that decrypts each message at one point and re-encrypts it for the receiving service. For security experts, however, this is an absolute no-go: wherever that gateway sits, it holds the plaintext, so anyone who controls or compromises it, criminals or authorities alike, can follow the conversation.
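The following is an added example, not code from the article or from any messenger, that makes the difference concrete: a gateway that decrypts and re-encrypts sees every message, while a gateway that only forwards end-to-end ciphertext sees nothing it can read. The cipher is a standard-library HMAC-SHA256 keystream standing in for a real authenticated cipher so the script runs offline; the keys, the service pairing and the message are constructed for illustration.

```python
"""Added example (not from the article or any messenger's code): what a
"decrypt and re-encrypt" gateway exposes compared with an end-to-end relay.
The cipher is a standard-library HMAC-SHA256 keystream standing in for a real
AEAD so the script runs offline; keys, service names and the message are
constructed for illustration."""
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || (plaintext XOR keystream). Unauthenticated: a real messenger
    uses an AEAD, but confidentiality is all this demonstration needs."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class Bridge:
    """Interoperability gateway between two services. `observed` is everything
    the bridge operator (or whoever compromises the bridge) could log."""

    def __init__(self) -> None:
        self.observed: list[bytes] = []

    def relay_reencrypt(self, key_in: bytes, key_out: bytes, ct: bytes) -> bytes:
        # The option from the article: decrypt with the sending service's key,
        # re-encrypt for the receiving service. Plaintext exists on the bridge.
        plaintext = decrypt(key_in, ct)
        self.observed.append(plaintext)
        return encrypt(key_out, plaintext)

    def relay_e2e(self, ct: bytes) -> bytes:
        # End-to-end design: the bridge forwards ciphertext it cannot open.
        self.observed.append(ct)
        return ct


def demo_reencrypt(message: bytes) -> tuple[bytes, bytes]:
    """Returns (what Bob reads, what the bridge observed)."""
    key_alice_bridge = os.urandom(32)   # shared by Alice's service and the bridge
    key_bridge_bob = os.urandom(32)     # shared by the bridge and Bob's service
    bridge = Bridge()
    ct_out = bridge.relay_reencrypt(key_alice_bridge, key_bridge_bob,
                                    encrypt(key_alice_bridge, message))
    return decrypt(key_bridge_bob, ct_out), bridge.observed[0]


def demo_e2e(message: bytes) -> tuple[bytes, bytes]:
    """Same delivery, but Alice and Bob share a key the bridge never sees."""
    key_alice_bob = os.urandom(32)      # negotiated end to end between the two devices
    bridge = Bridge()
    ct_out = bridge.relay_e2e(encrypt(key_alice_bob, message))
    return decrypt(key_alice_bob, ct_out), bridge.observed[0]


if __name__ == "__main__":
    msg = b"meet at the station at 9"  # constructed sample message
    read, seen = demo_reencrypt(msg)
    print("re-encrypting bridge: Bob reads", read, "| bridge saw", seen)
    read, seen = demo_e2e(msg)
    print("end-to-end relay:     Bob reads", read, "| bridge saw", seen.hex()[:32], "...")
```

Bob reads the same message in both designs; the only difference is the bridge's log. With re-encryption the log contains the plaintext, which is exactly what a subpoena or a break-in would retrieve. With a shared end-to-end key the log holds only ciphertext, and the open question moves to how Alice's device learns Bob's key on another service in the first place, which is the identity problem the article turns to next.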

Former Facebook engineer and security expert Alec Muffett told The Verge it's wrong to think that Apple, Google, Facebook and other tech companies made identical and interchangeable products that could easily be mixed and matched. A vulnerability in one service threatens all others, he warns. In the end, overall security is only as strong as the weakest link.

A basic principle of encryption is that it rests on stable cryptographic identities, Facebook's former head of security, Alex Stamos, told the website. Good identity management is essential for security. "How do you tell your phone who you want to talk to and how does the phone find that person?" Shared end-to-end encryption would require each service to blindly trust every other participating service's identity management. That would be a "privacy and security nightmare."

Bellovin explained the issue on Twitter with an example: "Twitter knows me as @SteveBellovin, Apple knows me by my Apple ID, which is a personal email address. Signal knows me by my phone number, Google knows me by my official university e-mail address. Facebook doesn't know me... You receive a message from Whatsapp user StevenBellovin: Who is it? Is it me? An attacker? Or someone else with the same name?"
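An added example, not from the article or from any messenger, of what Bellovin's question looks like inside a client: each service binds its own kind of handle (phone number, display name) to an identity key, and the only thing that distinguishes the real contact from a same-named stranger on another service is the key, checked against a fingerprint the user confirmed out of band. Identity keys are modeled as random 32-byte values and the fingerprint display is only loosely modeled on a safety number; the service names, handles and directories are constructed for illustration.

```python
"""Added example (not from the article): why a display name is not an identity.
Identity keys are modeled as random 32-byte values and the fingerprint display
is loosely modeled on a safety number; service names, handles and keys are
constructed for illustration."""
import hashlib
import os
from typing import Optional


def fingerprint(identity_key: bytes) -> str:
    """30 decimal digits in groups of five, derived from SHA-256 of the key.
    Loosely modeled on how messengers render safety numbers for comparison."""
    digest = int.from_bytes(hashlib.sha256(identity_key).digest(), "big")
    digits = f"{digest % 10**30:030d}"
    return " ".join(digits[i:i + 5] for i in range(0, 30, 5))


def safety_number(key_a: bytes, key_b: bytes) -> str:
    """Order-independent pairwise string both parties can read out to each other."""
    return "  ".join(sorted([fingerprint(key_a), fingerprint(key_b)]))


# Constructed directories: each service binds its own kind of handle to an
# identity key. Two different keys both present themselves as "StevenBellovin".
KEY_SIGNAL_BELLOVIN = os.urandom(32)
KEY_WHATSAPP_SOMEONE = os.urandom(32)
DIRECTORIES = {
    "signal": {"+1-555-0100": KEY_SIGNAL_BELLOVIN},        # phone number handle
    "whatsapp": {"StevenBellovin": KEY_WHATSAPP_SOMEONE},  # display-name handle
}


def lookup(service: str, handle: str) -> Optional[bytes]:
    """What a federated directory query would return for a handle on a service."""
    return DIRECTORIES.get(service, {}).get(handle)


def classify_sender(service: str, handle: str, shown_name: str,
                    verified: dict[str, str]) -> str:
    """How the receiving client should label an incoming cross-platform message.
    `verified` maps fingerprints the user confirmed out of band to a name."""
    key = lookup(service, handle)
    if key is None:
        return "unknown: no key for %s on %s" % (handle, service)
    fp = fingerprint(key)
    if fp in verified:
        return "verified: " + verified[fp]
    # Accepting the partner service's name assertion here is the blind trust
    # Stamos warns about: the name matches, the key does not.
    return "unverified: '%s' (key %s... not confirmed)" % (shown_name, fp[:11])


def demo() -> tuple[str, str]:
    # Alice confirmed Bellovin's Signal fingerprint in person earlier.
    verified = {fingerprint(KEY_SIGNAL_BELLOVIN): "Steve Bellovin"}
    from_signal = classify_sender("signal", "+1-555-0100", "Steve", verified)
    from_whatsapp = classify_sender("whatsapp", "StevenBellovin", "StevenBellovin", verified)
    return from_signal, from_whatsapp


if __name__ == "__main__":
    for label in demo():
        print(label)
```

The client never decides on the name: it looks up the key the foreign service asserts for that handle and compares its fingerprint with what the user verified. Anything that has not been verified is shown as such, which is the "empowers and informs the user" approach rather than silent trust in the other service's directory.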

Meta's Whatsapp boss Will Cathcart sees the benefits of interoperability, "but if not done carefully it could lead to a tragic weakening of security and privacy in Europe," he tweeted.

Threema sees it similarly. "Even if it is well intentioned, interoperability would mean a reduction in security and data protection to the lowest level of the services involved, which is why we will not participate," the service commented on Twitter in reply to a ZDF post.

One organization that welcomes cross-platform communication is Matrix, which promotes the development of a secure open-source communication standard. In a long blog post, co-founder Matthew Hodgson outlines how the problem could be solved with bridges between the platforms' interfaces.

"The bottom line is that we shouldn't fear interoperability just because we've gotten used to a broken world where nothing connects," writes Hodgson. "There are understandable ways to solve the problem in a way that empowers and informs the user - and the DMA has now given the industry an opportunity to show that it can work."

The Electronic Frontier Foundation (EFF) also considers cross-platform messenger communication desirable, but points to "difficult security problems for encrypted message transmission" and urges the utmost care. Interoperability must not become an excuse for weakening security, but claimed security needs must not be allowed to shield a company from competition in the market either.