EU prepares to slap WhatsApp and others, but security experts are worried

Security experts are increasingly concerned about the potential implications of the EU's new Digital Markets Act (DMA) and the effects it could have on WhatsApp and other secure messaging services.

For those unfamiliar, the DMA aims to rein in the big tech platforms in Europe so that smaller companies can better compete against Meta, Google, Microsoft and others.

Under the new bill, large tech companies with a market capitalization of more than €75.000 billion and a user base of more than 45 million in the EU would be required to create products that are interoperable with smaller platforms. While this is probably fine for online collaboration tools and desktop software, there are a number of security risks for messaging services like WhatsApp that include end-to-end encryption as part of their offerings.

The EU hopes the DMA will help smaller competitors by opening up some of the services provided by the big tech giants that are considered gatekeepers due to the size of their customer base as well as their revenue. As a result, iPhone users could install third-party apps outside of the App Store, third-party sellers could soon rank higher on Amazon's e-commerce platform, and messaging apps would be required to allow users to send messages across multiple protocols, according to a new report from The Verge.

End-to-end encryption issues

The DMA poses a serious problem for secure messaging services that include end-to-end encryption as part of their offerings.

Cryptographers agree that it will be difficult, if not impossible, to maintain encryption between apps, which could put users at risk of having their messages and data exposed. Although Signal is small enough not to be affected by the new EU legislation, it is likely that WhatsApp, which uses the Signal protocol, will have to change the way its platform works.

Because cryptographic standards must be implemented precisely, security experts who spoke to The Verge warned that there is no easy way for secure messaging apps to provide security and interoperability to their users. Essentially, different forms of encryption with different design features cannot be easily merged for DMA compliance.

Steven Bellovin, an Internet security researcher and computer science professor at Columbia University, provided additional information on the matter in a statement to The Verge, saying:

“Trying to reconcile two different cryptographic architectures is simply impossible; one side or the other will have to make major changes. A design that only works when both parties are online will be very different from one that works with stored messages... How do you get these two systems to work together?”

As it stands, each messaging service is responsible for its own security, but by making them interoperable, users of one service could be exposed to vulnerabilities that may exist in another messaging platform.

Fortunately, there is still time for the EU to back down or for secure messaging app providers to find a way to make their services interoperable with smaller competitors, as the Digital Markets Act will not be implemented next year.

Via The Verge