Skip to main content

Security experts say new EU rules will damage WhatsApp encryption

Security experts say new EU rules will damage WhatsApp encryption

/

Big names in internet security have been fiercely critical of the new DMA legislation

Share this story

Illustration by Alex Castro / The Verge

On March 24th, EU governing bodies announced that they had reached a deal on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA). Seen as an ambitious law with far-reaching implications, the most eye-catching measure in the bill would require that every large tech company — defined as having a market capitalization of more than €75 billion and a user base of more than 45 million people in the EU — create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS — which security experts worry will undermine hard-won gains in the field of message encryption.

The main focus of the DMA is a class of large tech companies termed “gatekeepers,” defined by the size of their audience or revenue and, by extension, the structural power they are able to wield against smaller competitors. Through the new regulations, the government is hoping to “break open” some of the services provided by such companies to allow smaller businesses to compete. That could mean letting users install third-party apps outside of the App Store, letting outside sellers rank higher in Amazon searches, or requiring messaging apps to send texts across multiple protocols.

The main focus of the DMA is a class of large tech companies termed “gatekeepers”

But this could pose a real problem for services promising end-to-end encryption: the consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users. Signal is small enough that it wouldn’t be affected by the DMA provisions, but WhatsApp — which uses the Signal protocol and is owned by Meta — certainly would be. The result could be that some, if not all, of WhatsApp’s end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging.

Given the need for precise implementation of cryptographic standards, experts say that there’s no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.

“Trying to reconcile two different cryptographic architectures simply can’t be done; one side or the other will have to make major changes,” Bellovin said. “A design that works only when both parties are online will look very different than one that works with stored messages .... How do you make those two systems interoperate?”

“Trying to reconcile two different cryptographic architectures simply can’t be done”

Making different messaging services compatible can lead to a lowest common denominator approach to design, Bellovin says, in which the unique features that made certain apps valuable to users are stripped back until a shared level of compatibility is reached. For example, if one app supports encrypted multi-party communication and another does not, maintaining communications between them would usually require that the encryption be dropped.

Alternatively, the DMA suggests another approach — equally unsatisfactory to privacy advocates — in which messages sent between two platforms with incompatible encryption schemes are decrypted and re-encrypted when passed between them, breaking the chain of “end-to-end” encryption and creating a point of vulnerability for interception by a bad actor.

Alec Muffett, an internet security expert and former Facebook engineer who recently helped Twitter launch an encrypted Tor service, told The Verge that it would be a mistake to think that Apple, Google, Facebook, and other tech companies were making identical and interchangeable products that could easily be combined.

“If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you,” Muffett said. “What happens when the requested sushi arrives by courier at McDonald’s from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?”

Currently, every messaging service takes responsibility for its own security — and Muffett and others have argued that by demanding interoperability, users of one service are exposed to vulnerabilities that may have been introduced by another. In the end, overall security is only as strong as the weakest link.

Another point of concern raised by security experts is the problem of maintaining a coherent “namespace,” the set of identifiers that are used to designate different devices in any networked system. A basic principle of encryption is that messages are encoded in a way that is unique to a known cryptographic identity, so doing a good job of identity management is fundamental to maintaining security.

“How do you tell your phone who you want to talk to, and how does the phone find that person?” said Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook. “There is no way to allow for end-to-end encryption without trusting every provider to handle the identity management... If the goal is for all of the messaging systems to treat each other’s users exactly the same, then this is a privacy and security nightmare.”

“There is no way to allow for end-to-end encryption without trusting every provider to handle the identity management”

Not all security experts have responded so negatively to the DMA. Some of the objections shared previously by Muffett and Stamos have been addressed in a blog post from Matrix, a project geared around the development of an open-source, secure communications standard.

The post, written by Matrix co-founder Matthew Hodgson, acknowledges the challenges that come with mandated interoperability but argues that they are outweighed by benefits that will come from challenging the tech giants’ insistence on closed messaging ecosystems.

“In the past, gatekeepers dismissed the effort of [interoperability] as not being worthwhile,” Hodgson told The Verge. “After all, the default course of action is to build a walled garden, and having built one, the temptation is to try to trap as many users as possible.”

But with users generally happy to centralize trust and a social graph in one app, it’s unclear whether the top-down imposition of cross-platform messaging is mirrored by demand from below.

“iMessage already has interop: it’s called SMS, and users really dislike it,” said Alex Stamos. “And it has really bad security properties that aren’t explained by green bubbles.”

Today’s Storystream

Feed refreshed Sep 24 Striking out

E
External Link
Emma RothSep 24
California Governor Gavin Newsom vetoes the state’s “BitLicense” law.

The bill, called the Digital Financial Assets Law, would establish a regulatory framework for companies that transact with cryptocurrency in the state, similar to New York’s BitLicense system. In a statement, Newsom says it’s “premature to lock a licensing structure” and that implementing such a program is a “costly undertaking:”

A more flexible approach is needed to ensure regulatory oversight can keep up with rapidly evolving technology and use cases, and is tailored with the proper tools to address trends and mitigate consumer harm.


A
Youtube
Andrew WebsterSep 24
Look at this Thing.

At its Tudum event today, Netflix showed off a new clip from the Tim Burton series Wednesday, which focused on a very important character: the sentient hand known as Thing. The full series starts streaming on November 23rd.


A
The Verge
Andrew WebsterSep 24
Get ready for some Netflix news.

At 1PM ET today Netflix is streaming its second annual Tudum event, where you can expect to hear news about and see trailers from its biggest franchises, including The Witcher and Bridgerton. I’ll be covering the event live alongside my colleague Charles Pulliam-Moore, and you can also watch along at the link below. There will be lots of expected names during the stream, but I have my fingers crossed for a new season of Hemlock Grove.


A
Andrew WebsterSep 24
Looking for something to do this weekend?

Why not hang out on the couch playing video games and watching TV. It’s a good time for it, with intriguing recent releases like Return to Monkey Island, Session: Skate Sim, and the Star Wars spinoff Andor. Or you could check out some of the new anime on Netflix, including Thermae Romae Novae (pictured below), which is my personal favorite time-traveling story about bathing.


A screenshot from the Netflix anime Thermae Romae Novae.
Thermae Romae Novae.
Image: Netflix
J
Twitter
Jay PetersSep 23
Twitch’s creators SVP is leaving the company.

Constance Knight, Twitch’s senior vice president of global creators, is leaving for a new opportunity, according to Bloomberg’s Cecilia D’Anastasio. Knight shared her departure with staff on the same day Twitch announced impending cuts to how much its biggest streamers will earn from subscriptions.


T
Twitter
Tom WarrenSep 23
Has the Windows 11 2022 Update made your gaming PC stutter?

Nvidia GPU owners have been complaining of stuttering and poor frame rates with the latest Windows 11 update, but thankfully there’s a fix. Nvidia has identified an issue with its GeForce Experience overlay and the Windows 11 2022 Update (22H2). A fix is available in beta from Nvidia’s website.


A
External Link
If you’re using crash detection on the iPhone 14, invest in a really good phone mount.

Motorcycle owner Douglas Sonders has a cautionary tale in Jalopnik today about the iPhone 14’s new crash detection feature. He was riding his LiveWire One motorcycle down the West Side Highway at about 60 mph when he hit a bump, causing his iPhone 14 Pro Max to fly off its handlebar mount. Soon after, his girlfriend and parents received text messages that he had been in a horrible accident, causing several hours of panic. The phone even called the police, all because it fell off the handlebars. All thanks to crash detection.

Riding a motorcycle is very dangerous, and the last thing anyone needs is to think their loved one was in a horrible crash when they weren’t. This is obviously an edge case, but it makes me wonder what other sort of false positives we see as more phones adopt this technology.


A
External Link
Ford is running out of its own Blue Oval badges.

Running out of semiconductors is one thing, but running out of your own iconic nameplates is just downright brutal. The Wall Street Journal reports badge and nameplate shortages are impacting the automaker's popular F-series pickup lineup, delaying deliveries and causing general chaos.

Some executives are even proposing a 3D printing workaround, but they didn’t feel like the substitutes would clear the bar. All in all, it's been a dreadful summer of supply chain setbacks for Ford, leading the company to reorganize its org chart to bring some sort of relief.