And although WhatsApp continues to offer end-to-end encryption in its conversations between users, a new European Union law could affect this encryption and therefore make the app less secure.
DMA Act: Digital Markets
Last week, on March 24, EU governing bodies announced that they had reached an agreement on the most sweeping legislation against big tech companies in Europe, known as the Digital Markets Law (DMA). Considered an ambitious law with far-reaching implications, the bill’s most striking measure would require that all big tech companies – defined as those with a market capitalization of more than €75 billion or a user base of more than 45 million people in the EU – create products that are interoperable with smaller platforms.
In the case of messaging apps, that would mean allowing end-to-end encrypted services like WhatsApp to mix with less secure protocols like SMS, which security experts say will undermine the hard-won gains made so far in the field of message encryption.
Reduce the reach of big tech
According to an extract from the website of the European Parliament, “the objective of the regulation is to equalize the conditions for all digital companies, regardless of their size. In order to put an end to unfair practices on companies and consumers, the Digital Markets Law will establish clear rules on what large internet platforms can and cannot do in the EU. Gatekeeper platforms will no longer be able to rate their own services and products more favorably than similar ones offered by third parties on the same website. They also won’t be able to prevent users from uninstalling pre-installed programs or apps if they want to.
The standards, which seek to promote innovation, development and competitiveness, will help smaller companies and new companies to compete with the big ones”. The new law will establish the criteria for considering a large online platform an “access gatekeeper.” In addition, it will allow the European Commission to carry out market investigations and anticipate corrective measures to deal with systematic breaches of the rules.
WhatsApp less secure
But what about applications like WhatsApp, which base much of their appeal on offering conversations with a high degree of encryption in terms of security? According to crypto experts it will be difficult, if not impossible, to maintain encryption between applications, with potentially huge implications for users. Signal is small enough not to be affected by the DMA provisions, but WhatsApp – which uses the Signal protocol and is owned by Meta – would be.
The result could be that some, if not all, of WhatsApp messaging’s end-to-end encryption is weakened or removed, affecting billions of active users of the app. Several experts have confirmed to The Verge that there is no simple solution that can reconcile the security and interoperability of encrypted messaging services, “nor would there be a way to merge different forms of encryption in applications with different design characteristics”, as stated by Steven Bellovin, Internet security researcher and professor of computer science at Columbia University.
“Trying to reconcile two different cryptographic architectures is simply impossible; one side or the other will have to make major changes. A design that works only when both parties are online will be very different from one that works with stored messages…. How to make these two systems interoperate? Trying to reconcile two different cryptographic architectures just can’t be done.”
According to Bellovin, making different messaging services compatible can lead to a lowest common denominator design approach, in which “unique features that made certain apps valuable to users are removed until a shared level of compatibility is reached.” For example, if one application supports encrypted multiparty communication and another does not, maintaining communications between them will typically require the encryption to be removed.
Decrypt and re-encrypt
The EU is aware of this, and the DMA Law suggests as a satisfactory alternative that messages sent between two platforms with incompatible encryption schemes be decrypted and re-encrypted when passing from one to another. The problem is that this would directly break the “end-to-end” encryption chain and create a point of vulnerability for interception by any cybercriminals on the prowl.
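The difference between a relay that only forwards ciphertext and a bridge that decrypts and re-encrypts can be shown in a few lines. This is an added example, not code from the article or from any messaging platform; `seal` and `unseal` are toy stand-ins for each platform's encryption (not the Signal protocol), and all names and the sample message are constructed for illustration.

```python
import hashlib, hmac, os

def _sub(key, label):
    return hashlib.sha256(label + key).digest()   # separate encryption/MAC subkeys

def _xor_stream(key, nonce, data):
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Toy encrypt-then-MAC stand-in for a platform's message encryption."""
    nonce = os.urandom(12)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def end_to_end(message, relay_alters=False):
    """Relay holds no key: it forwards ciphertext and any change is detected."""
    key = os.urandom(32)                      # known only to the two endpoints
    blob = bytearray(seal(key, message))
    if relay_alters:
        blob[12] ^= 0x01                      # relay changes one bit in transit
    try:
        return unseal(key, bytes(blob)), message in bytes(blob)
    except ValueError:
        return None, False                    # recipient rejects the message

def bridged(message, rewrite=None):
    """Bridge decrypts under platform A's key and re-encrypts under platform B's."""
    key_a, key_b = os.urandom(32), os.urandom(32)
    seen_by_bridge = unseal(key_a, seal(key_a, message))   # plaintext at the bridge
    forwarded = rewrite(seen_by_bridge) if rewrite else seen_by_bridge
    delivered = unseal(key_b, seal(key_b, forwarded))      # tag is valid under B's key
    return delivered, seen_by_bridge
```

In the end-to-end case the recipient rejects an altered message, while in the bridged case the recipient's check passes on whatever the bridge chose to forward, so both confidentiality and integrity now depend on the bridge.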
Alec Muffett, an Internet security expert and former Facebook engineer who recently helped Twitter launch an encrypted Tor service, told The Verge that it would be a mistake to think that Apple, Google, Facebook and other technology companies make identical and interchangeable products that can be easily combined. And he gave an example with the popular McDonald’s: “If you walked into a McDonald’s and said: ‘For the sake of breaking corporate monopolies, I demand that they include a sushi plate from some other restaurant with my order’, no wonder they would stare at you.”
What happens when the requested sushi arrives by courier at McDonald’s from the supposedly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier service legitimate? Was it prepared safely?
Nowadays, each messaging service assumes responsibility for its own security, and Muffett and others have argued that by requiring interoperability, users of one service expose themselves to vulnerabilities that may have been introduced by another. The European Union wants to limit the power of technology companies and, as it says, “put an end to unfair practices on companies and consumers”, and the DMA Law goes ahead.
Will this cause WhatsApp to be less secure and see a new exodus?