WhatsApp’s 2 billion users now face the biggest ever change to the platform, bigger even than its landmark completion of end-to-end encryption across its user base six years ago. But be warned—this new update has been described by experts as a “security and privacy nightmare,” and WhatsApp users should be very concerned.
The intent is laudable—as is so often the case when regulators and lawmakers mess with technologies they don’t fully understand. Those of you above a certain age will recall the game-changer that was SMS network interoperability, almost 25 years ago. You’ll also recall the significance when “chat apps,” led by WhatsApp, overtook SMS for the volume of messages sent and received just 15 years later.
The EU now wants to fix this. Its lawmakers, it announced last week, have “agreed that the largest messaging services (such as Whatsapp, Facebook Messenger or iMessage) will have to open up and interoperate with smaller messaging platforms if they so request.” This would allow, in theory, a Google Messages or Signal or Threema user “to exchange messages, send files or make video calls” with someone on WhatsApp.
The Digital Markets Act has competitive fairness in mind—it’s the latest regulatory attempt to clip the wings of big tech and ensure that markets are open to new entrants and smaller players and that the network effect that underpins the dominance of Facebook, Apple, Google, and others doesn’t remain insurmountable. And while the legislation is much broader than just WhatsApp, it’s really WhatsApp that it has in mind and which has by far the most to lose.
Android phones have provided some level of such interoperability for years—users can select Facebook Messenger or Signal as the standard SMS client, and the phone will then use its contact list to identify the best, most secure means of contact. If the recipient is also on the rich chat app, it will use that; if not, it will default to SMS. Google’s deployment of RCS, including its newish encryption update, does the same. The issue is that a chat app only interoperates with SMS. It cannot manage anything more than that simple failover, so it doesn’t level the playing field.
This new legislation goes much, much further. And the first hurdle at which its proposals will fail is purely technical. SMS is a horribly unsecured technology—easy to hack, exposing unencrypted traffic to a fragmented ecosystem of networks and servers, according to ESET. As such, SMS interoperability between iPhones and Androids is dangerous. The fix is end-to-end encryption. Apple’s iMessage offers this between its users, and Google has now started to deploy the same on Android. The divide, though, can’t be crossed.
That doesn’t really matter, because WhatsApp has brought full end-to-end encryption to the masses—freely available, cross-platform, secure and reliable. More than 2 billion users exchanging trillions of messages and placing billions of calls—all fully secured. Just because WhatsApp is owned by Facebook, don’t overlook the sheer scale of this innovation or withhold the credit it deserves for democratising high-end security.
Forcing WhatsApp, Apple and Google to open up their end-to-end encryption without compromising its security is almost certainly impossible. It can certainly be made to work technically, but only by weakening its architecture. The entire point of end-to-end encryption is assuring both (or multiple) ends of a call or chat. If a platform doesn’t operate at each of those ends, such assurances cannot be achieved.
From an encrypted content perspective, any solution whether operating on-device or somewhere in the ether would need to decrypt and re-encrypt content from one platform’s standards to another. We can debate all day long whether this is secure, but one thing it’s certainly not is end-to-end encrypted.
As ESET’s Jake Moore warns, “allowing WhatsApp to work with other services undermines the privacy and security protections it has worked so hard on creating. The encryption between apps will potentially be impossible to keep up with and once again, users will suffer.”
Proponents of such “bridge” solutions correctly point out that “trans-encryption” device-side is open to the same endpoint compromise—essentially a hack of your phone rather than your messaging platform—that already exists. True, but at a totally different scale, with the potential for multiple vulnerabilities, and making it near impossible for a user to vouch for the integrity of their connection.
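The two situations the preceding paragraphs contrast, native end-to-end encryption on one platform versus a decrypt-and-re-encrypt bridge between two, are easy to see in a small model. The example below is added here and is not code from the article or from any messaging platform. It stands in for each platform’s cipher with a toy HMAC-SHA256 authenticated stream cipher, the session keys are constructed at random for the run, and the party names and the `on_device` switch (which models the device-side “trans-encryption” the article mentions) are hypothetical.

```python
"""Toy model: which parties can read plaintext with native E2EE versus a bridge.

Added example, not the article's or any messenger's code. The cipher is a
demonstration construction (HMAC-SHA256 counter-mode keystream, encrypt-then-MAC),
and all session keys are constructed for the run.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(session_key: bytes, label: bytes) -> bytes:
    # Independent encryption and MAC keys derived from one session key.
    return hmac.new(session_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC-SHA256(enc_key, nonce || counter) blocks.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(session_key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError for a wrong key or tampered blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(session_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(session_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Party:
    """An endpoint or intermediary; `keys` maps peer name -> shared session key."""

    def __init__(self, name: str):
        self.name = name
        self.keys: dict[str, bytes] = {}
        self.plaintexts: list[bytes] = []

    def observe(self, blob: bytes) -> None:
        # Record whatever this party can recover from traffic it handles.
        for key in self.keys.values():
            try:
                self.plaintexts.append(decrypt(key, blob))
                return
            except ValueError:
                continue


def pair(a: Party, b: Party) -> None:
    # Constructed session key known only to these two parties.
    key = os.urandom(32)
    a.keys[b.name] = key
    b.keys[a.name] = key


def run_direct(message: bytes) -> dict:
    """Native E2EE on one platform: the relay server holds no keys at all."""
    alice, bob, server = Party("alice"), Party("bob"), Party("platform_server")
    pair(alice, bob)
    blob = encrypt(alice.keys["bob"], message)
    for p in (alice, server, bob):
        p.observe(blob)
    return {"delivered": bob.plaintexts == [message],
            "readers": sorted(p.name for p in (alice, server, bob) if p.plaintexts)}


def run_bridged(message: bytes, on_device: bool = False) -> dict:
    """Cross-platform bridge: it must decrypt platform A's traffic and re-encrypt for platform B.

    on_device=True models the bridge running on Alice's phone, so both platforms'
    session keys sit on that one device.
    """
    alice, bridge, bob = Party("alice"), Party("bridge"), Party("bob")
    pair(alice, bridge)  # platform A session
    pair(bridge, bob)    # platform B session
    blob_a = encrypt(alice.keys["bridge"], message)
    alice.observe(blob_a)
    bridge.observe(blob_a)  # the bridge now holds the plaintext
    blob_b = encrypt(bridge.keys["bob"], bridge.plaintexts[-1])  # re-encrypt for platform B
    bob.observe(blob_b)
    device_keys = set(alice.keys.values()) | (set(bridge.keys.values()) if on_device else set())
    return {"delivered": bob.plaintexts == [message],
            "readers": sorted(p.name for p in (alice, bridge, bob) if p.plaintexts),
            "distinct_keys_on_alice_device": len(device_keys)}


if __name__ == "__main__":
    print("direct :", run_direct(b"hello"))
    print("bridged:", run_bridged(b"hello", on_device=True))
```

Both runs deliver the message, but `readers` differs: with native E2EE only the two endpoints ever hold plaintext, while the bridged run lists the bridge as well, because re-encryption is impossible without first decrypting. Setting `on_device=True` shows the article’s scale point from the endpoint’s side: a compromise of that one phone now exposes two platforms’ session keys instead of one.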
“People need a helping hand when it comes to privacy as most are unaware of the reasons why it is so important,” cautions Moore. “By removing the walled environment such end to end encryption messaging services already provide could cause security issues further down the line.”
The fallback is the dreaded green bubble approach, differentiating between end-to-end secure content and unsecured content. This is how iMessage warns between its own platform and SMS; Google Messages and Signal (on Android) do something similar.
[Image: Signal SMS client on Android]
The other major technical challenge is identifying users who might have different personas on different platforms. That is readily resolved using phone numbers as unique identifiers, albeit this would disadvantage those platforms that do not rely on them, and would cut across moves already underway to remove such personally identifiable information.
While this legislation seemingly targets so-called big tech gatekeepers, “with a market capitalisation of at least 75 billion euro or an annual turnover of 7.5 billion [as well as] at least 45 million monthly end users in the EU and 10,000 annual business users,” from a messaging standpoint it mainly impacts Apple and Facebook.
While Google would seemingly also be hit, it would actually like nothing more than interoperability with iMessage, knocking down Apple’s walled garden. Its open request to Apple to bring iMessage inside RCS has been greeted with silence, and we know that Apple sees iMessage as a major competitive advantage, especially in the US.
There are reasons why forcing such a shift on Apple would be good—I’ve argued as much before. iMessage is the stock iPhone messenger—iPhone users cannot select an alternative, and it’s tightly integrated into Apple’s cross-platform OS. Apple’s latest updates—to expand content sharing over iMessage and to introduce on-device content screening for illicit content (for minors for now) do not have security in mind.
And so to Facebook—and to WhatsApp in particular. WhatsApp is the elephant in the room, so to speak, where this new legislation is concerned. It is the global messenger, its user base is so ubiquitous as to be the only genuine SMS alternative. Opening up WhatsApp to other platforms is the real game-changer here—and notwithstanding the negative connotations around Meta’s ownership, it’s a terrible idea.
WhatsApp is unique. As I’ve commented before, its status as a quasi global phone network (forget messaging, just think of the billions of voice and video calls) has made it a critical infrastructure utility for hundreds of millions around the world. Beyond Europe and North America, WhatsApp dominates in hugely populous countries where it is used by many as the default network for calls. This was behind the backlash in places like India and South America over Facebook’s perceived meddling last year, which prompted threats of regulatory action.
Facebook/Meta is on shaky ground arguing against the new proposals, given its own long-delayed plans to integrate WhatsApp, Facebook Messenger and Instagram DMs—another terrible idea. But WhatsApp’s boss, Will Cathcart, has warned that “making end-to-end encrypted messaging apps interoperable is technically challenging and creates real risks for privacy, safety, and innovation.” And he’s right.
WhatsApp isn’t well integrated into the wider Facebook gatekeeper. Its dominance has been earned by innovation and its network effect, and it competes with other messengers such as Telegram on an equal footing. It was this competition that forced Facebook to famously u-turn last year and has resulted in regular WhatsApp feature updates since.
There’s nothing innovative about setting up a messaging app and demanding access to WhatsApp’s network—any more than there would be in setting up a cheap postal service and expecting UPS, FedEx and the US Postal Service to deliver your letters.
Platforms such as Signal and Telegram have built market share offering something different to WhatsApp—more security in Signal’s case and less security but more expansive channel and group messaging options in Telegram’s. Furthermore the argument that innovators cannot surmount big tech’s dominance has been wholly undermined by TikTok, which is currently eating Facebook’s lunch.
Lawmakers and regulators have proven time and again their limited understanding of end-to-end encryption. But they have also shown how itchy their regulatory fingers are to compromise communications security where their security agencies are “in the dark” on content being exchanged.
A cynical view of these proposals might consider that regulating messaging, which may seek to standardize encryption so as to open it up in the name of competition, would also make such compromises easier. In which case, the fact that the EU is also considering mandatory message screening in the name of child safety, despite its unpopularity, might not be completely coincidental.
“Coercing private companies to scan all user data,” the EFF warns, “checking against government databases, and reporting to the authorities… [is] unacceptable, and no matter what they say, completely incompatible with end-to-end encryption.”
The full scope of the Digital Markets Act, including technical proposals for deployment, is due soon. And for WhatsApp’s 2 billion users this could be a genuine game-changer. Clearly, the legislation will apply in Europe, but it will have security and privacy ramifications across the entire user base.
Again, those of a certain age will remember the IM aggregators that cropped up during the era of AOL’s IM, and MSN and Yahoo’s respective Messengers, an ugly client-side experience to address the perceived need for interoperability. Today’s SMS is the modern-day equivalent. Let’s not go backward.
This new update will be here alarmingly quickly, the EU has said. Once the legal text is finalised and approved, it will be published and come into force 20 days later. “The rules will apply six months after… It will now be up to the European Commission to implement the new rules quickly.”