I am not a computer security or cryptography expert.
I’ve been doing some research on this thing the EU recently passed, called the Digital Markets Act (DMA). Among other things the new law wants chat platforms like WhatsApp and iMessage to interoperate. This sounds great! There are too many different chat clients and everyone I’ve ever talked to about this is annoyed by them and only uses some subset of them. There’s the plethora of products (all of which are pretty jank and bad) trying to give consumers a single frontend. People want this.
And we want it with ‘end to end encryption’ (E2EE), which just means that nobody other than you and the people you’re talking with can read your messages. WhatsApp, iMessage, and so on implement this within their platform already–when you send a WhatsApp message (supposedly) it’s E2E encrypted and Facebook can’t read your messages. But you can’t use WhatsApp to send a message to someone on iMessage–yet. That’s what’s being discussed.
There are some extremely hysterical loud voices against this DMA:
> This is a mind numbingly foolish, privacy-destroying, encryption-busting, innovation-killing proposal, dressed up in clothes of anti-monopoly.Alec Muffett, security industry veteran and expert
> A cynic might say that this is a way to effectively outlaw E2EE while framing it as an antitrust move against tech.Alex Stamos, the former chief security officer at Facebook
Double yikes! These are both qualified people who probably know what they’re talking about, and they’re decrying this as the end of secure messaging and maybe the end of everything as we know it!?
Arguments look like:
- it’s impossible to achieve interop on a technical level while preserving E2EE
- it stifles innovation because standards are slow to update
Why, though? What makes this so complicated? Why is having standards for encrypted messaging going to ruin security for everyone forever?
The innovation claim is a little boring. What we’re talking about is chat apps. The biggest new feature any of them have implemented in the last 5 years is emoji reactions and inline ‘reply’ messages. Isn’t the gain offered by having interop between the clients worth a lot?
Interop is clearly something the various chat providers are disincentivized from doing. Meta benefits by having WhatsApp or Messenger lock-in, Apple benefits by having iMessage lock-in, etc. It’s hard to disentangle doomsayers with good pro-security intentions from the corporate incentives–both of which are at play here.
Regulation requires developing a deep technical understanding of the issues at stake, and discussing them with experts in public. So far, the EU hasn’t shown much evidence of doing eitherCasey Newton via this tweet
There needs to be cooperation between the technical side and the legislative side to craft good legislation. But, there’s an adversarial element here that’s hard to disentangle. Private companies are quick to shout that the EU or other government is not consulting them, all while simultaneously lobbying against those lawmakers.
In war you might first start off fully adversarially by trying to win outright and with the goal of annihilating your enemies. Then, if you see things aren’t going to go your way, you might shift towards trying to soften the blow and direct the outcome as best you can so things go well for both parties. It seems to me like both the governments and the tech companies in reality have the adversarial stance… but the above quote is stone-throwing that the governments should have the cooperative stance.
Here’s a writeup from someone at Matrix about potential paths forward. This strikes me as much more sober, compared to the hysterical tweeting about literally the end of all encrypted chat. The piece mentions some solutions to the key exchange problems at hand, including some that Matrix has already been exploring.
The suggestions are running a client-side bridge on the user’s device, which would allow crosstalk between the different chat platforms. Or switching to a decentralized / federated protocol at the interface between chat providers. Or to worst-case notify the user when they’re talking to an untrusted participant. Though, I worry that this last suggestion could lead us to more things like the annoying GDPR-mandated cookies notifications. It’s clear that care needs to be taken in crafting responsible legislation that actually does what we want it to do.
Zuckerberg has previously stated that he wants interoperability between Facebook chat and WhatsApp, but this person on twitter states that since they’ve been working on this problem since 2018 it’s too hard to solve. This is a good point! Why is Facebook having such a hard time unifying Messenger and WhatsApp?
The EU is running the show with respect to tech legislation. Meanwhile, American lawmakers are on the sidelines, as Casey Newton puts it.
Sure, these are hard problems, but they matter! Rather than a lot of excuses, I’d like to see if any experts can actually draft proposals on how to solve them. We want unified secure chat!