WhatsApp privacy under threat

Cybersecurity experts have warned that incoming legislation targeting Big Tech in Europe could have devastating consequences for encryption in messaging apps like WhatsApp.
The European Union (EU) recently announced the new Digital Markets Act (DMA), which is aimed at curbing large tech companies’ power and increasing the competitiveness of smaller players.
Among its requirements is that dominant apps such as Facebook’s WhatsApp and Messenger, and Apple’s iMessage, must be interoperable with smaller platforms.
That means that end-to-end encrypted services will have to be able to interact with less secure protocols, including SMS.
According to cryptographers who spoke to The Verge, it would be difficult, and more likely impossible, to maintain end-to-end encryption across apps.
“Trying to reconcile two different cryptographic architectures simply can’t be done; one side or the other will have to make major changes,” said Steven Bellovin, an Internet security researcher at Columbia University.
“A design that works only when both parties are online will look very different than one that works with stored messages. How do you make those two systems interoperate?”
Under the legislation, WhatsApp would have to remove or significantly weaken its end-to-end encryption — among the app’s most promoted features.
End-to-end encryption ensures that messages sent between two parties can be read only by the sender and the recipient, so that no intermediary, including the service provider, can read them in transit.
Without this protection, messages could be read by attackers or authoritarian governments.
An alternative approach proposed under the DMA is to decrypt and re-encrypt messages as they pass between incompatible platforms.
However, experts have cautioned that this would create a point in the messaging chain where messages exist in plaintext, which malicious actors could exploit.
Matthew Hodgson, the founder of Matrix, a secure, open-source communication standard project, addressed some of the cryptographers’ concerns in a recent blog post.
Hodgson believes an open-source platform could stop gatekeeper companies like Apple and Facebook from building walls around their ecosystems to lock in as many users as possible.
“On balance, we think that the benefits of mandating open APIs outweigh the risks that someone is going to run a vulnerable large-scale bridge and undermine everyone’s end-to-end encryption,” Hodgson stated.
“It’s better to have the option to be able to get at your data in the first place than be held hostage in a walled garden.”
He listed several possibilities for keeping messages private while ensuring platforms are interoperable, including client-side bridges and having the gatekeepers switch to an open, decentralised encryption protocol.
The legislation is expected to come into effect sometime in October 2022, with the obligations on tech companies phased in over time.
Failure to comply with the requirements could see companies fined up to 10% of their global turnover in the preceding financial year, and 20% for repeated violations.