The EU's new digital competition rules are a problem for cryptography

The EU's new digital competition rules are a problem for cryptography

The Digital Markets Act (Dma), the new legislative initiative of the European Union designed to keep the technological giants in check, aims to integrate messaging apps in a more fluid way. While it may sound fantastic on paper, the scenario is not as rosy as it might appear.

Billions of messages are sent every day using end-to-end encryption. Millions of people use iMessage, WhatsApp and Signal to chat with friends, family and colleagues, and their conversations are automatically protected by an effective encryption system. However, it is not possible to send a message from one encrypted app to another. If you use Signal and your friends only have WhatsApp, someone will be forced to compromise.

The new rules for digital competition from the European Union It's called the Digital Markets Act and it's a package of rules to contain dominance of the big tech companies. Agreement between Commission, Parliament and European Council Read the article With the DMA, which European legislators approved last week and which is expected to be implemented this year, the owners of messaging apps will be required to make their platforms interoperable, in the in case another company requests it. This means that the largest messaging platforms - such as WhatsApp, Facebook Messenger and iMessage, which the DMA identifies as gatekeepers - will have to open up to rivals.

"Users of small or large platforms would then be able to exchange messages between them, send files or make video calls through the messaging apps, thus having more choice", reads a statement from the European Parliament. According to the new rules, Signal could for example request to work with Messenger. Meta would have the possibility to ask that WhatsApp be made compatible with iMessage, something that would represent a significant problem from the logistical point of view even if Meta and Apple were not arguing, but which according to the EU legislators is worth solving. br>
Supporters of interoperability say the regulation will give consumers more choice and allow third-party customers to develop additional functions. But while Andreas Schwab, MEP and lead DMA negotiator, points out that politicians are not trying to weaken encryption, experts fear the proposal will not be technically possible without compromising end-to-end encryption, potentially exposing them to risk. the billions of messages we exchange every day.

Although it has become the norm for people using messaging apps, no platform implements encryption in the same way as another. WhatsApp for example uses a customized version of Signal's encryption protocol, but users cannot exchange messages between the two apps. And while Apple's iMessage integrates with texting, standard text messages are not encrypted.

The concerns in the industry Many crypto and security experts have already pointed out the flaws of the EU plan: "The interoperability of E2ee [end-to-end encryption] is somewhere between extraordinarily difficult and impossible, "tweeted Steve Bellovin, one of the world's leading cryptographers and former chief technologist of the Federal Trade Commission, the agency of United States dealing with consumer protection and anti-competitive practices.

"When you start talking about different companies exchanging encrypted communications with each other, there are many serious issues that are extremely difficult to solve - explains Nadim Kobeissi, an applied cryptography expert and founder of the decentralized publishing platform Capsule Social -. It is very likely that there will be a serious worsening of cryptographic techniques to accommodate this proposal. "

WiredLeaks, how to send us an anonymous report Read the article The proposals presented under the DMA - which has yet to be published in its full version - they do not specify technical details on how interoperability works, but officials argue that the changes should be introduced over several years. Basic functions, such as exchanging messages between two people, should be implemented three months after the request from a technology company, while for audio and video calls the deadline is four years.

"Making interoperable End-to-end encrypted messaging apps are technically demanding and generate real risks to privacy, security and innovation. competitive and innovative sector in text messages or e-mails, which are unsafe and full of spam ". In an interview with tech reporter Casey Newton, Cathcart said the decision could cause WhatsApp problems with disinformation and moderation. "I am very concerned that this will destroy or severely undermine privacy, that it will destroy a lot of the work we have done on security that we are particularly proud of, and [I have doubts that, Ed.] Will actually lead to more innovation and competitiveness, "explains Cathcart.

Apple did not respond to a request for comment on cryptography but said it was generally concerned that parts of the DMA could create" unnecessary vulnerabilities on the privacy and security front. " Signal did not respond to a request for comment.

API or single standard? Not everyone is against the combination of interoperability and end-to-end encryption. Matrix, a nonprofit developing an open source standard for cryptography, has posted several blog posts illustrating how the organization believes the EU's proposals could work. "The main challenge is the trade-off between interoperability and privacy for gatekeepers who provide end-to-end encryption," explains the Matrix team.

Broadly speaking, there are two avenues that could enable encryption to work between apps run by different companies. The first requires technology companies to allow access to application programming interfaces (APIs) connected to their messaging services, and is the option Schwab and lawmakers are moving towards. The second involves a more radical change: all companies should adopt and implement a universal encryption standard. However, neither is easy to implement.

To connect to an open API, a company may need to use a "bridge" that joins the two platforms. Signal, for example, would have to implement multiple bridges in case it wanted to work with different applications. Using a bridge would result in messages being decrypted, potentially on a user's device, and then appearing in the target app. Removing end-to-end encryption would mean introducing a new layer that could be attacked by cybercriminals or malicious actors. Kobeissi adds that the proposal does not clarify who should handle the exchange of public cryptographic keys and how cryptographic metadata would be shared between companies. If Signal and iMessage became interoperable, which of the two companies would modify their encryption system to suit the other?

See more Choose the newsletters you want to receive and subscribe! Weekly news and commentary on conflicts in the digital world, sustainability or gender equality. The best of innovation every day. It's our new newsletters: innovation just a click away.

Arrow One of the main unanswered questions is how interoperability would ensure a user that the person they are chatting with is actually who they think they are . People use different usernames on each platform, and not knowing exactly who you are talking to could lead to identity problems, explains Alan Duric, co-founder of the encrypted messaging app Wire: "If you communicate between Wire and WhatsApp, how can you 'Wire user be sure that the person he is talking to on WhatsApp is really who he believes? ". According to Duric, the solution would be to verify the identity of each user, a strategy that could help reduce abuse and spam.

Those in favor of interoperability argue that the best way to achieve it would be to ensure that all companies adopted the same encryption standard and adhered to it. These standards already exist, such as the Matrix messaging protocol, the Xmpp standard, and the upcoming Messaging layer security. "If every actor in the industry - gatekeepers as well as smaller actors - connects to the same standard, this would end up being a great glue between the different services," says Amandine Le Pape, co-founder of the Matrix standard. This would save companies from having to implement APIs through a piecemeal process, even if it is not the solution the European Union is currently aiming for. "Dma is just the first step," says Le Pape.

Getting all messaging apps to use the same standard would be a major challenge and time consuming. "Potentially, it could lead to a situation where everyone switches to the Matrix - explains Kobeissi -. But Matrix is ​​a fundamentally different security architecture, not only from an end-to-end encryption perspective but also from a modeling perspective. of threats ". As each app faces different potential attacks, based on its user base and operations, moving to a single model would force companies to reevaluate the ways their users could be compromised.

Businesses would have to rebuild their entire cryptographic systems and change several functions in their apps, a process that could take years. Take Meta: In 2019, the company said it would apply end-to-end encryption to Instagram and Messenger direct messages by default, integrating their infrastructure with WhatsApp. Three years on, the company is still trying to navigate its systems and add security features. In this case the transition was more difficult than expected despite Meta controls all the technologies involved.

Ultimately, the extent of changes to companies could depend on the different technical realities and the level of pressure exerted by the European Commission, who will have to apply the DMA. As with the GDPR, the DMA could also lead to multimillion-dollar fines for companies that fail to comply. However, the GDPR - which includes a provision that allows users to carry their data from one app to another - has been applied in an ineffective way. If the European Commission were to enforce the DMA, tech companies might have no choice; but that may be the least of their concerns.

This article originally appeared on UK.

Powered by Blogger.