Message app rule raises privacy doubts in new EU Digital Act

28 March 2022

A person holds a mobile phone showing a Whatsapp group chat for the exchange of scarce products in Caracas on June 13, 2016. (Photo by FEDERICO PARRA / AFP) / TO GO WITH AFP STORY BY MARIA ISABEL SANCHEZ

  • The European Union’s new Digital Markets Act will require an unprecedented level of message app cross-cooperation 
  • But critics say the ease and ‘fair play’ of interoperable messaging systems could lead to privacy nightmares

The EU will require tech giants to drop barriers between their hugely popular message app services in a revolutionary bid to boost digital competition, but critics warned last week that the change could come at the cost of millions of users’ privacy.

Praise poured in after negotiators from the European Parliament and EU member states agreed late the previous week on a sweeping law to curb market dominance of US firms like Google, Facebook owner Meta, Amazon, and Apple.

But the provision in the legislation that looks set to make big services such as WhatsApp and Apple’s iMessage provide access to smaller operators, drew concerns it would compromise the encryption that guards users’ data across individual message app services.

“What we will see here, of course, is a trade-off — a policy that is good for competition but bad for privacy and bad for the product,” tweeted analyst Benedict Evans. “You can never have all three.”

Unlike on cell phones or email, app users can’t send a message from one company’s app or service to a rival’s, raising the concern that people stick to the biggest platforms because that’s where their contacts are concentrated.

“Users have no choice,” Amandine Le Pape, co-founder of messaging app Element, told the Euractiv news network. “Smaller companies cannot compete because they need to build their own user base from scratch.”

In an attempt to address this, the EU’s new Digital Markets Act (DMA) will impose “interoperability” between apps — all while demanding that communications remain encrypted from user to user.

WhatsApp, for example, has default end-to-end encryption, which means that normally only the sender and recipient have access to a message’s content. Critics of the new EU rules argued it’s all but impossible to have end-to-end encryption across several platforms.

Message app interoperability vs privacy

“Example: Twitter knows me as @SteveBellovin. Apple knows me by AppleID, a personal email address. Signal knows me by my phone number,” tweeted Columbia University computer science professor Steven Bellovin. “Google knows me by my official university email address.”

“You receive a message from WhatsApp user StevenBellovin,” he added. “Who is it? Is it me? An attacker? Or someone else with the same name?”

Evans, the analyst, added in a tweet that “at an absolute minimum you will have to expose metadata. Hilariously, that breaks EU privacy law.”

EU’s competition chief Margrethe Vestager said that after the bloc’s member states and MEPs formally approve the text, it should be published around October. The first possible fines for non-compliance — as high as 10% of a company’s annual global sales and even 20% for repeat offenders — are not expected before the first quarter of 2024.

However, other experts noted that there are ways to make message apps secure and interoperable. “From a technical perspective, it is not particularly complex,” internet regulation specialist Ian Brown told AFP. “Large companies have strongly resisted the obligation precisely because a lack of interoperability is one of the key factors supporting their incumbency.”

Some of the biggest tech giants that could see their dominance eroded or profits impacted under the DMA have offered a chilly welcome. Apple, reacting generally to the new law, said last week it will create “unnecessary privacy and security vulnerabilities for our users.”

However, Tim Sweeney, who heads Epic Games and has been locked in a legal battle with the iPhone maker over its App Store policies, poked fun at critics. “Good morning! Today is international ‘If we open up platforms the world will explode day’ sponsored by Big Tech lobbyists and astroturfers,” he tweeted on Friday.