Meta has announced that in the context of its efforts to align with EU’s new Digital Markets Act (DMA) legislation taking effect on March 7, 2024, it has rolled out significant updates to its messaging platforms, WhatsApp and Messenger.
Those updates aim to ensure legal compliance, making Meta’s platforms interoperable with third-party messaging services while maintaining end-to-end encryption (E2EE) under all circumstances.
The DMA is a regulatory framework introduced by the European Union aimed at promoting fair competition and innovation within the digital market. It particularly targets large online platforms that act as “gatekeepers” in the digital ecosystem. The DMA mandates eligible third-party services to interoperate with major messaging platforms, allowing users to communicate across different services.
For messaging app providers in particular, DMA mandates that “gatekeepers” like Meta give up the tactics of “walling” their digital ecosystems by opening up compatibility with smaller platforms/services, giving users flexibility and the freedom of choice. The framework also dictates that implementing interoperability technologies must be transparent to ensure that user data security and privacy aren’t discounted to achieve technical goals.
Maintaining E2EE
Meta uses the Signal protocol for E2EE on both WhatsApp and Messenger, which is a robust method for securing user communications. Maintaining E2EE while working with third-party messaging platforms was key in this case, and Meta says its engineers worked meticulously towards this goal.
The interoperability infrastructure builds on Meta’s existing client/server model, facilitating secure and reliable communication while minimizing user data exposure. This model allows for direct connections to Meta servers, ensuring high security and integrity checks.
WhatsApp’s technical architecture involves third-party clients connecting via XMPP (Extensible Messaging and Presence Protocol) and interfacing with WhatsApp servers for various operations, including user authentication and notifications. It also includes a unique identification system for third-party users, utilizing cryptographic proof and protocols like OpenID and JWT for verification. This ensures that only authorized third-party services can interact with Meta’s messaging platforms, adding an extra layer of security.
Though this approach lays the ground for secure interoperability, it is imperfect, as Meta admits in the announcement. For example, the tech giant says that although it would prefer that all third parties use the Signal protocol, which guarantees data safety, not all do. Moreover, messages still reach other services’ servers, so the challenge of ensuring privacy and security with third-party services remains.
“While we have built a secure solution for interop that uses the Signal protocol encryption to protect messages in transit, without ownership of both clients (endpoints), we cannot guarantee what a third-party provider does with sent or received messages, and we, therefore cannot make the same promise.”
Meta
The takeaway for users is that Messenger and WhatsApp are becoming more open to working with third-party services, and the Signal E2EE is still there. However, while messages are protected in transit, the overall privacy and security guarantees depend on the third-party services’ adherence to similar high standards.