EU messaging service provision draws privacy concern from experts

The EU will require tech giants to drop barriers between their hugely popular messaging services to boost competition, but critics warned Friday that could come at the cost of millions of users’ privacy.

Praise poured in after negotiators from the European Parliament and EU member states agreed late Thursday on a sweeping law to curb market dominance of US firms like Google, Facebook owner Meta, Amazon and Apple.

But the provision in the legislation that looks set to make big services such as WhatsApp and Apple’s iMessage provide access to smaller operators drew concerns it would compromise the encryption that guards users’ data.

“What we will see here, of course, is a trade-off — a policy that is good for competition but bad for privacy and bad for the product,” tweeted analyst Benedict Evans. “You can never have all three.”

Unlike on cell phones or email, app users can’t send a message from one company’s service to a rival’s, raising the concern that people stick to the biggest platforms because that’s where their contacts are concentrated.

“Users have no choice,” Amandine Le Pape, co-founder of messaging app Element, told the Euractiv news network. “Smaller companies cannot compete because they need to build their own user base from scratch.”

In an attempt to address this, the EU’s new Digital Markets Act (DMA) will impose “interoperability” between apps, all while demanding that communications remain encrypted from user to user.

WhatsApp, for example, has default end-to-end encryption, which means that normally only the sender and recipient have access to a message’s content.

Critics of the new EU rules argued it’s all but impossible to have end-to-end encryption across several platforms.

‘World will explode’?
“Example: Twitter knows me as @SteveBellovin. Apple knows me by AppleID, a personal email address. Signal knows me by my phone number,” tweeted Columbia University computer science professor Steven Bellovin. “Google knows me by my official university email address.”

“You receive a message from WhatsApp user StevenBellovin,” he added. “Who is it? Is it me? An attacker? Or someone else with the same name?”

Evans, the analyst, added in a tweet that “at an absolute minimum you will have to expose metadata. Hilariously, that breaks EU privacy law.”

EU’s competition chief Margrethe Vestager said that after the bloc’s member states and MEPs formally approve the text, it should be published around October.

The first possible fines for non-compliance — as high as 10 percent of a company’s annual global sales and even 20 percent for repeat offenders — are not expected before the first quarter of 2024.

However, other experts noted that there are ways to make message apps secure and interoperable.

“From a technical perspective, it is not particularly complex,” internet regulation specialist Ian Brown told AFP.

“Large companies have strongly resisted the obligation precisely because a lack of interoperability is one of the key factors supporting their incumbency,” he added.

Some of the biggest tech giants that could see their dominance eroded or profits impacted under the DMA have offered a chilly welcome.

Apple, reacting generally to the new law, said Thursday it will create “unnecessary privacy and security vulnerabilities for our users.”

However, Tim Sweeney, who heads Epic Games and has been locked in a legal battle with the iPhone maker over its App Store policies, poked fun at critics. AFP