New EU law could require iMessage and WhatsApp to work with other platforms
theverge.com
Duplicate?!?
This is almost too good to actually go through. Protocol transparency, that is to say forcing companies to open up their APIs, would be one of the simplest and most effective ways to break platform effects and walled gardens.
It shouldn't just be limited to messaging. An internet where everyone can build a client against Facebook's API, or YouTube or what have you, and users get actual choice and control about how they consume those services would be a big leap forward.
> It shouldn't just be limited to messaging. An internet where everyone can build a client against Facebook's API, or YouTube or what have you, and users get actual choice and control about how they consume those services would be a big leap forward.
Or a wonderful leap backward, in the most positive sense.
In these days of proprietary walled gardens everywhere it might be difficult to remember, but earlier in the Internet that was how things worked. Every protocol was public, documented in RFCs, and all implementations were interoperable (barring bugs/etc, but mostly anyway).
Er, WhatsApp is based on Noise for the client-server protocol, and the Signal protocol for peer-to-peer encryption. Both were open standards before WhatsApp implemented them.
The problem is less about how known the protocol is and more about whether the platform owner uses its influence to prevent others from implementing said protocol.
Even a completely obscure protocol can be reverse-engineered given enough time - in fact if you search on GitHub you can already find a lot of client libraries for proprietary services.
The problem is that at the moment the platform owners intentionally detect usage of these alternative clients and ban their users or abuse laws such as copyright to block their development & usage.
I dunno how to say this but Noise is really a set of possible handshakes with various security guarantees (or, more like, aims, which we are reasonably sure are met), which kinda followed on from X3DH/Signal Protocol. I'm unsure how you got that Noise is a client-server protocol and Signal is peer to peer. When you send a WhatsApp message you still send it to WhatsApp servers and the client-server protocol here is probably just TLS. Likewise, when you receive it, probably TLS also. However that message is encrypted "end-to-end" in the sense that the server cannot decrypt the actual message payload on the way. Noise _also_ enables this. Critically this is not peer-to-peer: the clients are still relaying messages via a central server.
Peer-to-peer communication in WhatsApp in the network topology sense happens where possible when making voice and video calls, as this is probably WebRTC-derived (it is WebRTC in everything else these days), which concretely involves some kind of call signalling, then p2p setup to talk RTP if possible. This is not Signal Protocol or Noise: it is most likely the S in SRTP with key agreement done over the Signal Protocol. In other words, no key ratcheting between voice or video packets. I'm actually not sure if the session key is ever changed for a given call. To make this clear: call setup happens via a central server but the media streams will go from your IP to theirs directly, if possible (or proxied via WhatsApp if not). The reason for doing calls p2p like this where possible is to reduce latency.
This is also, last time I looked, true of Signal. We are good at end-to-end text. We are less good at voice/video, particularly voice/video group calls that might not be p2p-able and rather require the server to do something with the RTP streams.
Now, what you're actually missing is that WhatsApp was in its early days based on a fork of ejabberd, the Erlang XMPP Server, with if I understand correctly custom extensions. Thus WhatsApp actually was at some stage somewhat compatible with open standards.
We've also kinda been here before. Google Talk used to interoperate with XMPP just fine and at one stage my own XMPP server could talk to my friends on Google Talk and they'd pretty much not notice.
I agree however that it would be better to have a new protocol that starts based on end to end key agreement like Signal/Noise, rather than use XMPP. Or perhaps use XMPP _inside_ this protocol. This is because "opt-in" crypto is a disaster that probably has happened. Signal and Noise are also missing what the body of those messages should look like and standards for agreeing for example calls, media transfer and so on, basically all the non-crypto parts.
Being a developer and having implemented both, I know. Maybe I just misspoke.
Looks like I fired off a bit too hard as I saw peer to peer and... That means something specific. Sorry about that. There's far too much 'zero knowledge encryption' on the internet, eurgh.
Seems WhatsApp does use Noise pipes for some long-running connections. Just checked their doc to be sure.
I misspoke, should have said end to end.
Doesn't WhatsApp do a bunch of customizations applied to the base protocol? It's not the vanilla standard.
Yes, but if I remember correctly, one of the things the FB internal document dump showed was that the API for smaller and bigger players behaved differently. API access won't mean anything if companies are allowed to pick and choose how it behaves against some IDs.
Beyond privacy concerns, it’s also going to open these and many other services up to an unending wave of SPAM.
So, I wouldn’t assume it’s great for end users without digging into the details. Don’t forget the last time they did privacy regulations they created an unending wave of click yes to accept cookies.
PS: Looking at rapid downvotes I see people disagree, but mandatory interoperability would presumably force them to accept SpamNetwork101, SpamNetwork102 … etc.
Luckily we’re kept totally safe by our benevolent overlords. Except for our good friend Jeff Bezos that got hacked through a WhatsApp image. Or the overt spam that any publicly posted business WhatsApp number receives.
WhatsApp replaced SMS as a free alternative with media. SMS is just a protocol. It is not necessary that a replacement is a walled garden, especially not under the sole guise of spam protection - something that is being done very poorly anyway.
iMessage and WhatsApp are just a tiny selection of social networks.
Depending on the specifics, everything from Yahoo! Messenger to MMO chat either needs to get shut down or made interoperable.
I can only expect the matter to be applied to large applications in some sense. Hopefully they learned a lesson or two from GDPR, and tangentially I don’t expect this rollout to happen anytime soon.
That’s possible, but they don’t have a great track record.
And this removes agency for those of us who try to keep as much of our data out of Google’s hands as possible. If they’re going to force interoperability it needs to come with restrictions about what they can collect about people who haven’t consented.
DMA has that (Google can't use data obtained from interop in anything but the market they sourced it from, i.e. e-mail data stays in the e-mail sector) and the GDPR covers the rest (without consent, they are restricted to only processing necessary data to begin with).
Why? If your messaging app doesn't have the ability to block stranger requests, why are you still using it?
And even if you for some reason don't want to restrict your requests, you'll probably still be fine - Gmail protects me from spam pretty well.
That's like saying that you don't need a spam filter for email because you can press the "mark as spam" button a hundred times a day.
Good luck blocking a person that pretends to be 10000 different strangers.
“block stranger requests” could mean using your contacts as an allowlist
This. I am somewhat surprised an allowlist isn't a thing. I get that there are times you want to be open to the world (say you are actually waiting for an interview call), but this would easily solve a good portion of the issues. Am I missing something?
My concern is how broad the definition of social network is. Tinder for example requires people to be open to new messages and simply doesn’t work as a whitelist.
Is, say, MMO chat a social network?
As long as you hardly ever meet new people, of course. Obviously this is not a trivial problem to solve, otherwise spam wouldn’t exist.
If you meet a new person and want to exchange messages, there's not a huge difference between adding them in your messaging app and adding them to your contact list.
Using this model it would be better to have multiple lists though, or at least tagging within the general contacts list, so tag-based lists could be allowed by certain apps (to keep business and personal messaging separate, for example).
Facebook Messenger's chat requests have basically solved this problem.
New person goes to chat requests, they communicate through another channel that they've sent you a message, you go open the graveyard of chat requests and accept theirs.
Exactly this. Exactly if the common protocol is SMS/MMS. So what if I can block people on one platform? They can now just hop to another.
Or they can create a new account on the same platform. But that's why I don't like platforms that force me to use my phone number as a public ID, because already today, if I block you on WhatsApp you can find me on Signal because my number is the same. So really the interoperability doesn't make it worse than it already is.
Isn't this generally taken care of by only allowing messages from numbers that are in your contact list?
That approach doesn’t work for something like Tinder. It’s also kind of a pain rather than just letting everyone message you on a platform without SPAM.
I miss the days when I could fire up Pidgin (or Gaim when I started using it) and instantly connect to every IM service I ever needed. Hopefully this is a step back towards that.
Agreed. It genuinely feels like my online experience degraded over the course of the past decade or so, because I am less willing to join a specific walled garden. And then I remember that this is by design. The winner takes his/her social circle to the winner's garden.
Same here. That's why I paid to use Beeper. It's amazing to have all my chats in one app again. (Not affiliated, just love the experience.)
I thought WhatsApp's user terms forbid users from using third-party clients. People were banned for that.
Could you please talk about the experience with Beeper? I always worried that I would get my accounts banned or similar.
What do you love, what is missing?
Can you organize the chats?
I too have been worried about that! They claim they'll offer a self-hosted version soon. I'd feel a lot more comfortable going that route so my IP is often from the same place.
Right now everything is running on their servers with god knows what IP addresses and from where.
So far I haven't been banned but I have had to reset my Facebook password once.
Instagram suddenly stopped working and I had to reconnect a few times.
So far WhatsApp is ok.
IMHO the iOS app is close to useless and I stopped using it.
The desktop app is where it's at and I'm only using that for now.
You still can for many protocols, Pidgin has plugins for lots of modern protocols:
I still remember my ICQ number… 1057955. Been a long time since I tried accessing that account.
Just force monopolistic/abusive/anti-competitive companies to expose APIs; it's not a stretch; they did it for banks (PSD2) and it's great for consumers and companies alike. Do it for everything; open systems make the world better. And they can still be monetized; it's not like forcing everyone to open source everything.
Edit: more subtle choice of words to indicate what I meant
As someone who works on a SaaS product, one of our biggest costs is our stable API surface. Internal APIs are essentially free, but for a public API we have to:
- Implement a conversion layer from our internal representation so we can keep it stable.
- Complicate all further feature work because we have to consider how it will affect existing customers of the API.
- Write and maintain documentation for the API.
- Keep the API working even after we no longer use it.
- Maintain multiple versions of the API in parallel.
- Make sure our error messages make sense to people not familiar with our internal systems.
- Be more careful with validation - for our internal APIs it's not the end of the world if a bad request results in a 500 rather than a 400, but it matters a lot for public APIs.
- Be more careful with rate limiting and other defenses against API misuse.
And this is to name just a few. A requirement that everyone expose a public API is pointless if it doesn't include a stability guarantee, and overly burdensome if it does.
> A requirement that everyone expose a public API is pointless if it doesn't include a stability guarantee, and overly burdensome if it does.
This isn’t a requirement that everyone expose a public API. https://www.theverge.com/2022/3/24/22994234/eu-antitrust-leg...:
“The DMA will force new obligations on companies deemed to be “gatekeepers” — a category defined by the legislation as firms with a market capitalization of at least €75 billion ($82 billion); at least 45 million monthly users; and a “platform” like an app or social network. Companies covered by this classification include well-known tech giants like Google, Microsoft, Meta, Amazon, and Apple, but also smaller entities like Booking.com.”
For smaller companies, I can see how that would be rough. However, for large tech companies, this law seems really necessary.
Also relevant: https://www.youtube.com/watch?v=rAlTOfl9F2w
It should be easy to make exceptions for smaller companies/services, and put the rule into force for larger services. Also, the API doesn't need to be stabilized. If WhatsApp wouldn't send DMCA notices to developers of third-party clients, and ban users of such, it would be a good start already.
It’s worth noting that this (proposed) law already only applies to large companies, as I noted upthread. This is something that a lot of folks in this thread are missing, but which I think is pretty crucial.
> Included in the rules' scope will be platforms with a market capitalization of €75 billion or turnover in the European Economic Area equal to or above €7.5 billion. [0]
[0] https://www.politico.eu/article/eus-digital-markets-act-adop...
Most social media companies' businesses models rely on having complete control over the presentation of content. Forcing them to allow third-party client apps would ruin that, and it's going to be beautiful.
Complete control of the presentation of content, editorializing said content, and arbitrarily deciding what is and isn’t allowed. And they also still don’t want to be treated as publishers.
It’s hard for me to muster up even the smallest amount of sympathy for these vampires.
I expect this will take a decade to shake out as US tech firms work tirelessly to protect their spyware walled garden models.
You’re severely overreacting. These features you so passionately hate are an important part of the reason why the general population is using the apps, and the business model of the large majority of chat apps is definitely not ‘spyware’.
What’s going to happen, if this ever goes through, is that the networks will open some kind of api so outsiders can send and be sent basic messages. And you will never be happy using it because you’ll always look like an outsider.
And there is no way to fix this because a big draw of these networks is that they keep adding new features and they are not in the old api so you can’t use them.
And of course it’s going to be a big source of spam so users will get the ability to block the outside from sending messages to them, which means you can’t reach half the people you want.
>These features you so passionately hate are an important part of the reason why the general population is using the apps, and the business model of the large majority of chat apps is definitely not ‘spyware’.
Disagree, and disagree. Access to friends and family is why people use these apps. Once these tech companies are forced to tear down those walls people will be free to use the app of their choosing to communicate with whomever they prefer. Spyware is harvesting data without the explicit consent of the user.
>What’s going to happen, if this ever goes through, is that the networks will open some kind of api so outsiders can send and be sent basic messages. And you will never be happy using it because you’ll always look like an outsider.
They'll be fined 10% of their global revenue for trying to play such an obvious and silly game.
Since we’re talking about the messaging component of services, what messaging service “[editorializes] said content”?
“[arbitrarily deciding what is and isn’t allowed]” Everything is so arbitrary. Either allowing everything or nothing is not sustainable for anything on the internet, so you need arbitrary rules to stop arbitrary things.
This proposal covers more than messaging. I don't know of any messaging services that editorialize content.
>Either allowing everything or nothing is not sustainable for anything on the internet so you need arbitrary rules to stop arbitrary things.
It doesn't need to be so complicated. Allow lawful content and maintain your neutral status, or only allow content you choose and become a publisher.
Can you explain what TikTok does differently that makes it so open and free compared to evil US tech companies?
The only difference between TikTok and any other big tech company would be their (lack of) Congressional bribery.
Wow, "just force everyone". This is not freedom. I mean it doesn't feel that wrong because we are talking about a big corporation, and sure I hate that WhatsApp replaced SMS here, claiming "privacy first, never any ads" but then got bought by a big anti-privacy, ads-everywhere company. But still, imagine WhatsApp was written and maintained by an individual? Would we be so keen to use terms like "force"? This is all negative in the freedom dimension.
If you want a free, private, modern communication network, build it, don't steal it. In this case we are already very close to having a very nice solution in the form of Matrix. Throw some money and devs for things at Matrix/Element for issues we want to solve there. Push it as a government sanctioned solution. Offer services over Matrix, avoid WhatsApp.
> imagine WhatsApp was written and maintained by an individual? Would we be so keen to use terms like "force"? This is all negative in the freedom dimension.
These rules only apply to platforms with a market cap of over €75 billion or European Economic Area turnover of over €7.5 billion.[0] No one is proposing that we require single developers work with Apple and Facebook to make their apps interoperable.
[0] https://www.politico.eu/article/eus-digital-markets-act-adop...
The more freedom monopolistic entities have the less freedom the rest of the world has because these overpowered companies have turned freedom into a zero sum game.
You are right, I fixed my words to say what I actually meant with 'everyone'; I meant (more or less - it could be applied to somewhat smaller companies imho; a few billion Euros seems enough to ask for some type of openness, but yeah it should not apply to small companies anyway) what the EU is planning, not actually 'everyone'.
Limiting freedoms of megacorporations is a good thing.
They should be limited (blocked entirely) in their attempts to influence politics, I agree (sadly that is not the case). They should be limited in their attempts to create addictive products. Instead, we are now proposing to limit them in creating solutions according to viable business models that do no real harm.
There is no forcing necessary in other, imo preferred, scenarios. Like pushing Matrix. The solution, which uses the law to force a company will just block new attempts at creating similar but better products.
Agree! But first, can you point me to e-lab.nl's open API?
I believe forcing them to expose APIs would kill messengers which are built around a single feature (like Snapchat). The idea behind Snapchat is that it's hard for users to save images without notifying the opposite party. You wouldn't be able to enforce this with third-party clients.
Which is the dumbest excuse to keep walled gardens
John, don't call other people's opinions dumb, just because you disagree. Encourage dialogue, not hostility.
While I'm against walled gardens, I can see why these companies want to keep them closed. And if I'd work for e.g. snap, I would probably have this opinion as well.
Sawing off the branch you are sitting on is usually not a good idea.
It seems like this is an attempt to destroy the whole idea of a curated platform, though.
iMessage's advantages are a feature of the Apple ecosystem. WANTING it to interoperate with Facebook or whatever is one thing, but legally REQUIRING it seems to me to be very, very dangerous.
The banking API rule isn't that useful, you as a bank customer cannot get access to that bank's APIs, instead you have to go to another company who does have access.
Yes, like my company, who in turn make useful apps for consumers which was far harder (and more expensive) before. You had to jump through all kinds of hoops, you don't need to jump so many here in EU/UK. I did integrations in HK/AU/US and that was seriously painful without these in place. And far more expensive.
No offense, but trusting third-party companies with financial data is unlikely for many people, they are probably more likely to write a scraper for their bank's horrible web interface or reverse engineer their bank's mobile app than do that.
For those wondering what exactly it means:
> (fa) allow end users, business users, providers and potential providers of on line social networking services access to and interoperability with the same industry-standard service features that are available or used in the provision by the gatekeeper of any social networking services; minimum interoperability requirements shall be in accordance with the relevant Union legislation or the industry standard, where applicable, by providing open standards, open protocols, including Application Programming Interface;
This annoys me. Rather than robbing Moxie of his vision and forcing Meta to break their business model, why do governments not just lead by example?
Start using Matrix, we all know that the signup process could be easier (among many other things), throw some money and devs at the project with that specific goal. Start offering services over Matrix. Public money, public code. The whole world benefits.
I'm pretty sure Signal wouldn't be subject to this. I think it's only for companies over 75 billion euro[1] market capitalization.
[1] https://www.theverge.com/2022/3/24/22994234/eu-antitrust-leg...
They are already using Matrix somewhat, for example the French:
https://matrix.org/blog/2018/04/26/matrix-and-riot-confirmed...
While I agree leading by example and using Matrix would be great, it is orthogonal to the proposed law.
More importantly, who cares about Moxie's (imo crappy) vision? If this were to force him to rethink his stance, that's a plus in my book.
Do you realize what you are saying? Would you feel the same when someone with the opinion that your vision is crappy was to force you to rethink your stance on anything? Let alone on something you put insane amounts of time into?
I realize now that Signal will not be affected, only very large companies will. Nevertheless I find your attitude very concerning.
Why would requiring interoperability rob Moxie of his vision?
He indicated multiple times that he does not want other (third party) clients, does not want the server to be open and federated. Let him have it, it works for many people.
Imagine you were him and you are getting issues filed from people using services the government forced you to build, or that were even built by others but forced on your once clean solution. I'd say "screw you guys, I'm going home" (build your own solution). And I'd agree with him. Where would it end?
The same can be said about WhatsApp et al. I’m going to bet that Meta also indicated they don’t want other third party clients.
From my point of view, the advantages of opening up these platforms outweigh the disadvantages for those who don’t like that.
The whole idea of this type of regulation is that it tries to do what’s best for the consumer, and the market as a whole, not necessarily for the businesses behind it.
And then we keep Moxie as a slave, forcing him to get motivated to implement all this? Or will the government seize control of the code? Stop Moxie from forking, then tell people to stay on the government branch?
And the arguments hold for Meta too if you ask me. WhatsApp is not a public service. It was not built (or in this case bought later on) with our interests at the top of the priority list. If we want public services with the public's interest at heart, we have to build those services, or sponsor those. Not take them from companies. In this case we already have a nice solution in the form of Matrix.
What are you suggesting?
No one is forcing anyone to do anything.
Countries (and citizens by proxy) have a right to decide how they want services to function in their respective countries. Any company can choose to follow those regulations or voluntarily stop services within that country.
The great part about the EU is that it's a big enough market for companies to want to target it. One doesn't object about food health standards or what standards electronics parts are required to follow, it's the same for internet services.
They don't have to be forced to do anything.
If these companies do not want to follow these laws, then they are within their right to not operate in the EU.
This proposes a very strict link between what is good for a society and the law. We should continue to debate decisions like this because what is good for society is very difficult to prove but the law has real repercussions, right now.
The point being here, is that these companies do not "own" these citizens. Citizens have the right to vote. And they can vote on laws. And if companies want access to these markets, then they should follow these valid laws.
If you want to talk about the benefits and drawbacks of these laws, that's fine. But please do not phrase it as if these companies are being forced into slavery.
Because that is an absurd framing, because those citizens are fully within their right to set consumer protections, for what is required of companies, if they want access to certain markets.
Law makers, and everyone else, would love to talk about the benefits and cons, to consumers for these laws. Please enter the conversation, and actually talk about that, instead of pretending like these corporations have some moral right to access certain markets, above and beyond the wishes of those citizens who vote on valid consumer protections.
We are not "taking them from companies". Instead, citizens are putting up valid consumer protections and requirements for access to their market, that does not belong to these corporations.
And these corporations can decide to either follow these laws, or leave the market, because those markets do not belong to them.
these rules will only apply to platforms with a market cap of over €75 billion or European Economic Area turnover of over €7.5 billion (https://www.politico.eu/article/eus-digital-markets-act-adop...)
I don’t think he has the ambition to even get half-way there, and if he ever gets there, I expect he’ll be able to pay others to worry about that.
More importantly who is Moxie?
Yeah, that could have used a citation indeed. I use Moxie [0] because he is a face to a popular messaging app (Signal [1]), and I think it is important to realize he is the brain behind this wonderful creation.
Try putting yourself in his shoes as the government contemplates publicly about how they are going to force some changes to the project you build based on your very private vision of privacy and subsequently made available for free to millions, based on your hard work.
Moxie Marlinspike is the creator of Signal, a popular secure messaging app.
Why did we as consumers accept this?
I remember back when MSN/Windows Live Messenger used to be one of the most popular options out there. Even though I used Ubuntu, I could still chat with my friends through the Pidgin messenger. This was all possible through the XMPP interface, which still exists by the way.
It's not just that these new messaging platforms are adding no extra value, they are creating worse experiences, and we're buying into it. You now have to install half a dozen messaging apps just to keep up (WhatsApp, Telegram, Facebook, etc.). And now we're suddenly talking about reinventing the wheel.
How easy is it to send full quality videos and pictures via XMPP? I feel like the main difference from my Pidgin days and today is that these days there is a metric ton of large media files being sent around.
It's as easy as via any other method. XMPP supports server-intermediated transfers (where the file is uploaded to the server - this is what almost all platforms choose to do these days), but it also supports negotiated p2p streamed transfers (suitable for huge files, essentially unlimited, but less reliable, e.g. it requires both sender and recipient to be online at the same time).
I assumed it costs Apple quite a bit for the bandwidth and storage of all the media files they send, and hence why Apple is the only one that offers to do it at full quality.
I assume it costs Meta a lot too, and so they reduce the quality of media flying around on WhatsApp.
Would others have to be able and willing to pick up these costs if the networks were opened up? I am thinking even if Apple/Meta were forced to open their networks, they would balk at subsidizing outsiders.
I am not clear what the backend costs and cost allocation would be, for example, if someone using iMessage sends me a 4K video and I am not using iMessage, and I am offline, but I will expect to see it next time I open up Pidgin on my laptop.
The way it generally happens on XMPP and Matrix is that the upload is stored at the sending user's server, and a URL is passed around. That means the choice is up to the operator of the sender's service as to what size files they allow, and how long for.
Applying this model to the case of a 4K video sent from iMessage, the file would be hosted by Apple, and you would merely receive a reference to it (i.e. URL) so you can fetch it when you come back online. It's natural to assume this model, as most platforms are already using it today, but of course this is all speculative until things get opened up.
On a final note, Pidgin is a poor choice of example in this case. It supports a much older version of XMPP, its support for the protocol actually hasn't evolved much in the past ~10 years or so. In particular it's missing support for this very file transfer mechanism, and a whole bunch of other things such as multi-device and modern E2EE (though there are third-party plugins attempting to plug some of these gaps). If you're planning to do XMPP in 2022, practically any other XMPP app that's actively developed supports the newer mechanism and many other modern features Pidgin lacks. For desktop that includes Gajim (cross-platform), Dino (Linux, experimentally Windows) and Beagle IM (MacOS).
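The "sender's server hosts the blob, the message carries a reference" model described in this answer, as an added example that is not code from XMPP, Matrix or any real client. It assumes an in-memory `Homeserver` standing in for the sending user's server, a constructed URL layout, and a direct `fetch` call standing in for the recipient's later HTTPS GET; the size limit and retention period are the sender's operator's policy, which is what decides who carries the storage cost.

```python
"""Media-by-reference model: upload to the sender's server, pass a URL around.
Added example; Homeserver, OperatorPolicy and the URL layout are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class OperatorPolicy:
    """Limits chosen by the operator of the SENDER's server (hypothetical values)."""
    max_bytes: int          # largest upload the operator is willing to host
    retention_seconds: int  # how long the operator keeps the blob before reclaiming it


@dataclass(frozen=True)
class MediaRef:
    """What travels inside the chat message: a reference, not the bytes."""
    url: str
    size: int
    sha256: str  # lets the recipient check the blob it fetches later is the one referenced


class Homeserver:
    """In-memory stand-in for the sending user's server."""

    def __init__(self, domain: str, policy: OperatorPolicy) -> None:
        self.domain = domain
        self.policy = policy
        self._blobs: Dict[str, Tuple[bytes, float]] = {}  # url -> (data, expires_at)

    def upload(self, owner: str, filename: str, data: bytes, now: float) -> Optional[MediaRef]:
        """Store a blob for `owner`; None means the operator's size policy refused it."""
        if len(data) > self.policy.max_bytes:
            return None
        digest = hashlib.sha256(data).hexdigest()
        # Constructed URL scheme; real servers use their own layout.
        url = f"https://{self.domain}/media/{owner}/{digest[:16]}/{filename}"
        self._blobs[url] = (data, now + self.policy.retention_seconds)
        return MediaRef(url=url, size=len(data), sha256=digest)

    def fetch(self, url: str, now: float) -> Optional[bytes]:
        """Serve a blob; None once retention has expired or the URL is unknown."""
        entry = self._blobs.get(url)
        if entry is None:
            return None
        data, expires_at = entry
        if now >= expires_at:
            del self._blobs[url]  # retention over: the operator reclaims the storage
            return None
        return data


def receive_media(ref: MediaRef, server: Homeserver, now: float) -> Tuple[str, Optional[bytes]]:
    """Recipient comes online, follows the reference and verifies what it got.
    Returns ("ok", data), ("gone", None) or ("corrupt", None)."""
    data = server.fetch(ref.url, now)
    if data is None:
        return "gone", None
    if len(data) != ref.size or hashlib.sha256(data).hexdigest() != ref.sha256:
        return "corrupt", None
    return "ok", data


def run_scenario() -> Dict[str, object]:
    """Walk through the 4K-video case from the thread with constructed data."""
    policy = OperatorPolicy(max_bytes=8 * 1024 * 1024, retention_seconds=7 * 24 * 3600)
    sender_server = Homeserver("sender.example", policy)
    video = bytes(range(256)) * 4096  # constructed 1 MiB "video"
    ref = sender_server.upload("alice", "clip.mp4", video, now=0.0)
    assert ref is not None
    return {
        "reference": ref.url,
        "first_fetch": receive_media(ref, sender_server, now=3600.0)[0],
        "after_retention": receive_media(ref, sender_server, now=8 * 24 * 3600.0)[0],
        "oversize_accepted": sender_server.upload(
            "alice", "huge.mp4", b"x" * (policy.max_bytes + 1), now=0.0) is not None,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```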
Thanks for the explanation. Seems like no one would be forced to subsidize anyone else if they did not want to, simply because they used the same chat protocol.
Easy, on some clients/with some servers. These days they do it the same way as most other platforms, by uploading the media to a web server. It took the ecosystem a while to catch up to that though, and there are plenty of clients out there that still don’t support it.
> there are plenty of clients out there that still don’t support it
Which ones don't?
Pidgin on Windows, for one. And even on other platforms you have to compile and install the third-party plugin for it yourself, it doesn’t ship with Pidgin - this is beyond what I would expect most users to do. (I imagine the same is true for Adium as they’re both libpurple clients, but I don’t have a Mac handy to check.)
Those two alone are the clients that most Windows/Mac XMPP users I know reach for first, probably out of familiarity.
Because SMS was expensive
> Why did we as consumers accept this?
Short term thinking and focus on new shiny features over long term sustainability. It's a pattern we see repeated in many aspects of society, not just messaging. Combine this with network effects and it ceases to matter that a minority of people have the time and interest to think about the long term, the majority have already made the decision, and your choices are to either be left out, or participate. It's frustrating, but it's one of those things when a large enough sample of the population are living lives which have much bigger problems than messenger lock-ins.
tl;dr: stickers
> Why did we as consumers accept this?
You don't have to. If you say you're only reachable with apps that support XMPP then generally people who care about chatting with you will use that. That's what I have been doing since January last year when WhatsApp changed its ToS.
Is this an indirect attack on the encryption... seems to be.
You can still enforce PKI on top of open APIs.
Likely not. Europe is into open standards, interoperability, and things like this. Far more than the US.
I largely agree. But there is also a lot of user-hostile stuff being discussed on the EU-level like https://chatcontrol.eu
Surveillance is an area where there are still plenty of politicians who try to sabotage (digital) freedoms.
Imagine there is a break in a cryptographic algorithm, say AES256-CBC. Now can I replace it in my messaging app, without having to coordinate with every other messaging app provider? Suddenly governments have a lever to prevent adoption of more secure standards.
Why wouldn't you be able to bump the API of your messaging app? Sounds orthogonal to me. You are required to publish a working and open API. You are doing it. They can consume the new API with the new default cypher.
So no guarantee of interoperability.
> So no guarantee of interoperability.
Why not? Can you come up with examples? Are you worried that they would use automation to generate a new "API" per second, so consumers would need to play catch-up? Do you think that would hold in court, if/when this initiative has been legislated?
A messenger just refuses to upgrade. So Alice, who was sending Bob messages with no problem yesterday, is broken today. So back to having to use the same messenger.
> A messenger refuses to upgrade.
Well yes, if a messenger refuses to upgrade and consume a working API, it will not consume much. This law is not about forcing all messengers to interoperate with the infinite messengers out there. This law is about forcing those with capitalisation of ~7 billion to provide a sane endpoint.
AES256-CBC is already not IND-CCA secure, FYI.
iMessage and WhatsApp both already have encryption backdoors that escrow the endpoint secret keys or plaintext to cloud services, undermining the end-to-end encryption. That ship has sailed.
Not sure about this, but related: https://news.ycombinator.com/item?id=22098473
The thing is, there doesn't appear to be any way to know whether this is the case.
But future messaging apps shouldn't be getting less secure.
I wasn't aware of this, do you have a link for me to read more?
https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...
iCloud Backup was introduced in iOS 5, released in 2011. It escrows either message plaintext or device secret keys (depending on OS version and configuration) to Apple, encrypted with Apple keys (non-e2e) and readable to Apple (and the FBI and others, some of whom access the data without probable cause or a warrant under FAA Section 702).
WhatsApp backup backs up chat plaintext to cloud services (I think Google is the default), also non-e2e and readable to the cloud storage service (who often shares it with government snoops without a search warrant, also under FAA Section 702). They added an e2e option late last year but it doesn't matter if you turn it on because none of the people you chat with are likely to have it enabled (so all of your chats will be backed up in plaintext from the other end).
> iCloud Backup
OK so that doesn't support what you said at all. That's an optional feature (that I do not use), and it's not in any way a "backdoor". Unencrypted backups are a front door. Yes, that iCloud Backups aren't E2EE is bad. Arguably worse (and this would be a more productive area for the EU and others to focus on) is that they're the only general wireless option, that's MUCH more of a nasty tie than messaging. iOS should have a standard API for backing up that any service at all (including a server one runs themselves) can implement and then get pointed at. But none of that is a backdoor in the encryption of iMessage and you do the whole space a real disservice by conflating them.
> That's an optional feature (that I do not use),
It doesn't matter. Everyone you chat with uses it because it's on by default, so all of the iMessages you send and receive are backed up in effectively plaintext to Apple (who turns them over to third parties).
> But none of that is a backdoor in the encryption of iMessage and you do the whole space a real disservice by conflating them.
Unencrypted (or encrypted to the ZK middle service, in this case Apple, being the operator of both iMessage and iCloud Backup) key escrow of end-device secret key material in a system that is advertised as end-to-end encrypted is indeed a backdoor in the end-to-end encryption of that system, as now the secret keys don't exist just on the endpoints - the transit service in the middle has a copy of them, allowing message decryption on a non-endpoint as they transit the middle service.
That is definitionally not end-to-end encrypted. It's end-to-middle-and-end encrypted if the middle device has a usable copy of the endpoint secret keys, which Apple does.
Yes! Like another comment mentioned I'd love a return of pidgin.
Further, the law should specify that the protocol allows E2EE, and we have traction.
Double yes! I had thought for the longest time that a Linux-like open landscape would develop for messaging and social. I no longer believe this is going to be the case. I truly believe we are at a Standard Oil / AT&T moment (as documented would happen by Tim Wu in the Master Switch[1][2]). There is no conceivable way other than politically/legally that big tech will of their own volition lower their drawbridges to span their moats.
This needs to happen. Mandate interop and federation please.
[1] https://www.penguinrandomhouse.com/books/194417/the-master-s...
Matrix would be a nice approach, if not for weird edge cases like spamming IRC (if that still happens).
Pidgin is still here and supports modern protocols via plugins.
Would it also force Facebook to open up its Events section, so events become available to the outside world?
This is a step in the right direction. I'm pretty certain that they will make their open APIs a pain in the ass to work with so that nobody actually uses it but they still comply with the law.
So, I think further revisions of this law will somehow need to take this into account.
The Digital Markets Act gives very broad executive powers to the EU Commission to make sure that it will get implemented.
They don't need to change law to address issues.
Specifically:
- article 7: Compliance with obligations for gatekeepers
- article 10: Updating obligations for gatekeepers and
- article 11: Anti-circumvention
It's hard to be optimistic about this. Regulators, lawmakers and courts are working with very blunt instruments and making up for it by being gentle.
Whether or not they succeed at improving choice and reducing centralised power over comms is up to dumb luck, mostly.
This would basically kill WhatsApp on iOS. Which is fine by me.
Step 1: Your encrypted chat service used by activists must work with other platforms by law.
Step 2: So... the encryption your application uses doesn't work well with other platforms.
Step 3: Everyone must use this one kind of encryption for interoperability with our tracking ser... I mean other platforms.
Step 4: Hey, look at all the stuff these activists are talking about.
Step 5: Gulag for the activists.
The most interesting part of the law is that users will be able to choose their own browser.
https://www.theverge.com/2022/3/24/22994234/eu-antitrust-leg...
IMVHO communication protocols of anything public MUST be open, peering MUST be allowed as a general policy. It's not a matter of scale: communication exists to communicate, not to create walled gardens.
Would this also require Signal to provide an open client API for messaging by 3rd party clients?
This is going to make it difficult for small startups to compete.
Since right now it's so easy to compete with WhatsApp?
On the contrary, the whole point of this law is to make it not just easy, but even possible for alternative messaging providers to compete.
Why? (Note that the idea is to force the big players to allow interop with small ones, but small startups are not forced to do anything.)
What's the reasoning for that? I think the opposite is true, because open protocols allow a startup to interact with existing users, without needing to overcome the hard barrier of network effects. Closed protocols only help entrenched groups, and are actively harmful to both users and startups.
This only applies to companies with a market capitalization of at least 75 billion euro.
On the contrary it is literally the only way to beat the big platforms that already have a billion users.
Ah, a new tack in the effort to break encryption.
This would be great for consumers but not so great for Apple and Facebook. They want people into their locked down walled garden.
Yeah, and trade certain security for certain freedom?
They could implement EXACTLY the same security requirements via a public-facing API as they do via their existing "private" API. How would that be trading security? Lack of obscurity?
Clearly they can't be expected to integrate with any 3rd party, so the expectation is that 3rd parties would integrate with them.
You can do this at present via their private API (as per Pidgin, etc.) - but that's against their terms of service. It seems this law will prevent them imposing such terms.
Karma be damned. Uncomfortable truth must be made cognizant.
But they won’t do it exactly given their widely disparate privacy and security model. Unless some kind of an instant messaging standard surfaces.
As is, it would become another cat-n-mouse security theater in leveraging one IM provider’s API weakness to gain additional insight of a subscriber using another IM provider’s API.
So no more security, innovation and progress for the EU? Everything including encryption usage and data transfer will be decided by old fat bureaucrats. Forgot to add a pop-up window about transferring messages to a different country, and you owe 1 billion eurofiats to them.
How about you simply don’t transfer their information, then there’s no worry about getting permission to do so.