The Possible Impact of the Digital Markets Act on Messaging Privacy

Casey Newton interviewed Will Cathcart, who runs WhatsApp, about the unknown effects of the E.U.’s recently advanced Digital Markets Act. Cathcart has concerns about what this means for the ability of a specific platform to control for spam, and is one of many who worries about what messaging service interoperability may mean for security and privacy:

Over the weekend, cryptography experts sounded the alarm about this idea, saying that platforms might not be able to do this in a way that leaves messages encrypted. As Alex Stamos of the Stanford Internet Observatory put it to me: “Writing the law to say ‘You should allow for total interoperability without creating any privacy or security risks’ is like just ordering doctors to cure cancer.”


[…] it’s clear that, to the extent that there might be a way for services like iMessage and WhatsApp to interoperate and preserve encryption, that way has yet to be invented.

At the very least, it hasn’t yet been built.

To be clear, it does not appear that the draft law mandates the creation of no privacy or security risks; the segment posted by Benedict Evans — the full draft text is currently confidential — says platform providers must create a “high level of security and personal data protection”. It is about finding an appropriate level of risk with the caveat that it will never get to zero. But the core of the question seems correct: is there a way to make encrypted messaging services work together while ensuring negligible difference in security and privacy levels?

It is worth reading Newton’s piece in full because it is quite good, but this paragraph bugged me:

It’s also worth asking what interoperability will actually do to make the messaging market more competitive. Email is an open, interoperable standard and has been for decades; but today, Apple, Google, and Microsoft own around 90 percent of the market. Meanwhile, the market for messaging apps is much more dynamic even without interoperability: it includes apps from Meta, Telegram, Signal, Snap, and others.

In the second sentence, Newton conflates the open protocol of email with the market share of email clients. These are not comparable — at least, not in this way. For what it is worth, in terms of email servers that W3 Techs is able to query, Google and Microsoft do indeed dominate, but the third most popular provider is Newfold Digital Group, better known as the worst collection of hosts on the web. This is followed by a list of over a hundred other providers used by at least 0.1% of all domains.

Since it is an open standard, anyone with the technical knowledge can deploy an email server or create a client to improve upon it. That benefits users because the ability to use email is not tied to any specific company, and someone may use a client with a feature set that is more appealing to their needs. Imagine if you could download an iMessage client that gave you capabilities Apple’s own app does not, or removes unnecessary features.

In the final quoted sentence above, Newton says the messaging market is more competitive. I am not sure that is correct — it is not possible to separate protocol from client, so a direct comparison is not fair. But it is possible there are so many messaging clients used by so many people because each of our friends use a different mix. We are never trying to use messaging apps; we are only trying to communicate with people. It would be great if all of my messages from any provider could be collected in a single application in much the same way that my emails from different accounts on different hosts all appear in the same inbox. I would prefer that. But it is not possible with today’s applications, so I must switch between a handful of apps to chat with all of my friends.

Remember Adium? That is a great piece of software I have not touched in about ten years as phone-centred messaging clients have replaced desktop-based ones. Something like that could be possible again. If that is possible, it cannot be at the expense of privacy and security.