Meta today is offering more details about how it plans to make its messaging apps, WhatsApp and Messenger, interoperable with third-party messaging services, as required by the new EU law, the Digital Markets Act (DMA). The company had earlier shared that engaging with third-party chats would be an opt-in experience for users, given that the new integrations could be a source of spam and scams. It also said that third parties would have to sign an agreement, but hadn’t until today shared the details of what that would include. In addition, Meta now says it will ask third parties to use the Signal protocol, though it may make exceptions to this in the future.
Specifically, Meta says that it will only allow third-party developers to use another protocol besides Signal, “if they are able to demonstrate it offers the same security guarantees as Signal.”
The company touts the benefits of the Signal protocol, which is used by both WhatsApp and Messenger for their encryption. Messenger is still rolling out E2EE (end-to-end encryption) by default, but WhatsApp has offered E2EE by default since 2016. Because Signal represents the “current gold standard” for E2EE chats, Meta says it would “prefer” that third parties also use the same protocol.
The company also outlines the high-level technical details as to how this encryption would work, which involves the third-party constructing message protobuf (Protocol Buffers) structures — a series of key-value pairs — which are encrypted using Signal, then packaged into message stanzas (a pushing mechanism) using XML. Meta’s servers, meanwhile, will push messages to any connected clients using a persistent connection.
The third parties who connect with Meta will be responsible for hosting any image or video files their client apps send to Meta’s users. Meta’s messaging clients will download the encrypted media from the third-party messaging servers using a Meta proxy device, it notes.
These details are important because Meta’s messaging app users, particularly WhatsApp users, who have had E2EE on by default for years, want to know that their conversations will remain secure, despite the DMA’s changes.
However, Meta hedges on this a bit by saying that, although it has built a secure solution using the Signal protocol to protect messages in transit, it can’t guarantee “what a third-party provider does with sent or received messages.” This suggests that Meta may use an argument that third-party messaging interoperability is potentially less secure as a means of keeping its users engaged only with Meta’s messaging services.
The company blog post also explains that the solution, which builds on Meta’s existing client/server architecture, is the best, as it would lower the barriers for new entrants to participate. But this sets up Meta as the one making the rules and deciding how interop will work, of course. Meta notes that doing it this way will improve reliability, as Meta’s infrastructure has already been scaled to handle over 100 billion messages daily. Still, the company says there may be an approach that would remove the requirement that third parties implement WhatsApp’s client-to-server protocol, by adding a proxy between their client and the WhatsApp server instead. But that solution will require third parties to agree to additional protections to keep Meta’s users safe from spam and scams.
In addition, Meta says that third-party providers will need to sign an agreement with Meta or WhatsApp before it will enable interoperability. It’s publishing WhatsApp’s Reference Offer for third-party providers today and will soon publish the Reference Offer for Messenger, as well.
techcrunch.com