Another day, another attack on encryption, with security experts warning the EU’s DMA legislation will likely break, or severely weaken, encryption.
The EU unveiled the Digital Markets Act (DMA) as its latest effort to crack down on Big Tech. In addition to severe fines for, and even possible breakups of, companies that fail to abide by the legislation, the DMA calls for “gatekeeper companies” to make their services interoperable with smaller rivals.
Messaging, in particular, is one of the most obvious areas impacted by this clause, with services like WhatsApp, Facebook Messenger, and Apple’s iMessage likely to be forced to open up and work with competitors. Unfortunately, since all of these services provide end-to-end encryption (E2EE), experts warn there is no easy way for the services to work with each other and still maintain the level of security and privacy they currently offer.
In speaking with The Verge, one expert used a very low-tech example to illustrate the issues, especially with compatibility and accountability between various services.
“If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you,” Alec Muffett, former Facebook engineer and internet security expert, said. “What happens when the requested sushi arrives by courier at McDonald’s from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?”
Similar questions plague potential implementation of the DMA. How will messages be securely sent across various platforms? If two different services use two different types of encryption, which company will modify its service to be compatible with the other? Will services opt to simply drop encryption when sending messages across services? Or will companies adopt some method of decrypting and re-encrypting the message as it is passed from one service to another, making the communication vulnerable to interception and thereby compromising privacy and security?
Unfortunately, as has been stated time and time again, the encryption protocols people, companies, and governments rely on for privacy and security are not created, managed, or dictated by policies. They are, instead, bound and constrained by basic mathematics.
Unfortunately for privacy and security, the mathematics of the DMA don’t quite add up.