Facebook owner Meta Platforms has explained how it enabled third-party interoperability in its WhatsApp and Messenger services while maintaining end-to-end encryption as far as possible.
Due to the EU’s introduction of the Digital Markets Act (DMA), Meta and other designated messaging services must interoperate with other apps and platforms.
The DMA mandates preserving security and privacy, which Meta said was paramount in its compliance approach.
“For nearly two years our team has been working with the [European Commission (EC) to implement interop in a way that meets the requirements of the law and maximises the security, privacy and safety of users.”
This will ensure the end-to-end encryption (E2EE) protocol used by apps like WhatsApp and Messenger is not compromised, it said.
“In both cases, we are using the Signal Protocol as the foundation for these E2EE communications, as it represents the current gold standard for E2EE chats.”
How security will be maintained
“To maximise user security, we would prefer third-party providers to use the Signal Protocol.”
If third-party providers choose to use an alternative protocol to Signal, however, they must demonstrate that it is compatible and offers the same level of security.
Messages must implement “protobuf” protocol buffer structures, encrypted using Signal Protocol, and employ eXtensible Markup Language (XML) to package them into message stanzas.
Meta servers will push messages over a consistent connection. However, third-party servers will be responsible for hosting any media files their client applications send.
WhatsApp and Messenger will then download the media files via a Meta proxy service.
Meta will need control over both sending and receiving clients to guarantee end-to-end encryption.
This seems to suggest that Meta will not guarantee E2EE when communicating with a third-party platform.
“[Having this control] allows us to ensure that only the sender and the intended recipient(s) can see what has been sent, and that no one can listen to your conversation without both parties knowing.”
Why clients should connect to Meta infrastructure
Meta insists that third-party clients should build on their own existing client/server architecture for the best interoperability experience.
They provide the following reasons for this:
- Maximises security by administering integrity checks
- Lowers the barrier to entry by offering a “plug-and-play” model
- Limits exposure of personal data to Meta servers only
- Improves overall reliability of the interoperable service
The DMA states that a service must be granted interoperability within three months of providing a request.
The Whatsapp Reference Offer, outlining requirements to interoperate with Whatsapp, was released on the 6th of March.
“The reference offer for Messenger will follow in due course.”
Loading ...
Join the conversation Autoload comments
Comments section policy: MyBroadband has a new article comments policy which aims to encourage constructive discussions. To get your comments published, make sure it is civil and adds value to the discussion.