Under the Digital Markets Act, a new EU regulation, WhatsApp is required to make basic functionalities of its messaging service interoperable with third-party providers of messaging services on request.
The act was created “to ensure that these platforms behave in a fair way online,” and passed by a European Union vote in July 2022, entering into force November 1 of that year. The platforms had until March 6, 2024 to comply with the law.
WhatsApp’s new terms go live this week—you have until the end of day Wednesday to accept by default or delete your account—but the issue behind those terms has just become headline news, highlighting the risks for millions of users.
On the surface, the change to WhatsApp’s terms of service to comply with Europe’s Digital Markets Act (DMA) is straightforward. Those impacted will see their terms of service change by default on April 11. But all WhatsApp users should take note.
Europe’s DMA has become a pipe cleaner for regulatory scrutiny of big tech elsewhere—especially in the US. The Department of Justice and others will watch to see the impact of changes to Apple, Google and Meta’s platforms, amongst others. And on the messaging front, WhatsApp’s changes are furthest advanced.
All of which is made more interesting by the news over the weekend that Sunbird—the Android bridge into iMessage that claims to maintain encryption—is back. It was around in 2022/23 but dropped from the scene almost immediately after something of a privacy nightmare, completely undermining its security claims.
WhatsApp’s change of service terms deals with its need to engage with platforms like Sunbird, to enable its third-party chat hub to work. This will be the first time one of the hyper-scale secure messengers has opened its walled garden to allow other platforms to engage its users. It’s a game-changer.
Sunbird says it has plans for WhatsApp integration, “to continue to unify the world’s most popular messaging apps, including Facebook Messenger and WhatsApp, into one app inbox on your Android device and the web.” As such, it can be seen as a concrete example of the kind of small third party likely to join WhatsApp’s hub. We have seen no interest from any other majors as yet in doing the same.
With iMessage, Sunbird handles the same concept differently. It provides a unified platform that pulls messages from various sources—iMessage and Google Messages for now. The lack of easy enablement for this kind of unification platform was another DOJ criticism. The government had the Beeper Mini fiasco in mind, but the point could just as easily be made for Sunbird’s convoluted relay architecture to get around the restrictions in the way of blue-bubble equality.
Sunbird’s current iMessage security challenges are much higher risk than WhatsApp opening its platform by way of APIs and enforced transmission encryption rules. But Meta still issued a stark warning as to the WhatsApp user risks from DMA.
“The end-to-end encrypted promise Meta provides to users requires us to control both the sending and receiving clients,” the company warned. “While we have built a secure solution for interoperability that uses the Signal Protocol encryption to protect messages in transit, without ownership of both clients (endpoints) we cannot guarantee what a third-party provider does with sent or received messages, and we therefore cannot make the same promise.”
Put simply, Meta says (on WhatsApp’s and Facebook Messenger’s behalf) that while transmission will be secure under its model, once the other endpoint receives the secure message, it cannot guarantee how that message is handled or whether that endpoint is fully legitimate and should be part of a secured chat.
The situation for iMessage and Sunbird is worse, because the actual Android endpoint is outside of the end-to-end encryption enclave, and so iMessage is being tricked into attesting to a level of (blue bubble) security that isn’t really there.
Why is all this so important for WhatsApp’s two-billion-plus users? Because the narrative is changing, and the locked-down nature of secure messaging is now under a new wave of regulatory pressure that’s different to the law enforcement one of old. And once those walled gardens are breached, it builds pressure for more changes.
WhatsApp users are not going to quit instead of accepting new terms—that’s not the issue. The issue is that the new terms and the warning that Meta issued will receive little notice and attention. And then, once those DMA changes and anything the DOJ throws into the mix later arrive, third-party chats will be the new normal.
WhatsApp has made its change of terms mandatory to comply with DMA—saying “you can easily delete your account if you prefer not to accept our Terms, though we’ll be sorry to see you leave WhatsApp.” This isn’t like the last time WhatsApp materially changed its terms, flirting with the idea of sharing more of your data with Meta. That isn’t the case now. Beyond opening up third-party chat data sharing, the only other major change is the legal basis on which data is sent internationally.
But the Sunbird news should be a wake-up call. As soon as the fully integrated nature of end-to-end encrypted messaging is broken, the risks increase immediately. So exercise caution. And while you won’t quit WhatsApp and you will accept its new terms, before you enable third-party chats be sure to understand the risks.