A decision by the European Union parliament could make the encryption of WhatsApp and other messaging apps less secure.

The DMA (Digital Markets Act), which regulates the conduct of technology companies on the continent, includes a provision on interoperability between messaging applications in the countries that are part of the bloc. This provision obliges large messaging platforms to create mechanisms so that messages, voice calls and video calls can also be exchanged with smaller applications.

The new rule covers companies with a market value above €75 billion (R$396 billion) and with a user base of at least 45 million people in Europe. By these criteria, it would affect WhatsApp, Telegram, Messenger and iMessage.

In practice, a WhatsApp user, for example, will be able to interact with another person who only has Signal, a platform considered smaller in the European market. Currently, WhatsApp only allows conversation between people using the same app.

The European Parliament says that the measure breaks the exclusivity of communication, giving users more freedom of choice. The idea is that they would no longer be required to install multiple apps to interact with different people.

Although the provision has been approved, the new rule can still be changed, as the DMA is still being drafted by European parliamentarians.

Why can this make apps insecure?

The large technology companies affected by the legislation will also have the chance to comment on the measure.

One of the issues to be addressed during the debates is the security of the applications' end-to-end encryption.

Making different messaging applications interoperate would force all of them to run a single security system, or force large companies to share one with smaller ones, which have less secure protocols.

WhatsApp and Telegram, for example, use so-called “end-to-end encryption”. It is a technology that guarantees that the message can only be seen by the sender or the recipient. Even if the message were intercepted in transit, it could not be decrypted.

But this only works because both users use the same app. Now, with the DMA, this security can be affected, as different applications use different security protocols.

According to Steven Bellovin, an Internet security researcher and professor at Columbia University (USA), it is not possible to reconcile two different security protocols.

“Trying to reconcile two different cryptographic architectures simply cannot be done. One side or the other will have to make big changes,” he said in an interview with the US website The Verge.

“A protocol that works only when both parties are online will be very different from one that works with stored messages. How do you make these two systems work with each other?” he asked, by way of example.

Former Facebook engineer Alec Muffett has the same concern. He believes the new EU rule leaves applications vulnerable because it is “unthinkable” that companies would have built the same encryption systems, ones that could someday be combined. Each has its own specifics.

“If you walked into a McDonald’s and said, ‘In the interests of breaking corporate monopolies, I demand that you include a plate of sushi from some other restaurant in my order,’ they would just stare at you,” Muffett said.

In addition, if the measure takes effect, the applications will have to fight it out among themselves to reach a consensus on which protocol is the most appropriate to adopt, as each one believes that its own is the most secure. It will be a dispute over trust.

“There’s no way to enable end-to-end encryption without trusting each provider to handle identity management,” concluded Alex Stamos, director of the Stanford Internet Observatory and former director of security at Facebook.

*With information from The Verge website.