Meta Inc. has released further information about its plans to comply with the new EU law, the Digital Markets Act (DMA), which requires messaging apps like WhatsApp and Messenger to be interoperable with third-party services. In an effort to combat spam and scams, engaging with third-party chats on these apps will be optional for users. Previously, Meta had mentioned that third parties would have to sign an agreement but had not revealed the specific details it would include. However, today, Meta made clear that it will require third parties to use the Signal protocol, with a few exceptions that must meet the same security standards.
The company emphasizes the advantages of Signal, which is already utilized by WhatsApp and Messenger for encryption. While Messenger is gradually implementing end-to-end encryption (E2EE) as the default, WhatsApp has been using it since 2016. Meta views Signal as the “current gold standard” for E2EE chats and expresses a preference for third parties to also utilize this protocol.
To explain how this encryption will work, Meta provides the technical details of the process. Third parties would use Signal to encrypt message protobufs (Protocol Buffers), which is a series of key-value pairs, and then package them into message stanzas (a push mechanism) using XML. Meta’s servers would then push these messages to connected clients via a persistent connection.
Additionally, the responsibility of hosting any image or video files sent by client apps will fall on the third parties when connected with Meta. Meta’s messaging clients will obtain the encrypted media from the third-party messaging servers through a Meta proxy device.
These details are crucial for Meta’s messaging app users, especially those of WhatsApp who have been using E2EE as the default for years, as they want assurance that their conversations will remain secure despite the changes brought by the DMA.
However, Meta does hedge its statement by acknowledging that while it has developed a secure solution using Signal to safeguard messages in transit, it cannot guarantee what a third-party provider will do with the sent or received messages. This suggests that Meta may use the argument that third-party messaging interoperability may be less secure as a means of keeping its users engaged only with Meta’s messaging services.
The company’s blog post also reveals that this solution builds on Meta’s existing client/server architecture and is the best option, as it lowers obstacles for new participants. However, this also places Meta as the one dictating the rules and determining how interoperability will work. Meta states that this method will improve reliability due to its infrastructure already handling over 100 billion messages daily. Nevertheless, the company acknowledges that a different approach that eliminates the requirement for third parties to implement WhatsApp’s client-to-server protocol by adding a proxy between their client and the WhatsApp server is possible. However, this solution would require third parties to agree to additional safeguards to ensure Meta’s users are protected from spam and scams.
Moreover, Meta points out that third-party providers must sign an agreement with the company or WhatsApp before interoperability can be enabled. WhatsApp’s Reference Offer for third-party providers is being published today, and the Reference Offer for Messenger will be released soon.