A guide to navigating the Digital Markets Act
A couple of weeks ago the European Parliament, the European Commission and the Council of Europe agreed on the main guidelines for the Digital Markets Act (DMA). The DMA is legislation aiming to create a more competitive digital market in Europe by mandating competition-friendly practices from the ‘gatekeepers’, i.e. the largest tech companies (see below for full definition).
The interoperability obligation (see latest provisions here) for messaging and voice services has probably been the most debated part of the DMA. Opponents claim that it is impossible to implement in a user-friendly manner and without negatively impacting the privacy of these services.
We have published a lot of information while the debates were progressing in order to answer the various concerns expressed by critics, but now that the EU’s position is pretty much final, let’s look at the full picture, recap the situation, answer all these claims and give an idea of how interoperability can be implemented.
It has been difficult to figure out the right balance between detailed answers and easy-to-consume summaries, so we’ve ended up providing both: if you’re trying to quickly understand the situation, keep reading this article, or if you want more detailed answers, head over to our comprehensive FAQ.
The Digital Markets Act currently requires the “gatekeepers” to make interfaces (known as APIs) available to other services so that they can interoperate for basic functionalities (1:1 and group messaging, file transfer and voice / video calls). If the gatekeeper provides end-to-end encryption (E2EE), like WhatsApp does, they must expose their encryption protocol too, so E2EE can be preserved. The timelines for implementing this are six months after the DMA comes into force (which in itself could take at least six months) for 1:1 messaging and file transfer, and several years for voice, video and group messaging.
The corporations designated as “gatekeepers” are only those with considerable revenue in Europe (more than €7.5bn) or market capitalisation (more than €75bn), and a very big customer base (at least 45 million monthly active end users), which means only the tech giants are in scope.
There are different ways of implementing interoperability and they all have different pros and cons. For example, bridging (the ability to connect two messaging services by adding a sort of “translator” between them) has little impact on a gatekeeper but it may require decrypting and re-encrypting the messages sent from an end-to-end encrypted gatekeeper. However, there is an option to implement bridges client-side (in the app or as a dedicated app on the device; typically safer than on a server): current client-side bridges are not perfect but the DMA will definitely boost their development.
Other approaches to interoperability (namely using an open standard like Matrix) require the gatekeeper to implement a major change on their side, but would preserve end-to-end encryption for encrypted messengers. However, the DMA does not mandate gatekeepers to throw away their current tech stack and implement an open standard. Similarly, the DMA does not require them to break E2EE within their services.
Some opponents believe the DMA will be disastrous for users’ privacy as they believe it is opening the door to unencrypted chats, and they argue it is technically not feasible. As explained by different players in the industry and demonstrated by Matrix and others, interoperable E2EE communication is feasible, although there are some challenges to make it a seamless experience.
But before getting into the challenges, let’s look at the privacy breach question. WhatsApp has been doing a tremendous job by transparently adding end-to-end encryption into their users’ daily lives. End-to-end encryption is very important, and this is why Element is implementing it by default. Our goal is to transparently bring data sovereignty and security to our users, the same way WhatsApp did for security. However, as Facebook demonstrated when they deployed the ability to break E2EE in WhatsApp for messages sent to some businesses, having unencrypted messages flying around may be justified in some circumstances, and potentially better for the user. The key things are trust and transparency, and unlike WhatsApp’s implementation or Telegram’s marketing, the user needs to be made aware of the lack of encryption and accept the risks.
Neither WhatsApp nor Telegram is clear that E2EE is broken and messages are not private in some circumstances.
The user may decide that being able to talk from WhatsApp to their grandparents, who use a custom app for the elderly, is more important than having said conversation stay fully end-to-end encrypted. Meanwhile they would probably choose to preserve end-to-end encryption for conversations sharing sensitive data.
Additional value that the DMA can bring, and which may require breaking E2EE in the short term, includes interoperability between a gatekeeper and an app which processes your messages to provide a specific service. An example is a messaging app which translates a discussion into a different language in real time. If today I chat on WhatsApp with someone who can only speak Spanish, I’ll have to copy-paste all the messages into DeepL or Google Translate, which means E2EE is broken without them knowing. With the DMA, a translation service could at least be deployed and all participants would know that E2EE is broken, but what they get from it would be invaluable - and could even be lifesaving.
It is important to note that if the chosen implementation of interoperability breaks the end-to-end encryption it can be a good thing for the gatekeeper as it means end-to-end encryption can be marketed enthusiastically as a value that their users get by staying inside their ecosystem.
But as mentioned, there are some unsolved challenges to making the experience seamless. One of them is user discoverability, as no one wants to trust one single company to host the list of everyone’s details and which app they are using. Doing this mapping in a centralised manner would also create a giant honeypot of sensitive data. But today there is no standard way to automatically tell which service a person is using: to talk to someone you have to know what service they are using, which is straightforward enough in a 1:1 chat context, but slightly more complicated in a group context. This is why the timeline to implement group interoperability is longer: it allows time for the industry to come together and find a solution. Many people have been working on the problem and there are more or less complicated solutions that can be explored.
Ultimately, interoperability sits at the heart of technological innovation (look what it did for the web!) and whilst it’s a paradigm shift for the communication market, and the ideal experience won’t be implemented overnight, it will pave the way for a much more competitive market which can only be net-positive for the end users.