Key points on DMA interoperability and encryption

There’s been a great deal of online discussion of the EU Digital Markets Act provisions on chat/call interoperability since the final deal on this legislation was announced last week by the European Commission, European Parliament and European Council. These are the three key EU institutions in the “trilogue” negotiations this year which reconciled the three versions of the DMA text: the Commission proposal of December 2020 (which required interoperability for “ancillary services” such as payment), and the final Parliament (which added chat/call and social networking service interoperability obligations) and Council (which did not) positions extensively debated and agreed during 2021. (EU jargon alert: these chat/call services are called “Number-Independent Interpersonal Communications Services” or NIICS, defined in the European Electronic Communications Code.)

It would certainly have led to a more productive debate if the EU institutions had at the same time published the precise text they agreed. It will however still take a few weeks for the European Commission’s lawyer-linguists to produce a final version in all the official EU languages, and then several further months for the Parliament and Council to agree that text. In the interests of focusing the debate, I’ve already shared the politically-agreed article on NIICS interoperability from last week which was unofficially shared with me by one of the participants. (It is far from ideal this is how detailed policy debate will have to continue for a few more weeks, unless the institutions choose to make further information available.)

The DMA interoperability obligations will only apply to the very largest “gatekeeper” services, such as WhatsApp and likely Facebook and Instagram Messenger, Apple’s iMessage, Microsoft’s Skype and perhaps Teams, and Google’s Meet and Chat. (“Gatekeepers” must have very high turnover/market capitalisation and user numbers in the EU, and their services must be an important mechanism for business users to reach end users, for them to be “designated” by the European Commission.)

The obligations will not apply to any smaller services, including Signal (whose founder Moxie Marlinspike is a well-known opponent of interoperability obligations — see also this thoughtful response.) It will be entirely up to those smaller organisations whether they wish to interconnect their services to those of the gatekeepers; and where they do, to their users as to whether they make use of them.

Some people are (understandably) concerned about the DMA’s impact on end-to-end encryption (E2EE) and user security/privacy more generally. I’ve been campaigning for E2EE since I was an undergraduate (the US government attempts to effectively ban it throughout the 1980s/90s were what first interested me as a teenager in technology policy.) I wrote e-mail encryption software as my final year computer science undergraduate project, and my computer science PhD title was End-to-end security in active networks; I’ve worked ever since as a consultant and academic in these and related areas. Much more recently, I’ve been an expert witness in several UK criminal trials on how the French and Dutch intelligence agencies/cybercrime police units hacked the EncroChat end-to-end encrypted communications system. I’ve been working with civil society colleagues in groups like Privacy International, FIPR and EDRi since the 1990s to support its availability as widely as possible. So I would not be advocating a policy (e.g. interoperability) I thought was irreconcilable or incompatible with E2EE, or damaging to users’ security and privacy.

Indeed, a key argument in favour of interoperability is it will make it easier for new, privacy-focused software to become mainstream by overcoming the incumbency advantage a very large user base gives today’s market leaders. But much more relevant than my personal advocacy to its inclusion in the DMA is the support of a number of major government reviews of digital competition, including for the UK Treasury (Unlocking digital competition) and the European Commission’s competition commissioner (Competition policy for the digital era). It has also been advocated by a major report by the US House of Representatives antitrust subcommittee, and articles by noted competition economists such as Prof. Fiona Scott Morton and colleagues, as well as digital rights groups such as EDRi, EFF and the Open Rights Group. A law with similar interoperability requirements (the ACCESS Act) is under debate in the US Congress.

Important details remain to be determined on the precise language of the final DMA text, including the “recitals” at the start which explain the substantive law in the articles. But one critical point is the obligation applies only “to the extent that the level of security, including end-to-end encryption where applicable, that the gatekeeper provides to its own end users is preserved across the interoperable services”. To me, that seems clear: a service such as WhatsApp which only provides end-to-end encryption to its own users is not going to have to introduce any features which are not end-to-end encrypted. (NB: I am not a lawyer, and we do not yet have detailed legal interpretation of the provision from the EU institutions or anyone else.)

E2EE means messages and audiovisual communications are encrypted on the sending/“calling” user’s own device, and decrypted on the recipient’s device(s). Even the service provider, eg WhatsApp, cannot read the message contents, although they will see some unencrypted “metadata” associated with it, such as the IP address of the sender, the time/date it is sent, and other user activity with the service — which are all useful in fighting spam, phishing, and other types of service abuse.

It seems from the final DMA text this kind of metadata might be required by the gatekeepers from interoperating services to continue operating these critical security features. This of course raises privacy issues: the text also specifies “The gatekeeper shall collect and exchange with the provider of number-independent interpersonal communication services that requests interoperability only the personal data of the end users that is strictly necessary to provide effective interoperability and in full compliance with the Regulation (EU) 2016/679 [GDPR] and Directive 2002/58/EC [ePrivacy Directive].” But paragraph 10 of the article further specifies:

The gatekeeper shall not be prevented from taking to the extent strictly necessary and proportionate measures to ensure that third party providers of number-independent interpersonal communication services requesting interoperability do not endanger the integrity, security and privacy of its services, provided that such measures are duly justified by the gatekeeper.

A second key point is the NIICS interoperability obligation applies only to specific “basic functionalities” of the gatekeeper services, initially only one-to-one text messaging, including images/video/other types of files. Two years later, support for text messaging (with attachments) within a group is required. Four years later, this will extend to voice/video calls between two individuals, and a group and an individual. These deadlines may be further extended by the European Commission if “the gatekeeper demonstrates that this is necessary to ensure effective interoperability and to preserve the necessary level of security, including end-to-end encryption where applicable.”

Nowhere in the text are disappearing messages specified, and it seems to me gatekeeper services with this feature would be free to refuse to allow a disappearing message to be sent to a user on an interoperating service (or, if they wished, only to other services which also support the feature, and demonstrate a reasonable level of assurance it will be enforced.)

A third key point is designated gatekeeper services must meet the interoperability obligation “by providing the necessary technical interfaces or similar solutions that facilitate interoperability, upon request, and free of charge”. The most straightforward option will most likely be public, limited versions of Application Programming Interfaces (APIs) and related functionality gatekeepers already use within their own systems. (Another option for gatekeepers would be to support open technical standards, such as the Matrix Foundation’s or the IETF’s Messaging Layer Security once completed, which would save competitors from having to support a set of APIs and related messaging protocols per gatekeeper.) Art. 36 of the final text specifies this could be changed in future by an implementing act on “operational and technical arrangements”. Art. 10 also allows the “basic functionalities” list to be changed in future by a delegated act following a market investigation.

Getting these and other security and privacy questions right is critical for a successful DMA. As I’ve explained, I don’t think the final text as agreed need get in the way of that happening.

I hope everyone continues to watch the further development and implementation of the Act carefully. It will be critical for the security, privacy, and choices of hundreds of millions of European Internet users, and most likely elsewhere in the world as the impact ripples outwards.

PS: Some useful further information is in the Internet Society report on Considerations for Mandating Open Interfaces, Netzpolitik, and the Matrix blog.