End-to-end security does not require identical endpoints
I hesitated even in linking to this preposterous article. But its definition of ‘end-to-end’ encryption as requiring ‘identical endpoints’ is not one I’ve seen before (and my PhD title literally includes the phrase!) So two users of gpg and PGP aren’t exchanging E2EE messages? Any web browser talking to any web server over TLS isn’t getting E2EE? The Internet Engineering Task Force is wasting its time in developing and testing standards for interoperable E2EE communications?
Ian is perfectly correct in saying that the ends of a communication do not have to be “identical” for E2EE to work. The article is not only clickbait full of unnecessary scaremongering but also misses the point that the DMA obligation to preserve security and E2EE by itself requires WhatsApp to ensure the security of those endpoints, for example through code audits. In fact those endpoints may be more secure if they are open source (which WhatsApp is not) or provide better guarantees of at-rest encryption, key shredding, backups, etc. WhatsApp’s business messaging may also (though not necessarily) “break” E2EE, but only because the business end could be the business itself or whatever messaging platform it uses, and WhatsApp is nowhere near as explicit about those warnings. Even WhatsApp’s own ends aren’t equally secure: Android doesn’t have Apple’s Lockdown Mode, so I guess the author should next suggest blacklisting anyone who doesn’t have it enabled or uses a phone that no longer receives security updates. Endpoints should be held to the same standard, and hopefully the EC knows that (I can help them know that).
For the record, I think the “equivalent level of security” between interoperating services in Art. 7(3) DMA is a tad too aspirational, since interop across different endpoints and services increases the trust surface, though diversity and interop may in some circumstances bring benefits of their own, such as metadata hiding. A gatekeeper (Apple, for instance) could argue that maintaining the same level of security is an impossibility, especially where the gap is a consequence of third-party endpoints running on less secure devices or OSes.
I don’t think the CJEU would accept that, because a teleological/purposive interpretation would reveal that the legislator clearly still intended for interop to happen, so some differences in security are inevitable. Perhaps the text should have included a qualifier: the greatest possible level of security should be implemented while still making interoperability possible across similarly situated (security-wise) services.