Meta to Use Signal Protocol for WhatsApp, Messenger Interoperability Under EU Rules

Meta has outlined its approach for enabling messaging interoperability between its services like WhatsApp and Messenger and third-party messaging apps as required by the European Union's new Digital Markets Act (DMA).

The DMA, which comes into force on March 7th, mandates that major messaging platforms like WhatsApp and Messenger allow third-party messaging services to become interoperable with their systems.

The requirement represents a major technical challenge for Meta as it seeks to comply with the law while maintaining robust privacy, security and safety protections for its users. 

According to the blog post Meta has been working for nearly two years with the European Commission to develop an interoperability solution that meets the DMA's requirements.

Under the DMA's first year requirements, WhatsApp, Messenger and approved third-party apps must enable basic one-to-one text messaging between users as well as sharing images, voice messages, videos and other files between individuals. Future requirements will expand to enabling interoperable group messaging and calling functionality.

Preserving End-to-End Encryption

A core focus for Meta has been preserving the strong end-to-end encryption (E2EE) that secures messages on WhatsApp and the roll-out of E2EE on Messenger. Both services use the industry standard Signal encryption protocol.

To enable interoperability while maximizing security, Meta will require third-party apps to use a compatible encryption protocol offering the same guarantees as Signal. 

In order to maximize user security, we would prefer third-party providers to use the Signal Protocol. Since this has to work for everyone however, we will allow third-party providers to use a compatible protocol if they are able to demonstrate it offers the same security guarantees as Signal." - said Meta 

"Messenger is still rolling out E2EE by default for personal communication, but on WhatsApp, this default has been the case since 2016. In both cases, we are using the Signal Protocol as the foundation for these E2EE communications, as it represents the current gold standard for E2EE chats."

Messages will be encrypted by the third-party app before being packaged into XML message formats that WhatsApp and Messenger's servers can route to the intended recipient.

However, Meta acknowledges that because it does not control the third-party messaging apps at both endpoints, it cannot make the same blanket promise of E2EE privacy that it provides between its own users on WhatsApp or Messenger. 

The technical details involve third-party apps cryptographically signing authentication tokens that WhatsApp will verify to confirm user identities.

Technical Architecture Builds on Existing System

Rather than building an entirely new infrastructure, Meta's interoperability solution extends its existing client-server architecture for WhatsApp and Messenger. Third-party apps will connect to Meta's servers using the standard XMPP protocol, with Meta's servers facilitating authentication of third-party users and push notifications over HTTPS connections to the third-party servers hosting any media files.

"The WhatsApp server will interface with a third-party server over HTTP in order to facilitate a variety of things including authenticating third-party users and push notifications."

Meta believes this "plug-and-play" model lowers barriers for new third-party messaging apps, improves reliability by leveraging Meta's globally scaled infrastructure, and limits exposure of user data only to Meta's servers. 

A simplified illustration of WhatsApp’s technical architecture. | Image: Meta

However, it is also exploring an optional intermediary proxy architecture to give third-parties more control, albeit with some trade-offs around safety signals.

Shared Responsibility for Safety and Privacy

Meta gives the key emphasis on preserving privacy and security for interoperable messaging is a "shared responsibility" between Meta and the third-party apps. 

Meta says it will need to collaborate closely with third-party providers in order to provide the safest experience for users.

Notably, the post stresses that under interoperability, Meta cannot make the same guarantee of complete privacy and security as it does for its own self-contained messaging environments. There will be clear messaging to users explaining how the interoperable experience differs.

"We believe it is essential that we give users transparent information about how interop works and how it differs from their chats with other WhatsApp or Messenger users," the post states. "This will be the first time that users have been part of an interoperable network on our services, so giving them clear and straightforward information about what to expect will be paramount."

Next Steps and Third-Party Sign-Up

As of today, Meta has published its "WhatsApp Reference Offer" outlining requirements that third-party apps must meet to connect to WhatsApp. A similar document for Messenger interoperability will follow.

While Meta must be technically ready for interoperability requests within 3 months under the DMA, it may take longer for public-facing interoperable messaging functionality to roll out as third-party apps go through the technical requirements and approval process.

The complex technical undertaking underscores the challenges of allowing disparate messaging platforms to interconnect while upholding robust privacy and security models like end-to-end encryption. 

As a major milestone for messaging interoperability, Meta's approach will likely influence how other major messaging players interpret and adhere to similar regulatory requirements going forward.