Meta today shared more information on how it will make WhatsApp and Messenger interoperable with third-party messaging services to comply with the new EU law, the DMA. It had communicated earlier that interaction with third-party chats would be an opt-in experience for the user because the integrations could be a point of spam and scams. The company also said today that third parties would need to sign an agreement, but until today, it had given no details on what that would be. Additionally, Meta now says it will require third parties to use the Signal protocol, though it said that might change over time in some instances.
In fact, Meta says it will allow third-party developers to use another protocol besides Signal "only if they are able to demonstrate that it offers the same security guarantees as Signal."
Meta touts the benefits of the Signal protocol, which both WhatsApp and Messenger use for their encryption. Messenger is still rolling out E2EE (end-to-end encryption) by default, but WhatsApp has offered E2EE by default since 2016. Because Signal represents the "current gold standard" of E2EE chats, Meta says it would "prefer" that third parties use the same protocol as well.
The company also shares high-level technical information on how this encryption would work: third parties construct message protobuf structures (a set of key-value pairs), which are encrypted using Signal and then packaged into XML message stanzas for delivery. Meta's servers will then push messages to any connected clients over a persistent connection.
Connecting third parties will be responsible for hosting any image or video files their clients send to Meta's users, the company states. Meta's messaging clients will download the encrypted media content from third-party messaging servers via a Meta proxy device.
This is critical because users of Meta's messaging applications, especially WhatsApp, want assurance that their conversations will continue to be secure even as the changes brought about by the DMA improve their lives.
However, Meta qualifies this by saying that, although it has built a secure solution using the Signal protocol to protect messages in transit, it can't guarantee "what a third-party provider does with sent or received messages." This seems to suggest that Meta would use the argument that third-party messaging interoperability is potentially less secure as an excuse to keep its users on Meta's own messaging services only.
The company blog post also explains that the solution builds on Meta's existing client/server architecture, which it says is the best approach because it would lower the barrier for new entrants to participate. Of course, this also sets up Meta as the one who makes the rules and determines how interop works. Meta says building on its architecture would make interop more reliable, as Meta's infrastructure has already been scaled to handle over 100 billion messages daily. However, the company says there may be an approach that would remove the need for third parties to implement WhatsApp's client-to-server protocol, by adding a proxy between their client and the WhatsApp server instead. But that will depend on third parties agreeing to further protections to ensure Meta's users stay safe from spam and scams.
In addition, third-party providers will have to enter into an agreement with Meta or WhatsApp before interoperability is enabled, the company says. It is publishing WhatsApp's Reference Offer for third-party providers today and will soon publish the Reference Offer for Messenger as well.