Shawdesh Desk:

On the surface, the change to WhatsApp’s terms of service to comply with Europe’s Digital Markets Act (DMA) is straightforward. Those impacted will see their terms of service change by default on April 11. But all WhatsApp users should take note.

Europe’s DMA has become a pipe cleaner for regulatory scrutiny of big tech elsewhere—especially in the US. The Department of Justice and others will watch to see the impact of changes to Apple, Google and Meta’s platforms, amongst others. And on the messaging front, WhatsApp’s changes are furthest advanced.

It is interesting timing-wise that the DOJ lawsuit served on Apple features iMessage front and center, with its lock on iPhone messaging being claimed as both anti-competitive and detrimental to users from a security perspective. In essence, the lack of an encrypted iMessage to Android solution, combined with Apple’s lock on the SMS API on its devices, DOJ says, means users cannot message securely.

Apple has responded by highlighting user choice, suggesting that the so-called over-the-tops—like WhatsApp—that work seamlessly cross-platform invalidate the point. Meta already has its own government challenges, of course, and has just “filed a motion for summary judgment, asking the District Court to dismiss the FTC’s effort to unwind the decade-plus acquisitions of Instagram and WhatsApp.”

All of which is made more interesting by the news over the weekend that Sunbird—the Android bridge into iMessage that claims to maintain encryption—is back. It was around in 2022/23 but dropped from the scene almost immediately after something of a privacy nightmare, completely undermining its security claims.

WhatsApp’s change of service terms deal with its need to engage with platforms like Sunbird, to enable its third-party chat hub to work. This will be the first time one of the hyper-scale secure messengers has opened its walled garden to allow other platforms to engage its users. It’s a game-changer.

Sunbird says it has plans for WhatsApp integration, “to continue to unify the world’s most popular messaging apps, including Facebook Messenger and WhatsApp, into one app inbox on your Android device and the web.” And as such can be seen as a concrete example of the kind of small third-party likely to join WhatsApp’s hub. We have seen no interest from any other majors as yet in doing the same.

With iMessage, Sunbird handles the same concept differently. It provides a unified platform that pulls messages from various sources—iMessage and Google Messages for now. The lack of easy enablement for this kind of unification platform was another DOJ criticism. The government had the Beeper Mini fiasco in mind, but the point could just as easily be made for Sunbird’s convoluted relay architecture to get around the restrictions in the way of blue-bubble equality.

Sunbird’s current iMessage security challenges are much higher risk than WhatsApp opening its platform by way of APIs and enforced transmission encryption rules. But Meta still issued a stark warning as to the WhatsApp user risks from DMA.

“The end-to-end encrypted promise Meta provides to users requires us to control both the sending and receiving clients,” the company warned. “While we have built a secure solution for interoperability that uses the Signal Protocol encryption to protect messages in transit, without ownership of both clients (endpoints) we cannot guarantee what a third-party provider does with sent or received messages, and we therefore cannot make the same promise.”

Put simply, Meta says (on WhatsApp’s and Facebook Messenger’s behalf) that while transmission will be secure under its model, once the other endpoint receives the secure message, it cannot assure how that message is handled or whether that endpoint is fully legitimate and should be part of a secured chat.

The situation for iMessage and Sunbird is worse, because the actual Android endpoint is outside of the end-to-end encryption enclave, and so iMessage is being tricked into attesting to a level of (blue bubble) security that isn’t really there.

Why is all this so important for WhatsApp’s two-billion-plus users? Because the narrative is changing, and the locked down nature of secure messaging is now under a new wave of regulatory pressure that’s different to the law enforcement one of old. And once those walled gardens are breached, it builds pressure for more changes.

WhatsApp users are not going to quit instead of accepting new terms—that’s not the issue. What is the issue is that the new terms and the warning that Meta issued will receive little notice and attention. And then come those DMA changes and anything DOJ throws into the mix later, third-party chats will be the new normal.

WhatsApp has made its change of terms mandatory to comply with DMA—saying “you can easily delete your account if you prefer not to accept our Terms, though we’ll be sorry to see you leave WhatsApp.” This isn’t like the last time WhatsApp materially changed its terms, flirting with the idea of sharing more of your data with Meta. That isn’t the case now. Beyond opening up third-party chat data sharing, the only other major change is the legal basis on which data is sent internationally.

But the Sunbird news should be a wake-up call. As soon as the fully integrated nature of end-to-end encrypted messaging is broken, the risks increase immediately. So exercise caution. And while you won’t quit WhatsApp and you will accept its new terms, before you enable third-party chats be sure to understand the risks.

04/09 update: Google has just inadvertently added to the ongoing WhatsApp narrative with a new beta warning for its Google Messages users about the dangers of accepting content from unknown numbers. This is a huge issue for RCS, the SMS update that is going head-to-head with WhatsApp, which is struggling with uncontrollable levels of spam on the platform.

WhatsApp is much more secure than Google Messages because—in addition to its ability to un end-to-end encrypted cross-platform, it operates on the basis of known numbers, and most users ignore or filter out unknown numbers. It’s also easy for Meta to identify and block fraudulent numbers on its platforms, as they’re not traversing public cellular networks across different operators.

The specific issue that Google is preparing to warn about is links sent via RCS from unknown numbers. There has been a cautionary notification before, but this time it looks like that warning is about to become much more stark.

Courtesy of AssembleDebug via PiunikaWeb, we have just seen the new warning in beta. It seems, Piunikaweb says referring to Apple’s expected adoption of RCS, that Google is looking “to secure the platform in as many ways it can before RCS goes live to millions of iPhone users, which invariably will result in even more spam links.”

Here WhatsApp has a much better solution, explaining that “if someone who isn’t saved to your contacts sends you a link, you won’t be able to tap or click on it to open it. You can choose to save their phone number to your contacts if you know or trust the person. You should then be able to tap or click any links they send to open it… When you’re added to a group with people who aren’t saved to your contacts, you’ll need to message the group to tap or click on any links.”

This is a much stronger defense against casual or inadvertent clicking of dangerous links, which have become major threat as smishing campaigns surge.

Apple’s introduction of RCS to iPhone users for the first time with this fall’s iOS 18—absent a surprise—will prompt many comparisons between WhatsApp and the new combination of Google Messages and iMessage over RCS. Yes, the Android-iPhone combo will be missing end-to-end encryption, but it will be a huge step up from the aging SMS technology in use today.

This will likely coincide with some niche players—maybe including Sunbird—starting to play in WhatsApp’s DMA inspired third-party chat hub, and the type of campaign we’ve seen from WhatsApp before, highlighting its end-to-end security. But for the first time, that will have some vulnerabilities given WhatsApp’s own warning that DMA brings less secure content into its platform for the first time.

On the subject of this links and WhatsApp’s market-leading privacy and security options, the platform intends to let users disable link previews, even when those links come from known users. This is seen as a tandem security feature to the option to mask your IP address when making WhatsApp calls, by routing those calls via WhatsApp’s servers and so preventing any inference on your location. The quality and latency might be an issue, but the trade-off might be worth it.

Link previews have been exposed as a threat in the past, where they have been generated receiver-side, meaning that the app goes online and pulls content, opening a door to tracking and malicious behavior. WhatsApp relies on send-side previews instead, meaning the risk is not yours on the receiving side, but it still might be that you don’t want content and images popping up unexpectedly.