New EU law could require iMessage and WhatsApp to work with other platforms (opens in new tab)

The problem is less about how known the protocol is and more about whether the platform owner uses its influence to prevent others from implementing said protocol.

Even a completely obscure protocol can be reverse-engineered given enough time - in fact if you search on GitHub you can already find a lot of client libraries for proprietary services.

The problem is that at the moment the platform owners intentionally detect usage of these alternative clients and ban their users or abuse laws such as copyright to block their development & usage.

I dunno how to say this but Noise is really a set of possible handshakes with various security guarantees (or, more like, aims, which we are reasonably sure are met), which kinda followed on from X3DH/Signal Protocol. I'm unsure how you got that Noise is a client-server protocol and Signal is peer to peer. When you send a whatsapp message you still send it to WhatsApp servers and the client-server protocol here is probably just TLS. Likewise, when you receive it, probably TLS also. However that message is encrypted "end-to-end" in the sense that the server cannot decrypt the actual message payload on the way. Noise _also_ enables this. Critically this is not peer-to-peer: the clients are still relaying messages via a central server.

Peer-to-peer communication in WhatsApp in the network topology sense happens where possible when making Voice and Video calls, as this is probably WebRTC-derived (it is WebRTC in everything else these days), which concretely involves some kind of call signalling, then p2p setup to talk RTP if possible. This is not Signal Protocol or Noise: it is most likely the S in SRTP with key agreement done over the Signal Protocol. In other words, no key ratcheting between voice or video packets. I'm actually not sure if the session key is ever changed for a given call. To make this clear: call setup happens via a central server but the media streams will go from your IP to theirs directly, if possible (or proxied via WhatsApp if not). The reason for doing calls p2p like this is where possible is to reduce latency.

This is also, last time I looked, true of Signal. We are good at end-to-end text. We are less good at voice/video, particularly voice/video group calls that might not be p2p-able and rather require the server to do something with the RTP streams.

Now, what you're actually missing is that WhatsApp was in its early days based on a fork of ejabberd, the Erlang XMPP Server, with if I understand correctly custom extensions. Thus WhatsApp actually was at some stage somewhat compatible with open standards.

We've also kinda been here before. Google Talk used to interoperate with XMPP just fine and at one stage my own XMPP server could talk to my friends on Google Talk and they'd pretty much not notice.

I agree however that it would be better to have a new protocol that starts based on end to end key agreement like Signal/Noise, rather than use XMPP. Or perhaps use XMPP _inside_ this protocol. This is because "opt-in" crypto is a disaster that probably has happened. Signal and Noise are also missing what the body of those messages should look like and standards for agreeing for example calls, media transfer and so on, basically all the non-crypto parts.

Doesn't WhatsApp do a bunch of customizations applied to the base protocol? Its not the vanilla standard

Luckily we’re kept totally safe by our benevolent overlords. Except for our good friend Jeff Bezos that got hacked through a WhatsApp image. Or the overt spam that any publicly posted business WhatsApp number receives.

WhatsApp replaced SMS as a free alternative with media. Sms is just a protocol. It is not necessary that a replacement is walled garden, especially not under the sole guise of spam protection - something that is being done very poorly anyway.

And this removes agency for those of us who try to keep as much of our data out of Google’s hands as possible. If they’re going to force interoperability it needs to come with restrictions about what they can collect about people who haven’t consented.

Why? If your messaging app doesn't have the ability to block stranger requests, why are you still using it?

And even if you for some reason don't want to restrict your requests, you'll probably still be fine - Gmail handles protects me from spam pretty well.

Isn't this generally taken care of by only allowing messages from numbers that are in your contact list?

I thought Whatsapp user terms phorbid users from using third-party clients. People were banned for that.

Could you please talk about the experience with Beeper? I always worried that I would get my accounts banned or similar.

What do you love, what is missing?

Can you organize the chats?

> A requirement that everyone expose a public API is pointless if it doesn't include a stability guarantee, and overly burdensome if it does.

This isn’t a requirement that everyone expose a public API . https://www.theverge.com/2022/3/24/22994234/eu-antitrust-leg...:

“The DMA will force new obligations on companies deemed to be “gatekeepers” — a category defined by the legislation as firms with a market capitalization of at least €75 billion ($82 billion); at least 45 million monthly users; and a “platform” like an app or social network. Companies covered by this classification include well-known tech giants like Google, Microsoft, Meta, Amazon, and Apple, but also smaller entities like Booking.com.”

For smaller companies, I can see how that would be rough. However, for large tech companies, this law seems really necessary.

Also relevant: https://www.youtube.com/watch?v=rAlTOfl9F2w

It should be easy to make exceptions for smaller companies/services, and put the rule into force for larger services. Also, the API doesn't need to be stabilized. If Whatsapp wouldn't send DCMA notices to developers of third party clients, and ban users of such, it would be a good start already.

Complete control of the presentation of content, editorializing said content, and arbitrarily deciding what is and isn’t allowed. And they also still don’t want to be treated as publishers.

It’s hard for me to muster up even the smallest amount of sympathy for these vampires.

I expect this will take a decade to shake out as US tech firms work tirelessly to protect their spyware walled garden models.

> imagine WhatsApp was written and maintained by an individual? Would we be so keen to use terms like "force"? This is all negative in the freedom dimension.

These rules only apply to platforms with a market cap of over €75 billion or European Economic Area turnover of over €7.5 billion.[0] No one is proposing that we require single developers work with Apple and Facebook to make their apps interoperable.

[0] https://www.politico.eu/article/eus-digital-markets-act-adop...

The more freedom monopolistic entities have the less freedom the rest of the world has because these overpowered companies have turned freedom into a zero sum game.

You are right, I fixed my words to say what I actually meant with 'everyone'; I meant (more or less - it could be a applied to a bit smaller imho; a few billion Euros seems enough to ask for some type of openness, but yeah it should not apply to small companies anyway) what the EU is planning, not actually 'everyone'.

Limiting freedoms of megacorporations is a good thing.

Which is the dumbest excuse to keep walled gardens

Yes, like my company, who in turn make useful apps for consumers which was far harder (and more expensive) before. You had to jump through all kinds of hoops, you don't need to jump so many here in EU/UK. I did integrations in HK/AU/US and that was seriously painful without these in place. And far more expensive.

Do you realize what you are saying? Would you feel the same when someone with the opinion that your vision is crappy, was to force you to rethink your stance on anything? Let alone on something your put insane amounts of time into?

I realize now that Signal will not be affected, only very large companies will. Nevertheless I find your attitude very concerning.

He indicated multiple times that he does not want other (third party) clients, does not want the server to be open and federated. Let him have it, it works for many people.

Imagine you were him and you are getting issues filed from people using services the government forced you to build, or were even build by others but forced on your once clean solution. I'd say "screw you guys, I'm going home" (Build your own solution). And I'd agree with him. Where would it end?

More importantly who is Moxie?

It's as easy as via any other method. XMPP supports both server-intermediated transfers (where the file is uploaded to the server - this is what almost all platforms choose to do these days), but it also supports negotiated p2p streamed transfers (suitable for huge files, essentially unlimited, but less reliable, e.g. it requires both sender and recipient to be online at the same time).

Easy, on some clients/with some servers. These days they do it the same way as most other platforms, by uploading the media to a web server. It took the ecosystem a while to catch up to that though, and there are plenty of clients out there that still don’t support it.

I largely agree. But there is also a lot of user-hostile stuff being discussed on the EU-level like https://chatcontrol.eu

Surveillance is an area where there are still plenty of politicians who try to sabotage (digital) freedoms.

Imagine there is a break in a cryptographic algorithm, say AES256-CBC. Now can I replace it in my messaging app, without having to coordinate with every other messaging app provider? Suddenly governments have a lever to prevent adoption of securer standards.

Not sure about this, but related: https://news.ycombinator.com/item?id=22098473

The thing is, there doesn't appear to be any way to know whether this is the case.

But future messaging apps shouldn't be getting less secure.

I wasn't aware of this, do you have a link for me to read more?

Matrix would be a nice approach, if not for weird edge cases like spamming IRC (if that still happens).

Karma be damned. Uncomfortable truth must be made cognizant.

But they won’t do it exactly given their widely disparate privacy and security model. Unless some kind of an instant messaging standard surfaces.

As is, it would become another cat-n-mouse security theater in leveraging one IM provider’s API weakness to gain additional insight of a subscriber using another IM provider’s API.