Can interoperable apps ever be secure?

In discussions around interoperability, some people question whether it can go hand in hand with privacy and encryption of communications. If multiple services and applications have to work together, how can you make sure that they all respect the highest privacy and encryption standards?

Most modern encryption is based on standardised algorithms and protocols; the use of open, well-tested and thoroughly analysed encryption standards is generally recommended. WhatsApp, Facebook Messenger, Skype, and Google Messages now all use the same encryption standard (the Signal protocol) because it has proven to be secure and reliable. Even if weaknesses are found in such encryption standards, solutions are often quickly made available thanks to the sheer number of adopters.

Open standards enable interoperable encryption

As a consequence of standardisation, encryption can be interoperable as well. If different apps speak the same language, they can communicate with each other — provided the developers or companies behind the apps allow it. Thus, if the apps speak the same ‘encryption language’, they can communicate securely with each other.

Examples for chat apps that already use interoperable encryption are Conversations (which uses an open encryption standard called OMEMO, again based on the Signal protocol) and Element, an open, professional team chat solution adopted by — among others — the French government and the German army for its security, scalability, and: interoperability.

Standardisation does not mean that the technology gets stuck in time. Standards are generally designed to be extended, and to be flexible enough to improve gradually without breaking compatibility. For example, when a browser connects to a website, or email servers to each other, the two parties tell each other which encryption methods they support and the most secure one supported by both sides is picked. The industry continuously deploys new encryption algorithms and deprecates older ones as they become insecure, without necessarily having to update the standard itself.

Of course, the real world can be messy. Some apps may not keep up with the latest developments, or may implement insecure encryption algorithms, resulting in occasional trade-offs between interoperability and security. This does not cause unsurmountable problems, either: Apps can be programmed not to communicate with another party if, on first contact, it determines that the other party does not support an adequately secure encryption algorithm. Or it can inform the user and ask whether to continue or abort.

Building open standards

In well-balanced, competitive markets there are often leading players who are the first to deploy a new encryption algorithm, which in turn incentivises other parties to support it, too. Once support is broad enough, the leading players start to phase out older algorithms, which pushes slower market players to upgrade. Normally, this process is able to ensures an adequately fast migration to newer encryption algorithms by the large majority of providers without the need for centralised deployment or enforcement.

Moreover, there already are regulations, not least the GDPR, that require communication providers to adopt industry-standard data protection and security practices, including encryption. These should be considered basic safety requirements for the release of a product, much like seatbelts are for cars. Nobody suggests that there should be only a single car maker, or that no third-party seatbelt maker should exist; standards and regulation make it possible to have multiple car makers and multiple seatbelt makers without reducing safety levels or restricting competition and consumer choice.

Already today, national authorities such as the German BSI officialy certify and recommend interoperable encryption standards (for example standard TR 03108-1 for secure email). Under a European interoperability obligation for digital gatekeepers, national or European authorities could maintain an evolving list of minimum encryption and privacy requirements for each type of service.

Providing well-designed and secure encryption is never easy, neither in interoperable systems nor in closed “walled garden” services that are managed by a single company. Recognising the big responsability that the provision of internet services like chat apps entails for providers, it seems only fitting that EU rules should give users the possibility to choose the app or service provider they trust most from a broad number of available choices.

This freedom of choice which interoperability enables does more for privacy and security than any technical mechanism deployed within a closed, monopolistic system that forces its practices onto its users. Not only can interoperable apps be secure, interoperability could increase privacy and security for all European users.

Vittorio Bertola is Head of Policy & Innovation at Open-Xchange AG.