What is end-to-end encryption and why is everyone fighting over it?
End-to-end encryption is considered one of the best ways to protect user data, but not everyone thinks it's a good idea
End-to-end encryption (E2EE) describes the process of encrypting data between two devices so that only the sender and receiver are able to view the message’s contents. It represents one of a number of security techniques that can be applied to safeguard the transmission of data, although it is considered to be one of the most secure.
E2EE, in effect, places the communications between two devices into a vacuum, preventing any third party, including the service provider itself, from viewing the contents of the messages.
How end-to-end encryption works
In a system that uses E2EE, the message is encrypted by the user’s device and is only decrypted when it arrives on the recipient's device. This is to prevent data from being intercepted, deleted, or modified by unauthorised third parties.
As the service provider itself is unable to access the messages being sent between users, E2EE is considered one of the best ways to maintain user privacy. However, this also means that companies are unable to hand over the contents of messages to law enforcement agencies.
This is notably different from ‘encryption in transit’, another technique that only encrypts data as it travels between one device and a target server, and then from the server to a recipient device, with the data being decrypted and re-encrypted at each stage. This allows for a legitimate third party, such as a service provider, to access the contents of a message, but prevents unauthorised individuals from intercepting the messages as they travel.
Encryption in transit is by far the most common form of data encryption used by companies today. Only a handful of companies have adopted the more secure E2EE method, although many messaging application providers are turning to the technology as a way of differentiating themselves from their competition.
Although E2EE is considered to be the most secure method of encryption, it’s also by far the most contentious – many believe E2EE is essential for maintaining a user’s privacy and security online, while others believe it simply serves to hide online criminality and makes it more difficult for law enforcement agencies to tackle harmful or illegal content.
Who wants to ban end-to-end encryption?
Although the UK government ostensibly supports the use of encryption, it has for many years sought to implement mechanisms that could bypass a service’s safeguards if needed. This includes the implementation of the Investigatory Powers Act, and its previous iterations, which requires service providers to be active participants in the interception and acquisition of user data as part of investigations.
The government’s position is that E2EE makes it impossible to track what content is being shared between users, and therefore it is unable to protect vulnerable people from harm. In particular, it’s argued that E2EE prevents authorities from protecting children from being exposed to inappropriate, harmful, or illegal content, and also makes it difficult to clamp down on extremist material.
Simply put, E2EE frustrates the ability of law enforcement to gather data associated with an investigation, which is why the UK government is so adamant that companies be prohibited from applying the technology in its current form to communication services. This has been the case as far back as 2017, when then Home Secretary Amber Rudd demanded that UK spy agencies be granted access to WhatsApp’s encrypted services, describing the technology as a “place to hide” for terrorists.
The government’s most recent approach is to demand that services maintain a backdoor to their encryption, in the event that authorities require access to messages to monitor for illegal or harmful content. This has been set out in the Online Safety Bill, a draft for which was published in May 2021.
Those opposed to this method argue that a backdoor would inevitably be exploited by hackers, defeating the point of end-to-end encryption entirely.
Charity groups, particularly those representing children and vulnerable adults, have similarly called for the scrapping of end-to-end encryption, or at least tougher rules on how it’s deployed.
The National Society for the Prevention of Cruelty to Children (NSPCC), for example, has long taken the stance that the debate around end-to-end encryption is skewed towards providing greater privacy to adults at the expense of safety for children.
Such charity groups believe that end-to-end encryption can exist in a limited capacity, but that decisions to use the technology should be weighed heavily against any potential risk of harm to children.
Law enforcement agencies
The International Criminal Police Organisation (Interpol) has expressed support for the dismantling of E2EE across communication services. In 2019, Interpol joined a list of law enforcement agencies in arguing that criminals hide behind the technology and that technology companies should be doing more to grant law enforcement agencies access to these channels.
GCHQ has also argued against the use of E2EE, and has also claimed that technology companies could “relatively easily” add a third participant to an encrypted channel between two users, without also adding in a security vulnerability.
Although the EU once considered mandatory E2EE on communication services for all citizens, in recent years it has reversed its stance.
Leaked draft resolutions from the Council of the European Union appear to show a willingness to ban the technology outright, arguing that although it firmly supports encryption, E2EE makes it too easy for criminals to evade justice. These are simply proposals at this stage, and there is no indication that any such ban is on the horizon.
Who supports end-to-end encryption?
Privacy and digital rights groups
Privacy campaigners argue that end-to-end encryption protects everyone on the internet and is the only way to ensure users are free from unauthorised surveillance, either from the service provider, national governments, or cyber criminals. They view attempts to scrap E2EE as simply the dismantling of user privacy in favour of greater surveillance.
Digital rights groups such as Open Rights Group, Big Brother Watch, Privacy International, and Statewatch, as well as trade lobby groups like techUK, have all expressed support for E2EE – over thirty of these groups recently signed a letter demanding that MPs block the proposed Online Safety Bill, which would in effect ban the use of end-to-end encryption.
These groups have long argued that any attempts to dilute E2EE would simply invite cyber criminals or foreign adversaries to steal or manipulate the data of UK citizens. They also argue that E2EE protects users from malicious activity, such as unauthorised individuals gaining access to photos or geolocation data for the purpose of stalking or online bullying.
They have also argued that the government has unfairly conflated the issue of child abuse with E2EE in a bid to gain wider public support for its measures. The Open Rights Group, in particular, has argued that the Online Safety Bill sets out provisions elsewhere for protecting children online, namely by requiring service providers to address inappropriate, harmful, or illegal content at the point of access between the service and the user. As a result, they claim that any attempts to scrap E2EE between users are not only unjustified, but entirely unnecessary.
What services use end-to-end encryption?
Although companies are required to secure customer data, most use some form of ‘in-transit' encryption, and it’s still considered a bold move for a company to adopt end-to-end encryption.
However, most popular messaging services have already moved to end-to-end encryption, either by enabling this by default or offering a way of switching it on.
Apple’s iMessage platform, for example, protects users with E2EE by default across iOS and macOS. However, if you have iCloud backup enabled, which is a commonly-used feature for most users, this will create a copy of the data that can be read by Apple – in effect creating a hole in iMessage’s E2EE.
WhatsApp is another example of a company that has long supported the use of E2EE. Since April 2016, all users have been protected in this way, regardless of the type of content being shared.
Although Facebook has offered users limited forms of E2EE in the past, in May 2021 the company committed to making it the default security approach across all of its messaging platforms, although this is unlikely to appear until 2022 at the earliest. The UK government has opposed such plans, and may even force the company to abandon its UK rollout.
Twitter is one example of an exceptionally high-profile company that does not use E2EE on its platform. Despite a number of celebrity hacks and message leaks in recent years, including a massive Bitcoin scam involving accounts belonging to Elon Musk, Jeff Bezos, and Kanye West, direct messages between users are still not protected with E2EE, although Twitter is facing plenty of pressure to change its stance.
B2B under quarantine
Key B2C e-commerce features B2B need to adopt to surviveDownload now
The top three IT pains of the new reality and how to solve them
Driving more resiliency with unified operations and service managementDownload now
The five essentials from your endpoint security partner
Empower your MSP business to operate efficientlyDownload now
How fashion retailers are redesigning their digital future
Fashion retail guideDownload now