What is end-to-end encryption and why is everyone fighting over it?
End-to-end encryption is considered one of the best ways to protect user data, but not everyone thinks it's a good idea
End-to-end encryption (E2EE) describes the process of encrypting data between two devices so that only the sender and receiver are able to view the message’s contents. A common application of E2EE is with mobile messaging apps like Signal, iMessage, and Telegram. Messages sent between two devices on these platforms use E2EE and are therefore only visible to the sender and receiver.
E2EE represents just one way in which security safeguards can be applied to the transmission of data, though it is considered to be one of the most effective. Essentially, E2EE transmits data in a highly secure package so only those who are permitted to view its content are able to.
How end-to-end encryption works
In a system that uses E2EE, the message is encrypted by the user’s device and is only decrypted when it arrives on the recipient's device. This is to prevent data from being intercepted, deleted, or modified by unauthorised third parties.
As the service provider itself is unable to access the messages being sent between users, E2EE is considered one of the best ways to maintain user privacy. However, this also means that companies are unable to hand over the contents of messages to law enforcement agencies.
This is notably different from ‘encryption in transit’, another technique that only encrypts data as it travels between one device and a target server, and then from the server to a recipient device, with the data being decrypted and re-encrypted at each stage. This allows for a legitimate third party, such as a service provider, to access the contents of a message, but prevents unauthorised individuals from intercepting the messages as they travel.
Encryption in transit is by far the most common form of data encryption used by companies today. Only a handful of companies have adopted the more secure E2EE method, although many messaging application providers are turning to the technology as a way of differentiating themselves from their competition.
Although E2EE is considered to be the most secure method of encryption, it’s also by far the most contentious – many believe E2EE is essential for maintaining a user’s privacy and security online, while others believe it simply serves to hide online criminality and makes it more difficult for law enforcement agencies to tackle harmful or illegal content.
Who wants to ban end-to-end encryption?
Broadly speaking, the UK government publicly supports the use of encryption but for years it has attempted to implement measures that would allow it to bypass barriers to accessing secured data if it needed to, often arguing the case on national security grounds. Such attempts include the enactment of the Investigatory Powers Act, and its previous iterations, which require communication service providers to be active participants in the interception and acquisition of user data as part of investigations.
In addition to the national security upsides that would come with the government’s ability to monitor messages sent across communication networks, the government also argues that E2EE inhibits law enforcement’s ability to gather data that could lead to the protection of vulnerable individuals. Protecting children from harmful content online is a commonly cited example of when E2EE can threaten the safety of individuals, another is how difficult it is to prevent the access to, and distribution of, extremist material.
E2EE presents a fascinating debate around our right to privacy as humans, and our right to a safe and secure society too. The government is firmly on the side of protecting the state, naturally, and as far back as 2017 has called for communication services to cease implementing the technology in its current form. Former Home Secretary Amber Rudd has previously demanded that UK spy agencies be granted access to WhatsApp’s encrypted services, describing the technology as a “place to hide” for terrorists.
Recently, the UK government maintains that communication services should implant a backdoor to its encryption protocols, allowing it to access messages it believes may be illegal or harmful. This has been set out in the Online Safety Bill, a draft for which was published in May 2021.
Those opposed to this method argue that a backdoor would inevitably be exploited by hackers, defeating the point of end-to-end encryption entirely.
Charity groups, particularly those representing children and vulnerable adults, have similarly called for the scrapping of end-to-end encryption, or at least tougher rules on how it’s deployed.
The National Society for the Prevention of Cruelty to Children (NSPCC), for example, has long taken the stance that the debate around end-to-end encryption is skewed towards providing greater privacy to adults at the expense of safety for children.
Such charity groups believe that end-to-end encryption can exist in a limited capacity, but that decisions to use the technology should be weighed heavily against any potential risk of harm to children.
Law enforcement agencies
The International Criminal Police Organisation (Interpol) has expressed support for the dismantling of E2EE across communication services. In 2019, Interpol joined a list of law enforcement agencies in arguing that criminals hide behind the technology and that technology companies should be doing more to grant law enforcement agencies access to these channels.
GCHQ has also argued against the use of E2EE, and has also claimed that technology companies could “relatively easily” add a third participant to an encrypted channel between two users, without also adding in a security vulnerability.
Although the EU once considered mandatory E2EE on communication services for all citizens, in recent years it has reversed its stance.
Leaked draft resolutions from the Council of the European Union appear to show a willingness to ban the technology outright, arguing that although it firmly supports encryption, E2EE makes it too easy for criminals to evade justice. These are simply proposals at this stage, and there is no indication that any such ban is on the horizon.
Who supports end-to-end encryption?
Privacy and digital rights groups
Privacy campaigners argue that end-to-end encryption protects everyone on the internet and is the only way to ensure users are free from unauthorised surveillance, either from the service provider, national governments, or cyber criminals. They view attempts to scrap E2EE as simply the dismantling of user privacy in favour of greater surveillance.
Digital rights groups such as Open Rights Group, Big Brother Watch, Privacy International, and Statewatch, as well as trade lobby groups like techUK, have all expressed support for E2EE – over thirty of these groups recently signed a letter demanding that MPs block the proposed Online Safety Bill, which would in effect ban the use of end-to-end encryption.
These groups have long argued that any attempts to dilute E2EE would simply invite cyber criminals or foreign adversaries to steal or manipulate the data of UK citizens. They also argue that E2EE protects users from malicious activity, such as unauthorised individuals gaining access to photos or geolocation data for the purpose of stalking or online bullying.
They have also argued that the government has unfairly conflated the issue of child abuse with E2EE in a bid to gain wider public support for its measures. The Open Rights Group, in particular, has argued that the Online Safety Bill sets out provisions elsewhere for protecting children online, namely by requiring service providers to address inappropriate, harmful, or illegal content at the point of access between the service and the user. As a result, they claim that any attempts to scrap E2EE between users are not only unjustified, but entirely unnecessary.
What services use end-to-end encryption?
Although companies are required to secure customer data, most use some form of ‘in-transit' encryption, and it’s still considered a bold move for a company to adopt end-to-end encryption.
However, most popular messaging services have already moved to end-to-end encryption, either by enabling this by default or offering a way of switching it on.
Apple’s iMessage platform, for example, protects users with E2EE by default across iOS and macOS. However, if you have iCloud backup enabled, which is a commonly-used feature for most users, this will create a copy of the data that can be read by Apple – in effect creating a hole in iMessage’s E2EE.
WhatsApp is another example of a company that has long supported the use of E2EE. Since April 2016, all users have been protected in this way, regardless of the type of content being shared.
Although Facebook has offered users limited forms of E2EE in the past, in May 2021 the company committed to making it the default security approach across all of its messaging platforms, although this is unlikely to appear until 2022 at the earliest. The UK government has opposed such plans, and may even force the company to abandon its UK rollout.
Twitter is one example of an exceptionally high-profile company that does not use E2EE on its platform. Despite a number of celebrity hacks and message leaks in recent years, including a massive Bitcoin scam involving accounts belonging to Elon Musk, Jeff Bezos, and Kanye West, direct messages between users are still not protected with E2EE, although Twitter is facing plenty of pressure to change its stance.
Defending against malware attacks starts here
The ultimate guide to building your malware defence strategyFree Download
Datto SMB cyber security for MSPs report
A world of opportunity for MSPsFree Download
The essential guide to preventing ransomware attacks
Vital tips and guidelines to protect your business using ZTNA and SSEFree Download
Medium businesses: Fuelling the UK’s economic engine
A Connected Thinking reportFree Download