Key Takeaways
Encryption is a way of scrambling data to ensure that only those with the decryption key can access it, providing security for your online activities.
End-to-end encryption (E2EE) guarantees that only the sender and receiver of messages have access to the information, thereby enhancing privacy and security for confidential discussions and data storage. This article covers what E2EE is, why it is controversial, and whether it is advisable for you to use it.
This Cybersecurity Awareness Week article is brought to you in association with Incogni.
Encryption Basics
Encryption is the process of scrambling data to prevent unauthorized access. Once the information is scrambled, only those with the decryption key can interpret its contents. However, it is important to note that certain encryption systems may have vulnerabilities and weaknesses.
Your devices use various forms of encryption all the time. When you use online banking or visit any website with HTTPS, the transmission of information between you and the website is encrypted. This encryption ensures that neither your network operator, your internet service provider, nor anyone else monitoring your network can access your banking password and financial information.
Wi-Fi networks also use encryption. This means that unless your Wi-Fi security standard has been compromised, your neighbors cannot view your online activities on your Wi-Fi network.
Encryption "in Transit" and "at Rest": Who Holds the Keys?
Encryption is also critical for securing your data at rest. Devices such as iPhones, Android phones, iPads, Macs, Chromebooks, and Linux systems store data locally in an encrypted format. When you sign in with your PIN or password, the data is decrypted. Please note that not all Windows PCs offer this feature.
Encryption is ubiquitous, which is highly advantageous. However, when it comes to confidential communication and secure data storage, one must ponder: Who possesses the key?
Consider your Google account as an illustration. Is encryption employed to safeguard your Google data, encompassing Gmail emails, Google Calendar events, Google Drive files, search history, and additional data?
Yes. Google uses encryption to protect data in transit. For instance, when you log into your Gmail account, Google establishes a secure HTTPS connection. This guarantees that no unauthorized individuals can eavesdrop on the communication between your device and Google's servers. Your internet service provider, network operator, individuals near your Wi-Fi network, or any other intermediary devices cannot access the contents of your emails or intercept your Google account password.
Google also uses encryption to protect data at rest. Before data is stored on Google's servers, it is encrypted, rendering it unreadable even if an unauthorized individual manages to obtain the physical hard drives. Encryption both in transit and at rest is crucial for safeguarding security and privacy, and it is far better than sending and storing unencrypted data.
But here's the question: Who holds the key that can decrypt this data? The answer is Google. Google holds the keys.
Why It Matters Who Holds the Keys
Because Google holds the keys, it has access to your data, encompassing emails, documents, files, calendar events, and more.
If a dishonest Google employee intended to invade your privacy, the encryption in place would not be an obstacle; notable instances have occurred.
A hacker who managed to breach Google's systems and obtain its private keys, difficult as that would be, could gain access to the data of all users, with severe implications.
In the event of a government mandate, Google would possess the capability to retrieve and disclose your data.
Other safeguards may protect your data, of course. Google claims to have implemented stringent safeguards against unauthorized access by rogue engineers. Its commitment to keeping its systems secure from hackers is evident. As an illustration, Google has demonstrated its refusal to comply with data requests in Hong Kong. Hence, these systems can indeed safeguard your data, but it is important to note that it is not encryption that protects your data from Google. Rather, it is Google's policies that ensure the protection of your data.
Don't assume that this is solely focused on Google. Many of the companies you're likely acquainted with employ similar methods. Even Apple, a company renowned for its privacy standards, only implemented end-to-end encryption for iCloud towards the close of 2022.
How End-to-End Encryption Works
Now, let's discuss chat applications, such as Facebook Messenger. When communicating with someone through Facebook Messenger, the messages are encrypted both during transit between you and Facebook, and between Facebook and the recipient. Moreover, Facebook encrypts the stored message log before it is stored on their servers.
However, it is important to note that Facebook retains a key, granting them access to the content of your messages.
The solution for ensuring utmost privacy is end-to-end encryption. With this method, the provider in the middle, whoever takes the place of Google or Facebook in these examples, has no visibility into the content of your messages. It cannot access your private data, because it lacks the corresponding decryption key. Your messages remain exclusively between you and the intended recipient, guaranteeing complete confidentiality and eliminating any involvement from the intermediary company.
Why It Matters
End-to-end encryption provides enhanced privacy. As an illustration, when utilizing an end-to-end encrypted chat platform such as Signal, you can be assured that only you and the intended recipient have access to the messages exchanged between you.
Nevertheless, when engaging in a conversation through a messaging application that lacks end-to-end encryption, such as Facebook Messenger, it is important to acknowledge that the company facilitating the conversation possesses the ability to access the contents of your communications.
This concern extends beyond chat applications. To illustrate, although email has the capability to be end-to-end encrypted, it necessitates configuring PGP encryption or utilizing a service like ProtonMail that has this feature embedded. Unfortunately, only a small fraction of individuals make use of end-to-end encrypted email.
End-to-end encryption offers assurance as you converse or store sensitive information, be it financial data, medical records, corporate paperwork, legal matters, or private personal discussions that you wish to keep solely between yourself and the intended recipient.
End-to-End Encryption Isn't Just About Communications
End-to-end encryption has traditionally referred to secure communication among individuals, but it is now frequently used to describe other services where the user possesses the sole decryption key for their data.
Take password managers such as 1Password, Bitwarden, LastPass, and Dashlane as an example. These platforms employ end-to-end encryption, meaning the company cannot access your password vault. Your passwords remain safeguarded with a unique secret known exclusively to you.
This could be considered a form of "end-to-end" encryption in which you control both ends. No one, including the company that produces the encryption software, has access to a key that can decrypt your personal data. By using such a password manager, you can securely manage your online banking passwords without giving the company's employees access to them.
Another illustration of this concept is seen with end-to-end encrypted file storage services. With these services, the provider is unable to view the contents of your files. If you need to store or synchronize sensitive files, such as tax returns containing your social security number and other confidential information, using encrypted file storage services is a more secure option compared to traditional cloud storage services like Dropbox, Google Drive, or Microsoft OneDrive.
One Downside: Don't Forget Your Password!
End-to-end encryption has a notable drawback for the average individual: if you lose your decryption key, you lose access to your data. Although certain services may provide recovery keys for safekeeping, if you forget your password and also misplace these recovery keys, the data can no longer be decrypted.
This is a major reason why companies like Apple may choose not to implement end-to-end encryption for iCloud backups. By holding the encryption key, Apple can assist users in resetting their passwords and regaining access to their data. This convenience is possible because Apple has control over the encryption key and is able to manipulate the data as needed. If Apple did not possess the encryption key, it would be impossible for users who forgot their password to retrieve their data.
Consider the scenario where every time someone forgets their password for any of their accounts, the data within that account would be erased and rendered inaccessible. For instance, if you forgot your Gmail password, Google would have to delete all your emails in order to restore your account. This is the outcome that would arise if end-to-end encryption were implemented universally.
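The password-manager design and the forgotten-password consequence described above, as an added example (not code from any of the services named). The function names, record layout and PBKDF2 work factor are assumptions, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for a real cipher such as AES-GCM so that the example runs with only the Python standard library.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def derive_key(password: str, salt: bytes) -> bytes:
    """64 bytes from the master password: 32 to encrypt, 32 to authenticate."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; an illustrative stand-in for AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(password: str, plaintext: bytes) -> dict:
    """Runs on the user's device; the returned record is all the provider stores."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(password, salt)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ct, "tag": tag}


def open_vault(password: str, record: dict) -> bytes:
    """Runs on the user's device; raises ValueError if the password is wrong."""
    key = derive_key(password, record["salt"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong password or tampered vault: nothing can be recovered")
    ks = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], ks))


def provider_reset_password(record: dict, new_password: str) -> dict:
    """Without the key, a reset can only discard the old vault and start empty."""
    return seal_vault(new_password, b"")
```

The provider never sees the password or the derived key, so the stored record is useless to a rogue employee or an intruder, and equally useless to a user who has forgotten the password.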
Examples of Services That Are End-to-End Encrypted
Here are some basic communication services that offer end-to-end encryption. This isn't an exhaustive list — it's just a short introduction.
Among chat apps, Signal provides end-to-end encryption by default for all users. Although Apple iMessage offers end-to-end encryption, messages are backed up on iCloud by default. WhatsApp claims to have end-to-end encryption for conversations, but it does share data with Facebook. Other apps like Telegram and Facebook Messenger offer end-to-end encryption as an optional feature that requires manual activation.
To achieve end-to-end encryption for emails, PGP can be used, but the setup process can be complex. Thunderbird now has integrated PGP support, making it easier to set up encrypted email. Encrypted email services such as ProtonMail and Tutanota store emails on their servers with encryption, simplifying the process of sending encrypted emails. For instance, when a ProtonMail user emails another ProtonMail user, the message is automatically encrypted, ensuring that only the intended recipient can access its contents. However, if a ProtonMail user emails someone using a different email service, PGP setup is necessary for encryption. It is important to note that not all elements of an email are encrypted, as subject lines, for example, remain unencrypted.
Ensuring end-to-end encryption is crucial. When engaging in confidential discussions or exchanging sensitive data, it becomes essential to guarantee that solely the intended recipient and you possess the ability to access and read your messages.