What is end-to-end encryption and why is everyone fighting over it?
End-to-end encryption is considered one of the best ways to protect user data, but not everyone thinks it's a good idea
End-to-end encryption (E2EE) is a private communication system that safeguards the messages sent between two devices with cryptography, ensuring only the sending and receiver can see these messages. Only those involved directly in the communication channel can access the secure packages sent – not even the service provider can access these messages.
Many popular social media and messaging apps use E2EE, including WhatsApp and Signal, with many people valuing the near guarantee of privacy that using encryption offers. But not everybody feels the same about this form of data encryption. Despite many additional services adding E2EE as a feature in their services, such as Zoom last year, national governments and intelligence agencies around the world have been vying to break E2EE in the interests of fighting crime. The latest threat to the communication safeguard is the UK’s Online Safety Bill, but this is just one effort of many across the world to undermine it.
How end-to-end encryption works
In a system that uses E2EE, the message is encrypted by the user’s device and is only decrypted when it arrives on the recipient's device. This is to prevent data from being intercepted, deleted, or modified by unauthorized third parties.
As the service provider itself is unable to access the messages being sent between users, E2EE is considered one of the best ways to maintain user privacy. However, this also means companies are unable to hand over the contents of messages to law enforcement agencies on request. Indeed, there have been calls through recent years from Five Eyes nations for there to be encryption backdoors by design.
This is notably different from ‘encryption in transit’, another technique that only encrypts data as it travels between one device and a target server, and then from the server to a recipient device, with the data being decrypted and re-encrypted at each stage. This allows for a legitimate third party, such as a service provider, to access the contents of a message, but prevents unauthorized individuals from intercepting the messages as they travel.
Encryption in transit is by far the most common form of data encryption used by companies today. Only a handful of companies have adopted the more secure E2EE method, although many messaging application providers are turning to the technology as a way of differentiating themselves from their competition.
Although E2EE is considered to be the most secure method of encryption, it’s also by far the most contentious – many believe E2EE is essential for maintaining a user’s privacy and security online, while others believe it simply serves to hide online criminality and makes it more difficult for law enforcement agencies to tackle harmful or illegal content.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Who wants to ban end-to-end encryption?
Five Eyes governments
Broadly speaking, the Five Eyes nations of Australia, Canada, New Zealand, the UK, and the US publicly support the use of encryption but have all attempted to influence tech companies to implement measures to allow them to bypass it on demand. These nations want the power to, on a case-by-case basis, intercept messages protected by E2EE when needed, on national security grounds. The UK, for example, has made efforts in the form of the Investigatory Powers Act, which requires communication service providers to be active participants in the interception and acquisition of user data as part of investigations.
In addition to the national security upsides that would come with the government’s ability to monitor messages sent across communication networks, Five Eyes governments also argue E2EE inhibits law enforcement’s ability to gather data that could lead to the protection of vulnerable individuals. Protecting children from harmful content online is a commonly cited example of when E2EE can threaten the safety of individuals, another is how difficult it is to prevent the access to, and distribution of, extremist material.
E2EE presents a fascinating debate around our right to privacy as humans, and our right to a safe and secure society too. We haven’t seen much by way of laws, however, but the closest we’ve come is the UK’s recently passed Online Safety Bill, of which an earlier draft said communication services should add a backdoor to its encryption protocols. Those opposed to this argue that hackers would inevitably exploit the same backdoor, defeating the point of end-to-end encryption entirely.
This would have let it access messages that it had reason for believing were harmful in some way. When the law passed through parliament in 2023, however, it relaxed many of these provisions. Instead of requiring a backdoor by default, the government has given the regulator Ofcom the power to accredit any technology that can introduce backdoor access safely – when it’s been developed, eventually.
Charities
Charity groups, particularly those representing children and vulnerable adults, have similarly called for the scrapping of E2EE, or at least tougher rules on how it’s deployed.
The National Society for the Prevention of Cruelty to Children (NSPCC), for example, has long taken the stance that the debate around E2EE is skewed towards providing greater privacy to adults at the expense of safety for children.
Such charity groups believe that E2EE can exist in a limited capacity, but that decisions to use the technology should be weighed heavily against any potential risk of harm to children.
Law enforcement agencies
The International Criminal Police Organisation (Interpol) has expressed support for the dismantling of E2EE across communication services. In 2019, Interpol joined a list of law enforcement agencies in arguing that criminals hide behind E2EE and that technology companies should be doing more to grant law enforcement agencies access to these channels.
GCHQ has also argued against the use of E2EE, and has also claimed that technology companies could “relatively easily” add a third participant to an encrypted channel between two users, without also adding in a security vulnerability.
European Union
Although the EU once considered mandatory E2EE on communication services for all citizens, in recent years it has reversed its stance. Indeed, members of the union are split on this matter.
Leaked draft resolutions from the Council of the EU three years ago appear to show a willingness to ban the technology outright, arguing that although it firmly supports encryption, E2EE makes it too easy for criminals to evade justice. Spain, in 2023, advocated banning encryption for people in the EU, according to a leaked document. But these are simply proposals at this stage, and there is no indication that any such ban is on the horizon.
Who supports end-to-end encryption?
Privacy and digital rights groups
Privacy campaigners argue E2EE protects everyone on the internet, and is the only way to ensure users are free from unauthorized surveillance, either from the service provider, national governments, or cyber criminals. They view attempts to scrap E2EE as simply the dismantling of user privacy in favor of greater surveillance. Digital rights groups such as Open Rights Group (ORG), Big Brother Watch, Privacy International, and Statewatch, as well as trade lobby groups, have all expressed support for E2EE.
Digital rights groups such as Open Rights Group, Big Brother Watch, Privacy International, and Statewatch, as well as trade lobby groups like techUK, have all expressed support for E2EE – over thirty of these groups recently signed a letter demanding that MPs block the proposed Online Safety Bill, which would in effect ban the use of end-to-end encryption.
These groups have long argued any attempts to dilute E2EE would simply invite cyber criminals or foreign adversaries to steal or manipulate user data.
They also argue E2EE protects users from malicious activity, such as unauthorized individuals gaining access to photos or geolocation data for the purpose of stalking or online bullying. They have also argued the government has unfairly conflated the issue of child abuse with E2EE in a bid to gain wider public support for its measures.
What services use end-to-end encryption?
Although companies are required to secure customer data, most use some form of ‘in-transit' encryption, and it’s still considered a bold move for a company to adopt E2EE. However, most popular messaging services have already moved to E2EE, either by enabling this by default or by offering a way of switching it on.
Apple’s iMessage platform, for example, protects users with E2EE by default across iOS and macOS. However, if you have iCloud backup enabled, which is a commonly used feature for most users, this will create a copy of the data that can be read by Apple – in effect creating a hole in iMessage’s E2EE. WhatsApp is another example of a company that has long supported the use of E2EE. Since April 2016, all users have been protected in this way, regardless of the type of content being shared.
Although Facebook has offered users limited forms of E2EE in the past, in May 2021 the company committed to making it the default security approach across all of its messaging platforms, although this is unlikely to appear until 2022 at the earliest. Although X, previously known as Twitter, is one example of an exceptionally high-profile company that doesn’t use E2EE on its platform.
Can end-to-end encryption be broken safely?
KuppingerCole leadership compass report - Unified endpoint management (UEM) 2023
Get an updated overview of UEM vendors and their offerings.
DOWNLOAD NOW
Governments have long proposed backdoors as a way to intercept the messages of potential criminals so they can gather the intelligence needed to prevent crime or prosecute people for it. But is it possible to create backdoors in E2EE without undermining the technology itself to the extent it becomes unrecognizable?
There may be arguments in favor of – and some merit to – implementing a secure government backdoor, but the security of any such protocol very much depends on who has devised it and how secure it actually is, which isn’t by any means guaranteed. Any backdoor adds another element of risk to a system, and especially to encrypted channels, and it may only be a matter of time before cyber criminals find a way to abuse it anyway – no matter how well-designed these backdoors may be.
But another danger looms large in the form of quantum computing. Many fear that powerful quantum computers can begin to break today’s widely used encryption algorithms, meaning the E2EE technology becomes useless overnight. Indeed, there are fears that cyber criminals will be leaning on ‘steal now, crack’ later’ techniques to crack into encrypted data in the future. There’s every reason to believe governments may also lean on quantum computers to undermine E2EE encryption. Regardless of how E2EE is undermined, it’s almost impossible to do so without fundamentally compromising the entire point of the technology and why it’s used by so many.
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.