End-to-end encryption (E2EE) is a private communication system that safeguards the messages sent between two devices with cryptography, ensuring only the sending and receiver can see these messages. Only those involved directly in the communication channel can access the secure packages sent – not even the service provider can access these messages.
Many popular social media and messaging apps use E2EE, including WhatsApp and Signal, with many people valuing the near guarantee of privacy that using encryption offers. But not everybody feels the same about this form of data encryption. Despite many additional services adding E2EE as a feature in their services, such as Zoom last year, national governments and intelligence agencies around the world have been vying to break E2EE in the interests of fighting crime. The latest threat to the communication safeguard is the UK’s Online Safety Bill, but this is just one effort of many across the world to undermine it.
How end-to-end encryption works
In a system that uses E2EE, the message is encrypted by the user’s device and is only decrypted when it arrives on the recipient's device. This is to prevent data from being intercepted, deleted, or modified by unauthorized third parties.
As the service provider itself is unable to access the messages being sent between users, E2EE is considered one of the best ways to maintain user privacy. However, this also means companies are unable to hand over the contents of messages to law enforcement agencies on request. Indeed, there have been calls through recent years from Five Eyes nations for there to be encryption backdoors by design.
This is notably different from ‘encryption in transit’, another technique that only encrypts data as it travels between one device and a target server, and then from the server to a recipient device, with the data being decrypted and re-encrypted at each stage. This allows for a legitimate third party, such as a service provider, to access the contents of a message, but prevents unauthorized individuals from intercepting the messages as they travel.
Encryption in transit is by far the most common form of data encryption used by companies today. Only a handful of companies have adopted the more secure E2EE method, although many messaging application providers are turning to the technology as a way of differentiating themselves from their competition.
Although E2EE is considered to be the most secure method of encryption, it’s also by far the most contentious – many believe E2EE is essential for maintaining a user’s privacy and security online, while others believe it simply serves to hide online criminality and makes it more difficult for law enforcement agencies to tackle harmful or illegal content.
Who wants to ban end-to-end encryption?
Five Eyes governments
Broadly speaking, the Five Eyes nations of Australia, Canada, New Zealand, the UK, and the US publicly support the use of encryption but have all attempted to influence tech companies to implement measures to allow them to bypass it on demand. These nations want the power to, on a case-by-case basis, intercept messages protected by E2EE when needed, on national security grounds. The UK, for example, has made efforts in the form of the Investigatory Powers Act, which requires communication service providers to be active participants in the interception and acquisition of user data as part of investigations.
In addition to the national security upsides that would come with the government’s ability to monitor messages sent across communication networks, Five Eyes governments also argue E2EE inhibits law enforcement’s ability to gather data that could lead to the protection of vulnerable individuals. Protecting children from harmful content online is a commonly cited example of when E2EE can threaten the safety of individuals, another is how difficult it is to prevent the access to, and distribution of, extremist material.
E2EE presents a fascinating debate around our right to privacy as humans, and our right to a safe and secure society too. We haven’t seen much by way of laws, however, but the closest we’ve come is the UK’s recently passed Online Safety Bill, of which an earlier draft said communication services should add a backdoor to its encryption protocols. Those opposed to this argue that hackers would inevitably exploit the same backdoor, defeating the point of end-to-end encryption entirely.
This would have let it access messages that it had reason for believing were harmful in some way. When the law passed through parliament in 2023, however, it relaxed many of these provisions. Instead of requiring a backdoor by default, the government has given the regulator Ofcom the power to accredit any technology that can introduce backdoor access safely – when it’s been developed, eventually.
Charities
Charity groups, particularly those representing children and vulnerable adults, have similarly called for the scrapping of E2EE, or at least tougher rules on how it’s deployed.
The National Society for the Prevention of Cruelty to Children (NSPCC), for example, has long taken the stance that the debate around E2EE is skewed towards providing greater privacy to adults at the expense of safety for children.
Such charity groups believe that E2EE can exist in a limited capacity, but that decisions to use the technology should be weighed heavily against any potential risk of harm to children.
Law enforcement agencies
The International Criminal Police Organisation (Interpol) has expressed support for the dismantling of E2EE across communication services. In 2019, Interpol joined a list of law enforcement agencies in arguing that criminals hide behind E2EE and that technology companies should be doing more to grant law enforcement agencies access to these channels.
GCHQ has also argued against the use of E2EE, and has also claimed that technology companies could “relatively easily” add a third participant to an encrypted channel between two users, without also adding in a security vulnerability.
European Union
Although the EU once considered mandatory E2EE on communication services for all citizens, in recent years it has reversed its stance. Indeed, members of the union are split on this matter.
Leaked draft resolutions from the Council of the EU three years ago appear to show a willingness to ban the technology outright, arguing that although it firmly supports encryption, E2EE makes it too easy for criminals to evade justice. Spain, in 2023, advocated banning encryption for people in the EU, according to a leaked document. But these are simply proposals at this stage, and there is no indication that any such ban is on the horizon.
Who supports end-to-end encryption?
Privacy and digital rights groups
Privacy campaigners argue E2EE protects everyone on the internet, and is the only way to ensure users are free from unauthorized surveillance, either from the service provider, national governments, or cyber criminals. They view attempts to scrap E2EE as simply the dismantling of user privacy in favor of greater surveillance. Digital rights groups such as Open Rights Group (ORG), Big Brother Watch, Privacy International, and Statewatch, as well as trade lobby groups, have all expressed support for E2EE.
Digital rights groups such as Open Rights Group, Big Brother Watch, Privacy International, and Statewatch, as well as trade lobby groups like techUK, have all expressed support for E2EE – over thirty of these groups recently signed a letter demanding that MPs block the proposed Online Safety Bill, which would in effect ban the use of end-to-end encryption.
These groups have long argued any attempts to dilute E2EE would simply invite cyber criminals or foreign adversaries to steal or manipulate user data.
They also argue E2EE protects users from malicious activity, such as unauthorized individuals gaining access to photos or geolocation data for the purpose of stalking or online bullying. They have also argued the government has unfairly conflated the issue of child abuse with E2EE in a bid to gain wider public support for its measures.
What services use end-to-end encryption?
Although companies are required to secure customer data, most use some form of ‘in-transit' encryption, and it’s still considered a bold move for a company to adopt E2EE. However, most popular messaging services have already moved to E2EE, either by enabling this by default or by offering a way of switching it on.
Apple’s iMessage platform, for example, protects users with E2EE by default across iOS and macOS. However, if you have iCloud backup enabled, which is a commonly used feature for most users, this will create a copy of the data that can be read by Apple – in effect creating a hole in iMessage’s E2EE. WhatsApp is another example of a company that has long supported the use of E2EE. Since April 2016, all users have been protected in this way, regardless of the type of content being shared.
Although Facebook has offered users limited forms of E2EE in the past, in May 2021 the company committed to making it the default security approach across all of its messaging platforms, although this is unlikely to appear until 2022 at the earliest. Although X, previously known as Twitter, is one example of an exceptionally high-profile company that doesn’t use E2EE on its platform.
Can end-to-end encryption be broken safely?
RELATED RESOURCE
KuppingerCole leadership compass report - Unified endpoint management (UEM) 2023
Get an updated overview of UEM vendors and their offerings.
DOWNLOAD NOW
Governments have long proposed backdoors as a way to intercept the messages of potential criminals so they can gather the intelligence needed to prevent crime or prosecute people for it. But is it possible to create backdoors in E2EE without undermining the technology itself to the extent it becomes unrecognizable?
There may be arguments in favor of – and some merit to – implementing a secure government backdoor, but the security of any such protocol very much depends on who has devised it and how secure it actually is, which isn’t by any means guaranteed. Any backdoor adds another element of risk to a system, and especially to encrypted channels, and it may only be a matter of time before cyber criminals find a way to abuse it anyway – no matter how well-designed these backdoors may be.
But another danger looms large in the form of quantum computing. Many fear that powerful quantum computers can begin to break today’s widely used encryption algorithms, meaning the E2EE technology becomes useless overnight. Indeed, there are fears that cyber criminals will be leaning on ‘steal now, crack’ later’ techniques to crack into encrypted data in the future. There’s every reason to believe governments may also lean on quantum computers to undermine E2EE encryption. Regardless of how E2EE is undermined, it’s almost impossible to do so without fundamentally compromising the entire point of the technology and why it’s used by so many.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
Most Popular
As an expert in cybersecurity and encryption technologies, I bring a wealth of knowledge to shed light on the intricate details surrounding end-to-end encryption (E2EE). I have a deep understanding of the underlying cryptographic principles and the broader implications of E2EE on privacy, security, and the ongoing debates in the realm of digital communication.
End-to-end encryption, at its core, is a robust private communication system that utilizes cryptographic techniques to secure messages exchanged between two devices. The fundamental principle is that only the sender and the intended recipient can access these messages, as they are encrypted by the sender's device and decrypted by the recipient's device. Even the service provider is unable to access the content of these messages, providing a high level of privacy and security.
The article touches upon the fact that many popular social media and messaging apps, such as WhatsApp and Signal, employ E2EE, emphasizing the growing significance of encryption in safeguarding user communications. The debate surrounding E2EE is multifaceted, with a dichotomy between those valuing privacy and those concerned about potential misuse for illegal activities.
In terms of how E2EE works, it ensures that messages remain encrypted during transmission and are only decrypted upon reaching the recipient. This prevents unauthorized third parties from intercepting, deleting, or modifying the data in transit. It stands in contrast to "encryption in transit," which only encrypts data during its journey between devices and allows legitimate third parties, such as service providers, to access message contents.
The article discusses the various entities with differing views on E2EE. Five Eyes governments, including the UK, have expressed support for encryption but have also sought measures to bypass it on demand for national security reasons. The UK's Online Safety Bill is highlighted as a recent effort to regulate E2EE. Additionally, charity groups, law enforcement agencies, and even the European Union have varying stances on the use of E2EE, with some advocating for its dismantling to address concerns about criminal activities and the safety of vulnerable individuals.
On the opposing side, privacy and digital rights groups strongly support E2EE, considering it essential for protecting user privacy from unauthorized surveillance. These groups argue that attempts to weaken or ban E2EE could lead to increased cyber threats and compromises in user data security.
The article also touches upon specific messaging services that utilize E2EE, such as Apple's iMessage and WhatsApp, while highlighting the rarity of companies adopting this more secure encryption method. The ongoing debate over the potential risks and benefits of introducing backdoors to break E2EE is explored, acknowledging the complex challenges associated with maintaining both privacy and security.
Furthermore, the article raises concerns about the potential impact of quantum computing on E2EE. The fear is that powerful quantum computers could render current encryption algorithms obsolete, posing a significant threat to the security provided by E2EE.
In conclusion, my comprehensive knowledge of encryption technologies allows me to provide a nuanced understanding of the intricacies surrounding end-to-end encryption, covering its principles, applications, debates, and potential future challenges.
