Demystifying End-to-End Encryption: A Comprehensive Guide
By Jonathan D. Steele | February 25, 2024
Quick Answer: Unlock the secrets of end-to-end encryption (E2EE) in this comprehensive guide, exploring how it protects your data from sender to recipient without any third-party access. Discover why E2EE is a superior choice for safeguarding privacy, and learn about trustworthy applications and services that prioritize your security in an increasingly digital world.
— Jonathan D. Steele, Esq. (Security+, ISC2 CC, CEH)
In an increasingly digital world, where our personal and sensitive information is transmitted across networks and stored in the cloud, encryption plays a crucial role in safeguarding our data. Among various encryption methods, end-to-end encryption (E2EE) stands out as a gold standard for privacy and security. Let’s dive into what E2EE is, how it compares to other forms of encryption, and why it’s superior.
What Is End-to-End Encryption?
End-to-end encryption is a process that ensures data remains confidential from the moment it leaves the sender’s device until it reaches the recipient’s device. Unlike other encryption methods that may only protect data during transit or while stored on servers, E2EE ensures that only the sender and recipient can access the information. Here’s how it works:
Unique Encryption Keys: When a user sends a message, their device generates a unique encryption key. This key encrypts the data before transmission.
Recipient’s Decryption Key: The recipient’s device uses a matching decryption key to decrypt the data upon receipt. No one else, including service providers, has access to these keys.
Protection at Every Stage: Even if intercepted during transmission, the data remains secure because only the sender and recipient hold the necessary keys.
E2EE vs. Other Encryption Methods
Client-Side Encryption
Client-side encryption refers to encryption performed on the user’s device before data is transmitted. While it enhances security, it doesn’t guarantee end-to-end protection. Service providers still have access to the keys during server-side processing.
Transport Layer Security (TLS)
TLS encrypts data while it travels between the sender and the service’s server and between the server and the recipient. However, when it reaches the server, it is briefly decrypted before being re-encrypted. Imagine a postal service that opens your letter, transfers it to a new envelope, and delivers it. The content could be exposed to postal employees. With E2EE, this middle step is eliminated.
Encryption at Rest
Encryption at rest is a security method in which stored data is encrypted. It applies to data that is neither in use nor in transit. The data is scrambled into ciphertext using encryption algorithms, making it unreadable without the decryption key. This protects sensitive data from unauthorized access, which matters because stored data is a frequent target for attackers.
So there is encryption at the sender's end (client side), encryption in transit (TLS), and encryption at the destination (encryption at rest). Isn't that "end to end"? Simply, no. Each time the data changes hands there is a chance for interception, but more importantly, as with Gmail and most email providers, your data is often encrypted on their servers. The dilemma, however, is that Gmail or the service provider holds the keys! Think of it as your landlord having a master key to unlock your door at their pleasure. Would you not prefer to have the only key?
Some companies deliberately play fast and loose with this terminology to fool consumers into believing their data is safe and sound, when it is not.
Zoom’s Misuse of “End-to-End Encryption”
During the pandemic, video conferencing platform Zoom faced controversy when it claimed to offer end-to-end encryption. However, it was later discovered that Zoom’s definition differed from true E2EE. They defined the term using some strained interpretation that data was encrypted in transit and at its destination, but they somehow neglected to mention that they held the keys.
The scandal highlighted the importance of understanding encryption terminology. As a result, Zoom was forced to roll out true end-to-end encryption, but very few people have toggled it on, as it remains buried in a lengthy settings page.
Real-World Examples of E2EE
Messaging Apps:
Signal: Known for its robust E2EE, Signal ensures that only the sender and recipient can read messages, voice calls, and video calls.
WhatsApp: WhatsApp uses the Signal Protocol for E2EE, protecting user privacy even from WhatsApp itself. WhatsApp, however, is closed source, is run by Meta, and collects metadata (information about the sender and receiver) that Signal deliberately does not collect.
Even trusted iMessage is end-to-end encrypted. But there is a major caveat here. If you are like most, you use iCloud backup. If you back up your iMessages to iCloud without enabling Advanced Data Protection, your backups are not end-to-end encrypted, which leaves a gaping hole in the protection offered. If you rely on iMessage for private communication, it is imperative that you and those you communicate with enable ADP. If you're in an exchange with green-bubble recipients (SMS text messages), all bets are off: there is no encryption whatsoever. For these recipients, you must urge them to adopt Signal or at least WhatsApp. It should also be noted that, like WhatsApp, iMessage is closed source, meaning you have to trust Apple that it is doing what it says. Contrast this with Signal and Proton Mail, which are open source, meaning their code is available for anyone to audit and confirm they are doing what they say they are doing.
Phone and Video Calls
FaceTime audio and video calls are end-to-end encrypted. Signal audio and video calls are as well.
Similarly, MySudo, a privacy-focused company offering alias phone numbers, emails, and text messaging, offers true end-to-end encryption in all three categories, provided the person on the other end is using MySudo as well. It should be noted that even when that is not the case, MySudo offers excellent privacy and security gains worthy of your consideration.
With regular phone calls, however, all bets are off again. You are far better off encouraging people to use Signal for phone or video calls. If you cannot convince them, insist that your phone and video calls take place via FaceTime.
Email Communication
Proton Mail and Tuta: These email services offer E2EE, though they use different protocols, securing email content from prying eyes. It is important to note that Proton Mail is only E2EE between two Proton accounts, just as Tuta is only E2EE between two Tuta accounts. Each service can also send a password-protected email to an address at any other provider, which gives E2EE for that message, and there are still benefits even if only you are using Proton or Tuta. Specifically, your emails are stored with Zero Access Encryption.
Zero Access Encryption is a method of encrypting all of the emails in your inbox immediately upon receipt such that even Proton or Tuta cannot access them after receipt (excluding a brief time needed to scan for malware, phishing, and spam). Unlike Gmail, they thus have no ability to profile you or sell information about your purchase habits collected by scanning your inbox.
If you're like most, you have years' worth of restaurant order confirmations, Amazon orders, travel records, medical records, and bank records lying around in your Gmail inbox. Think of the power a provider holds when it can scan that data and sell it as it pleases.
There's no denying it: Gmail holds the vast majority of market share. But companies like Proton and Tuta are steadily gaining popularity as people become more knowledgeable about what is really going on.
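As an added example (not code from this article or from any of the products it names), the Go program below shows the key arrangement behind both the sender-to-recipient flow described under "What Is End-to-End Encryption?" and the zero-access mailbox described above: whoever encrypts needs only the recipient's public key, and only the private key that stays on the recipient's device can decrypt, so a relaying or receiving server holds nothing that reads the message. It uses X25519 and AES-256-GCM from the Go standard library; hashing the shared secret directly instead of running HKDF is a simplification, and the sample message in the usage is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const pubLen, nonceLen = 32, 12 // message layout: ephemeralPub(32) || nonce(12) || ciphertext+tag

// NewDeviceKey makes an endpoint's X25519 key pair; the private half never leaves the device.
func NewDeviceKey() *ecdh.PrivateKey {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { panic(err) } // a failing system RNG is not recoverable
	return priv
}

// aeadWith runs X25519 between priv and peerPub and turns the secret into AES-256-GCM.
// Hashing the raw secret stands in for a proper HKDF step (a simplification in this example).
func aeadWith(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil { return nil, err }
	secret, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext to recipientPub under a fresh ephemeral key, so whoever encrypts (a
// sender, or a mail server applying zero-access encryption) keeps nothing that can decrypt it.
func Encrypt(recipientPub, plaintext []byte) ([]byte, error) {
	eph := NewDeviceKey()
	aead, err := aeadWith(eph, recipientPub)
	if err != nil { return nil, err }
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return aead.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, plaintext, nil), nil
}

// Decrypt needs the recipient's private key; any modified byte makes the GCM tag check fail.
func Decrypt(priv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < pubLen+nonceLen { return nil, errors.New("message too short") }
	aead, err := aeadWith(priv, msg[:pubLen])
	if err != nil { return nil, err }
	return aead.Open(nil, msg[pubLen:pubLen+nonceLen], msg[pubLen+nonceLen:], nil)
}
```

A server sitting between the two parties sees only the ephemeral public key, nonce and ciphertext, and a key it generated for itself cannot open the message; flipping one byte fails authentication instead of yielding garbage.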
File Transmission and Storage Services:
C2 Transfer: C2 Transfer provides end-to-end encryption for file sharing, ensuring data privacy during transmission.
iCloud Drive with Advanced Data Protection: Apple’s Advanced Data Protection extends E2EE to iCloud Backup, Photos, Notes, and more.
Proton Drive, like Proton's other privacy-oriented offerings, provides end-to-end encrypted storage.
Note Taking Apps
If you are like most, you have an iPhone full of "notes." Maybe you even keep passwords or account numbers there (please don't). Once again, if you have enabled ADP, your data is safely E2EE.
If not, or if you prefer an open source cross-platform option, Notesnook is an excellent alternative to consider. It is E2EE, it offers encrypted sharing of notes, and a host of features normally found in mainstream options from titans like Microsoft.
Why E2EE Matters
Privacy: E2EE prevents unauthorized access, even by service providers or a rogue employee inside one.
Security: It protects against data breaches and surveillance.
Trust: Users don’t need to trust service providers; the encryption process is transparent.
In a world where data breaches are common, E2EE empowers users to take control of their privacy and security. Let’s embrace E2EE and ensure our digital communications remain confidential and safe.