End-to-End Encryption: The Good, the Bad and the Politics

Here’s what you need to know about the debate over end-to-end encryption

It’s that time of the year when we grab our
popcorn and witness another chapter in the age-old battle between governments
and tech companies. Once again, governments are attacking tech companies for
giving criminals a “safe place” for their communication, while the
companies say they are protecting privacy.

After Apple and WhatsApp, Facebook is the latest platform to make the headlines in the ongoing encryption debate — end-to-end encryption to be precise. In an open letter addressed to Mark Zuckerberg, co-founder & CEO of Facebook, the governments of the U.S., U.K. and Australia have asked the social networking giant not to proceed with its plans to implement end-to-end encryption across Facebook’s messaging services. And not only that, they’ve also reaffirmed their request for a backdoor in the encryption of messaging services.

But before you form any opinions on this situation, it’s essential to know what end-to-end encryption is and what it does.

Let’s hash it out.

What is End-to-End Encryption? How is it Different from Other Encryption?

How Encryption Works

We’ll get to “end-to-end” encryption in a
bit — but before that, let’s first understand what encryption is and what it
does.

Consciously or unconsciously, we all send
and receive a lot of information when we use the internet through our devices.
And some of this information is confidential (passwords, financial information,
personal photographs, etc.) and could cause a lot of damage if someone steals
or tampers with it. So, how do we make sure that no one does that? Well, this
is where encryption comes in.

Encryption is the technique that turns our
data into an undecipherable format so that no third party can read or alter it.
It’s what keeps us safe in the ocean of the internet.

Here’s an example of a phrase of text
that’s been encrypted:

  • Plain text: This is a Facebook message.
  • Encrypted text: eXP3jH+7giCt1gIg0zHm3j3DPI1xuFRvbhmaKJx/uQQ=

As you can see, there’s no way to figure
out what the encrypted text means — unless, of course, you have the private key
to decrypt it.

Facebook Messenger Is Already Encrypted — Here’s How It Works

Facebook Messenger already uses encryption —
just not end-to-end encryption. “Normal” encryption (a.k.a. link encryption)
works like this:

  1. Sender forms an encrypted
    connection with Facebook’s servers.
  2. Sender submits the encrypted
    message to Facebook’s servers.
  3. Facebook decrypts the message
    and stores it on their servers.
  4. Facebook’s servers form an
    encrypted connection with the recipient.
  5. Recipient downloads the message
    via an encrypted connection.

Note that in this scenario, Facebook
controls the encryption/decryption, and Facebook has access to the decrypted
message.

Graphic: Illustration of link encryption ("normal" encryption)

How End-to-End Encryption Works

Now, let’s get to end-to-end encryption. It’s precisely what it sounds like — end-to-end encryption facilitates the type of encrypted communication that only the sender and receiver can read/see. No one in the middle — including Facebook, the government, or another messaging service provider — can read/decrypt messages being sent from one device to another.

Graphic: An illustration of end-to-end encryption

In other words, the messages you send are
decrypted at the endpoint of the communication — the device you’re sending
messages to. The server you’re sending the data through (i.e. Facebook) won’t
be able to decrypt or view your messages.

Facebook Can’t See Your Messages When They’re End-to-End Encrypted

The distinction between the two is that while normal or link encryption encrypts the data, the server transmitting information between two devices has the ability to decrypt the encrypted data. End-to-end encryption, on the other hand, uses the server to transmit the data (how else would the data transfer take place?), but it doesn’t allow the server to decrypt the data. Therefore, the server is just a medium that facilitates data transfer of encrypted information. Hence, WhatsApp or any other end-to-end encrypted app won’t be able to read your information (even if they want to).
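
The difference between the two models, shown as an added example that is not part of the original article and is not how Facebook or WhatsApp implement it. The function names are hypothetical, and AES-256-GCM, X25519 and HKDF are assumed here as stand-ins for the real transport and messaging protocols.

```javascript
// Added example (not from the article). Uses only Node's built-in crypto module.
const nodeCrypto = require('node:crypto');

// AES-256-GCM helpers: seal() encrypts; unseal() throws on a wrong key or tampering.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Link encryption: each hop has its own key shared with the server
// (random keys here stand in for the two encrypted connections).
function linkEncrypted(message) {
  const senderLink = nodeCrypto.randomBytes(32);    // sender <-> server
  const recipientLink = nodeCrypto.randomBytes(32); // server <-> recipient
  const uplink = seal(senderLink, message);
  const serverSees = unseal(senderLink, uplink);      // server decrypts and stores
  const downlink = seal(recipientLink, serverSees);   // server re-encrypts for delivery
  return { serverSees, delivered: unseal(recipientLink, downlink) };
}

// End-to-end: only the two devices can derive the message key (X25519 + HKDF).
function deriveKey(myPrivate, theirPublic) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2e-demo', 32));
}
function endToEnd(message) {
  const alice = nodeCrypto.generateKeyPairSync('x25519');
  const bob = nodeCrypto.generateKeyPairSync('x25519');
  const envelope = seal(deriveKey(alice.privateKey, bob.publicKey), message);
  // The server relays public keys and the envelope but holds neither private key,
  // so any key it tries fails the GCM authentication check.
  let serverSees = null;
  try { serverSees = unseal(nodeCrypto.randomBytes(32), envelope); } catch { serverSees = null; }
  const delivered = unseal(deriveKey(bob.privateKey, alice.publicKey), envelope);
  return { serverSees, relayed: envelope.ct, delivered };
}

console.log(linkEncrypted('This is a Facebook message.'));
console.log(endToEnd('This is a Facebook message.'));
```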

End-to-End Encryption: The Good

Security professionals and privacy experts largely
support the idea of end-to-end encryption because it better protects your data
from hackers and other parties who may want to spy on you. When you allow the data
transmitter (the messaging service provider in this case) to decrypt your
messages, you’re leaving a significant potential security hole that could cause
problems if the server is compromised, hacked, or surveilled.

If the information is protected end to end,
though, there’s no point in intercepting information halfway down the line as
it’s in an encrypted format. Thus, it protects the privacy of millions of
people and assures them that no one — not even the messaging service itself —
could read their private information. For this reason, experts (including
organizations such as the Electronic Frontier Foundation (EFF), the Center for
Democracy & Technology, and others) are advocating for the use of
end-to-end encryption in messaging apps.

End-to-End Encryption: The Bad

The main argument against end-to-end
encryption (and in favor of link encryption) is that end-to-end encryption creates
a “safe space” for criminals to communicate where there’s no third
party who can read and perform security checks on their messages. In other
words, the technology that’s supposed to protect the privacy of millions of
people and businesses protects the confidentiality of criminals as well.

I’m not saying that I’m in favor of this
argument, but it undeniably does hold some water. If the server were able to decrypt
the data, we could have a system that would help in catching the bad guys. In the
case of end-to-end encryption, this option is gone. I don’t know what other
motives they may have, but this is the argument that the governments of the U.S.,
U.K., and Australia are using to do away with end-to-end encryption.

End-to-End Encryption: The Politics

While the argument made by various
governments might make sense to a certain extent, there’s always a question
mark regarding their full intentions. Do they care about the crimes that may be
hidden because of end-to-end encryption, or are they crying foul in order to
serve a bigger agenda: having the power to easily spy on people?

So far, seeing the evidence that’s
available to us, both seem likely to be true.

And it’s worth noting here that Edward
Snowden, the famous National Security Agency whistle-blower, previously
revealed that the intelligence services in the U.K. and U.S. had been
intercepting communications through various channels for many years on a mass
scale. So, where do you draw the line as far as governments’ interference is
concerned? Encryption can be used for good and for bad, but so can
surveillance!

An Encryption Backdoor Is Not the Solution

If you’ve been following this entire encryption saga, you must have stumbled across the term “backdoor.”

Basically, a backdoor is a mathematical feature built into the encryption key exchange that makes it possible to decrypt end-to-end encrypted messages, and that no one knows about except those who made it (the messaging service). Put simply, it’s like a secret key. So when, let’s say, a judge issues a warrant requiring that certain information be handed over to the government in decrypted form, the messaging app (or the government agency) could use this “backdoor” to give your decrypted information to the government.

But, again, this comes with a danger — a massive one. What if this powerful tool falls into the wrong hands? If a cybercriminal somehow gets hold of this “secret key,” they could have access to all of your private pictures, messages, etc. and do who knows what with them! And that’s why creating a backdoor could be even more dangerous than concerns about standard encryption.

Why Does Facebook Want to Implement End-to-End Encryption? (Is Facebook Running Away from Its Responsibility?)

Implementing end-to-end encryption would
mean that even Facebook itself won’t have access to the information being
shared through its messaging service. This seems quite contrary to the business
model that Facebook has built around data monetization.

So, why doesn’t Facebook want the data? Does
it really care about privacy, or is there something else hiding behind the
curtain?

One possible reason why Facebook plans to implement end-to-end encryption is to simply move away from the pressure of law enforcement, court orders, warrants, and controversies. Currently, Facebook uses artificial intelligence (AI) and a team of human moderators to monitor the content and messages sent via its platform. They then report suspicious communication/content to authorities. This content moderation system is the source of a lot of expense, negative news coverage and even lawsuits for Facebook.

With end-to-end encryption in place, this could
all go away because Facebook won’t be able to decipher the communication. They
can simply say “sorry, we can’t access the content even if we want to.” That
could save Facebook a lot of time, money, and hassle.

A Not-So-Final Word

Considering that Facebook has already implemented end-to-end encryption in WhatsApp, the most extensively used messaging service that it owns, it seems likely that end-to-end encryption will be implemented in Facebook’s other services as well. The question is — what happens next? I expect the governments championing the call to eliminate end-to-end encryption to shift gears and attack the tech companies with more ferocity. Further down the road, this never-ending battle could spark into a fire, and ordinary users could be its witnesses or become engulfed in it.


*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Jay Thakkar. Read the original post at: https://www.thesslstore.com/blog/end-to-end-encryption-the-good-the-bad-and-the-politics/