In simple terms, encryption is an algorithm that takes readable data like a photo or message and scrambles that data so it is unreadable, with only the intended user able to unscramble the data with their key.
The Basics of Encryption
Let's take things back to basics. Encryption is a technical mechanism that stops someone who isn't meant to see something from seeing it - messages, photos, videos, documents, customer information or payment details - when they are stored digitally.
An encryption key is used in an algorithm to scramble the data that makes up, say, a document, protecting what is contained within it. In most cases an online service provider generates the key that is used to store customer content in encrypted form, and because they own and manage the key, they can reverse the scrambling and read that content.
However, not all types of encryption offer the same level of security. Many forms of encryption require the data to be temporarily decrypted as it passes through servers, creating vulnerabilities in security.
What is End-to-End Encryption?
End-to-end encryption (E2EE) is a form of encryption that uses complex algorithms to secure data as it travels between users so that no third party can ever view your communicated content, not even the service provider.
E2EE uses these algorithms to place a ‘lock’ on your data and communications, and only the people to whom you give the unique ‘key’ can unlock this data. Unlike many other forms of encryption, E2EE data is never decrypted on its path to the viewer, even when passing through servers.
Why is it so Difficult to Understand Encryption?
If you've managed to understand our explanation of encryption, you have probably introduced yourself to a plethora of follow-up questions. If you haven't, then perhaps you haven't fully understood what encryption is - or could be - for you. Depending on your context, meaning your threat model, privacy requirements, legal obligations, etc., encryption could be something completely different for you than for the stranger who sits next to you on the bus, or the friend you play golf with.
The question becomes more difficult to answer because of the qualifiers typically attached to the term: 128-bit, 256-bit, AES, ECC, encryption in transit, encryption at rest, encryption at work and end-to-end encryption (E2EE), to name just a few. Together they create a situation where there are multiple layers and degrees of complexity.
How Encryption Can Be Used To Mislead Consumers
Many wrongly assume that as soon as the word 'encryption' is present in a service provider’s security documentation, the content shared or stored is private, even though it may not be. These assumptions can often be forgiven, however, when marketing terms are wrapped around technical terms to mislead a reader. It is no surprise that encryption and its various uses are difficult to interpret, even at the simple level of classification.
A recent example in early 2020 saw Zoom describe on their website the protection of video conferences they host as ‘end-to-end encrypted’. This was not the case and highlights two things: the confusion around nomenclature that exists even at a corporate level, and the dangers of presenting a service as secured in a way that it is not. In regards to naming conventions, it is possible that a marketing team thought that if one ‘end’ is the user and the other ‘end’ is the Zoom infrastructure, and encryption is used between these two points to stop eavesdroppers, then the service is ‘end-to-end encrypted’.
You might be able to see why the copywriters thought this was the appropriate way to classify the platform’s security. Individuals or groups that require the protections that E2EE affords can be placed in a compromising situation if they take what a provider says about their offering’s security at face value.
The follow-on challenge then becomes one of trust, and what a provider can do to earn the confidence of their users and customers. Independent validation and verification of claims by an accredited firm is an effective starting point, and will often assist the provider in discovering mistakes that may have been made in implementing security mechanisms or help introduce better development practices.
How Companies Use Encryption
There are many cases where provider access to your content is a strict requirement of an interaction or relationship, for example a bank performing an identity check. The bank needs to access your documents to read them and safeguards the associated key(s) because of the privacy obligation they have to their customers, and hopefully, those safeguards stop anyone else from viewing that private content.
A ‘data breach’ happens when the keys to stored information are compromised, giving attackers access to information secured by those keys.
The lifecycle of content given to a service provider using the same security model as described above can take a very different form. Google analyses its user data to serve precisely targeted advertisements and optimise its product offerings. It is of course in Google’s interest to safeguard this data from other parties because it is this data that drives their value as a company.
A message sent to a family member or friend on Gmail is secured using Google’s keys, which means they can read those messages. The distinction from the banking example is that from the user’s perspective the content is not intended for Google, but it is routinely accessed and read by the company; the trade-off is that a free app or service is offered to facilitate communication in exchange for intelligence on your interests and relationships.
If you send an email mentioning that you discussed the pros and cons of electric toothbrushes during your recent dental appointment, you will probably be served ads for electric toothbrushes the next day - and your friend probably will too! Google’s privacy and security information page goes into great depth describing the methods they employ to protect your information using encryption, but encryption clearly does not result in absolute privacy.
Why Companies Should Use End-To-End Encryption
To achieve truly private communication, the key used to secure your data must be inaccessible to the service provider. A message sent by you that makes it to your friend without the possibility of it being read by anyone else can be facilitated by a mechanism called end-to-end encryption, which is regarded as the most secure way to transmit information.
Not only does E2EE mean that a provider cannot access your data, it also means that even if an attacker managed to steal your data from the provider, what they hold is encrypted and, without the key, useless.
This may leave you wondering, why isn’t all communication secured using E2EE? Like answering the question of what encryption is or can be, it depends on the context. The simplest summation is that E2EE is difficult to manage for everyone involved: the sender, the recipient, the service provider, and in some cases, regulators and law enforcement. Another common reason is that if you can’t access customer data it cannot be monetised.
The Challenges of End-To-End Encryption
The challenges of E2EE for broad use primarily stem from the question of who generates, owns, manages and distributes the keys used for encryption.
In 1999 the first production version of the GNU Privacy Guard (GPG) system was released, developed in response to the need for a universal communication security mechanism that could be used by anyone, anywhere, which guaranteed perfect message security, integrity and in most cases, author identity.
To use GPG one needs to use dedicated software to generate their own key pair: a public and a private key. The private key is to be stored somewhere safe, protected by a complex passphrase, and the public key is distributed to anyone that might want to send you a message. If one wanted to send a message to a specific individual they would need to first get that person’s public key (assuming they have one) and use the GPG software suite to encrypt the message, scrambling it with another, uniquely generated key in combination with the recipient’s public key. Once received, the message then needs to be decrypted using the GPG suite.
While robust when used appropriately, using GPG requires technical capability well beyond what would be considered a normal or average level. The process is complicated and fraught with easy mistakes - a common one is sharing your private key instead of your public key - and even draws criticism in the modern context from Open Whisper Systems (OWS) founder Moxie Marlinspike.
Apps such as OWS’s Signal package E2EE communication into an accessible format by hiding the complicated parts from the user, only requiring that they create an account using their phone number and add a contact from their address book, after which they can start messaging privately. The keys used for encryption are generated by the app on your phone and can’t be accessed by OWS.
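An added example, not from the original article and not GPG's own code: it walks through the scheme described above, where a one-time key is combined with the recipient's public key, and the earlier point that a provider holding no private key stores only unreadable data. The group parameters, function names and sample message are assumptions chosen for illustration, using only Python's standard library rather than GPG's actual algorithms.

```python
import hashlib
import hmac
import secrets

# Demonstration group only: the prime 2**521 - 1 with generator 3 keeps the
# example short. It is not a vetted parameter set; use GPG or a reviewed library.
P = 2**521 - 1
G = 3

def keypair():
    """Return (private, public); the private half never leaves its owner."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _session_keys(shared):
    raw = shared.to_bytes(66, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def _xor_stream(key, data):
    # HMAC-SHA256 in counter mode as a keystream; each key encrypts one message.
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_for(recipient_pub, message):
    """Sender: combine a fresh one-time key pair with the recipient's public key."""
    eph_priv, eph_pub = keypair()
    enc_key, mac_key = _session_keys(pow(recipient_pub, eph_priv, P))
    body = _xor_stream(enc_key, message)
    return {"eph_pub": eph_pub, "body": body,
            "tag": hmac.new(mac_key, body, hashlib.sha256).digest()}

def relay(envelope):
    """Service provider: stores and forwards the envelope, holds no private key."""
    return dict(envelope)

def decrypt(recipient_priv, envelope):
    """Recipient: rebuild the session keys from the private key, verify, then decrypt."""
    enc_key, mac_key = _session_keys(pow(envelope["eph_pub"], recipient_priv, P))
    expected = hmac.new(mac_key, envelope["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("authentication failed: wrong key or altered message")
    return _xor_stream(enc_key, envelope["body"])

if __name__ == "__main__":
    bob_priv, bob_pub = keypair()
    stored = relay(encrypt_for(bob_pub, b"constructed sample message"))
    print(stored["body"].hex())        # all the provider or a thief ever holds
    print(decrypt(bob_priv, stored))   # only the private-key holder recovers the text
```

Everything in the relayed envelope, including the sender's one-time public value, can be stored by the provider without giving it a way to read the message.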
Law Enforcement and End-To-End Encryption
E2EE that is easily accessible presents a challenge for law enforcement agencies who often describe its use by criminals as ‘going dark’, as compared to traditional methods of intercepting phone calls or retrieving stored copies of unsecured SMS.
The balance of privacy and public safety is a delicate one as the technology that enables private communication cannot satisfy both perfectly. If a ‘backdoor’ is implemented into an E2EE service so that law enforcement could analyse streams of messages between suspects, that same mechanism could be exploited by an attacker to invade the privacy of any individual, innocent of a crime or not, that uses the system.
Businesses and government agencies communicate and collaborate now more than ever. The shift towards outsourcing, Software as a Service and distribution of teams presents a challenge where potentially sensitive data is moving everywhere constantly and if it doesn’t, outcomes can be restricted. Technology that enhances security is typically viewed by buyers as an element that hinders work and everyday tasks, for example stopping a worker from sending documents electronically if they exceed a certain threshold of sensitivity.
Security technology, especially when considering communication, has the potential to enhance outcomes by enabling workflows rather than hindering them, accompanied by the benefit of making processes that would otherwise be manual much more efficient. If a service offers E2EE that is wrapped with features that satisfy business and government such as seamless key management, data sovereignty and system certification, a truly effective communication tool can be offered.
Security must always cover the essential mediums that form the basis of collaboration: messaging, document sharing, conferencing and, optionally, workflow-specific tools such as document approval.