Key Takeaways
- Encryption is a way of scrambling data to ensure that only those with the decryption key can access it, providing security for your online activities.
- End-to-end encryption ensures that only the sender and recipient of messages can see the contents, providing increased privacy and security for sensitive conversations and data storage.
What is end-to-end encryption (E2EE), and why is it so controversial? Should you use it? Here's everything you need to know about it.
This Cybersecurity Awareness Week article is brought to you in association with Incogni.
Encryption Basics
First, let's start with the basics of encryption. Encryption is a way of scrambling (encrypting) data so that it can't be read by everyone. Only the people who can unscramble (decrypt) the information can see its contents. If someone doesn't have the decryption key, they won't be able to unscramble the data and view the information.
(This is how it's supposed to work, of course. Some encryption systems have security flaws and other weaknesses.)
Your devices are using various forms of encryption all the time. For example, when you access your online banking website — or any website using HTTPS, which is most websites these days — the communications between you and that website are encrypted so that your network operator, internet service provider, and anyone else snooping on your traffic can't see your banking password and financial details.
Wi-Fi uses encryption, too. That's why your neighbors can't see everything you're doing on your Wi-Fi network — assuming that you use a modern Wi-Fi security standard that hasn't been cracked, anyway.
Encryption is also used to secure your data. Modern devices like iPhones, Android phones, iPads, Macs, Chromebooks, and Linux systems (but not all Windows PCs) store their data on your local devices in encrypted form. It's decrypted after you sign in with your PIN or password.
Encryption "in Transit" and "at Rest": Who Holds the Keys?
So encryption is everywhere, and that's great. But when you're talking about communicating privately or storing data securely, the question is: Who holds the keys?
For example, let's think about your Google account. Is your Google data — your Gmail emails, Google Calendar events, Google Drive files, search history, and other data — secured with encryption?
Well, yes. In some ways.
Google uses encryption to secure data "in transit." When you access your Gmail account, for example, Google connects via secure HTTPS. This ensures that no one else can snoop on the communication going on between your device and Google's servers. Your internet service provider, network operator, people within range of your Wi-Fi network, and any other devices between you and Google's servers can't see the contents of your emails or intercept your Google account password.
Google also uses encryption to secure data "at rest." Before the data is saved to disk on Google's servers, it is encrypted. Even if someone pulls off a heist, sneaking into Google's data center and stealing some hard drives, they wouldn't be able to read the data on those drives.
Both encryption in transit and at rest are important, of course. They're good for security and privacy. It's much better than sending and storing the data unencrypted!
But here's the question: Who holds the key that can decrypt this data? The answer is Google. Google holds the keys.
Why It Matters Who Holds the Keys
Since Google holds the keys, this means that Google is capable of seeing your data — emails, documents, files, calendar events, and everything else.
If a rogue Google employee wanted to snoop on your data — and yes, it's happened — encryption wouldn't stop them.
If a hacker somehow compromised Google's systems and private keys (admittedly a tall order), they would be able to read everyone's data.
If Google was required to turn over data to a government, Google would be able to access your data and hand it over.
Other systems may protect your data, of course. Google says that it has implemented better protections against rogue engineers accessing data. Google is clearly very serious about keeping its systems secure from hackers. Google has even been pushing back on data requests in Hong Kong, for example.
So yes, those systems may protect your data. But that's not encryption protecting your data from Google. It's just Google's policies protecting your data.
Don't get the impression that this is all about Google. Most of the companies you're familiar with probably have the same practices. Even Apple, a company usually lauded for its privacy practices, only added end-to-end encryption for iCloud at the end of 2022.
How End-to-End Encryption Works
Now, let's talk chat apps. For example: Facebook Messenger. When you contact someone on Facebook Messenger, the messages are encrypted in transit between you and Facebook, and between Facebook and the other person. The stored message log is encrypted at rest by Facebook before it's stored on Facebook's servers.
But Facebook has a key. Facebook itself can see the contents of your messages.
The solution is end-to-end encryption. With end-to-end encryption, the provider in the middle — whoever you replace Google or Facebook with, in these examples — will not be able to see the contents of your messages. They do not hold a key that unlocks your private data. Only you and the person you're communicating with hold the key to access that data.
Your messages are truly private, and only you and the people you're talking to can see them — not the company in the middle.
Why It Matters
End-to-end encryption offers much more privacy. For example, when you have a conversation over an end-to-end encrypted chat service like Signal, you know that only you and the person you're talking to can view the contents of your communications.
However, when you have a conversation over a messaging app that isn't end-to-end encrypted — like Facebook Messenger — you know that the company sitting in the middle of the conversation can see the contents of your communications.
It's not just about chat apps. For example, email can be end-to-end encrypted, but it requires configuring PGP encryption or using a service with that built in, like ProtonMail. Very few people use end-to-end encrypted email.
End-to-end encryption gives you confidence when communicating about and storing sensitive information, whether it's financial details, medical conditions, business documents, legal proceedings, or just intimate personal conversations you don't want anyone else having access to.
End-to-End Encryption Isn't Just About Communications
End-to-end encryption was traditionally a term used to describe secure communications between different people. However, the term is also commonly applied to other services where only you hold the key that can decrypt your data.
For example, password managers like 1Password, Bitwarden, LastPass, and Dashlane are end-to-end encrypted. The company can't rummage through your password vault — your passwords are secured with a secret only you know.
In a sense, this is arguably "end-to-end" encryption — except that you're on both ends. No one else — not even the company that makes the password manager — holds a key that lets them decrypt your private data. You can use the password manager without giving the password manager company's employees access to all your online banking passwords.
Another good example: If a file storage service is end-to-end encrypted, that means that the file storage provider can't see the contents of your files. If you want to store or sync sensitive files with a cloud service — for example, tax returns that have your social security number and other sensitive details — encrypted file storage services are a more secure way to do that than just dumping them in a traditional cloud storage service like Dropbox, Google Drive, or Microsoft OneDrive.
One Downside: Don't Forget Your Password!
There's one big downside with end-to-end encryption for the average person: If you lose your decryption key, you lose access to your data. Some services may offer recovery keys that you can store, but if you forget your password and lose those recovery keys, you can no longer decrypt your data.
That's one big reason that companies like Apple, for example, might not want to end-to-end encrypt iCloud backups. Since Apple holds the encryption key, it can let you reset your password and give you access to your data again. This is a consequence of the fact that Apple holds the encryption key and can, from a technical perspective, do whatever it likes with your data. If Apple didn't hold the encryption key for you, you wouldn't be able to recover your data.
Imagine if, every time someone forgets a password to one of their accounts, their data in that account would be wiped out and become inaccessible. Forget your Gmail password? Google would have to erase all your Gmails to give you your account back. That's what would happen if end-to-end encryption was used everywhere.
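The trade-off described above and in the password-manager section, as an added example that is not from the original article or from any product it names: the client derives the key from the password and the provider stores only salt, nonce, ciphertext and tag, so a forgotten password cannot be reset. The HMAC-SHA256 cipher is an illustrative standard-library construction, and the function names, iteration count and sample vault are assumptions; a real client would use a vetted AEAD such as AES-GCM from a maintained library.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed work factor for this illustration

def _keys(password, salt):
    # Runs on the user's device; password and keys are never sent to the provider.
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _xor_keystream(key, nonce, data):
    # Illustrative stream cipher: HMAC-SHA256 in counter mode, XORed with data.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        block_input = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block_input, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key, record):
    # Authenticates everything the provider stores (encrypt-then-MAC).
    body = record["salt"] + record["nonce"] + record["ciphertext"]
    return hmac.new(mac_key, body, hashlib.sha256).digest()

def seal(password, plaintext):
    """Encrypt on the client; the returned record is all the provider stores."""
    record = {"salt": os.urandom(16), "nonce": os.urandom(16)}
    enc_key, mac_key = _keys(password, record["salt"])
    record["ciphertext"] = _xor_keystream(enc_key, record["nonce"], plaintext)
    record["tag"] = _tag(mac_key, record)
    return record

def open_vault(password, record):
    """Decrypt on the client; fails closed unless the original password is used."""
    enc_key, mac_key = _keys(password, record["salt"])
    if not hmac.compare_digest(_tag(mac_key, record), record["tag"]):
        raise ValueError("wrong password or modified record")
    return _xor_keystream(enc_key, record["nonce"], record["ciphertext"])

if __name__ == "__main__":
    vault = b"bank.example / constructed-sample-password"  # constructed sample data
    stored = seal("correct horse battery staple", vault)
    print(open_vault("correct horse battery staple", stored))
    try:
        # A provider-side "reset" to a new password yields different keys.
        open_vault("new password after reset", stored)
    except ValueError as err:
        print("reset cannot recover the vault:", err)
```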
Examples of Services That Are End-to-End Encrypted
Here are some basic communication services that offer end-to-end encryption. This isn't an exhaustive list — it's just a short introduction.
For chat apps, Signal offers end-to-end encryption for everyone by default. Apple iMessage offers end-to-end encryption, but Apple gets a copy of your messages with the default iCloud backup settings. WhatsApp says that every conversation is end-to-end encrypted, but it does share a lot of data with Facebook. Some other apps offer end-to-end encryption as an optional feature that you have to enable manually, including Telegram and Facebook Messenger.
For end-to-end encrypted email, you can use PGP — however, it's complicated to set up. Thunderbird now has integrated PGP support. There are encrypted email services like ProtonMail and Tutanota that store your emails on their servers with encryption and make it easier to send encrypted emails. For example, if one ProtonMail user emails another ProtonMail user, the message is automatically sent encrypted so that no one else can see its contents. However, if a ProtonMail user emails someone using a different service, they'll need to set up PGP to use encryption. (Note that encrypted email doesn't encrypt everything: While the message body is encrypted, for example, subject lines aren't.)
End-to-end encryption is important. If you're going to have a private conversation or send sensitive information, don't you want to make sure that only you and the person you're talking to can see your messages?