Even before the pandemic, digital communication was the norm – via phone, text, email, and a plethora of messaging services. Now, with the pandemic transforming how we work, digital communication has cemented its position in workplaces globally.
Platforms such as Zoom, Microsoft Teams or Google Meet have become commonplace while more mature platforms like WhatsApp and Skype have expanded their user base.
However, in an age of data privacy, digital communication channels present a security risk. Every time a message is sent it could be seen by people other than the recipient. These range from criminals and malicious elements to governments and the companies that provide the services.
As such, end-to-end encryption (E2EE) has become a major selling point for messaging services to guarantee security and protection. However, its use has its controversies – governments have pushed back against it amid claims it prevents legal authorities gathering evidence.
“Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society. At the same time, the European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, e.g. law enforcement and judicial authorities, to exercise their lawful powers, both online and offline,” the draft said.
Given that the EU has one of the world’s most privacy-friendly regimes, the move against E2EE is a significant development. Furthermore, the use and advocacy of E2EE by tech giants is part of a larger conflict between the companies and authorities across the West.
What is end-to-end encryption?
End-to-end encryption is a method to ensure that any digital communications remain between the sender and the recipient – no third parties can read it, including the server that facilitates the transmission.
Data is encrypted at the point of origin and decrypted at the end point, and only those two parties have the keys to do so. Anyone able to intercept the message would receive only encrypted data, and at present there is no reliable way to guess or decrypt the information without the key.
E2EE does have limitations, however. It does not hide message metadata, such as the time the message was sent and who it was sent to.
It also only protects the message in transit – once the message reaches its endpoint, it is still vulnerable to attack and needs to be covered by other security measures.
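The model described above, as an added example that is not part of the original article: two endpoints derive a shared key with X25519, and a relay function shows what the server can see (routing metadata and ciphertext, nothing else). The function names and the sample message are constructed for illustration, and the example assumes each side already holds the other's authentic public key.

```javascript
const crypto = require('node:crypto'); // added example, Node.js built-in crypto only

// Each endpoint creates its own X25519 key pair; the private key never leaves it.
function newEndpoint(name) {
  return { name, ...crypto.generateKeyPairSync('x25519') };
}

// Both ends derive the same AES-256 key from their own private key and the peer's public key.
function sessionKey(self, peerPublicKey) {
  const shared = crypto.diffieHellman({ privateKey: self.privateKey, publicKey: peerPublicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2ee-demo', 32));
}

// Sender: encrypt at the point of origin. The returned envelope is all the server gets.
function seal(sender, recipient, plaintext) {
  const meta = { from: sender.name, to: recipient.name, sentAt: new Date().toISOString() };
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', sessionKey(sender, recipient.publicKey), iv);
  c.setAAD(Buffer.from(JSON.stringify(meta))); // metadata is integrity-protected, not hidden
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { meta, iv, body, tag: c.getAuthTag() };
}

// Server: holds no key, so it can route on and log metadata but sees only ciphertext.
function relayView(env) {
  return { ...env.meta, bytes: env.body.length, body: env.body.toString('hex') };
}

// Recipient: decrypt at the end point; throws if body or metadata changed in transit.
function unseal(recipient, senderPublicKey, env) {
  const d = crypto.createDecipheriv('aes-256-gcm', sessionKey(recipient, senderPublicKey), env.iv);
  d.setAAD(Buffer.from(JSON.stringify(env.meta)));
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.body), d.final()]).toString('utf8');
}

function demo() {
  const alice = newEndpoint('alice'), bob = newEndpoint('bob');
  const env = seal(alice, bob, 'Q3 redundancy list attached'); // constructed sample message
  const flipped = Buffer.from(env.body); flipped[0] ^= 1;     // one bit changed in transit
  const rejects = (fn) => { try { fn(); return false; } catch { return true; } };
  return {
    seen: relayView(env),
    received: unseal(bob, alice.publicKey, env),
    tamperRejected: rejects(() => unseal(bob, alice.publicKey, { ...env, body: flipped })),
    outsiderRejected: rejects(() => unseal(newEndpoint('server'), alice.publicKey, env)),
  };
}
console.log(demo());
```

The `seen` object is the relay's complete view: sender, recipient, timestamp and message size are readable, while the body is only recoverable by an endpoint holding one of the two private keys.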
WhatsApp introduced E2EE in 2016 while Facebook Messenger offers it as a separate service, with plans to roll it out as standard.
Google recently began testing end-to-end encryption on its Messages service across one-to-one conversations. Similarly, Zoom began technical previews of E2EE in October, with feedback determining whether it will expand its use.
The case in favour
Perhaps ironically, the cases both for and against end-to-end encryption focus on crime. As a secure form of encryption, E2EE stops messages from being intercepted mid-transit. And although other encryption methods may prevent cybercriminals from eavesdropping on messages, what E2EE offers exclusively is keeping the service providers from accessing the messages.
This protects the sender and recipient from criminals who have managed to access the server’s systems, or potentially from rogue actors within the organisation itself.
It also guards against legitimate, if unwanted, use by organisations, such as the storage and analysis of personal data for commercial purposes.
For companies that deal with confidential and sensitive information such as health data, for example, having verifiable privacy credentials is vital. Using messaging services with E2EE helps ensure the integrity of the data.
That said, every company uses and produces sensitive information – financial data, customer data, information about job listings and redundancies. In many cases, there is a legal mandate to ensure that this information remains private.
As such, E2EE has a valid use case in maintaining compliance with data protection legislation. This is especially important in the age of GDPR, when a data breach can potentially put a company out of business.
However, the appeal offered by E2EE means that some companies have been falsely claiming to offer it. Zoom was taken to court in America earlier this year over claims it exaggerated the level of encryption it offers.
The case against
Opponents of end-to-end encryption claim that it enables criminal activity, including child abuse and terrorism. It is telling that the recent EU draft proposals come in the wake of a series of terror attacks in France and Austria.
In addition, it was revealed that Facebook is behind the vast majority of reported online child abuse images. The UK’s National Crime Agency has warned that if Facebook rolls out E2EE, this could effectively reduce that number to zero, allowing the perpetrators to operate undetected and unhindered.
Despite this, Facebook has not said that it will delay or rethink plans to roll out E2EE.
This takes place against the background of a larger conflict between tech companies and authorities that has been playing out across the US and EU. In the US, for example, Apple and the FBI have been involved in a lengthy dispute over whether US courts can compel the company to unlock cell phones to provide evidence.
On a practical level, there are cases where E2EE is undesirable. Weaker forms of encryption that share unencrypted data with the server increase the range of services the platform can offer. This includes storing message history and connecting additional participants using alternative channels into a conversation (useful for group calls).
Ironically, for a protocol designed to prevent cyberattacks, E2EE can actually interfere with cybersecurity operations by making it impossible to detect threats contained in messages, or to analyse them for potential data breaches.
The future of E2EE
As 2020 draws to a close, hope that 2021 will see an end to the pandemic is growing. However, new ways of working, such as the use of digital technology and flexible conditions, are likely here to stay.
That unfortunately means the growth in the number of cyberattacks is likely here to stay. As such, ensuring adequate data protection will be vital over the next few years, with E2EE providing one of the most secure standards available.
While its future may well be in question, it is undoubtedly wiser to take precautions now than risk a potential breach waiting for the authorities to decide its fate. And although both sides of the debate present compelling arguments, they have been deadlocked for years.