Introduction
In the world we live in today, secrecy is sacred to everyone; there are many things that are said and done that we do not want others to know. Over time in our society conversations have moved from many different platforms. We started with communications face-to-face, then strictly over the telephone, and after the enhancements made to computers and cellphones, much of our daily communications have involved some sort of messaging or email application. Many of these conversations contain information meant only for the eyes of the sender and receiver.
In an effort to keep our most secure messages to and from each other secure, many people turn to End-to-End encryption (E2EE). When sending unencrypted messages back and forth to people using various programs and service providers, your messages are stored unencrypted in their servers for anyone to be able to access. However, when you use programs that use E2EE, this prevents the ease of access. With E2EE, the sender and receiver only know the decrypt key. Therefore, when the message is stored in the company’s server, it remains encrypted.
Through this paper we will take a closer look at E2EE and how it truly works. We will also identify some key programs that use E2EE and look at how effective the E2EE is in real life situations. Lastly, I will look at how the E2EE plays a role in our intelligence community today. Hopefully by the end of this paper you will have a better understanding of E2EE and be able to decide whether this is the appropriate option for you and your personal conversations.
What is End-to-End (E2EE) Encryption?
The first step to understanding whether or not E2EE is the appropriate means of encryption for you, we must first fully understand what E2EE is and how it works. In today’s world there is not a day that goes by that does not have some sort of news article or IT forum comprised of questions or concerns about E2EE. When people use the term End-to-End encryption, they are referring to communications that are only accessible by the communicating parties. “Messages are encrypted in a way that only the unique recipient of a message is allowed to decrypt it, and not anyone in between. No “eavesdroppers” can access the cryptographic keys required to decrypt the conversation, including telecom and Internet providers or the service provider who runs the messaging services,”(Yeldiren, 2016).
Public Keys vs. Private Keys
When using E2EE, the encryption involved is also know as public-key encryption. When using this type of encryption, each user’s program will create a pair of keys to be used. The pair of keys will consist of the public and the private key. The public key is accessible by anyone that wants to send messages back and forth with that specific user. Therefore, when a user compiles a message ready to be sent, they attach the public key of the recipient to the message so that it is recognizable and securely encrypted so that it can only be opened by the designated recipient. When the recipient receives the message, they will then use their own private key to decrypt and read the message. The private key is specific to each user, but unlike the public key, it never leaves the user’s system, (Public Keys and Private Keys). This same process is used every time messages are sent via an E2EE enabled program that helps to ensure the confidentiality of the messages and their content.
History of End-to-End (E2EE) Encryption
Although many are not aware of this, E2EE is not necessarily a new concept for secure messaging. Some of the first forms of free E2EE messaging applications date back to the 1990s. In 1991 Phil Zimmerman developed Pretty Good Privacy, which was a program that used to encrypt messages for the users. However, soon afterwards, Phil Zimmerman became a target of a three-year criminal investigation because he spread his program around the world as freeware and the US government accused him of breaching export restrictions for cryptographic software (History, 2016). A form of the program still exists today, better known as OpenPGP.
For the most part, the concept of E2EE remained relatively quiet over the years, until around 2014 after Facebook bought WhatsApp. Shortly afterwards, WhatsApp announced that it would begin offering E2EE messaging for it’s users. WhatsApp would be using the same security protocol developed by Open Whisper Systems, better known for their secure messaging application Signal. Later, in 2016, E2EE became the default option for all WhatsApp users. Shortly after, Google released their plans to use E2EE in their own messaging application, Allo (Burrell, 2017).
Program Use
Currently E2EE is available in many different secure messaging programs. Some of the most widely known programs that use E2EE are WhatsApp, Signal, Allo, Facebook Messenger, Viber, iMessage, and Telegram. Below is a brief description of each showing how they may or may not differ from each other (Ranosa, 2016).
WhatsApp is better known for the recent controversy that has erupted in the news about how they use their E2EE and how secure it really is. WhatsApp was started by two ex-Yahoo employees (Rastogi, N., & Hendler, J., 2017), has more than 1 billion users, and is believed to be the world’s most popular messaging app. WhatsApp is highly touted because it uses the Signal protocol to, “o encrypt all messages, including multimedia messages and group chats, for all users, including those on iOS, by default,” (Lee, 2016).
Signal
Developed by Open Whisper Systems, Signal is believed to the secure messaging program that started it all. Although it does not match the number of users that WhatsApp has, it has been well advertised by ex-NSA whistleblower Edward Snowden (Tung, 2016).
Allo
Allo is a messaging app that is produced by the well-known company Google. Although it does not set its messages as using E2EE as the default option, the option to have “incognito” messaging is available for users. Google struggles with using E2EE as a default option for all of the messages being sent in the app due to the various artificial intelligence features available via Allo (Ranosa, 2016).
Facebook Messenger
Facebook messenger has slowly moved into the game of offering E2EE to its users. An interesting feature that Facebook messenger offers that many other applications do not is that you can set a time to indicate how long a secret message would actually stay visible. E2EE is not a default option, and is only available if both users are in secret conversation mode. Additionally, if the user switched devices, the secret messages will no longer be available (Ranosa, 2016).
Viber
Viber has had the E2EE option available for a long time now. Similar to many other applications, Viber is able to encrypt both voice and chat messages. An interesting feature that Viber offers is to show various colored locks in the massages to differentiate between different E2EE settings (Ranosa, 2016).
iMessage
Apple has long been using E2EE for their messages via the iMessage application. However, unlike other companies, Apple has been fighting for a long time against giving the user’s secured messages to authorities when requested. The way that apple has avoided this fine line is the use of the cloud and storing messages. If the user stores their messages to the iCloud, all of the stored messages can be turned over to the authorities (Ranosa, 2016).
Telegram
Last, but not least is Telegram. Like many of the aforementioned programs, the only way to utilize the E2EE while in the program is to go into your settings and select it, because it is not the default option. One feature that not many users are aware of is that all of the communications from the Telegram application are stored on the Telegram servers. Therefore, not only will your messages be willingly handed over to the authorities requested, but also anyone with access to the Telegram servers is able to view your messages (Ranosa, 2016).
Downfalls
Although E2EE is sought after today due to the increase in awareness of personal security and privacy, with every up there is always a down. One of the biggest vulnerabilities with using E2EE is your own personal computer. The first rule of using E2EE is to always keep your private key private, but all it takes is one hack of your personal computer and your private key could be stolen. With this anyone can read the encrypted messages intended solely for you. Even if your private key were not taken when your system were hacked, they could still easily access any of the decrypted messages that you have not deleted from your messaging apps (Greenberg, 2014, & Friedersdorf, 2015).
Another interesting thing to note about using E2EE is that it, “does nothing to protect the metadata around a message, such as details about the sender and recipient, when it was sent and the location it was sent from,” (Tung, 2016). Therefore, at most when you are using the E2EE for messaging, the only thing you are possibly securing is the content of the messages.
Lastly, although E2EE may secure the messages that are composed, if the program that you are using does not main their security protocols, your messages are no more secure than if you were an ordinary messaging app. The security of your messages relies highly on the programs security protocols, especially whether they store the messages on their server or not. As previously mentioned, if the messages are stored on the program’s servers, it is likely that those messages would have to be handed over to the authorities when legally requested (Jones, 1997).
Conclusion
E2EE remains a high priority for many users as secrecy remains sacred to everyone. With little to no effort a user is able to send a secure message to another user of choice with a sense of confidence in knowing that no one but the intended user will have access to that message. What many users are not aware of is that just because a program promotes that they provide E2EE, it does not necessarily mean that every message sent with utilize it. Almost half of the aforementioned programs that offer E2EE for their messages do not notify the user that E2EE is not default and has to be enabled.
Additionally, even if you use the most secure encryption available, you are still faced with the same security concerns as you would if it was sent unencrypted. Your security of your messages lies in the hands of the messaging program that you chose to use and whether or not your system itself is as secure as possible.