Encryption is one of the key technologies that make our modern internet-connected life possible. Without it, most services we take for granted these days wouldn’t be safe or practical. Every time you shop online, use a bank website or anything that requires security and trust, you’re making use of modern encryption technology.
Encryption is everywhere, but it’s not at all implemented the same way. Since most modern encryption is too hard to crack, those who want to listen in on private conversations need to take a different approach.
One method would be to look for weak places in the communication chain. For example, if the connection between your computer and router isn’t encrypted, it doesn’t matter if the router has a VPN encrypting everything going out on the web. An attacker could just intercept the data before it’s encrypted. This is one of the reasons that technologies like HTTPS are so important. They make sure that your communication is encrypted from the moment it leaves your computer until it reaches its destination. That’s all well and good, but there’s still one serious weakness in the encryption chain that needs to be addressed.
The Keeper of the Keys
This weakness revolved around who has access to the encryption keys. The way modern computer encryption works is by taking a generated alphanumeric key and using it in a complex algorithm to scramble information. Without the key, there’s virtually no hope of ever cracking the code.
Getting your hands on the key is, therefore, the most efficient and effective way to decrypt the information. In a perfect world, only you and the person you are communicating with will have copies of the keys. Unfortunately, that’s not how it works most of the time. While your communication is still encrypted from eavesdropping, you don’t actually hold the key. Instead, the service provider is the custodian of the encryption keys.
This is bad for a couple of reasons. It means that you have to have trust in a faceless company, hoping that they will handle your information ethically. After all, they can read and sift through whatever information you send through the channel.
That’s not all! It gets worse because the provider itself can be the target of an attack from hackers who might want to steal the keys. If they’ve been intercepting encrypted data for a while it might mean exposure of everything that’s been transmitted through the system. If the keys can be stolen without detection, all future communication is compromised.
The government also has the power to seize encryption keys from the company or otherwise compel it to decrypt the information. Either way, what you’ve said or sent over this sort of encrypted channel is hardly secure where it really matters.
End-To-End Encryption to the Rescue
The solution to this is an encryption method known as “end-to-end” encryption (E2EE). Here the encryption keys and all encryption and decryption happens at the two ends of the communication. No one in the middle of the stream intercepting the communication can make any sense of it.
When I say no one, I also include the actual company whose product you are using to communicate in the first place. They also have absolutely no idea what you are saying to the person on the other end.
How It Works
To understand how end-to-end encryption works, we have to talk briefly about encryption keys. There are broadly speaking two types of keys in use: symmetric and asymmetric.
With symmetric encryption solution, there is only one key. The key can be used both to encrypt and decrypt information. Obviously, this means that the key itself can never be shared publicly or massive security issues arise.
That might sound like a deal breaker, but we all use symmetric encryption virtually every day. The WiFi hotspot you connect to at home and at the coffee shop uses symmetric encryption. The key is the WiFi password, known as a pre-shared key. Anyone who knows that password can intercept and decrypt everything that passes through the WiFi network. Which is why, incidentally, you must use a VPN (e.g. ExpressVPN) when using public WiFi!
Since it’s easy to privately install the key on both the router and device that has to access it, symmetric encryption is just fine for WiFi. When you need to contact someone over the web, how do you get the key to the other person safely? If the key is intercepted it all means nothing after all. The answer lies in the magic of asymmetric encryption.
The Genius of Asymmetric Encryption
With asymmetric encryption, there isn’t just one key, but a pair of keys. One is known as the private key and the other as the public key. The two keys are mathematically related. Information that you encrypt using the public can only be decrypted by your private key.
This means you and the other person can exchange your public keys and never share your private keys. The best anyone can do with the public key is to send you a message that only you can read.
This is what makes end-to-end encryption possible.
What About the Private Keys?
Ah! Good catch. If the private keys are provided to you by the service then that still doesn’t solve the problem of government or corporate eavesdropping. You have no way of knowing whether the keys were destroyed or not.
In end-to-end encryption, the keys are generated on the user side. Only the public key is submitted. Therefore a service such as WhatsApp can’t see what you and the other person are saying at all.
Not As Simple as It Sounds
The above is a little oversimplified if you compare it to how actual end-to-end encryption is implemented. For example, in the case of WhatsApp, every single message has its own freshly-generated set of keys. In the case of Signal, a powerful and complex set of various keys known as a “key bundle” are used to independently handle various aspects of the communication. It’s one of the most sophisticated end-to-end encrypted messaging app available to the public today.
Why Should You Care?
I think it’s obvious from the discussion above that anyone who cares about the privacy of their conversations should take note of end-to-end encryption.
Even if you have nothing to hide, your privacy still matters. Governments, corporations, and criminals can use the information they steal from you to harm you. At the very least they can exploit you by lumping your data together with everyone else and creating predictive algorithms to manipulate us with advertisements and other schemes.
The final reason you should care is that of free speech. It seems we now live in an age where free speech is under attack in many parts of the world. By using end-to-end encryption you can still ensure that ideas some people don’t want out in the world can still get into the zeitgeist. Privacy is a human right, but any rights we don’t enforce we are liable to lose. This is a tool that helps do just that.