what-matters-in-security

Why I agree with end-to-end encryption (E2EE) - Let's discuss

This post builds on the topic introduced in "Does your privacy matter? Why you may need to value E2EE (Non-Technical analysis)". We then proceeded to understand the arguments in favour and against E2ee in "Does end-to-end encryption (E2EE) matter to you? Which side are you on?"

In this post, I do a bit more of my thing, where I try to navigate objectively, express my understanding, and take a position.

Analysis

Hearing both sides, I became intrigued to learn a bit more about the usage of the technologies in modern applications.

I knew that WhatsApp was of interest to people often due to its secure and private end-to-end reputation. I also noticed personal networks start their usage of WhatsApp built on the same drivers i.e. it is known to be hard for non-authorised people to access their chats (and, of course, network effects driven by friends of friends etc.).

What I found was eye-opening:

  • The adoption of WhatsApp dwarfed all other messaging applications globally.
  • WhatApp consistently came up as the most popular chat globally.
  • It keeps on leading messaging services both in usage and number of active users.
The market is spoke, globally

The global public rewarded and continues to reward solutions from vendors that are demonstrably using E2EE. It appeals to their sense of privacy and enables them to trust the providers of their tools.

Equipped with this Unique Selling Point (E2EE), WhatsApp was the consistent de-facto winner across all messaging platforms used globally by individuals and business users.

It also explains why there was such widespread public push to adopt E2EE amongst incumbent providers. All Big tech businesses are taking very tangible and public steps to show their customer base that they are doing all they can to keep their data safe and only accessible to intended audiences.

WOW! This is one heck of a pickle!

There are compelling arguments both for and against E2EE. For example, while the debate about protection and privacy is legitimate and valid, the question remains whether removing E2EE or sabotaging its integrity is the best way to go about this.

Blanket surveillance can be inefficient in targeting bad actors, especially when many take steps to hide their identity online. I struggle to support the argument for the erosion of privacy by outlawing E2EE, essentially opening the doors to abuse of information by criminal organisations and rogue states, i.e. the very people such regulation is intended to protect us from.

  • Social networks, social sharing, chat and digital communications will continue being used in increasing volumes for entertainment, health,  work, friendships and more.
  • The emergence of the metaverse, hybrid entertainment, and hybrid work cultures on a hyper-global scale will only worsen the amount of information we generate!
  • The systems that power these metaverses represent enormous honeypots of user data, private conversations, methods of expression, and personal likings that, once accessed, can help third parties build a "digital copy" of a person to be used for illicit reasons.
  • We have seen bad actors heavily abuse and wreak havoc using information that is all too easily accessible.
  • We have seen the extent of how individuals and entities use to hide their illicit activities (Panama papers, anyone?).
  • We have seen governments and organisations abuse the scale of modern processing and data (Cambridge Analytica, anyone?) to create an unfair advantage and scenario for crowd manipulation.
  • Any individual/organisation could exploit these purpose-built vulnerabilities/backdoors with sufficient technical ability worsening the danger of abuse of access as it goes undetected and unreported.
  • While the arguments made by regulatory bodies make sense, there is always a question mark around these organisations' real and full intentions. While leveraging the minimisation of crime as an excuse, they gain access to a much broader set of data. Based on historical evidence, both cases seem likely to be true.

Analogy

Oversimplifying the proposals being put forward by regulatory bodies to eliminate or wholly or partially disable E2EE is akin to either:

  • Forbidding all buildings and vehicles from having doors with locks, or
  • Giving a spare key to the authority for them (or anyone who happens to steal that key) to walk in whenever they see fit.

The analogy above is quite flawed as police can enter my property with a proper warrant. However, in full knowledge of the power of data, I am both aware and scared to give that power to individuals that have all too often put the personal gain at the forefront of their agenda hidden under a message of National interest.

The power of manipulating crowds, identifying ideologies and targeting selected individuals for censorship is all too easy.

Just because someone can abuse a thing doesn't make the thing bad, it makes the person who commits the abuse bad.

With a similar analogy, I would have to favour banning all instances of guns under all conditions. While I disagree with some applications of the right to bear arms, we have to realise some legitimate cases.    

If we support E2EE are we doing it because we prefer guilty people to go free more than innocent people to get convicted?

We do not ban cars to fight drunk driving, and we shouldn't eliminate our right to privacy in the name of lazy approaches towards enforcing the traditional way of applying the law. We need to make changes and expect both:

  • Parents and technology companies at being better at putting technology in the hands of children.
  • Authorities to upgrade their way of governing.
  • Figure out new alternative ways to govern in a new borderless virtual world.

My current position (subject to change with new information)

I find it hard to embrace a concept that sees me voluntarily giving up my security or the limited tooling/knowledge I have to keep safe (or as safe as one can be in the circumstances).

I also believe that this E2EE is such a small piece in a much bigger security ecosystem that must be considered (Technologically and Morally). Acquiescing to removing E2EE will only lead to the subsequent demands of having 24/7/365 devices snooping and actively listening to conversations, and recording every action. The slippery slope of losing one's autonomy is crazy steep! The removal of E2EE removes a basic tool that an individual can use to achieve that bit more personal security in a new world that needs it.

It starts from this, and very soon, you find authorities:

  • monitoring your health vitals (for your health and safety)
  • accessing recording and analysing all private conversations (for your health and safety)
  • tracking where you go, how you go and with whom you go (for your health and safety)
  • etc.

The usages of encryption are not there to support criminal organisations. Sure criminal organisations will use them, but opportunity and freedom to communicate and transact in the knowledge of secure privacy is a freedom I cherish and think is fundamental to everyone.

Right now, my vote goes towards E2EE.

However, I remain faithful to one of my principles:

Be radically open-minded but not easily persuaded

I would love to learn more about your opinion. This is not an easy topic, and I fully expect to change my mind as I learn new information.


Let us know what you think!. We believe in productive discourse and welcome opportunities to refine our understanding through discussion. Comment in the comments area below or reach out on hi@andremuscat.com

Comments

Follow Andre Muscat and join the conversation. As a follower, you will also receive new posts by email (you can unfollow at any time).

Share on


Tags

Follow today!

Keep up to date on new postings and materials

Follow Now