Is End-to-End to end?

New online safety regulation could compel service providers to scan digital communications, effectively outlawing End-to-End encryption.

Category: Insight | Published Date: 15 May 2024

Modern communication services (like Messenger, WhatsApp, Signal and Zoom) almost invariably make use of End-to-End encryption (E2E), meaning users can message and call each other safe in the knowledge that their communications are encrypted and can only be deciphered by the intended recipient. However, moves by some countries to increase online safety may be putting E2E at risk.

What is E2E?

E2E uses “asymmetric” (public key) cryptography to secure your messages. This is the digital version of writing your message in a secret cypher that only your friends know how to decode. Let’s say my friend and I want to exchange encrypted messages. Before we start communicating, each of us generates a pair of linked digital keys: public keys that we exchange, and private keys (AKA “decryption keys”) that we keep. It’s important to note that the public key can only be used for encryption, while the private key can only be used for decryption, thus “asymmetrical”. When I want to message my friend, I use her public key to encrypt the message before I send it, turning it into an apparently meaningless string of letters and numbers. This message can only be decrypted by using her private key, which only she has. When she responds, she encrypts her response with my public key, and I can then decipher the message with my private key.

While this sounds complicated, most people never have to worry about the nuts and bolts of it, as the messaging apps and services take care of all of this in the background. When you call or message someone with an app that makes use of E2E, your device and the recipient’s device automatically create their own key pairs and exchange the public keys (called a “handshake”), while each private key stays on the device that created it. Then you’re free to communicate without risk of someone intercepting your juicy gossip.
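The exchange described above can be run end to end in a few lines. The following Node.js sketch is an added example, not code from any messaging service: it follows the article's simplified model (RSA-OAEP encryption of a short message straight to the recipient's public key), and the party names, the sample messages and the `relayScan` function standing in for a provider-side content scan are all constructed for illustration.

```javascript
// Added illustration: party names, the messages and relayScan() are constructed.
const crypto = require('crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Each party generates a linked key pair and shares only the public half.
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender: encrypt with the recipient's public key.
function encryptFor(recipientPublicKey, text) {
  return crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, Buffer.from(text, 'utf8'));
}

// Recipient: only the matching private key recovers the text (throws otherwise).
function decryptWith(privateKey, ciphertext) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext).toString('utf8');
}

// Hypothetical provider-side scan: search the relayed bytes for a keyword.
function relayScan(bytes, keyword) {
  return bytes.includes(Buffer.from(keyword, 'utf8'));
}

function demo() {
  const me = newKeyPair();
  const friend = newKeyPair();
  const relay = newKeyPair();            // the provider's own key, unrelated to ours
  const message = 'juicy gossip: see you at 8';

  const toFriend = encryptFor(friend.publicKey, message);   // what the relay carries
  const reply = encryptFor(me.publicKey, 'ok, 8 it is');

  let relayCanDecrypt = true;
  try { decryptWith(relay.privateKey, toFriend); } catch { relayCanDecrypt = false; }

  return {
    wireBytes: toFriend.length,          // 256 opaque bytes for a 2048-bit key
    scanOfPlaintext: relayScan(Buffer.from(message), 'gossip'),
    scanOfCiphertext: relayScan(toFriend, 'gossip'),
    relayCanDecrypt,
    friendReads: decryptWith(friend.privateKey, toFriend),
    iRead: decryptWith(me.privateKey, reply),
  };
}

console.log(demo());
```

The keyword scan succeeds on the plaintext and fails on what the relay actually carries, which is why a provider that relays E2E traffic has nothing readable to scan or hand over.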

E2E sounds great!? Why would anyone want to ban it?

Very few people are explicitly calling for a ban on E2E (with some notable exceptions – more on that later), but there’s a chance it will end up a casualty of the war on online harm. For example, the UK’s recently introduced Online Safety Act is designed to reduce online harm by placing a duty of care on the providers of online services to safeguard their users (particularly children) from harmful content, such as cyber-bullying, pornography, or hate speech. As part of their duty of care, captured service providers will be required to proactively scan data uploaded by their users (including private communications like direct messages) for potential illegal or harmful activity, and make such information available to law enforcement agencies. This will not be possible for data exchanged using E2E.

There is precedent for allowing law enforcement agencies access to communications that the public might assume are private. For example, New Zealand’s Telecommunications (Interception Capability and Security) Act 2013 (usually referred to as TICSA) requires that telecommunications providers (or “network operators” in the parlance of TICSA) “must ensure that every public telecommunications network that the operator owns, controls, or operates, and every telecommunications service that the operator provides in New Zealand, has full interception capability”. This is one of the reasons your phone calls and good old-fashioned SMS texts are not E2E encrypted, which explains some of the popularity of messaging services like Signal and Messenger, often referred to as “over-the-top” (or OTT) as they run on a telco network but are not provided by the network operator themselves. So, in a sense, the Online Safety Act and similar legislation are simply trying to put the sort of interception obligations that TICSA and the like require of old-fashioned telcos onto the new generation of OTT services.

Similar laws are making their way through the USA’s legislative process as well. Both the STOP CSAM Act (Strengthening Transparency and Obligation to Protect Children Suffering from Abuse and Mistreatment Act of 2023) and the EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2023) would, if enacted, make tech platforms liable for the content posted by their users. Some commentators have suggested this would essentially force tech companies to surveil their users more than they already do, and one of the easiest ways to do that is to remove E2E from their platforms.

But, for a ringside seat at the front line of the battle for E2E, we need to head to Brussels, where the European Union’s member states are debating how to implement the long-gestating Child Sex Abuse Regulation (or CSAR). A leaked report from last year shows that most member states were in favour of forcing companies to build some sort of interception capability into their E2E services. Spain, however, wanted to deal a knock-out blow and ban E2E altogether.

So how likely is it that we’ll lose E2E encrypted services?

That’s still up in the air, but it’s likely that a compromise will be found, and at least initially it may come down to what the EU decides. Multiple member states have voiced concerns over the proposed CSAR, which, among other things, could compel service providers to scan digital communications and, in effect, outlaw E2E. In fact, the current draft is a watered-down version, as one of the early CSAR drafts included provision for Client-Side Scanning, essentially meaning the contents of EU citizens’ devices would need to be scanned, not simply intercepted while in transmission. This is a far greater intrusion on privacy than simply forcing messages to be unencrypted (but that provision was taken off the table late last year).

France, however, has argued that banning E2E communications services will damage the bloc’s ability to compete in the tech space, and that, on a more fundamental note, E2E encryption is key to safeguarding an EU citizen’s fundamental right to privacy. And it now looks like they have some substantial legal precedent on their side. The European Court of Human Rights (ECHR) delivered a judgment in February that essentially banned any weakening of E2E. In PODCHASOV v. RUSSIA (while Russia is no longer a party to the European Convention for the Protection of Human Rights and Fundamental Freedoms (the Convention), and therefore no longer subject to the ECHR’s decisions, this case was first brought in 2019 when Russia was still party to the Convention) the Court ruled that the requirement under Russian law for all “internet communication organisers” to store all records of communications for at least six months, and, if requested by an applicable law enforcement agency, to submit those communications along with the means to decrypt them, is in breach of the Convention.

The ECHR stated that:

legislation providing for the retention of all Internet communications of all users [...][and the] requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society. In so far as this legislation permits the public authorities to have access, on a generalised basis and without sufficient safeguards, to the content of electronic communications, it impairs the very essence of the right to respect for private life under Article 8 of the Convention.

While that looks like (and is being touted by some in the pro-E2E camp as) a big win for E2E, it is always difficult to predict how the various member states (and ultimately, those who do business within and across their borders) will respond to this. For now, all we can safely say is that the battle for E2E is not over. Watch this space...
