According to the 2020 Cost of a Data Breach Report by Ponemon Institute and IBM Security, data breaches are costing enterprises $3.86 million on average, and they’re taking an average of 280 days to discover the problem. Clearly, hackers can and already do easily identify and access both corporate and personal information when files are transmitted from device to device unless certain cybersecurity measures are put into place. End-to-end encryption (E2EE) is the easiest solution for protecting this data so it doesn’t get into the wrong hands.
End-to-end encryption is the practice of encrypting data and information as it passes from device to device. The sending and receiving devices can see the original contents, but no other interceptors have the correct keys to decrypt the message. This approach to cybersecurity offers many benefits to companies and users that implement the protection, but there are still some drawbacks in areas like consumer-provider relationships. Read on to learn more about how end-to-end encryption works, as well as some of the pros and cons of this type of security.
“The total number of records compromised in 2020 exceeded 37 billion, a 141% increase compared to 2019 and by far the most records exposed in a single year since we have been reporting on data breach activity.” –Risk Based Security 2020 Year End Report
What is End-to-End Encryption?
- How it Works
- The Pros of End-to-End Encryption
- The Cons of End-to-End Encryption
- Apps & Software that Use End-to-End Encryption
How it Works
When end-to-end encryption is applied to data in transit, the data is first encrypted, or jumbled, on the sending device. The message cannot be decrypted by hackers, service providers, or anyone else until it is received by the end device.
But how does end-to-end encryption keep data encrypted while it travels? Each device generates a pair of cryptographic keys: a public key and a private key. The public key is public in the sense that it can be shared with anyone, and anyone who holds it can encrypt a message for that device.
The paired private key, however, never leaves the device that generated it, and it is the only key that can decrypt messages encrypted to the matching public key. Hackers can theoretically intercept the message in transit, and service providers can handle the encrypted message in order to store or relay it, but it remains completely illegible until it reaches the recipient device and is decrypted there. This practice ensures that the data can only be viewed in its true form on the sending and receiving devices, and nowhere in between.
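To make the key handling concrete, here is an added worked example in Go, written for this article and not taken from any of the products named on this page; it uses only the standard library. Each device generates its own X25519 key pair and publishes only the public half; a sender derives a shared AES-256-GCM key from its own private key and the recipient's public key, and the relay in the middle forwards an envelope whose addressing it can read but whose contents it cannot. The names alice, bob and eve, the hash-based key derivation and the sample message are assumptions made for the demo; a real protocol would use a proper KDF and key ratcheting.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Device is one endpoint. Pub is shared with everyone; priv never leaves the struct.
type Device struct {
	Name string
	Pub  *ecdh.PublicKey
	priv *ecdh.PrivateKey
}

func NewDevice(name string) (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, Pub: priv.PublicKey(), priv: priv}, nil
}

// aead derives an AES-256-GCM cipher from the X25519 shared secret with peer (hash of label+secret stands in for a real KDF; demo only).
func (d *Device) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := d.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("e2ee-demo-kdf|"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope is exactly what the relay sees: readable addressing, a nonce, and ciphertext ending in GCM's 16-byte tag.
type Envelope struct {
	From, To   string
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt seals plaintext for the holder of toPub; the addressing header is
// authenticated as additional data, so rewriting it in transit breaks the tag.
func (d *Device) Encrypt(toName string, toPub *ecdh.PublicKey, plaintext []byte) (Envelope, error) {
	g, err := d.aead(toPub)
	if err != nil {
		return Envelope{}, err
	}
	env := Envelope{From: d.Name, To: toName, Nonce: make([]byte, g.NonceSize())}
	if _, err := rand.Read(env.Nonce); err != nil {
		return Envelope{}, err
	}
	env.Ciphertext = g.Seal(nil, env.Nonce, plaintext, []byte(env.From+"->"+env.To))
	return env, nil
}

// Decrypt opens an envelope with the sender's public key; a wrong private key or any changed bit fails the GCM tag check.
func (d *Device) Decrypt(fromPub *ecdh.PublicKey, env Envelope) ([]byte, error) {
	g, err := d.aead(fromPub)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+"->"+env.To))
}

// DemoResult records what each party could do with one relayed message.
type DemoResult struct {
	Recovered                               string // plaintext as read by bob
	RelayReads, OutsiderReads, TamperCaught bool   // relay sees text? eve decrypts? bob rejects a flipped bit?
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RunDemo sends one message from alice to bob through an untrusted relay that keeps a copy for eve and flips one bit.
func RunDemo() DemoResult {
	alice, bob, eve := must(NewDevice("alice")), must(NewDevice("bob")), must(NewDevice("eve"))
	const msg = "quarterly numbers attached" // constructed sample message
	env := must(alice.Encrypt("bob", bob.Pub, []byte(msg)))
	r := DemoResult{Recovered: string(must(bob.Decrypt(alice.Pub, env)))}
	r.RelayReads = bytes.Contains(env.Ciphertext, []byte(msg))
	_, err := eve.Decrypt(alice.Pub, env) // eve's private key yields a different AES key
	r.OutsiderReads = err == nil
	flipped := Envelope{From: env.From, To: env.To, Nonce: env.Nonce, Ciphertext: append([]byte(nil), env.Ciphertext...)}
	flipped.Ciphertext[0] ^= 0x01 // the relay corrupts one bit before delivery
	_, err = bob.Decrypt(alice.Pub, flipped)
	r.TamperCaught = err != nil
	return r
}
```

Running RunDemo shows bob recovering the plaintext while the relay's copy contains none of it, eve's own key pair failing to decrypt, and a single flipped bit being rejected by the tag check, which is the integrity property discussed under the pros below.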
The Pros of End-to-End Encryption
Protection of Privacy
With end-to-end encryption, private communications and other details, like timestamps and significant locations, are not easily read if intercepted by hackers or service providers like Google or Apple. When E2EE is enabled, you can rest assured that personal privacy prevails and consumer data is protected from outside viewers.
Integrity of Data
In other security setups, outside users can potentially gain access to a piece of data and manipulate its contents before it reaches the recipient (or worse, they can stop its delivery entirely). End-to-end encryption means that these malicious actors do not have the necessary key to access data in transit, so the integrity of data is maintained.
Highly Sensitive Data Exchanges
Whether it’s due diligence for a high-profile M&A transaction or the sharing of sensitive government intelligence data, end-to-end encryption is one solution that makes sure that no one outside of the sending and receiving parties can spread highly sensitive information. The reasons are twofold: 1) The key system in end-to-end encryption prevents unauthorized devices from opening the message. 2) If users maliciously or accidentally come across the message, end-to-end encryption has made it indecipherable to them.
Device Level Over Server Level
Other types of encryption focus on encrypting data at the server level, but if a malicious actor or other outsider gains access to that server, they can decrypt any information in that server fairly easily. Overcoming end-to-end encryption requires hackers to perform device-level hacks to get the information that they want, which is considerably more difficult and time-consuming to do, leading most hackers to avoid those types of attacks altogether.
Avoiding High-Cost Attacks and Reputation Damage
Let’s take a look at the biggest data breach in history: Yahoo’s 2013 breach that compromised approximately 3 billion user accounts (all of their customers’ accounts at that time). Yahoo claims that no clear-text passwords or financial information were compromised in the attack, but experts believe that Yahoo’s “outdated, easy-to-crack” encryption still exposed those records—billions of records—to malicious actors.
Needless to say, this attack damaged Yahoo’s reputation with customers, but it also damaged their negotiation powers with other major businesses. In 2017, Yahoo was in acquisition negotiations with Verizon, and after this news came to light, they were forced to lower the price of their assets by at least $350 million.
The Cons of End-to-End Encryption
Although end-to-end encryption offers many high-value benefits to enterprises and users, the security practice still suffers from several shortcomings and has led to some public safety concerns:
Ledger is Still Available
End-to-end encryption jumbles all of your data’s contents in transit, but it does not hide the fact that data is being transferred. The ledger of communication, the metadata recording who sent something to whom, when, and how much, remains with the service provider, so anyone with access to it can still find records of transactions and possibly deduce the contents based on the sending and receiving parties.
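As an added illustration (not from the original article), the following Go program models the ledger such a provider keeps: sender, recipient, timestamp and ciphertext length for each message, with no content at all. The sample records and the names in them are constructed for the demo. It shows how much a provider, or anyone who obtains its logs, can still learn from that ledger, and how padding messages up to fixed-size buckets before encryption, a common mitigation, removes the message-size signal.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// RelayRecord is one line of the provider's delivery ledger: what an E2EE
// service still stores about a message whose content it cannot read.
type RelayRecord struct {
	From, To  string
	At        time.Time
	CipherLen int // bytes of ciphertext forwarded
}

func at(s string) time.Time {
	ts, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return ts
}

// Ledger is a constructed sample, not captured traffic.
var Ledger = []RelayRecord{
	{"alice", "bob", at("2021-03-01T09:05:00Z"), 180},
	{"bob", "alice", at("2021-03-01T09:06:00Z"), 96},
	{"alice", "bob", at("2021-03-01T09:20:00Z"), 2400000},
	{"alice", "carol", at("2021-03-01T22:40:00Z"), 140},
	{"alice", "bob", at("2021-03-02T09:15:00Z"), 210},
	{"dave", "carol", at("2021-03-02T13:00:00Z"), 77},
}

// ContactCounts maps "from->to" to the number of messages between that pair:
// the social graph is fully visible without decrypting anything.
func ContactCounts(recs []RelayRecord) map[string]int {
	counts := map[string]int{}
	for _, r := range recs {
		counts[r.From+"->"+r.To]++
	}
	return counts
}

// BusiestHour returns the UTC hour in which who sent the most messages, or -1 if none.
func BusiestHour(recs []RelayRecord, who string) int {
	perHour := make([]int, 24)
	for _, r := range recs {
		if r.From == who {
			perHour[r.At.UTC().Hour()]++
		}
	}
	best, bestCount := -1, 0
	for h, n := range perHour {
		if n > bestCount {
			best, bestCount = h, n
		}
	}
	return best
}

// LikelyAttachments returns records whose ciphertext exceeds threshold bytes:
// an AEAD adds only a fixed-size tag, so ciphertext length tracks plaintext length.
func LikelyAttachments(recs []RelayRecord, threshold int) []RelayRecord {
	var out []RelayRecord
	for _, r := range recs {
		if r.CipherLen > threshold {
			out = append(out, r)
		}
	}
	return out
}

// DistinctSizes counts how many different ciphertext lengths the ledger would
// show if every message were padded up to a multiple of bucket bytes before
// encryption. bucket=1 means no padding; larger buckets blur the size signal.
func DistinctSizes(recs []RelayRecord, bucket int) int {
	seen := map[int]bool{}
	for _, r := range recs {
		seen[((r.CipherLen+bucket-1)/bucket)*bucket] = true
	}
	return len(seen)
}

func main() {
	counts := ContactCounts(Ledger)
	pairs := make([]string, 0, len(counts))
	for p := range counts {
		pairs = append(pairs, p)
	}
	sort.Strings(pairs)
	for _, p := range pairs {
		fmt.Printf("%-12s %d messages\n", p, counts[p])
	}
	fmt.Println("alice's busiest hour (UTC):", BusiestHour(Ledger, "alice"))
	fmt.Println("messages over 1 MiB:", len(LikelyAttachments(Ledger, 1<<20)))
	fmt.Println("distinct sizes unpadded:", DistinctSizes(Ledger, 1), "padded to 256:", DistinctSizes(Ledger, 256))
}
```

With the sample ledger, the contact graph, alice's working hours and the one oversized transfer all fall out of the log directly, while padding to 256-byte buckets collapses the six distinct sizes to two. Reducing what the ledger records in the first place (for example, not storing sender identity alongside delivery) is the complementary mitigation on the provider side.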
Unreliable Receiving Devices
End-to-end encryption does not guarantee the protection of data once it reaches the receiving device. If there’s a security problem on that device or if that device falls into the wrong hands, the data has already been decrypted on the receiving device, leaving it susceptible to outside parties who gain access to the device.
Law Enforcement and Surveillance Concerns
One of the most important and highly controversial issues with end-to-end encryption is that it’s almost too successful at protecting data from third parties. This is a great feature as far as protecting private information against hackers, but what about for law enforcement and intelligence officers who need to conduct a serious investigation?
With this level of encryption, they cannot access evidence that has been encrypted, and neither can service providers if they are asked to cooperate in the investigation. Only participating devices can provide the information they need. In serious cases related to allegations like terrorism, murder, and physical abuse, this data protection becomes a major hindrance to public safety and national security.
Many national governments and international committees have fought against end-to-end protections in personal devices and applications for this reason. One of the most recent end-to-end encryption ban coalitions includes India, Japan, New Zealand, Australia, the UK, and the United States. In their International Statement on End-to-End Encryption and Public Safety on October 11, 2020, they called for a ban on end-to-end encryption in apps like WhatsApp and pushed for technology companies to allow greater data access to international law enforcement forces.
Apps & Software that Use End-to-End Encryption
Several major companies have added end-to-end features to their offerings over the years, and while some have experienced great success, others have become embroiled in controversy.
Zoom
- Arrived in late October 2020 as a technical preview for free and paid users
- Zoom's traditional GCM encryption remains, but with public key cryptography and meeting participant key distribution
- Users can enable it on meetings so that only participants have the decryption key (not even Zoom servers have access with this approach)
- Users can confirm that they are using end-to-end encryption by looking for a green shield on their Zoom window
- In November 2020, Zoom came to a settlement with the FTC regarding allegations that it had misled customers into thinking it offered end-to-end encryption since 2016. Its previous “end-to-end, 256-bit encryption” still gave Zoom full access to meeting data.
WhatsApp/Facebook
- End-to-end encryption fully launched in April 2016
- Designed to secure messages, photos, videos, voice messages, documents, status updates, and calls
- Millions of users moved away from WhatsApp after finding out how their metadata could be used
Amazon Ring
- Video end-to-end encryption launched in January 2021
- Only enrolled customer mobile devices can decrypt security footage
- Launched in response to several security breaches and concerns in previous years
Microsoft Teams
- Announced end-to-end encryption plans at the Ignite conference in March 2021
- Functionality is expected for both personal and business use cases, on Signal, Skype, Jabber, and Teams
- Expected to secure 1:1 meetings and communications between users on Microsoft Teams
Data breaches are costing enterprises an average of $3.86 million each, and that number only seems to grow, particularly in key areas of infrastructure. Although there is some controversy and concern surrounding how end-to-end encryption works, it is clear that the solution is a valuable security investment for the enterprises that select it and the consumers who benefit from it.