Not all encryption is equal, and why you should care.
Yes, of course, there are privacy issues, and perhaps assumptions we shouldn’t be making when using services provided by large corporations like Meta, Google, Microsoft, and others. This isn’t about that.
There’s a bit of technology you need to understand if privacy really matters to you.
Become a Patron of Ask Leo! and go ad-free!
End-to-end encryption ensures that information being communicated is visible only to the individuals at either end and not to anyone in the middle, including the service provider. Given that service providers can be compelled to hand over information to law enforcement, end-to-end encryption ensures they have nothing to hand over. When exchanging sensitive information, make sure to use tools that explicitly use end-to-end encryption.
End-to-end encryption is nothing more than data being encrypted in such a way that it can be seen only by individuals involved in a communication and not anyone anywhere in the middle.
Your ISP can’t see it, the other person’s ISP can’t see it, even the service you’re using can’t see it. All they see is encrypted blobs of random data. The data is visible only at the endpoints.
It’s encrypted from one end to the other.
Facebook would not be able to turn over anything that crosses their server using end-to-end encryption because they couldn’t understand what it contained.
End-to-middle encryption is quite common.
In this scenario, information is encrypted as it’s sent to the service you’re using, where it’s decrypted. It’s then re-encrypted and sent on to the final recipient, where the tool being used decrypts it.
The important thing to notice is that the service in the middle can see the unencrypted information. If you trust them, that’s peachy. If you don’t, it’s a problem.
Why would this scenario even exist?
In a word (or rather, an acronym): https. Https1 is the most common way of encrypting communication between your computer and the services you use. The whole intent of https is to provide encryption between you and the services you use. This protects you from a variety of issues, including your ISP seeing the data you’re exchanging, as well as anyone snooping in on the connection, such as on an open Wi-Fi hotspot.
The encryption is between you and the service you’re using, but no further. The service can see what you’re up to. Sometimes that’s necessary. Making a post on social media, for example, requires that the service have access to what you want to post. In other cases, it’s enough encryption as long as you trust the service.
It’s more than the service
As our Facebook users learned, it’s not always about trusting the service. Regardless of how you feel about Facebook specifically, this issue transcends service providers.
It’s often about the laws, rules, and regulations the service providers operate under. In Facebook’s case, it didn’t matter whether they wanted to provide the information or not; they were legally compelled to.
So, do you trust the government entities that regulate the provider you’re using? And if your conversation crosses jurisdictions — be it a city, state/province, or country boundary — do you trust the regulators at both ends? Any of them might compel information disclosure.
With true end-to-end encryption, there’s no information for the service, or anyone else in the middle, to see or disclose.
If it matters to you, the solution is to use an end-to-end encrypted service.
While there are supposedly plans for Facebook’s messaging service to be end-to-end encrypted someday, that day is not today. Clearly Facebook currently has access to all your Messenger messages.
WhatsApp, also owned by Facebook, highlights its end-to-end encryption.
Tools like Telegram and Signal also highlight this feature.
Not a solution: VPNs
VPNs do not solve this problem.
A VPN encrypts everything, but only as far as the VPN provider’s servers. Using the Facebook Messenger example, which is not end-to-end encrypted, here’s what happens with a VPN.
- Facebook Messenger encrypts the data to send to Facebook.
- Your VPN encrypts the data again to send to the VPN server.
- The VPN Server decrypts its layer and sends the data — still encrypted by Facebook Messenger — on to Facebook.
- Facebook decrypts the data. At this point, the messages are visible to Facebook.
- Facebook encrypts the data.
- Facebook sends the data on to the Facebook Messenger recipient.
- Facebook Messenger decrypts the message on the recipient’s machine.
- The recipient can read the message.
The VPN provided an additional layer of encryption and security, but only between your machine and the VPN service’s servers.
If your privacy truly matters, then it’s important you know how the tools you use work, and choose one with an appropriate level of privacy and security.
Personally, I use Facebook Messenger all the time, but I have no expectation of privacy. If privacy matters, I use Telegram.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.