The December 2022 issue of IEEE Spectrum is here!

Close bar

In Privacy Versus Security, End-to-End Encryption Is Definitely Winning

Viber and WhatsApp have switched it on to protect 1.7 billion users worldwide

2 min read
In Privacy Versus Security, End-to-End Encryption Is Definitely Winning
Photo: Chris Ratcliffe/Bloomberg/Getty Images

While the U.S. Federal Bureau of Investigation publicly feuds with Apple over access to the iPhones of criminals, a quiet but monumental shift in mobile security could upend the agency’s plans to keep private lines of communication pried open. Mobile messaging companies are embracing end-to-end encryption, which puts conversations permanently out of reach of both law enforcement and the companies themselves.

This month, Viber and WhatsApp announced end-to-end encryption as a default setting, protecting the communications of 1.7 billion combined users worldwide. End-to-end encryption is a security mechanism that fully encrypts a message from the moment it is composed through its final delivery.

With this method, the key required to decrypt messages is only shared between sender and receiver. It is not known or stored by the company that shuttles messages between two parties. That means there’s no way for law enforcement to force a company to decrypt messages, because the company itself does not hold and cannot access the key to decode them.  

The widespread use of this protection on popular messaging apps propels the privacy versus security debate into new terrain. In the United States, the FBI claimed earlier this year that it needed Apple to provide access to an iPhone owned by a man who committed a mass shooting in San Bernardino, Calif., so that the agency could recover information for its investigation.

But iPhone access does not unlock the data held within apps, especially if that data was protected by another passcode or exchanged using end-to-end encryption. Even if law enforcement gains access to iPhones in future investigations, they will likely run up against these barriers. Though WhatsApp and Viber do not have built-in passcode protection, users can download third-party apps to add a password to any app on their phones.

To fight back, several countries including the U.K. and U.S. are weighing legislation and proposals to prohibit companies from using end-to-end encryption. Security experts have argued that these measures are nearsighted, since companies elsewhere could easily build apps that use end-to-end encryption and offer them to users anywhere in the world.

Recent developments reflect a prediction shared with IEEE Spectrum by Matthew Green, a cryptography expert at Johns Hopkins University, in Baltimore: that instant messaging services would be first to roll out end-to-end encryption, even ahead of email providers. Both Google and Yahoo have invested resources into developing end-to-end encryption for email, but the technical challenges are greater than for instant messaging. Implementing this protection would also clash with business priorities such as Google services that automatically schedule flights or meetings by perusing users’ emails.

The Conversation (0)

Why the Internet Needs the InterPlanetary File System

Peer-to-peer file sharing would make the Internet far more efficient

12 min read
An illustration of a series
Carl De Torres

When the COVID-19 pandemic erupted in early 2020, the world made an unprecedented shift to remote work. As a precaution, some Internet providers scaled back service levels temporarily, although that probably wasn’t necessary for countries in Asia, Europe, and North America, which were generally able to cope with the surge in demand caused by people teleworking (and binge-watching Netflix). That’s because most of their networks were overprovisioned, with more capacity than they usually need. But in countries without the same level of investment in network infrastructure, the picture was less rosy: Internet service providers (ISPs) in South Africa and Venezuela, for instance, reported significant strain.

But is overprovisioning the only way to ensure resilience? We don’t think so. To understand the alternative approach we’re championing, though, you first need to recall how the Internet works.

Keep Reading ↓Show less