In the early days of instant messaging, end-to-end protection wasn't standard. Typically, cryptography secured data only while it traveled between your device and the messaging service's server. On the server, it was decrypted, stored unencrypted, and then re-encrypted for delivery to the recipient, whose device would finally decrypt it. While some services encrypted data even when stored on their servers, the crucial point was that the service provider generated and therefore possessed the secret keys. Users had to trust that this intermediary would safeguard these keys, maintain data confidentiality and integrity under all circumstances (avoiding unauthorized access to the unencrypted content), and implement robust security measures to prevent malicious actors from accessing either the keys or the plaintext.
However, controversies surrounding the roles and responsibilities of these intermediaries led major instant messaging, audio, and video communication providers to adopt end-to-end encryption (E2EE). E2EE aims to ensure confidentiality, integrity, and authenticity directly between the communicating parties. The term E2EE signifies not just encryption from one end to the other, but critically, that "confidentiality is broken if content can be decrypted at any intermediate point" (Knodel et al., 2023). In instant messaging, E2EE "conceals communications between one user's instant messaging application through any intermediate devices and servers all the way to the recipient's instant messaging application" (Gillmor, ACLU and Oever, 2015), effectively preventing any intermediary from compromising data confidentiality. In practice, this means the secret keys are generated and accessible solely by the communicating users. Consequently, data can only be decrypted at its final destination, preventing service providers and other third parties from decrypting it during transit or while stored on the providers' servers. Services that rely on processing user information for marketing, profiling, or targeted advertising cannot implement true E2EE without fundamentally altering their business model. Nevertheless, these services can often still utilize metadata, such as communication partners, timestamps, and duration, for profiling purposes.
In cloud storage services like Dropbox, Microsoft OneDrive, or Google Drive, data is usually protected with cryptographic protocols during upload and download. However, depending on the service, the data might not be encrypted while stored on the provider's systems. Even if it is encrypted at rest, the cloud service provider often controls the secret keys. E2EE offers a solution to these security concerns in the cloud as well.
While numerous communication and storage providers claim to offer E2EE, their implementation is frequently incomplete because they retain access to the secret keys. Nevertheless, growing user awareness regarding security and privacy is driving platforms like Facebook to introduce end-to-end encrypted features into their existing, less fully encrypted services (Meta, 2021). Implementing E2EE introduces greater complexity, particularly in scenarios involving multiple users, such as group chats or when files on network drives are shared. Homomorphic cryptography holds promise for expanding the scope of what E2EE can achieve.