What Is End-to-End Encryption? The Basics You Need to Know

End-to-end encryption, also known as E2E encryption or E2EE, encrypts data on a sender’s computer or device and keeps it encrypted throughout its travel to the intended recipient. While it travels to the intended recipient or recipients, the message stays encrypted so that it cannot be read, tampered with, or hacked by anyone. When it reaches the recipient’s computer or device, it is decrypted. Many popular messaging apps and communication services, including Facebook Messenger, WhatsApp, Zoom, and Signal, use end-to-end encryption. This article breaks down what you need to know about the safety, benefits, and drawbacks of E2E encryption data protection.

What Is End-to-End Encryption?

Simply put, end-to-end encryption means encrypting messages on one device so that only the device to which the message is sent is able to decode or decrypt them. This way, the message travels the entire way from the sender to the recipient in encrypted form, making it mostly impossible for hackers and unwanted third parties to access the encrypted data while it travels. In true end-to-end encryption, the encryption occurs at the device level. Messages and files are encrypted before they leave the phone or computer and are not decrypted until they reach their intended recipient. Hackers don’t have the key to decrypt the data, because those secret keys are stored with the individual users.

At its core, end-to-end encryption is protection from data theft. With E2E encryption, only the sender and the intended recipient have the keys to decrypt the message. If the message is viewed at any point during transit, it won’t be legible. This same protection also prevents bad actors from tampering with or altering messages.

Why Does End-to-End Encryption Matter?

Data privacy is the reason to focus on solid E2E encryption capabilities. End-to-end encryption matters when individuals want to ensure that information is completely private and protected from any third party or outside review. Some popular email services allow third-party developers to create add-on services, and if those programs don’t enable end-to-end encryption and a user adds on a third-party app, then they might be opening up their email account data and information to be read and aggregated by those third-party developers. 

In addition, data that is stored unencrypted on an email provider’s server can be requested and seized for legal proceedings or investigations. Government data requests are on the rise, and once a request is made, email providers often have no choice but to comply. Last year, Mashable reported that the US Government’s data requests to Google were up 510% since 2010, and requests to Facebook were up 364% since 2013. The US leads all other countries in data requests, and in 2019 made more than 163,000 data requests of major tech companies. If your email provider does not store your emails with end-to-end encryption, you ultimately can’t control access to your emails and information.

End-to-end encryption capabilities are often challenged by governments with regard to criminal investigations. The New York Times reported on recent government attempts to curtail end-to-end encryption, or to require that companies build back doors into their encrypted products in order to facilitate government surveillance. In 2016, Apple was at the center of a federal data request to unlock a shooting suspect’s iPhone. The government ultimately used a third party to crack into the phone and access the data it wanted. It is an interesting issue, because intelligence and law enforcement agencies argue that E2E encryption makes it significantly harder for them to track criminals, including terrorists, pedophiles, and human traffickers. Privacy activists on the other side of the debate argue that human rights are better protected by E2E encryption, as it prevents governments from executing mass surveillance tactics and forces a targeted, precise, and therefore more constitutional form of intelligence gathering.

Is End-to-End Encryption Safe? 

End-to-end encryption is regarded as safe because it significantly reduces the number of outsiders who may be able to view or steal your data. However, like all evolving technology, there are always issues and needs for new software releases and improvements. WhatsApp — which uses E2E encryption technology — has been hacked. The Mirror reported on a 2019 security breach in which spyware was implanted on user phones and malicious code was installed to pull user information. Hackers were even able to turn on a phone’s camera and microphone. It’s important to always update software in order to keep your data as secure as possible.

How Does E2EE Differ From Other Types of Encryption? 

How does end-to-end encryption compare with other types of encryption? The main difference is that E2E encryption is asymmetrical and other encryption types are symmetrical. Symmetric key encryption uses only one key to decode the data that is being transmitted. E2E encryption uses two different keys, creating an asymmetrical system that is harder to crack.

In single-key encryption, the key can be a password, a code, or a random string of numbers that is generated and sent to the message recipient so that they can decode a message. On its own the encrypted message may not make sense, but anyone who gets the one key needed to decode it can use it to read the message.

In double, asymmetrical encryption — the defining trait of end-to-end encryption — both a public key and a private key are used in the message transfer process. This makes E2E encryption much harder to crack and many times more secure.

Another alternative to end-to-end encryption is encryption-in-transit. This is the most common form of data encryption used today. In this system, messages are encrypted on the sender’s side, sent to a server where they are decrypted and re-encrypted, and then delivered to the recipient and decrypted there. In this process the information is protected during transmission, but the intermediary link in the chain is able to see the content — creating a potential point of weakness and exploitation.
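
The difference between the two models described above can be seen in a short simulation. This is an added example, not code from the article: it uses Node.js's built-in `crypto` module, all function names are hypothetical, and the random per-hop keys stand in for transport session keys. It assumes the common hybrid design in which the public/private key pairs agree on a key and a symmetric cipher (AES-256-GCM) protects the message itself.

```javascript
// Added illustration, not code from the article. All names are hypothetical.
const crypto = require('node:crypto');

// AES-256-GCM: seal() encrypts and authenticates, open() throws if anything was altered.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Each endpoint combines its own private key with the peer's public key (X25519)
// and derives the same 32-byte message key; private keys never leave the devices.
function sharedKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2ee-demo', 32));
}

// Encryption-in-transit: the server holds a key for each hop, so it decrypts and re-encrypts.
function relayInTransit(message) {
  const senderHop = crypto.randomBytes(32);    // stands in for the sender<->server session key
  const recipientHop = crypto.randomBytes(32); // stands in for the server<->recipient session key
  const seenByServer = open(senderHop, seal(senderHop, message));
  const delivered = open(recipientHop, seal(recipientHop, seenByServer));
  return { seenByServer, delivered };
}

// End-to-end: the server only forwards the sealed envelope; it has no key that opens it.
function relayEndToEnd(message, tamperAtServer = false) {
  const sender = crypto.generateKeyPairSync('x25519');
  const recipient = crypto.generateKeyPairSync('x25519');
  const envelope = seal(sharedKey(sender.privateKey, recipient.publicKey), message);
  const seenByServer = Buffer.from(envelope.ct); // copy of what the relay can observe
  if (tamperAtServer) envelope.ct[0] ^= 0x01;    // simulate modification in transit
  let delivered = null;
  try {
    delivered = open(sharedKey(recipient.privateKey, sender.publicKey), envelope);
  } catch (err) { /* authentication failed: the recipient rejects the message */ }
  return { seenByServer, delivered };
}

const demo = 'Transfer approved, ref 0001 (constructed sample)';
console.log(relayInTransit(demo).seenByServer === demo);      // true: the relay reads the plaintext
console.log(relayEndToEnd(demo).seenByServer.includes(demo)); // false: the relay sees ciphertext
```

With `tamperAtServer` set to `true`, `relayEndToEnd` returns `delivered: null`, because the authentication tag no longer matches and the recipient discards the message.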

How Is End-to-End Encryption Used? 

E2E encryption is used when companies need to ensure maximum data protection, and can be found in the finance, healthcare, and communications industries. It’s used to help companies meet data privacy compliance requirements. The Compliancy Group reports that HIPAA encryption requirements recommend E2E encryption for businesses, and state that alternatives like encryption-in-transit do not meet compliance guidelines. Payment service providers also offer E2E encryption for sensitive information like credit card details and customer data, both for security needs and in order to meet required industry regulations.

What Are the Advantages of End-to-End Encryption? 

The advantages of end-to-end encryption are data security, admin protection, and compliance with security regulations. E2E encryption protects data from hackers thanks to the dual key system. This also protects system administrators, because they don’t hold decryption keys for the data and therefore any cyberattacks that target admins will fail. E2E encryption also benefits companies by meeting strict data protection guidelines and keeping them compliant with data and consumer protection legislation.

What Are the Disadvantages of End-to-End Encryption? 

The disadvantages of E2E encryption are the limitations the encryption creates and its cost. One of the features that users like about interactive email services that interface with other programs is that they can communicate back and forth with apps like calendars and contact databases, at times creating a seamless integration of data that results in features that are frictionless, helpful, and time-saving. Using E2E encryption limits the ability to do things like automatically generate calendar invites and other features that rely on data access. In addition, E2E encryption email services can be costly, and for full protection benefits they require both users in the communication to use the same email messaging app. Using E2E encryption email services requires a larger investment than a messaging app.

End-to-End Encryption Takeaways

In a nutshell, end-to-end encryption is the most secure way to transfer data from sender to recipient, to prevent data theft, to protect from hackers, and to meet compliance requirements via secure data handling and maintenance. AuditBoard’s compliance management software can help your company build trust and scale with our connected risk platform.
