Last week, Facebook CEO Mark Zuckerberg announced a major strategic shift. His 3200-word missive announced that his company will pivot its messaging applications to privacy-focused chat and ephemeral communications. At the heart of this privacy focus is the use of end-to-end encryption, an advanced security technology by which messages are encrypted on the user’s device. Only the sender and the recipient can access the message. No one else, not even the provider of the messaging service, can see the communication.
The rationale behind Facebook’s strategic shift was based on Mr. Zuckerberg’s realization that:
“[P]eople increasingly want to connect privately in the digital equivalent of the living room. … People expect their private communications to be secure and to only be seen by the people they’ve sent them to — not hackers, criminals, over-reaching governments, or even the people operating the services they’re using.”
To enable this shift, Zuckerberg announced that Facebook Messenger, Instagram Direct and WhatsApp will become interoperable and use end-to-end encryption to deliver security and privacy to users.
Many people believe they’re protected because their apps and services claim to use encryption. But that’s simply not true. Often encryption just means traffic is encrypted between client and server, but the reality is that most servers — like those of Google, Microsoft, Dropbox, and Box — operate on unencrypted data. This is a problem for three reasons: the servers can become central points of attack, user data can be exploited for marketing and advertising, and the service provider may disclose user data without the user’s permission.
End-to-end encryption addresses all three problems because only senders and intended recipients of data can read it. Facebook’s endorsement of end-to-end encryption is like a flash of lightning illuminating the deficiencies of existing platforms. This move will encourage other app developers to change how they protect user data, spawning a fundamental change in information security.
Without end-to-end encryption, an attack on a server can expose all the information stored there, as happened when Sony’s emails were hacked by North Korea. This attack exposed sensitive company emails, which were eventually published on WikiLeaks, and resulted in the cancellation of an upcoming movie.
Whether an attack occurs because a phishing attempt yielded a password or because a software vulnerability enabled bad actors to exfiltrate data, the damage is the same. With end-to-end encryption, however, exfiltrating data results in gibberish because the server only stores encrypted information and doesn’t have the keys to decode it.
End-to-end encryption also prevents service providers from mining user data for their own profit. Google reads every user email for content and keywords. It then uses this information to “enrich other products within the Google family.” Not surprisingly, “the other products in the Google family” use that information to sell ever more sophisticated advertising. Moreover, as reported by the Wall Street Journal, Google also gives third-party app developers access to users’ Gmail inboxes. These third parties are themselves in the business of finding ever more clever ways to monetize the information gleaned from emails. Google meanwhile steadfastly asserts it wants users to “remain confident that Google will keep privacy and security paramount.”
End-to-end encryption ultimately places control of user data in the hands of the users and organizations that own it. The fact that service providers, like Microsoft, don’t employ end-to-end encryption can put them in difficult situations where they have to divulge private user information. In April 2016, Microsoft filed a suit against the U.S. government because it was required to hand over customers’ email without informing the customers that it had done so.
If these messages had been written on paper, government subpoenas of Microsoft would have been directed to the owners of the messages, and they could have used legal processes to raise objections. Microsoft said in its suit that its remote storage of data “has provided a new opening for the government to access electronic data.” The U.S. government was only able to demand access to user email on Microsoft servers because Microsoft had access to the messages in the first place.
Facebook’s pivot to end-to-end encryption underscores the notion that the contents of users’ messages belong to the users. This information shouldn’t be vulnerable to an attack on the service provider. It shouldn’t be used to bolster the profits of the service provider. The owner of the data, not the service provider, should be responsible for its disclosure during legal disputes.
We believe that Facebook’s move is just the beginning. More and more developers will choose to use end-to-end encryption in their apps and services. The world will never be the same.
PreVeil was founded on the idea that the best way to protect information is to encrypt end-to-end. Just as Facebook is moving to incorporate end-to-end encryption in its consumer messaging apps, PreVeil has built end-to-end encryption into apps that individuals and businesses use every day: email and file storage.
PreVeil has focused on making encryption easy to use by integrating with popular email apps, like Outlook and Gmail, and by integrating with the Macintosh Finder and Windows File Explorer. PreVeil has addressed the challenges of making encryption usable in an organization, enabling administrative access and controls without compromising security.
Mr. Zuckerberg got it right with his pivot to end-to-end encryption. As more apps and services follow Facebook’s lead, the world will change for the better.
For more information, contact us.