Talk about End-to-End Encryption is Everywhere
These days, it seems that encryption is a popular topic, and for very good reason. Encryption is changing the way we communicate and transfer data and is, in general, a very good tool for protecting privacy and preventing others from viewing personal or otherwise sensitive data.
While encryption-related stories are an everyday thing these days, many users still don’t actually really understand what encryption is or how it works. So, in this post, I will outline a few basics of real-world end-to-end encryption usage, how it works, and what you need to know to ensure your own personal privacy and safety when messaging or performing other online activities.
End-to-End Encryption Does Not Protect Your Phone or Computer
The most important thing you need to know about end-to-end encryption is that it – in no way whatsoever – protects your phone or computer. What end-to-end encryption does do is protect data sent over the Internet or through Wi-Fi while it is in transit. This means that snoopers or hackers can’t view messages or data sent by you to another person using the same type of encryption.
If someone has physical access to your phone or computer, though, he/she can still see data or messages sent using end-to-end encryption. That’s why using strong, secure passwords is still absolutely essential – regardless if you use encryption for transferring data/messages or not.
Know When Your Data is Encrypted
The truth is this – most public messaging tools don’t use any form of encryption at all to protect data and messages while in transit. While WhatsApp and Facebook (as long as your using the encrypted version of Messenger) do provide end-to-end encryption, email and many other messaging applications do not.
Messaging apps that do not use end-to-end encryption leave your data and messages vulnerable to what are known as Man In The Middle, or MITM, attacks. MITM attacks occur when a hacker intercepts your data or messages while they are being sent from you to the recipient (or vice versa.)
If the data is not encrypted during transit, it is visible as raw data or plain text that the hacker can view or manipulate with minimal effort. Therefore, ensure that any app you use to send data or messages does indeed use end-to-end encryption – especially if you send or receive anything of a confidential or sensitive nature.
Always Treat Your Online/Mobile Messages as Public
Like I mentioned above, there are some apps/applications that do provide end-to-encryption when sending and receiving messages. However, like I also wrote, most do not. So, unless you’re absolutely sure that the app or program you are using does secure messages with end-to-end encryption, you should assume that your data and messages are visible to the public. What this means is simple; if you’re not comfortable sharing the data or message with the public at large, don’t send it via a messaging app or program you are not 100 percent sure about. If you want to be sure your data and messages are protected while being sent over the airways, look for an app or program listed and verified as using end-to-end encryption (HIPAA certified apps are great for this.)
The government enforces very strict standards for certifying HIPAA compliant apps and programs because they are used to transmit private health-related information. So, HIPAA-compliant messaging and transfer apps generally offer much stronger encryption and protection than those without the certification.
Know What the Encryption Protects
While end-to-end is probably the most talked about type of encryption these days, it’s certainly not the only kind in use on phones and computers. Other types of encryption protect data actually stored on the devices. And, of course, some data may not be protected by any type of encryption at all.
End-to-end encryption protects data only while it’s in transit over the Internet or via a Wi-Fi connection. This means that the data/message is unencrypted on the device on which it was sent as well as the receiving device (after it’s been decrypted for viewing or use.) Because encryption is not “always on”, so to speak, it’s important to know when the data or messages are actually being protected and when they are not.
Encryption Keys and Who Has Them
With many end-to-end messaging and data transfer apps, the keys to unlocking the data may be held by the provider and not with actual users. This means that government or law enforcement agencies, or others, may be able to coerce service providers to grant them access to data or messages sent or received with the app or service. This is another reason to treat messages or data sent with such providers as public and not completely private.
If you want to ensure that data and messages are indeed private, look for apps or services that allow you to hold and control the keys for encrypting and decrypting data. If the service providers do not have access to the keys, then there is no way for them to provide data to a third party. Apps and services that allow you to create, store and control your own encryption/decryption keys are much more private and secure than those that do not.
Remember, Encrypted Does Not Mean Secure
It’s important to note that encryption does not necessarily always equal true security. A number of best practices should be followed to ensure that your data or messages are safe and secure – even if you are using encryption.
Controlling access to your phone or computer is the first step. The fewer people who have access to your devices, the more secure your data will be. Additionally, ensuring that others don’t have ready access to your encryption/decryption key files will generally prevent them viewing your data – even if they do gain physical access to your phone or computer. If you store keys on your devices, others may be able to find them to unlock data or messages on those devices. If you do create and use your own encryption keys, it’s best to store them on removable media such as USB drives or flash media so that you can disconnect the key source when it’s not in use.
Also, I should again mention that the most effective way to protect data on your phone or computer is to ensure that you use adequate passwords that are strong enough as to not be cracked with brute force or other attack methods. This usually means using passwords that are at least 15 to 20 characters in length, and consist of numbers, capital and lowercase letters as well as symbols or characters. Also, a good practice is to come up with passwords that don’t make sense to anyone except you.
While there is no perfect way to ensure data privacy and security, using the above-mentioned methods will help. If you have ideas, suggestions or thoughts on how to improve data/message privacy and security, please feel free to leave a comment. I am always open to hearing what you guys have to say on important security issues. Until, next time…