You may not understand how end-to-end encryption works, but you use it all the time. It protects your messages and emails, your purchases and bank transfers, and your access to websites and services. Governments around the world have tried to prohibit end-to-end encryption because they want to be able to listen in on what you say and spy on what you do.
In the UK, the government is planning a PR blitz to try to paint end-to-end encryption as dangerous, in reaction to Facebook adding end-to-end encryption to its Messenger app. The main thrust of their campaign is to paint end-to-end encryption as endangering children.
If end-to-end encryption is made illegal, you would not be able to do very much on the internet, at least not securely. Here are 10 ways that end-to-end encryption protects you.
Every time you log into your bank’s website, or use its app, all the data you send and receive is protected by end-to-end encryption. You can see your bank balance, but no one else can. You know how much you’ve spent on something, how much your salary is, and how much your mortgage costs, and you can transfer money to other accounts or people.
End-to-end encryption is essential to protect data in transit, that is, between your computer or smartphone and the server you connect to. This data doesn’t go directly from your device to the server; it goes over a number of routers and servers along a path that may not be anywhere near direct, depending on internet traffic.
Here’s an example. I used an online traceroute tool to show the “hops” between a request to connect to apple.com from a dozen different cities. I’ve removed some of the data to only show IP addresses:
1.|-- 45.79.12.202
2.|-- 45.79.12.2
3.|-- 45.79.12.9
4.|-- 213.248.83.174
5.|-- 62.115.137.106
6.|-- 62.115.151.71
7.|-- 17.253.144.10
You can see some similarities in the IP addresses above, so it looks like the data is going through multiple servers on the same network (hops 1, 2, and 3; hops 5 and 6), but there are six servers routing data between the sender and receiver.
Any of those servers could be compromised by a “man in the middle” attack, and, if the data were not encrypted, it could be intercepted. Your banking information could go through a dozen or more servers, with varying levels of security protecting them from cybercriminals, and, in some cases, remain on those servers for some time, in caches. If the data is encrypted from end to end, then once it leaves your device, it’s only decrypted when it gets to your bank.
Without end-to-end encryption, it would be like sending a postcard, which anyone could read before delivery.
Jeff Bezos wouldn’t be so wealthy if not for end-to-end encryption. The fact that you can use HTTPS (the secure hypertext transfer protocol) to transfer data to and from websites means that you can enter a credit card number, its expiry date, and its CVV, and not be worried about it being intercepted along the way. All e-commerce sites use HTTPS, and you should never enter a credit card number if you don’t see a padlock in your web browser’s address bar. (Our article “7 essential tips to stay safe shopping online” explains this, and gives other security tips for online shopping.)
This is the target of the UK government: secure messaging. While there are many secure messaging services – Apple’s iMessage, Signal, WhatsApp, Telegram, and others – the UK is targeting Facebook Messenger, which does not yet use end-to-end encryption. With secure messaging, your chats, photos, and audio messages are protected, the same as your banking information: no one can read them except for you and the recipient. If you want to send spicy text messages or, ahem, “noods,” that’s your right; no government should be able to listen in on what you say to others.
It’s important to point out that plain old SMS text messages (the “green bubble” conversations when you use Apple’s Messages app on your iPhone) are not secure. Be sure to read our comparison of the top five secure text message apps—which can also be used for live video or audio phone calls.
As with text messages, video calls via FaceTime, Zoom, and Skype are protected by end-to-end encryption. Your video chats may be boring, but some people’s aren’t, and they wouldn’t want anyone to be able to see what they say and what they do.
And businesses use videoconferencing a lot; they wouldn’t want competitors, or even nation states, to be able to see what they discuss. And what about government agencies? They regularly use video calling to interface with officials around the world.
My photo library has lots of cat photos, but also photos of family, friends, places I’ve been, and more. While not all these photos are personal, I wouldn’t want anyone sifting through my pics. You may have more risqué photos, and many celebrities have had their photo libraries hacked to expose their nude photos. Most people store their photos in the cloud – whether on Apple’s iCloud, Google Photos, or another service like SmugMug or Flickr – for convenience and easy access on mobile devices.
If end-to-end encryption were not available, these photos would be easily accessible on the servers through which they transit from your phone to the repositories.
As with photos, you may have lots of files in the cloud: you may use iCloud Drive, Dropbox, OneDrive, Box, or another service to store both personal and professional files. Many people store files in the cloud that contain sensitive information, such as financial information or health records.
Without end-to-end encryption, every time you upload or download a file, it could potentially be intercepted and copied along the way.
As with text messages, your email is sent and received using end-to-end encryption. It may not necessarily be encrypted on the email server, however; you’re trusting the company hosting your email to have impenetrable security. But at least during transit — when the message travels between you, email servers, and recipients — your emails are like sealed letters, not postcards. (They’re even more secure than sealed letters, because no one can steam them open.)
Of course, it’s also best if your email messages are fully encrypted when “at rest” — that is, while stored on the mail provider’s servers — and that your mail provider follows other best practices to protect your security and privacy. For more information, check out our review comparing secure email providers ProtonMail, Tutanota, and Mailfence.
Every online account you use, whether it’s Facebook, Twitter, Instagram, a forum, or a website where you post comments, benefits from end-to-end encryption using HTTPS. Your user name and password are protected, so no one can intercept them, log in as you, then post things as you, damaging your reputation.
Before late 2010, many sites would only require HTTPS during sign-in, but would drop back to the insecure HTTP protocol afterward. Other sites did not even require HTTPS to sign in. This changed quickly thanks to the public release of a new hacking tool. Firesheep was a Firefox extension that made it easy for anyone to hijack the browsing session of anyone else on a public Wi-Fi network. This meant that anyone on the same Wi-Fi network could easily log into someone else’s accounts — without needing to know their passwords. (Intego’s Chief Security Analyst Josh Long wrote about Firesheep on his blog in 2010 and 2011.)
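The weakness described above, sign-in over HTTPS followed by a drop back to HTTP, leaves the session cookie readable by anyone on the same Wi-Fi network. The check below is an added example, not part of the original article: it audits one response's headers for that pattern. The site shop.example, the sample headers, and the function names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

def cookie_attrs(set_cookie):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    first, *rest = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in rest if p.strip()}
    return name, attrs

def audit_response(url, headers):
    """Return transport-security findings for one response.

    url is the address that was requested; headers is a list of (name, value) pairs.
    """
    findings = []
    https = urlsplit(url).scheme == "https"
    if not https:
        findings.append("page served over plain HTTP")
    elif not any(n.lower() == "strict-transport-security" for n, _ in headers):
        # Without HSTS the browser may still try plain HTTP on a later visit.
        findings.append("no Strict-Transport-Security header")
    for name, value in headers:
        name = name.lower()
        if name == "set-cookie":
            cookie, attrs = cookie_attrs(value)
            if "secure" not in attrs:
                # A cookie without Secure is also sent over unencrypted HTTP.
                findings.append(f"cookie '{cookie}' lacks Secure")
        elif name == "location" and https:
            if urlsplit(urljoin(url, value)).scheme == "http":
                findings.append("redirect downgrades to HTTP")
    return findings

# Constructed sample responses for a hypothetical site, shop.example.
WEAK_LOGIN = ("https://shop.example/login", [
    ("Location", "http://shop.example/account"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
])
HARDENED_LOGIN = ("https://shop.example/login", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Location", "/account"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, (url, headers) in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_response(url, headers))
```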
One reason that companies were able to have so many employees work from home during COVID lockdowns is the availability of end-to-end encryption. This allows employees to access company websites, intranets, and servers, and to have access to confidential files. Without it, much less work could have been accomplished during this period.
You send and access a lot of personal data on government websites, and with health care providers and insurers. And this data is very confidential. If you have health issues, you don’t want anyone who doesn’t need to know about them to have access to your data. And you certainly don’t want anyone to access data on government websites, where you may file taxes, request benefits, and more. You may also use online accounting software, and the data here is confidential. End-to-end encryption ensures that it can’t be intercepted en route.
These are just 10 ways that end-to-end encryption helps you stay secure every day; there are many others, and any threat to end-to-end encryption is a threat to our general data security and identity.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.