Last week, Zoom Video Communications announced that the company would be rolling out end-to-end encryption (E2EE) service for all its users. Earlier this facility was available only to paid accounts. With this announcement, Zoom joins a long list of communication platforms that includes WhatsApp and Telegram to use E2EE to ensure that any unauthorised third-party monitoring of the content is thwarted.

While tech corporations are pushing towards E2EE citing privacy concerns of the users, there is one party that is not particularly excited about it — a group of governments around the world. 

In October, India and Japan became the latest partners with the Five Eyes (FVEY) intel alliance countries that include Australia, Canada, New Zealand, the UK and the USA. This alliance is calling for tech firms to ‘enable law enforcement access to content’ upon production of a warrant. The alliance argues that while encryption is important for ensuring the privacy of its citizens, particular implementations of this technology can pose challenges to ‘public safety, including highly vulnerable members of our society like sexually exploited children.’

Let us understand the issue in more detail.

What is E2EE and How Does It Work?

End-to-end encryption is basically a public key encryption system which ensures that the contents of your messages and files are understood only by the intended recipients. When E2EE is applied, your messages are protected from being read in transit by not just hackers, but also the government and the company that is facilitating the communication itself.

E2EE generally uses asymmetric encryption techniques for protecting the transmitted message. Also known as public-key cryptography, asymmetric encryption resolves the ‘one-key’ problem of symmetric encryption. In this type of encryption, the cryptographic algorithms generate two keys with one-way function — one public key for encryption and another private key for decryption. As names suggest, the public key is distributed freely while the private key is only with the intended recipient. A lot of internet standards including Transport Layer Security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME), Pretty Good Privacy (PGP), and GNU Privacy Guard (GPG) are based on asymmetric encryption.

Some of the most popular asymmetric encryption algorithms include — Diffe Hellman (DH), Rivest Shamir Adleman (RSA), Elliptic Curve Cryptography (ECC), El Gamal, and Digital Signature Algorithm (DSA). The Diffe Hellman algorithm is most preferred for E2EE techniques. In the DH key exchange algorithm, keys are not exchanged but are jointly derived. This algorithm ensures confidentiality since there is no way of finding the private keys, which are very large and complex, from the publicly transmitted information. 

What Do Governments Want?

In a press release from FVEY alliance countries (along with India and Japan), cited public safety as the reason to call for alteration to the E2EE adoption by tech firms. In particular, the alliance calls for the following steps to be taken:

• Enabling companies to act against illegal content by embedding public safety in system designs and facilitating investigations and prosecution of offences.
• Permitting access to law enforcement to exchange content in a ‘readable and usable format’ in cases where legal authorisation is produced.
• Consulting with governments to facilitate substantive legal access to influence design decisions. 

The statement also said that while the alliance is focussed on E2EE currently, it wants the commitment to be extended to other encryption services such as device encryption, custom encrypted applications, and encryption across integrated platforms. In support of this argument, the press release cited the call of action issues by leading child protection organisations such as WePROTECT Global Alliance and NCMEC which stated that measures to privacy mustn’t come at the expense of child safety and protection.

What are the Implications of this Request

What the alliance of governments is doing is essentially asking for an encryption backdoor. To define, encryption backdoor is a built-in way to circumvent encryption to allow the company or authorised body to access all the data transmitted on its channel.

Most tech giants are against creating encryption backdoor for the reason that pre-designing such an arrangement makes the system significantly less secure due to its inherent vulnerability. Further, it would not be very difficult for malicious actors to eventually discover these backdoors for exploits. The possibilities are quite frightening, starting from targeting state-owned networks to the creation of black markets for illegal exploits.