End-to-end encryption: Why you shouldn’t accept anything less


This article references a session at this year’s RightsCon, a summit on human rights in the digital age. The event was held in Costa Rica last week, with participation from ExpressVPN.

Countries around the world have been attempting to remove end-to-end encryption from messaging apps for years so that communications could be monitored for illegal content—namely child sexual abuse images—and information that could aid law enforcement. (Here’s a quick primer on the current state of play in Western countries.)

The conversation used to revolve around the possibility of implementing “backdoors,” or access to encrypted communications by law enforcement. In more recent years, client-side scanning has emerged as a potential method to monitor messages while still maintaining encryption. It works by scanning messages on your device before the messages are sent, with suspicious content flagged for further review.

Top executives from four tech companies met at this year’s RightsCon for a discussion about the importance of end-to-end encryption—which is considered by security experts to be essential for privacy—and legislative efforts to undermine it. The panel comprised Meredith Whittaker, president of Signal; Will Cathcart, head of WhatsApp at Meta; Raphael Robert, CEO of Phoenix R&D; and Matthew Hodgson, CEO of Element.

We break down some of the talking points that came up in this conversation.

Encryption makes for greater safety, not the other way around

Will Cathcart was asked to address whether E2EE takes away the responsibility of platforms to keep users safe. He countered that notion with the following:

  • E2EE fulfills a responsibility companies have to not retain a copy of everyone’s messages.
  • The top fear people have around their online activity is losing control of their personal information to hackers. Having messages hacked or lost from a server is a worse outcome than purported risks posed by the use of E2EE. 
  • Messaging companies use other methods to provide safety, such as letting users report accounts and banning accounts. 
  • Meredith Whittaker added that there is no evidence from history that mass surveillance has ever led to safety. Moreover, centralized surveillance is more pervasive now than ever.

Client-side scanning still undermines encryption

The panelists broadly agreed that client-side scanning is not acceptable, from a privacy perspective.

  • Having encryption alongside client-side scanning makes no sense, because the scans will undermine the encryption.
  • It is not possible to maintain privacy with client-side scanning. To say otherwise is magical thinking, says Whittaker, in part fueled by narratives surrounding the intelligence of AI.
  • Politicians have been convinced that we can depend on these scans to incriminate people—a feat by the companies that make the scanning technology.
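
As an added illustration (not code from the panel or from any messaging app), this Python sketch places a scan on the sending device before encryption, as described earlier in the article, and shows why a match discloses content to a party that holds no key. The exact-hash blocklist, the toy cipher and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed blocklist of SHA-256 digests; exact-hash matching is an assumption
# made for this sketch, the article does not say how content is matched.
BLOCKLIST = {hashlib.sha256(b"constructed flagged sample").hexdigest()}

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for the
    messenger's real end-to-end cipher. Not for production use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def client_send(plaintext: bytes, key: bytes, blocklist=frozenset()):
    """Scan on the device, then encrypt. Returns (wire_bytes, report)."""
    digest = hashlib.sha256(plaintext).hexdigest()
    # The scan runs on plaintext, before encryption. A hit goes to a reviewer
    # who holds no key, so it travels outside the encrypted channel.
    report = {"matched_digest": digest} if digest in blocklist else None
    nonce = os.urandom(12)
    return nonce + xor_keystream(key, nonce, plaintext), report

def client_receive(wire: bytes, key: bytes) -> bytes:
    return xor_keystream(key, wire[:12], wire[12:])

def demo():
    key = os.urandom(32)
    flagged = b"constructed flagged sample"
    ordinary = b"meet at the usual place at 6"
    results = {}
    # Without scanning: only the key holder learns anything about the message.
    wire, report = client_send(flagged, key)
    results["no_scan"] = (client_receive(wire, key) == flagged, report)
    # With scanning: the ciphertext is unchanged in strength, yet content leaks.
    wire, report = client_send(flagged, key, BLOCKLIST)
    results["scan"] = (client_receive(wire, key) == flagged, report)
    # Whoever maintains the list decides what counts as reportable.
    widened = BLOCKLIST | {hashlib.sha256(ordinary).hexdigest()}
    results["widened"] = client_send(ordinary, key, widened)[1]
    results["ordinary_default_list"] = client_send(ordinary, key, BLOCKLIST)[1]
    return results
```

The report is produced whether or not the encryption is sound, which is why the strength of the cipher says nothing about what a scanner discloses.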

Everyday users value private communications

Among users, the importance of encryption can seem abstract. Cathcart said that the topic should be discussed in relatable ways.

  • Scanning for “bad” content in messaging apps is akin to having an in-person conversation next to a CCTV camera that uses AI to monitor you.
  • We should help laypeople think about the effects of a loss of encryption in a concrete way, such as the loss of security among journalists, governments, and companies.
  • Matthew Hodgson said that in a recent survey conducted by his company, 83% of UK respondents said they want to have E2EE to protect their communications.

Privacy in the age of AI

Whittaker was prompted to talk about the effects of AI on our privacy, and the extent to which E2EE can make a difference. A few points she made:

  • AI requires huge amounts of data, and it relies on surveillance for that data. AI entrenches and justifies a surveillance business model.
  • E2EE communication keeps data out of AI surveillance, but it’s not the answer, as there is plenty of data collected about us that we aren’t consenting to and that can’t be stopped through E2EE.
  • The belief that AI is extremely intelligent or magical, as touted by tech corporations, reinforces the exaggerated notions of what technology can do, resulting in legislation that supports tech like client-side scanning.
  • We have to push back against magical-thinking messages surrounding technology.

Countries where end-to-end encryption is threatened

Here’s a primer on legislation in Western countries that could remove E2EE. These laws could require companies to create or use third-party technologies to scan messages on devices, if they want to continue to use E2EE. While the scans already pose privacy concerns (see above), another issue is that if companies are unable to incorporate such technology, they would have to remove E2EE for legal compliance.

  • The UK’s Online Safety Bill is likely in the final stages of becoming law. It calls for messaging companies to identify child abuse content being sent. Signal has said the service will leave the UK if it’s forced to weaken privacy, with WhatsApp fighting the law too.
  • In the U.S., the EARN IT Act was introduced for the third time in April of this year, after twice failing to become law. The Act calls for the creation of a national commission tasked with making a list of best practices for tech companies, with the goal of halting the distribution of child sex abuse material.
  • Last year, the EU proposed the Chat Control law, which would require messaging services to scan for material related to child sex abuse and terrorism. However, internal legal advice that was leaked indicated that the regulations would likely be deemed unlawful.
  • In 2018, Australia passed the Assistance and Access Act, which allows the government to force companies to hand over user data even if it’s protected by encryption.

 

Vanessa is an editor of the blog.