Catalina Goanta and Vittorio Bertola (17/12/2021). End-to-End Encryption. In Belli, L.; Zingales, N. & Curzi, Y. (Eds.), Glossary of Platform Law and Policy Terms (online). FGV Direito Rio. https://platformglossary.info/end-to-end-encryption/.
Author: Catalina Goanta and Vittorio Bertola
End-to-end encryption (E2EE) is the use of cryptography to protect a message so that it can be read only by the communicating users (Electronic Frontier Foundation, 2020; W3C, 2015) and not by any third party acting as an intermediary in the transfer of that data. It is distinct from transport encryption such as the Transport Layer Security protocol (TLS), which protects data only between a user's device and a server: the server decrypts the traffic, and can therefore read it, before forwarding it on. E2EE is normally built on asymmetric cryptography (also known as public-key cryptography), in which each user holds a pair of keys (large numbers with particular mathematical properties): a public key, which anyone may use to encrypt a message to that user, and a private key, kept secret, which alone can decrypt it (Electronic Frontier Foundation, 2018). Symmetric cryptography, by contrast, uses the same key for both encryption and decryption (Goanta, Hopman, 2020); in practice, E2EE systems use public-key operations to agree on a fresh symmetric key between the two users, and that key then encrypts the message content.
Recent definitional issues around E2EE have shown that some companies may claim to implement E2EE when in fact that is not the case (Schneier, 2020; Lee, Grauer, 2020); the best-known instance is Zoom's marketing of its video meetings as end-to-end encrypted while the provider's own servers were able to decrypt them. Given the harm that may follow when a company fails to meet a security standard it invokes to reassure its user base, assessing whether an implementation actually meets that standard becomes crucial for consumer protection, contract law, and the law on misleading marketing.
More specifically, E2EE in the strict sense requires that the sending and receiving users control their own encryption keys and procedures directly, and that any third-party communication software only ever handles the encrypted content. Because this is inconvenient for the average user, almost all current implementations that claim to offer “end-to-end encryption” (e.g., instant messaging and videoconferencing tools) in fact offer what may be called “managed app-to-app encryption”: the provider's own application creates and manages the user's keys, distributes other users' public keys through the provider's servers, and performs the encryption and decryption itself. As a consequence, the application handles the unencrypted content on the user's device and could examine it or make it available to its maker or to other parties. A provider that controls key distribution could also substitute its own key for a recipient's and read the traffic unnoticed, unless the users compare key fingerprints (“safety numbers”) over a separate channel. Whether a product deserves the E2EE label therefore turns on where the keys are generated, who can obtain them, and whether the client software can be independently inspected, not merely on the presence of encryption.
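The three situations described above (transport encryption with a server in the middle, end-to-end encryption through a server that only forwards bytes, and a managed key directory that substitutes the operator's key) can be modelled in a few dozen lines. The following is an added example, not code from the glossary entry or from any of the products it cites. It uses only the Python standard library: key agreement is finite-field Diffie-Hellman over the 2048-bit MODP group of RFC 3526, and the symmetric cipher is a hypothetical HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, chosen so the example runs offline. The function names (`transport_only`, `end_to_end`, `fingerprint`), the HKDF label and the message text are the example's own assumptions; a real system would use vetted primitives such as X25519 with AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import os
import secrets

# 2048-bit MODP group from RFC 3526 (group 14), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def keygen():
    """Finite-field Diffie-Hellman key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def hkdf_sha256(ikm, info, length=64):
    """RFC 5869 HKDF: extract with a zero salt, then expand to `length` bytes."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def derive_keys(priv, peer_pub):
    """DH shared secret -> (encryption key, MAC key), 32 bytes each."""
    secret = pow(peer_pub, priv, P).to_bytes(256, "big")
    okm = hkdf_sha256(secret, b"e2ee-glossary-example")  # hypothetical label
    return okm[:32], okm[32:]

def _keystream(enc_key, nonce, n):
    # Hypothetical PRF-in-counter-mode stream cipher, for illustration only.
    blocks = (n + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

def encrypt(keys, plaintext):
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(keys, blob):
    """Checks the tag before decrypting; raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def fingerprint(pub):
    """What a client shows as a 'safety number' for an out-of-band comparison."""
    return hashlib.sha256(pub.to_bytes(256, "big")).hexdigest()[:16]

def transport_only(message):
    """TLS-style: each hop is encrypted separately, so the server holds plaintext.
    Returns (what the server can read, what Bob receives)."""
    a_priv, a_pub = keygen()
    s_priv, s_pub = keygen()
    b_priv, b_pub = keygen()
    hop1 = encrypt(derive_keys(a_priv, s_pub), message)       # Alice -> server
    at_server = decrypt(derive_keys(s_priv, a_pub), hop1)     # server decrypts...
    hop2 = encrypt(derive_keys(s_priv, b_pub), at_server)     # ...and re-encrypts to Bob
    return at_server, decrypt(derive_keys(b_priv, s_pub), hop2)

def end_to_end(message, directory_lies=False):
    """Alice encrypts to whatever key the operator's directory says is Bob's;
    the server only forwards bytes. With directory_lies=True the operator hands
    out its own key instead (the hazard when the app, not the user, manages keys).
    Returns (what the server can read, what Bob receives, fingerprints match?)."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    s_priv, s_pub = keygen()
    bob_key_from_directory = s_pub if directory_lies else b_pub
    blob = encrypt(derive_keys(a_priv, bob_key_from_directory), message)
    try:
        at_server = decrypt(derive_keys(s_priv, a_pub), blob)  # works only if Alice used s_pub
    except ValueError:
        at_server = None                                        # honest case: ciphertext only
    if at_server is not None:
        blob = encrypt(derive_keys(s_priv, b_pub), at_server)   # re-encrypt so Bob notices nothing
        bob_plain = decrypt(derive_keys(b_priv, s_pub), blob)   # the directory lied to Bob as well
    else:
        bob_plain = decrypt(derive_keys(b_priv, a_pub), blob)
    # The only defence against substitution: compare fingerprints over a separate channel.
    return at_server, bob_plain, fingerprint(bob_key_from_directory) == fingerprint(b_pub)

if __name__ == "__main__":
    print("transport only:", transport_only(b"meet at 10"))
    print("e2ee, honest directory:", end_to_end(b"meet at 10"))
    print("e2ee, substituted key:", end_to_end(b"meet at 10", directory_lies=True))
```

In the honest end-to-end case the server's attempt to decrypt fails the authentication check and it is left holding ciphertext only; when the directory hands Alice the operator's key instead of Bob's, both users see a working conversation and only the fingerprint comparison reveals the substitution. That comparison is what messaging clients expose as safety numbers or key-verification screens, and it is the part a "managed" implementation cannot perform on the user's behalf.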
- Electronic Frontier Foundation (2020). End-to-end encryption. Surveillance Self-Defense. Available at: https://ssd.eff.org/en/glossary/end-end-encryption.
- Zhu, Y. (2015). End-to-End Encryption and the Web. W3C Technical Architecture Group. Available at: https://www.w3.org/2001/tag/doc/encryption-finding/.
- Electronic Frontier Foundation (2018). A Deep Dive on End-to-End Encryption: How Do Public Key Encryption Systems Work? Surveillance Self-Defense. Available at: https://ssd.eff.org/module/deep-dive-end-end-encryption-how-do-public-key-encryption-systems-work.
- Goanta, C., Hopman, M. (2020). Crypto communities as legal orders. Internet Policy Review, 9(2). DOI: 10.14763/2020.2.1486.
- Schneier, B. (2020). Security and Privacy Implications of Zoom. Schneier on Security. Available at: https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html.
- Lee, M., Grauer, Y. (2020). Zoom Meetings aren't End-to-end Encrypted, Despite Misleading Marketing. The Intercept. Available at: https://www.loopinsight.com/2020/03/31/zoom-meetings-arent-end-to-end-encrypted-despite-misleading-marketing/.