What is End-to-End Encryption?

How Your Data is Kept Private on The Web Through Encryption


In the recent past, a term like end-to-end encryption was for geeks only and not likely to be on the tongue of lay people. Most of us would not have bothered to find out about it or to search for it on the Internet. Today, end-to-end encryption is part of your daily digital life. It is actually the ultimate security mechanism that protects your sensitive and private data online, like your credit card number during a transaction, or a phone call that someone is trying to wiretap.

Now, with global concerns about people's privacy being compromised, hackers lurking in every corner, and governments prying into their citizens' private communication, Internet calling, VoIP and instant messaging apps are featuring end-to-end encryption. It became common talk when WhatsApp brought it to more than a billion users, after being preceded by apps like Threema and Telegram, among others. In this article, we are going to see what end-to-end encryption is, how it works, in very simple terms, and what it does for you.

Encryption Explained

Before getting to the 'end-to-end' part, let us first see what plain old encryption is. The struggle for data security and privacy online is a battle fought on many fronts, but in the end it boils down to this: whenever you send private data to another computer or server on the Internet, which you do many times a day, it is like Red Riding Hood's mother sending her to her grandmother's on the other side of the woods.

These woods, which she has to cross alone and defenseless, have wolves and other dangers far more lethal than the wolf of the bedtime story. Once you send the data packets of your voice call, chat, email or credit card number over the jungle of the Internet, you have no control over who lays their hands on them.

This is the nature of the Internet. It is what makes so many things running on it free, including Voice over IP, which gives you free calls. Your data and voice packets pass through many unknown servers, routers and devices where any hacker, big brother or rogue state agent can intercept them. How to protect your data, then? Enter encryption, the last resort.

Encryption involves turning your data into a scrambled form such that it is impossible for any party intercepting it to read, understand or make any sense of it, except the recipient for whom it is intended. When it reaches this rightful recipient, the scrambled data is changed back to its original form and becomes perfectly readable and understandable again. This latter process is called decryption.

Let's complete the glossary. Unencrypted data is called plaintext; encrypted data is called ciphertext; the computer mechanism or recipe that runs on the data to encrypt it is called an encryption algorithm, simply software that works on data to scramble it. An encryption key is used with the algorithm to scramble the plaintext such that the right key is required, along with the algorithm, to decrypt the data. Thus, only the party who holds the key can get access to the original data.

Note that the key is a very long string of numbers that you do not have to remember or look after, as software does it all.

Encryption, or cryptography as it was known before the digital age, was in use for millennia before our time. Ancient Egyptians used to complicate their hieroglyphs to prevent lower-ranking people from understanding them. Modern, scientific encryption came in the Middle Ages with the Arab mathematician Al-Kindi, who wrote the first book on the subject. It became really serious and advanced during World War II with the Enigma machine, and in many cases helped considerably in defeating the Nazis.

Now, the very first instant messaging and calling apps that came with end-to-end encryption come from Germany, where people are particularly concerned about their privacy. Examples are Telegram and Threema. This concern may well have been heightened by the scandal of German Chancellor Merkel's phone calls being wiretapped by the US. Also, Jan Koum, co-founder of WhatsApp, cited his Russian childhood background and all the theatrical spying involved as one of the driving factors behind his eagerness to enforce privacy through encryption in his app, which nevertheless came quite late.

Symmetric and Asymmetric Encryption

Don't pay attention to the complex wording; I just want to draw the distinction between two versions of a simple concept. Here is an example to illustrate how encryption works.

Tom wants to send a private message to Harry. The message is passed through an encryption algorithm and, using a key, it is encrypted. While the algorithm is available to anyone geeky enough to look for it, like Dick, who wants to know what is being said, the key is a secret between Tom and Harry. If Dick the hacker manages to intercept the message as ciphertext, he will not be able to decrypt it back to the original message unless he has the key, which he does not. This is called symmetric encryption, in which the same key is used to encrypt and decrypt on both sides. It poses a problem, as both legitimate parties need to have the key, which may involve sending it over from one side to the other and thereby exposing it to compromise. It is therefore not effective in all cases.

Asymmetric encryption is the solution. Two types of key are used for each party, a public key and a private key; that is, each party has a public key and a private key. The public keys are available to both parties, and to anyone else, as the two parties share their public keys with each other prior to communication. Tom uses Harry's public key to encrypt the message, which can now only be decrypted using this (Harry's) public key and Harry's private key. This private key is available only to Harry and to no one else, not even to Tom the sender. This key is the one element that makes it impossible for any other party to decrypt the message, because there is never a need to send the private key over.

End-to-End Encryption Explained

End-to-end encryption works as explained above and is an implementation of asymmetric encryption. As the name implies, it protects data such that it can only be read at the two ends: by the sender and by the recipient. No one else can read the encrypted data, including hackers, governments, and even the server through which the data passes.

End-to-end encryption inherently implies many important things. Consider two WhatsApp users communicating through instant messaging or calling over the Internet. Their data passes through a WhatsApp server in transit from one user to the other. With many other services that offer encryption, the data is encrypted during transfer but is protected only from outside intruders like hackers: the service itself can intercept the data at its servers and use it, and can potentially hand it to third parties or to law enforcement authorities. End-to-end encryption keeps the data encrypted, without any possibility of decryption, at the server and everywhere else in between. Thus, even if it wanted to, the service cannot intercept the data and do anything with it. Law enforcement authorities and governments are likewise among those who cannot access the data, even with authorization. Theoretically, no one can, except the parties at the two ends.
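As an added illustration of the three ideas in the Tom, Dick and Harry story above (a shared key that both sides must hold, a public/private key pair, and a relay server that only ever sees ciphertext), here is a small Python sketch that is not part of the original article. It uses textbook RSA with tiny constructed primes and a hash-derived XOR keystream purely to make the mechanics visible; these toy constructions are not something to deploy.

```python
"""Added toy illustration (not from the article): a shared-key cipher, a
textbook RSA key pair with tiny constructed primes, and a relay server
that only ever sees ciphertext. Educational only; real apps rely on
vetted libraries and protocols, never on constructions like these."""
import hashlib
from math import gcd


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: XOR data with a keystream derived from the shared key.
    The same call encrypts and decrypts, so both sides need the key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def symmetric_demo(message: bytes):
    shared = b"tom-and-harry-secret"       # must somehow reach both sides
    ciphertext = sym_crypt(shared, message)
    # Harry (right key) recovers the text; Dick (wrong key) gets garbage.
    return sym_crypt(shared, ciphertext), sym_crypt(b"dick-guess", ciphertext)


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Asymmetric: textbook RSA. Returns (public key, private key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)                    # private exponent (Python >= 3.8)
    return (n, e), (n, d)


def rsa_encrypt(public_key, message: bytes) -> list:
    n, e = public_key                      # anyone may hold this key
    return [pow(b, e, n) for b in message] # byte-at-a-time, toy only


def rsa_decrypt(private_key, ciphertext: list) -> bytes:
    n, d = private_key                     # only Harry holds this key
    return bytes(pow(c, d, n) for c in ciphertext)


def relay_demo(message: bytes):
    """End-to-end: Tom -> server -> Harry, with the server seeing only
    ciphertext (and Harry's public key, which does not help it decrypt)."""
    harry_pub, harry_priv = rsa_keygen(61, 53)      # toy primes, constructed
    ciphertext = rsa_encrypt(harry_pub, message)    # Tom encrypts
    server_view = list(ciphertext)                  # server stores/forwards this
    received = rsa_decrypt(harry_priv, server_view) # Harry decrypts
    return received, server_view
```

Running `relay_demo(b"meet at noon")` returns the original bytes for Harry alongside the list of numbers that is all the server ever handled.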

How To Use End-to-End Encryption

You do not actually use end-to-end encryption manually, and there is nothing you have to do to put it to work. The services behind the scenes, the software and the web security mechanisms take care of it.

For instance, the browser in which you are reading this is equipped with end-to-end encryption tools, and they get to work when you engage in online activity that requires securing your data during transmission. Consider what happens when you buy something online using your credit card. Your computer needs to send the credit card number to the merchant on the other side of the world. End-to-end encryption makes sure that only you and the merchant's computer or service can access this highly confidential number.

Secure Sockets Layer (SSL), or its latest updated version, Transport Layer Security (TLS), is the standard for encryption on the web. When you enter a site that offers encryption for your data (normally sites that handle your private information, like personal details, passwords, credit card numbers and so on), there are signs that indicate security and safety. In the address bar, the URL starts with https:// instead of http://, the additional s standing for secure. You will also see an image somewhere on the page with the logo of Symantec (owner of TLS) and TLS. This image, when clicked on, opens a pop-up certifying the genuineness of the site. Companies like Symantec provide digital certificates to websites for encryption.

Voice calls and other media are also protected using end-to-end encryption in many apps and services. You benefit from the privacy of encryption simply by using these apps for communication.

The above description of end-to-end encryption is simplified and illustrates the fundamental principle behind it in theory, but in practice it is a lot more complex than that. There are many encryption standards out there, but you really do not want to go deeper.

You would rather think about the question that is surely on your mind now: do I need encryption? Well, not always, but yes, you do. Probably we need encryption less often than we do. It depends on what you transfer in your personal communication. If you have things to hide, then you will be thankful for the existence of end-to-end encryption. I personally don't find it important for my WhatsApp and other IM apps, which only include chats with friends and family. Who would care to spy on us while there are a billion other people talking? However, we all need it when doing banking or e-commerce transactions online. But then, you know, you don't get to choose. Encryption occurs without you knowing, and most people don't know and don't care when their data is encrypted.