WebProNews

Tag: E2EE

  • Apple Adding End-to-End Encryption to iCloud, FBI Predictably Objects

    Apple is finally adding a major feature to iCloud, upgrading its security to include end-to-end encryption (E2EE).

    iCloud has always included strong encryption, labeled “Data Protection,” but it did not offer E2EE, meaning Apple ultimately held the key to unlocking users’ data. Apple reportedly investigated the possibility of adding E2EE years ago, but abandoned plans in response to FBI objections.

    The company has now announced plans to roll out full E2EE for iCloud under its “Advanced Data Protection.”

    “Apple makes the most secure mobile devices on the market. And now, we are building on that powerful foundation,” said Ivan Krstić, Apple’s head of Security Engineering and Architecture. “Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.”

    Advanced Data Protection is already available to Apple Beta Software Program members and will be available to all users in the US by year’s end. The feature will make its way to worldwide customers in early 2023.

    Not surprisingly, the FBI is renewing its objection, saying it was “deeply concerned with the threat end-to-end and user-only-access encryption pose.”

    “This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism,” the bureau said in an emailed statement to The Washington Post. “In this age of cybersecurity and demands for ‘security by design,’ the FBI and law enforcement partners need ‘lawful access by design.’”

    Despite the FBI’s concerns, many other organizations are praising Apple.

    “We applaud Apple for listening to experts, child advocates, and users who want to protect their most sensitive data,” writes the Electronic Frontier Foundation. “Encryption is one of the most important tools we have for maintaining privacy and security online. That’s why we included the demand that Apple let users encrypt iCloud backups in the Fix It Already campaign that we launched in 2019.”

  • Twitter May Roll Out End-to-End Encryption for Direct Messages

    Twitter is the latest platform interested in end-to-end encryption (E2EE), reportedly looking to roll it out for Direct Messages.

    E2EE is a common feature in most major communication apps, such as Signal, WhatsApp, iMessage, and Google’s RCS messages. E2EE protects communications, ensuring only the sender and recipient can read them.

    According to BGR, Twitter is working to implement E2EE in Direct Messages. While the company originally began working on the feature in 2018, it never actually implemented it.

    The renewed interest in E2EE was uncovered by Jane Manchun Wong, a well-known app researcher. Wong discovered references to the feature in code for the Android Twitter client. Interestingly, Elon Musk replied to Wong’s tweet with a winking emoji.

    There’s no official word on the feature, and certainly no release date, but E2EE will be a welcome upgrade whenever it debuts.

  • Experts Warn the EU’s DMA Will Break Encryption

    Another day, another attack on encryption, with security experts warning the EU’s DMA legislation will likely break, or severely weaken, encryption.

    The EU unveiled the Digital Markets Act (DMA) as its latest effort to crack down on Big Tech. In addition to severe fines, and even possible breakups, of companies that fail to abide by the legislation, the DMA calls for “gatekeeper companies” to make their services interoperable with smaller rivals.

    Messaging, in particular, is one of the most obvious areas impacted by this clause, with services like WhatsApp, Facebook Messenger, and Apple’s iMessage likely forced to open up and work with competitors. Unfortunately, since all of these services provide end-to-end encryption (E2EE), experts warn there is no easy way for the services to work with each other and still maintain the level of security and privacy they currently offer.

    In speaking with The Verge, one expert used a very low-tech example to illustrate the issues, especially with compatibility and accountability between various services.

    “If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you,” Alec Muffett, former Facebook engineer and internet security expert, said. “What happens when the requested sushi arrives by courier at McDonald’s from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?”

    Similar questions plague potential implementation of the DMA. How will messages be securely sent across various platforms? If two different services use two different types of encryption, which company will modify its service to be compatible with the other? Will services opt to simply drop encryption when sending messages across services? Or will companies adopt some method of decrypting and re-encrypting as the message is passed from one service to another, making the communication vulnerable to interception, and thereby compromising privacy and security?

    Unfortunately, as has been stated time and time again, the encryption protocols people, companies, and governments rely on for privacy and security are not created, managed, or dictated by policies. They are, instead, bound and constrained by basic mathematics.

    Unfortunately for privacy and security, the mathematics of the DMA don’t quite add up.

  • UK Government Planning Full Media Assault on End-to-End Encryption

    The UK government has hired a high-powered ad agency for a full-fledged assault on end-to-end encryption (E2EE).

    The UK government has long been opposed to E2EE. Despite the importance of E2EE in virtually every aspect of digital life, critics fault it for making it harder to catch criminals. Politicians in the US, the UK, and other countries often call for encryption backdoors to be created, seemingly oblivious to the mathematical impossibility of simultaneously having strong encryption that protects government officials, journalists, civil rights activists, and everyday users, while also providing authorities with a backdoor.

    According to Rolling Stone, the UK’s latest effort involves an appeal to the public, portraying E2EE as an impediment to protecting children online and preventing child exploitation. This particular argument is one of the most commonly used, since everyone agrees with the importance of protecting children.

    Unfortunately, using the ‘protect the children’ argument often results in actions that undermine the safety of the very children it purports to protect. As a result, industry experts are calling the UK’s proposal “scaremongering.”

    “The Home Office’s scaremongering campaign is as disingenuous as it is dangerous,” Robin Wilton, director of Internet Trust at the Internet Society, told Rolling Stone. “Without strong encryption, children are more vulnerable online than ever. Encryption protects personal safety and national security … what the government is proposing puts everyone at risk.”

    It seems the Home Office’s immediate target is WhatsApp, and its plans to extend E2EE. Should it succeed in its plans, however, it’s a safe bet E2EE in all its uses, and any platform that uses it, will be the next target.

  • Germany May Block Telegram Over Hate Speech

    Germany is looking to address hate speech on the Telegram messaging platform, even leaving open the possibility of banning the service.

    Telegram is a messaging service that offers end-to-end encryption (E2EE), making it a prime competitor to WhatsApp and Signal. In addition to E2EE, the app has strong support for groups, making it as much a chat platform as a messaging platform.

    As with all E2EE services, some use Telegram for illegal and unwanted behavior. Germany has been struggling with far-right groups, something the country is especially sensitive to, given its past.

    In response, Interior Minister Nancy Faeser left open the possibility of banning the app in statements to Die Zeit, via The Independent:

    “We cannot rule this out,” she said. “A shutdown would be grave and clearly a last resort. All other options must be exhausted first.”

  • End-to-End Encryption Comes to Microsoft Teams One-to-One Calls

    Microsoft has rolled out end-to-end encryption (E2EE) to one-to-one calls in Microsoft Teams.

    E2EE is considered the gold standard for messaging and communication, as it encrypts the messages so that only the sender and recipient can view them. Not even the service provider can access the information.

    Microsoft announced the rollout in a blog post. The change significantly improves the privacy and security of one-on-one calls.

    In October, we announced the public preview of end-to-end encryption (E2EE) support for Microsoft Teams calls. Today, we are happy to announce that E2EE for Teams calls is now generally available. IT admins will have the option to enable and control the feature for their organization once the update has been received.

  • Facebook Rolling Out End-to-End Encryption in Messenger

    Facebook has started rolling out end-to-end encryption (E2EE) across Messenger, continuing its efforts to bring E2EE across its platforms.

    E2EE is the gold standard in secure communications, encrypting data so that only the sender and recipient can read the messages. WhatsApp already included E2EE for messaging, and recently rolled it out for chat backups.

    The company is now implementing E2EE across Messenger. CEO Mark Zuckerberg made the announcement in a Facebook post.

    End-to-end encrypted voice and video calls are now rolling out on Messenger, and we’re introducing opt-in end-to-end encryption for group chats and group audio and video calls too. I’m proud that we continue to extend encryption across more services.

  • Messenger Calls and Instagram DMs Get End-to-End Encryption

    Facebook has added major security features to Messenger calls, as well as Instagram DMs, upgrading both with end-to-end encryption (E2EE).

    E2EE is a form of encryption that secures communication in such a way that only the participants can access the conversation. Even the software or service provider is unable to decrypt the communication.

    While Messenger has supported E2EE in one-on-one text chats since 2016, Facebook is now rolling it out — on an opt-in basis — to audio and video calls in Messenger.

    Disappearing messages are also getting an upgrade, with more fine-tuned controls over how long the timer lasts, from 5 seconds to 24 hours, before a message disappears.

    Similarly, the company is testing opt-in E2EE DMs in Instagram. The test is fairly limited, with only adults in certain countries able to participate.

    The upgrades are good news for Messenger and Instagram users, adding an extra layer of protection and security.

  • AWS Acquires Secure Messaging Service Wickr

    AWS has acquired Wickr, one of the most secure end-to-end encrypted communication services.

    AWS is one of the leading cloud providers for government contracts, and is cleared to provide cloud services for sensitive information. As such, it’s somewhat surprising the company hasn’t had a widely adopted communication platform to complement its cloud services. It does have Chime, but that’s very much a niche product.

    Bringing Wickr into the fold will help AWS round out its offerings, and could be an important factor in its government contracts.

    “Today, public sector customers use Wickr for a diverse range of missions, from securely communicating with office-based employees to providing service members at the tactical edge with encrypted communications,” writes Steve Schmidt, Vice President and Chief Information Security Officer. “Enterprise customers use Wickr to keep communications between employees and business partners private, while remaining compliant with regulatory requirements.”

    Schmidt says existing Wickr customers will continue to use the service as they currently do, while AWS is making it available to its other customers immediately.

  • Google Rolling Out End-to-End Encryption in Messages

    At long last, Google is rolling out end-to-end encryption (E2EE) in its Android Messages app.

    Android messaging has lagged behind Apple iMessage for some time. In most ways, Android messaging has been little better than standard text messages. In contrast, Apple iMessage has offered read receipts, group administration, E2EE, sending files and more.

    Google has been working to move Android Messages to the RCS standard, which is far more comparable to iMessage. After waiting for carriers to adopt the updated standard, Google finally took matters into its own hands and started implementing it in Android. RCS was available globally in November 2020, but E2EE wasn’t included initially.

    The company is now rolling out E2EE, although with some caveats. Needless to say, both parties must have RCS enabled in order to benefit. In addition, E2EE only works for one-on-one conversations, not group messages.

    While still not as comprehensive as iMessage, the improvements in Google’s Messages will be a welcome upgrade for users.

  • Zoom End-to-End Encryption Rolling Out Next Week

    Zoom has announced it will be rolling out end-to-end encryption (E2EE) beginning next week.

    Zoom quickly became the de facto standard for remote work and distance learning during the coronavirus pandemic. Unfortunately, the company made a number of security missteps early on, leading to a 90-day moratorium on new features as the company focused on security.

    One of those issues revolved around E2EE. The company’s early marketing made it appear as if it offered E2EE when, in fact, it did not. The company later announced definitive plans to implement E2EE, although only for paid accounts. After feedback and criticism, the company reversed course, announcing its intention to bring E2EE to all users.

    Those plans are coming to fruition, with the company implementing the first phase of its E2EE plans next week:

    We’re excited to announce that starting next week, Zoom’s end-to-end encryption (E2EE) offering will be available as a technical preview, which means we’re proactively soliciting feedback from users for the first 30 days. Zoom users – free and paid – around the world can host up to 200 participants in an E2EE meeting on Zoom, providing increased privacy and security for your Zoom sessions.

    CEO Eric S. Yuan highlighted the benefits of E2EE, both to customers and the Zoom platform:

    End-to-end encryption is another stride toward making Zoom the most secure communications platform in the world. This phase of our E2EE offering provides the same security as existing end-to-end-encrypted messaging platforms, but with the video quality and scale that has made Zoom the communications solution of choice for hundreds of millions of people and the world’s largest enterprises.

    Once enabled, users will know their meetings are encrypted with E2EE by looking at the green shield icon in the upper left corner. The normal checkmark, indicating GCM encryption, will be replaced by a padlock.

  • Senators Introduce Legislation Attacking Encryption

    Another day, another attack on the encryption standards that protect every single person using the internet and computing devices.

    Senators Lindsey Graham, Tom Cotton and Marsha Blackburn introduced the Lawful Access to Encrypted Data Act in a bid “to bolster national security interests and better protect communities.”

    It’s hard to tell whether the authors are trying to attack encryption, or if they simply don’t understand how it works…or both. Either way, the result is the same: This legislation will gut the end-to-end encryption (E2EE) billions of people rely on.

    Case in point:

    “After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans,” says Graham.

    Similarly:

    “This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet,” said Cotton.

    The announcement specifically states:

    “Encryption is vital to securing user communications, data storage, and financial transactions. Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of ‘warrant-proof’ encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.”

    These statements ignore some of the basic facts involved in the encryption debate. Let’s break this down.

    1. All of the above statements place a great deal of emphasis on a warrant. The encryption debate has never been about tech companies’ willingness or unwillingness to abide by a warrant. The issue, plain and simple, is that you cannot have strong encryption that has backdoors. Experts have been warning about the dangers of weakening encryption for years. They’ve done so repeatedly, in countless places too numerous to list.

      Ultimately, this is not a case where these senators can ‘have their cake and eat it too.’ Either everyone has strong encryption that protects them, or no one does. Even these senators rely on encryption to conduct their business. Signal is widely considered to be the most secure messaging app on the planet, in large part because of the type of encryption this legislation targets. It is so secure that the Senate specifically encourages Senate staff to use Signal.

      Yet this legislation is so dangerous to the very type of encryption that Signal relies on that the company has already warned that, if it passes, Signal will likely stop being available in the US altogether.

      Again, either everyone has strong encryption or no one does…including the senators targeting encryption.

    2. The legislation wrongly asserts that companies fail to cooperate with law enforcement, “even when criminal activity is clearly taking place.” Again, this is not a matter of intentionally failing to cooperate; it is a technical impossibility.

      Companies simply cannot create strong encryption that can simultaneously be accessed at will, either by the company, law enforcement or anyone else. In many cases, such as Apple, companies cooperate as much as they possibly can, but they cannot change the laws of physics.

    3. The assertion that “‘warrant-proof’ encryption adds little to the security of the communications of the ordinary user” ignores how the technology is frequently used by the “ordinary user.” The fact is, E2EE protects private communication, securing text messages, video chats, emails and voice calls, ensuring people can communicate without fear.

      Businesses rely on E2EE on a daily basis to ensure they can freely discuss internal matters without fear of corporate eavesdropping and espionage. Victims of abuse often rely on these services to communicate with loved ones without their abuser being able to find them. Journalists and activists in areas ruled by oppressive regimes rely on E2EE for their very lives.

    The announcement cites several examples where E2EE thwarted attempts by law enforcement. While true, the question remains: How is that different from any other technology?

    One example encryption proponents cite is shredder manufacturers. Do these companies have to create shredders that reconstitute a document just because some bad actors use paper shredders to cover their tracks? Of course not. While some do use shredders to cover illegal activity, the vast majority of individuals use them for perfectly legal reasons.

    The same is true of E2EE. There will always be those who use any technology for illegal, immoral and unethical reasons. The vast majority, however, will use it as it was intended, for perfectly legal activity.

    If passed, however, this new legislation will punish the whole on behalf of the few.

  • Zoom Charts Path Toward End-to-End Encryption For All Users

    Zoom is adding end-to-end encryption (E2EE) for all users, reversing a decision made just weeks ago to reserve the highest security for paid plans.

    Zoom has been in hot water more than once in recent months over its encryption claims and policies. Originally, the company’s marketing led customers to believe it provided E2EE when it did not. Once the company finally rolled out the upgraded encryption, it said it would only be for paid subscribers.

    The rationale for the decision was that free plans were more likely to be used for illegal activities, and the company wanted to be able to work with the FBI and local law enforcement. Needless to say, the stand was not a popular one.

    It appears the company has changed direction, and charted what it believes will be a compromise solution that will allow it to offer E2EE to free users.

    “To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” writes CEO Eric S. Yuan. “Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”

    The move is a measured solution that will likely satisfy most critics.