Over the last few years, the adoption of true end-to-end encryption (e2ee) has grown enormously. Even before the pandemic, individuals and business users alike were taking steps to increase their data security. Based on the significant cybersecurity challenges that surfaced in 2021, there is no reason to believe this will change. However, this trend naturally leads to increased regulatory activity regarding encryption, including a few troubling ideas.
Tresorit remains at the forefront of the effort to ensure everyone’s right to privacy and digital security. This right is shared by individuals, activists, NGOs, and enterprises alike. What will 2022 bring? Here are my predictions.
Cybersecurity in 2022
Supply chain and ransomware attacks dominated the last months of 2020 and 2021. Just think of the havoc caused by the log4j vulnerability uncovered in December, with even the patches having to be patched. Companies build their digital infrastructure from tools provided by several different partners, and the integrations between those tools are where vulnerabilities tend to appear. As a result, suppliers will have to work together closely to ensure that all integrations are safe. This will push the SaaS industry towards deeper collaboration on several cybersecurity issues. After all, the entire infrastructure is only as strong as its weakest link.
In parallel with these industry efforts, stricter data protection regulation will continue to roll out globally, and the fines for infractions will increase. Several industry-specific standards and regulations that require, or will require, e2ee are already surfacing. Still, data breaches will continue to happen simply due to the nature of the data-driven economy we live in.
Nevertheless, we are glad to see that enterprises are increasingly recognizing e2ee as the most viable option to increase data security within their organizations. Coupled with more secure integrations and an accelerating shift to zero-trust networks, e2ee can lead to a more secure digital world.
Turbulent waters ahead for encryption?
As the adoption of e2ee increases, many countries are raising concerns about the security implications of the technology. The zero-knowledge, client-side encryption we at Tresorit call true end-to-end encryption means that the encryption keys stay with the user, so the service provider cannot access the encrypted content within its own service. As a result, providers can't hand that content over to law enforcement even when the data is requested through a lawful court process. (See our Transparency Report for how we handle those requests.)
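The property described above, that a provider storing end-to-end encrypted data can only ever hand over ciphertext, is easier to reason about with a concrete flow in front of you. The following Python script is an added illustration written for this article, not Tresorit's own client code. It assumes a constructed passphrase, salt and document, uses only the standard library, and therefore builds its cipher from HMAC-SHA256 (a counter-mode keystream with an encrypt-then-MAC tag) rather than the AEAD a production client would use; the point is where the key lives, not the cipher itself.

```python
import hashlib
import hmac
import secrets

# Added demonstration of a zero-knowledge, client-side encryption flow.
# The cipher (HMAC-SHA256 counter-mode keystream + encrypt-then-MAC tag) is an
# illustrative stand-in chosen because it needs only the standard library; a real
# client would use an established AEAD such as AES-GCM or XChaCha20-Poly1305.

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive the 32-byte master key on the client. Neither the passphrase nor
    the derived key is ever sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Runs on the client. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def client_decrypt(key: bytes, blob: bytes) -> bytes:
    """Runs on the client. Verifies the tag before decrypting, so a wrong key or
    a modified blob is rejected rather than yielding garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class StorageServer:
    """Models the provider: it stores opaque blobs and holds no keys at all."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}

    def upload(self, path: str, blob: bytes) -> None:
        self.blobs[path] = blob

    def download(self, path: str) -> bytes:
        return self.blobs[path]

    def respond_to_data_request(self, path: str) -> bytes:
        # Everything the provider can produce for a lawful request is the
        # ciphertext it stores; it has no key material to decrypt it with.
        return self.blobs[path]


def decrypt_succeeds(key: bytes, blob: bytes) -> bool:
    try:
        client_decrypt(key, blob)
        return True
    except ValueError:
        return False


def demo() -> dict[str, bool]:
    """End-to-end walk-through with constructed sample data."""
    server = StorageServer()
    salt = b"constructed-salt-value"            # constructed, per-user salt
    key = derive_key("constructed passphrase", salt)
    plaintext = b"Q3 board minutes (constructed sample document)"

    server.upload("minutes.txt", client_encrypt(key, plaintext))
    handed_over = server.respond_to_data_request("minutes.txt")
    tampered = handed_over[:NONCE_LEN] + bytes([handed_over[NONCE_LEN] ^ 0x01]) + handed_over[NONCE_LEN + 1:]

    return {
        "provider_holds_plaintext": plaintext in handed_over,
        "client_roundtrip_ok": client_decrypt(key, server.download("minutes.txt")) == plaintext,
        "wrong_key_rejected": not decrypt_succeeds(derive_key("other passphrase", salt), handed_over),
        "tampered_blob_rejected": not decrypt_succeeds(key, tampered),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `StorageServer` class never receives `key`; the only way to recover `plaintext` is to run `client_decrypt` with the key derived on the client. That is exactly why a provider built this way cannot comply with a content request, and also why the tag check matters: it turns "wrong key" and "modified blob" into explicit failures instead of silently decrypted garbage.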
In the best cases, this is a conflict between rights: everyone has a right to privacy and a right to safety. Governments are tasked with ensuring public safety. For centuries, people have accepted that this can sometimes mean limits on how they lead their lives. However, the world is not a list of best-case scenarios. State-funded digital surveillance under autocratic regimes and the blanket surveillance of millions based on questionable court orders are two examples of why people are increasingly turning to e2ee solutions.
Still, this doesn't change a state's responsibility to ensure safety and uphold the law. As a result, some countries and regions, notably the EU and UK, are considering enforcing access to encrypted content through compulsory backdoors. The UK's Online Harms Bill is vocal about its aim to prevent companies from offering e2ee services to children, claiming that e2ee prevents authorities from protecting children from online sexual abuse. How the bill progresses through the legislative process will be interesting to watch in 2022. However, as we've stressed several times, a backdoor can be exploited by anyone, not only the state: there is no key or access path that only the intended party can use. A single backdoor will compromise an entire service.
Thus, the providers of end-to-end encrypted services must work to find ways to balance the need for lawful, limited, and targeted access to encrypted information against individuals' right to privacy. Ensuring users can report abuse and misuse of the service is only the first step (read about how companies are already doing this in this excellent paper by Riana Pfefferkorn). The regulatory pushback against e2ee is a major factor in the future of the technology, and understandable in a few cases. As a result, e2ee service providers must come up with ways to ensure safety while making minimal sacrifices to user privacy. And as Apple learned the hard way last year, coming up with privacy-respecting solutions to this challenge is no easy feat.
End-to-end encryption remains the way forward
Despite these challenges, it's evident that end-to-end encryption is the way forward. After gaining popularity among private users, especially in messaging, it's now becoming a requirement in the business world. Even Microsoft Teams has offered end-to-end encryption since 2021. Hopefully, this positive trend will continue beyond communication solutions to include the wide range of tools and services used by businesses. For example, will we ever see enterprise SaaS services such as Salesforce roll out true e2ee support?
We also see several companies from highly regulated industries migrating to the cloud. Falling under requirements such as TISAX, BaFin, FINRA, and ITAR, these enterprises need end-to-end encrypted services for this transition. Moving from on-premises technology to cloud solutions is a major security risk for them. However, they also realize the need to migrate and see e2ee as the only viable security option for their use case, as several of these standards specify.
Naturally, this will feed into the trends above, influencing not only broader cybersecurity trends connected to encryption but the regulatory framework that forms around it in the coming years.
A lot is uncertain, and as the world continues to grapple with the pandemic, remote work is here to stay in the long term. But I know Tresorit will continue to empower everyone to take back control of their digital values in 2022 and beyond. We look forward to helping enterprises, businesses, and individuals alike secure their digital lives.