If end-to-end encryption were mandatory

While countries such as Australia and Germany continued to seek ways to undermine encryption in 2017, the EU still promotes it. In the summer, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) released a draft proposal that would make end-to-end encryption mandatory in digital communications, ban encryption backdoors, and add online privacy to the EU Charter of Fundamental Rights.

There is no guarantee that this proposal will survive the EU’s decision-making machinery, but it is the most ambitious regulatory attempt to date to protect digital privacy and security. If approved, this regulation could trigger a technology overhaul, which raises a few questions: How would mandatory end-to-end encryption transform today’s technology landscape and services? What would the consequences be for the companies that develop the tools and the people who use them?

To mark one of the few positive cybersecurity events of 2017, here is an end-of-year thought experiment.

1. First, a step back in usability and features

If we imagine what the experience would be like, it would probably resemble what happened when smartphones appeared. As with every new technology, a period of adjustment was needed, and looking back, a few things were less than ideal. You can probably remember how cumbersome browsing was, since the original desktop web experience was not optimized for smaller screens. Mobile applications had fewer functions, and features available on the desktop often would not work on smartphones.

With time and widespread adoption, device performance grew and the mobile market matured, which resulted in an improved user experience. Still, smartphones didn’t replace desktops. Instead, a new market was created, and with it came new use cases, services, and standards.

Similarly, if end-to-end encryption became mandatory in communications apps, it’s very possible we’d lose some of the basic features we use every day. In the beginning, end-to-end encryption for privacy protection would take a toll on features such as quick search within the content of files or messages, smooth profile connections to social media, handy recommendations from algorithms that use the data we provide, and fast, unlimited uploads (encrypting on the device adds work before data leaves it, and a server that holds only ciphertext can no longer deduplicate identical files across users).

Many of these features require the server to process the data, which is exactly what end-to-end encryption prevents. In end-to-end encryption, the keys stay on the users’ devices and only ciphertext reaches the servers, making server-side processing of the content difficult if not impossible with today’s technology.
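To make the search problem concrete, here is an added example (not code from the original post): a server that stores only ciphertext cannot find a keyword by scanning what it holds, and the client has to get search back by building a keyed index of keyword tokens on the device. The `Server` and `Client` classes, the HMAC-SHA256 counter-mode stream cipher standing in for a real authenticated cipher such as AES-GCM, and the sample messages are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Illustrative stand-in for a real cipher: HMAC-SHA256 in counter mode as a
# PRF-based stream cipher (no authentication; a production client would use
# AES-GCM or ChaCha20-Poly1305).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)            # fresh per message; never reuse with a key
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def keyword_token(index_key: bytes, word: str) -> bytes:
    """Deterministic per-keyword token ("blind index"): the server can compare
    tokens for equality but cannot recover the word without index_key."""
    return hmac.new(index_key, word.lower().encode(), hashlib.sha256).digest()

class Server:
    """Holds only ciphertext and opaque tokens; it never sees keys or plaintext."""
    def __init__(self):
        self.store = {}                        # message id -> (ciphertext, token set)

    def put(self, msg_id: int, ciphertext: bytes, tokens) -> None:
        self.store[msg_id] = (ciphertext, set(tokens))

    def search_plaintext(self, word: str):
        # The old server-side search: scan stored bytes for the word.
        # Against ciphertext this finds nothing.
        return [mid for mid, (ct, _) in self.store.items() if word.encode() in ct]

    def search_token(self, token: bytes):
        return [mid for mid, (_, toks) in self.store.items() if token in toks]

    def get(self, msg_id: int) -> bytes:
        return self.store[msg_id][0]

class Client:
    def __init__(self, server: Server):
        self.server = server
        self.enc_key = secrets.token_bytes(32)   # both keys stay on the device
        self.idx_key = secrets.token_bytes(32)

    def send(self, msg_id: int, text: str) -> None:
        tokens = {keyword_token(self.idx_key, w) for w in text.split()}
        self.server.put(msg_id, encrypt(self.enc_key, text.encode()), tokens)

    def search(self, word: str):
        ids = self.server.search_token(keyword_token(self.idx_key, word))
        return sorted(decrypt(self.enc_key, self.server.get(i)).decode() for i in ids)

def demo():
    """Returns (server's plaintext scan hits, client's token search hits)."""
    server = Server()
    client = Client(server)
    # Constructed sample messages.
    client.send(1, "invoice for march attached")
    client.send(2, "lunch on friday?")
    client.send(3, "second invoice reminder")
    return server.search_plaintext("invoice"), client.search("invoice")

if __name__ == "__main__":
    print(demo())
```

The trade-off a practitioner should see here: the server regains equality search only because the tokens are deterministic, so it learns which messages share a keyword and when the same query repeats (search and access pattern leakage), and the client pays for tokenizing every message. That is the kind of feature-versus-privacy tension the paragraph above describes.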

2. Loss of functions sparks innovation

Alongside the difficulties of the adaptation process, a strong regulatory push towards end-to-end encryption would further boost research on privacy-first technologies that can solve the above challenges. One of these technologies is homomorphic encryption, which allows computations to be performed on encrypted data without decrypting it. This means that companies could run operations such as database searches or data analytics on the encrypted data they store on their servers without ever accessing the content. Using homomorphic encryption could help developers provide users with the indexing and search features they currently enjoy while still meeting the requirement of being end-to-end encrypted. Partially homomorphic schemes, which support a single operation such as addition over ciphertexts, have existed for decades; fully homomorphic encryption, which supports arbitrary computation, was first constructed by IBM researcher Craig Gentry in 2009 and is still largely impractical because of its computational cost on today’s hardware. However, research on how to make it feasible in commercial applications is already progressing, and regulation could further accelerate it.
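As an added example (not code from the original post), here is the additively homomorphic Paillier cryptosystem in a few dozen lines: a server holding only ciphertexts can add them up, and only the key holder can decrypt the total. The two primes are toy-sized and hard-coded for readability, which is an assumption of this example; real keys use freshly generated primes of 1024 bits or more.

```python
import functools
import math
import secrets

# Toy-sized, hard-coded primes (assumption of this example, not a real key).
P = 1_000_000_007
Q = 1_000_000_009
N = P * Q                                            # public modulus; plaintexts in [0, N)
N_SQ = N * N
G = N + 1                                            # standard generator: G^m = 1 + m*N (mod N^2)
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)    # private: lcm(P-1, Q-1)
MU = pow((pow(G, LAM, N_SQ) - 1) // N, -1, N)        # private: decryption constant

def encrypt(m: int) -> int:
    """Enc(m) = G^m * r^N mod N^2 with a fresh random r, so equal plaintexts
    give different ciphertexts."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(N - 1) + 1             # blinding factor coprime to N
        if math.gcd(r, N) == 1:
            break
    return (pow(G, m, N_SQ) * pow(r, N, N_SQ)) % N_SQ

def decrypt(c: int) -> int:
    """Dec(c) = L(c^LAM mod N^2) * MU mod N, where L(x) = (x - 1) / N."""
    x = pow(c, LAM, N_SQ)
    return ((x - 1) // N * MU) % N

def add(c1: int, c2: int) -> int:
    """Enc(a) * Enc(b) mod N^2 decrypts to a + b; no key is needed."""
    return (c1 * c2) % N_SQ

def mul_const(c: int, k: int) -> int:
    """Enc(a)^k mod N^2 decrypts to k * a (mod N); no key is needed."""
    return pow(c, k, N_SQ)

def server_sum(ciphertexts) -> int:
    """What an untrusted server can do: total a column it cannot read."""
    return functools.reduce(add, ciphertexts)

if __name__ == "__main__":
    # Constructed sample data: clients upload encrypted monthly amounts.
    amounts = [3000, 4500, 5200]
    uploaded = [encrypt(a) for a in amounts]         # happens on each device
    encrypted_total = server_sum(uploaded)           # happens on the server, blind
    print("server-side total decrypts to", decrypt(encrypted_total))   # key holder only
```

Addition is the only operation this scheme supports, which is exactly why the paragraph above calls fully homomorphic encryption a research problem: searching or running analytics over ciphertext in general needs multiplication and comparison as well, and those are where the cost explodes.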

While homomorphic encryption would allow operations on encrypted data, another next-generation technology, differential privacy, aims to solve the collection and analysis of user data in a privacy-friendly way. Although not yet adopted on a large scale, Google and Apple have already implemented it in some projects. Differential privacy is a mathematical guarantee rather than a single algorithm: it bounds how much any one individual’s record can change the output of an analysis, typically by adding calibrated noise, either to the answers of aggregate queries over a database or, in the local variant Google and Apple use, to each user’s data before it leaves the device. Population-level statistics stay accurate while no individual’s contribution can be singled out.

In practice, differential privacy could help in collecting user-generated data for UX research, harvesting training data for machine learning algorithms such as those used in healthcare research, and feeding the recommendation algorithms popular in consumer apps, all while respecting the privacy of users.
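As an added example (not code from the original post), the two differential-privacy mechanisms just described, run on constructed data: the central Laplace mechanism, where a trusted curator holds raw records and adds noise to a counting query, and randomized response, the local mechanism in which each user perturbs their own answer before it leaves the device (the building block that Google’s RAPPOR extends). The epsilon values, population size and true fraction are illustrative assumptions.

```python
import math
import random

def laplace_count(true_count: int, epsilon: float, rng=None) -> float:
    """Central model: answer a counting query with Laplace(0, 1/epsilon) noise.
    A count has sensitivity 1 (one person changes it by at most 1), so this
    scale gives epsilon-differential privacy for the released answer."""
    if rng is None:
        rng = random.Random()
    # The difference of two exponentials with mean 1/epsilon is Laplace(0, 1/epsilon).
    noise = rng.expovariate(epsilon) - rng.expovariate(epsilon)
    return true_count + noise

def randomized_response(true_bit: int, rng: random.Random) -> int:
    """Local model: coin 1 heads -> report the truth; tails -> report coin 2.
    P(report=1 | bit=1) = 3/4 and P(report=1 | bit=0) = 1/4, so every
    individual report is ln(3)-differentially private: any single answer
    is plausibly the coin's, not the user's."""
    if rng.random() < 0.5:
        return true_bit
    return 1 if rng.random() < 0.5 else 0

RR_EPSILON = math.log(3)   # ln(P(1|1) / P(1|0)) = ln((3/4) / (1/4))

def estimate_fraction(reports) -> float:
    """Debias the aggregate: E[report] = 0.75*f + 0.25*(1-f) = 0.5*f + 0.25,
    hence f = 2 * (mean - 0.25). Individual reports stay noisy; the
    population estimate converges as the number of users grows."""
    mean = sum(reports) / len(reports)
    return 2 * (mean - 0.25)

def simulate(n_users: int, true_fraction: float, seed: int):
    """Constructed population: each user holds one sensitive bit (e.g. 'uses
    feature X'). Returns (true fraction, fraction estimated from noisy reports)."""
    rng = random.Random(seed)
    bits = [1 if rng.random() < true_fraction else 0 for _ in range(n_users)]
    reports = [randomized_response(b, rng) for b in bits]   # all the server ever sees
    return sum(bits) / n_users, estimate_fraction(reports)

if __name__ == "__main__":
    truth, est = simulate(50_000, 0.3, seed=1)
    print(f"true fraction {truth:.4f}, estimate from noisy reports {est:.4f}")
    print("noisy count for 1000 matching records:", laplace_count(1000, 0.5))
```

The design point worth noticing: in the local model the raw bits never leave the devices, which is the only variant compatible with mandatory end-to-end encryption, and the price is statistical, not cryptographic: the estimate's error shrinks only with the square root of the number of users, so small user bases get noisy answers.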

Whether we see widespread use of homomorphic encryption or differential privacy, switching to end-to-end encryption would push more computation to the client side, that is, directly onto your smartphone or laptop instead of large data centers with huge computing capacity, which would require an even bigger increase in the computing power of devices.

3. Higher barrier to entry to app development

Integrating proper end-to-end encryption is not easy. From the developers’ point of view, a change like this would mean writing more complex applications on the client side (key management, client-side encryption and indexing), which in turn would make app development more expensive. At first, this could slow down the proliferation of mobile apps and lead to further centralization of the communications apps market. Currently, services like Facebook, WhatsApp, and Google have billions of users. Given that user data already provides them unimaginable power, more market share for them doesn’t sound that promising from a privacy point of view.

However, just as mobile app development frameworks and tools arose, a new market for cryptographic development tooling would slowly appear, helping companies write secure code and integrate end-to-end encryption into their applications. A regulation like this would also create even more demand for cybersecurity skills and knowledge from developers, boosting cryptography and cybersecurity education.

4. Change in business models that build on selling user data

It is widely known that if you use free services you are not the customer; you are the product and the asset of those free providers. It is a common business model, too. Some do this quite openly and provide opt-out features to at least a certain extent (see Facebook). Others use shady techniques to sell user data to third parties (see some browser extension scandals). With mandatory end-to-end encryption, this business model would no longer be viable. I’m not prophesying the end of social media like Facebook or Twitter, as they build on people’s willingness to voluntarily share their often most intimate life events, preferences, and thoughts with others.

Privacy doesn’t mean keeping everything hidden from others. It means that you make an educated and conscious decision about what you want to share, and with whom. End-to-end encryption is an ideal technology to make this happen for real: it protects your data from third-party access and keeps the keys on your side, far away from servers where others could get access to it. But it doesn’t mean you are unable to share your data on purpose with those you wish.

On the contrary, with encryption you can simply decide who can access your data while excluding all third parties by default. If end-to-end encryption were mandatory, you could still voluntarily share data with advertisers and third parties. If your explicit, opt-in “yes” were needed before anyone could access your data, you would be exercising your right to privacy. Consequently, switching to end-to-end encryption would turn business models that rely on opt-out consent upside down, and these companies would need to come up with new ways to generate revenue.

5. More control for the people but more awareness needed

In a world where end-to-end encryption is mandatory, people would certainly have greater control over their data. However, this wouldn’t mean that they would immediately be able to turn this to their advantage. To use an analogy: if you drive a car, your life can depend on whether you have fastened your seatbelt. That decision gives you control over your life. However, we still need police checks and fines to make sure people use it. With something far less tangible than your life, namely your data, deciding who has access seems less pressing. Slowly but surely, cybersecurity awareness would rise though, especially with more education and campaigns.

Conclusion: What’s next?

Although this all might sound like a thought experiment or a sci-fi scenario, it is much closer than we think. Services whose mission is to provide privacy have been proliferating. Regulations that introduce strict data protection are coming soon. To return to the example of seatbelts: remember that in the beginning, they were just a premium feature in expensive cars. Nowadays, you cannot buy a car without one. By trickling down to low-end vehicles, the seatbelt became a de facto standard, and after that, a de jure standard. We might be on the same track with securing our digital lives.
