End-to-End Encryption – Is Your Data Safe from Big Tech?

In today‘s hyperconnected digital world, we share vast amounts of personal information through online messaging apps owned by big tech companies with abysmal track records on privacy. While most popular messaging apps like WhatsApp, iMessage and Signal now implement "end-to-end encryption" (E2EE) that is promoted as protecting your private messages from prying eyes, a closer look reveals that your most intimate data may not be as safe as you‘d think from the big tech panopticon. Let‘s dive into the details of how E2EE works, what it does and doesn‘t protect, and alternatives for more privacy-conscious users.

What is End-to-End Encryption?

End-to-end encryption is a system where only the communicating users can read the messages. The goal is for messaging providers to not be able to decrypt the data being communicated, thus preventing them from unauthorized access to user messages. When you send a message, it is encrypted before leaving your device and isn‘t decrypted until it reaches the recipient‘s device. The messaging service and other third parties should ideally have no way to access the content of these end-to-end encrypted messages.

Here‘s a simplified overview of how E2EE works:

1. Alice and Bob want to exchange encrypted messages via a messaging app.
2. The app generates a public-private key pair for Alice and Bob and securely exchanges the public keys.
3. When Alice sends a message to Bob, the app uses Bob‘s public key to encrypt the message on Alice‘s device before sending it.
4. The encrypted message passes through the app‘s servers where it appears as unreadable ciphertext.
5. Once the encrypted message reaches Bob, his app uses his private key to decrypt it on his device.
6. The decrypted message can now be read by Bob, but was never readable by the messaging service or third parties during transit.

This may sound like your messages are completely shielded from the big tech messaging providers, but the reality is not so simple. E2EE is an important piece of the privacy puzzle, but it has significant limitations. Before we get to those, let‘s look at which popular messaging apps actually use E2EE.

Which Messaging Apps Use End-to-End Encryption?

The good news is that most of the major messaging platforms now support E2EE in some form:

• WhatsApp: E2EE enabled by default for all messages and calls.
• iMessage: E2EE enabled by default, but only when communicating with other iMessage users. Falls back to unencrypted SMS/MMS when messaging non-iPhone users.
• Signal: The gold standard of messaging privacy. All communications are E2EE by default using the open-source Signal Protocol.
• Telegram: Cloud chats are not E2EE by default. "Secret Chats" feature uses E2EE but must be enabled manually chat by chat.

A notable exception is Facebook Messenger, which does not implement E2EE by default but has an opt-in "Secret Conversation" mode similar to Telegram. Instagram, also owned by Facebook, has no E2EE support at all. Regular SMS text messages are also not encrypted.

So while the trend is positive with more apps adopting E2EE, the details of the implementation matter a lot. Having to manually enable E2EE for each chat is tedious and less secure than making it the unchangeable default like Signal does. Even WhatsApp, which uses the Signal Protocol, has come under fire recently for its privacy practices.

WhatsApp‘s Privacy Woes

In January 2021, WhatsApp announced an update to its privacy policy that would allow more data sharing with parent company Facebook and kicked off a mass exodus of users to rivals like Signal and Telegram. The backlash forced WhatsApp to delay the update and clarify what data would and wouldn‘t be shared.

WhatsApp stressed that the content of messages and calls would remain E2EE and private:

"We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way. Instead, this update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data."

The new policy applies to businesses using WhatsApp to communicate with customers, allowing some data like phone numbers and transactions to be used for ad targeting on Facebook. But WhatsApp users are right to be wary given Facebook‘s history of broken promises, privacy scandals, and voracious appetite for personal data. Even if individual messages remain encrypted, there are still significant privacy concerns.

Metadata and Unprotected Data

The biggest limitation of E2EE is that it only encrypts the content of your messages, not the metadata around them. Metadata is data about data – information like who you message, when, from where, and for how long. It may not seem sensitive compared to the contents of messages, but metadata can paint an incredibly revealing picture of your private life, relationships, interests, and activities. As former NSA general counsel Stu Baker put it: "Metadata absolutely tells you everything about somebody‘s life. If you have enough metadata, you don‘t really need content."

With E2EE, your messaging provider can‘t read your messages, but still has access to metadata. And tech companies like Facebook are in the business of harvesting as much of your data as possible to target you with ads, content, and services via AI algorithms. So even with E2EE protecting message content, companies can still collect and exploit sensitive data like:

• Your contact list and who you message
• When and how often you message them
• Your typing patterns and message lengths
• Your IP address and geolocation
• Your device model and operating system
• What groups you participate in
• What businesses you interact with
• Links you share and websites you mention

So while E2EE is great for keeping message contents private, tech companies still have concerning visibility into our communications and social graphs that we may not want them to have. There are other risks to E2EE as well.

Other Risks and Limitations of E2EE

Another problem with E2EE is that your messages are only as secure as the devices at either end. If an attacker or authority gains physical access to an unlocked device with E2EE messaging apps, they can usually read the messages on that device since they are decrypted on receipt. E2EE also does not protect your message backups if you store them in the cloud (e.g. iCloud for iMessage).

There is also the potential for undisclosed backdoors to be built into E2EE systems under pressure from governments who want access for law enforcement and surveillance. The nature of closed-source proprietary software is you can‘t verify that the E2EE implementation is free of intentional vulnerabilities or secret mechanisms to allow decryption of messages.

Which brings us to one of the biggest policy debates around E2EE: should governments be allowed to force tech companies to provide decrypted user data or build in backdoors to E2EE for "lawful access"? The U.S., U.K., Australia and other nations have pushed for laws to limit or undermine E2EE in the name of fighting crime and terrorism. But privacy advocates argue that any weakening or circumvention of E2EE would be far riskier to the security and privacy of law-abiding citizens than it would be beneficial for law enforcement.

Despite these risks and limitations, E2EE is still an essential tool for private communication in a digital ecosystem dominated by big tech surveillance capitalism. But to truly protect your privacy, you may want to look beyond the big tech messaging apps to more privacy-focused alternatives like Signal.

E2EE Messaging Alternatives to Big Tech

If you want to minimize your exposure to big tech‘s data harvesting machinery, you‘ll need to look for E2EE messaging apps that are not run by the likes of Facebook and Google. The leading alternative is Signal, an open source app that uses its own gold-standard Signal Protocol to implement E2EE. All messages are E2EE by default with no way to turn it off, and Signal collects minimal metadata – only your phone number, random keys, and profile info, but not your contacts, location, group memberships, etc.

Another good option is Telegram, especially if you need features beyond basic messaging. Telegram supports massive group chats and channels, self-destructing messages, and file sharing. The downside is that E2EE is not enabled by default in Telegram but limited to an opt-in "Secret Chat" feature you have to use on a chat-by-chat basis.

The big tradeoffs with switching to more privacy-preserving messaging apps is network effects and features. All your contacts need to be on the same app to message them, and you may lose out on bells and whistles like business messaging, payments, stickers, etc. Signal and Telegram also do less content moderation than apps run by big tech companies, so you will encounter more misinformation, toxicity, and objectionable content.

Conclusion – Surveillance vs Privacy

At the end of the day, E2EE alone is not enough to significantly curtail the sweeping surveillance power of big tech companies that run the most popular messaging platforms. WhatsApp, iMessage, and Facebook Messenger may keep your message contents private with E2EE, but their parent companies Apple, Facebook, and Google are still vacuuming up all the metadata and associated user data they can to feed the yawning maw of their targeted advertising businesses.

To take back control of your privacy, the best option is to use open source, E2EE-only messaging apps like Signal that are not run by big tech companies with an insatiable appetite for your data. But even then, be aware that E2EE does not make your messaging impervious to determined attackers or authorities. Practicing good digital security hygiene like strong passwords, two-factor authentication, and encrypted device storage is just as important.

While shifting to more private messaging may mean giving up some features and conveniences you are used to, that is the inevitable tradeoff in pushing back against big tech‘s relentless assault on our privacy. In a world where our every digital move is tracked and monetized, E2EE is a critical tool for carving out a small slice of our lives that is inaccessible to the big tech panopticon. So the next time you send a sensitive message, make sure that padlock icon is there – your privacy depends on it.