End-to-end encryption has been in the news quite a bit lately. In particular, Facebook is implementing end-to-end encryption in all of their messaging services, and ProtonMail was ordered by a Swiss court to log the IP address of a French climate activist who was using ProtonMail for their emails. This has brought up the question of just how useful end-to-end encryption is, and where the limits of its functionality lie. Today, we’ll take a sobering look at that.
First off, end-to-end encryption simply means that data is transported in encrypted form from a sender to a receiver, and only the sender and receiver can decrypt the data to read it. Sometimes this is achieved with symmetric cryptography, other times with asymmetric cryptography. Sometimes there are two parties involved (a sender and a receiver), sometimes only one (the data owner), and sometimes there are three or more parties (group communications). But the result is always the same: only authorized parties can decrypt the data to read it.
That sounds great, and it is. It’s a game-changer for privacy and security, and has been for several years now in various domains, including email, chat, and browsing websites. With end-to-end encrypted email and chat, you can send messages and be sure that only the intended recipient(s) can read them. With the end-to-end encryption of HTTPS, SSL, and TLS, you can be sure that nobody can eavesdrop on you when you browse the web. End-to-end encryption makes the internet much more secure, makes our communications much more private, and, in my opinion, is the greatest technological innovation since the development of the internet.
But it doesn’t make you invincible.
You can’t encrypt everything
Read that again, because it’s important: You can’t encrypt everything.
ʕ·ᴥ·ʔ: You can’t encrypt everything!
Some data, called metadata, can’t be encrypted. Metadata is data about data. So, for example, an email may contain the sender’s IP address. In this case, the IP address is metadata about the email. Other metadata in an email can include:
- the sender’s email address
- the recipients’ email addresses
- the sender’s and recipients’ names
- subject lines
- timestamps
- whether or not there are attachments
- size of the email in bytes
Just like how real mail has to pass through various post offices and be handled by various postal office workers, email has to pass through various networks on the internet and be handled by various email servers. Those networks and servers need at least some of this metadata to facilitate email communications. In particular, at minimum, they need the sender’s and recipient’s email addresses. Without the recipient’s address, how will a server know where to deliver the email? And without the sender’s address, how will the recipient send back a reply?
Email doesn’t have to include your name (though it oftentimes does). It doesn’t have to include the subject line either (but again, it oftentimes does). Maybe email communications can function without timestamps (barely, and probably with lots of issues). You can hide attachments within the body of the email and encrypt it (we don’t do this). And you can also hide the size of the email by always including a random amount of junk data in your emails (we don’t do this either).
So there’s a lot of metadata in an email that isn’t the actual content of an email. Some of it isn’t necessary, but some of it is, and all of it isn’t getting end-to-end encrypted. And this metadata, while it may seem unimportant, can be enough to get you arrested.
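To make the point concrete, here is an added example (not code from the original post) that parses a constructed PGP/MIME email the way a mail server on the path would see it. The addresses, names, domains, the 203.0.113.45 address in the Received header and the ciphertext blob are all made up for this demonstration. It separates what an observer can still read (sender, recipient, subject, timestamp, originating IP, size) from what they cannot (the encrypted body), and includes a fixed-bucket padding helper as one way of hiding the size; the 4096-byte bucket is an assumption, not something the text prescribes.

```python
"""Added example (not from the original post): what an email server can
read from an end-to-end encrypted (PGP/MIME) message.  Every address,
name, domain, IP address and ciphertext below is constructed."""

import email
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

# A constructed PGP/MIME message as it would sit in a server's mail queue.
# The body is an opaque encrypted blob; the headers are in the clear.
RAW_ENCRYPTED_EMAIL = b"""\
Received: from mail.example.org (mail.example.org [203.0.113.45])
\tby mx.example.net with ESMTPS id abc123; Tue, 14 Sep 2021 09:12:33 +0000
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.net>
Subject: Tomorrow's meeting point
Date: Tue, 14 Sep 2021 09:12:30 +0000
Message-ID: <constructed-0001@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="boundary42"

--boundary42
Content-Type: application/pgp-encrypted

Version: 1

--boundary42
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMAconstructedCiphertextBlobOnlyForThisExampleAAAAAAAAAAAAAAAAAAAAAA
=abcd
-----END PGP MESSAGE-----

--boundary42--
"""

# The same constructed message sent without encryption, for contrast.
RAW_PLAIN_EMAIL = b"""\
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.net>
Subject: Tomorrow's meeting point
Date: Tue, 14 Sep 2021 09:12:30 +0000
Content-Type: text/plain; charset="utf-8"

Let's meet at the usual place at 10.
"""


def observer_view(raw: bytes) -> dict:
    """Return the metadata anyone handling the message can read,
    regardless of whether the body is end-to-end encrypted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_name, sender_addr = parseaddr(str(msg["From"]))
    recipient_name, recipient_addr = parseaddr(str(msg["To"]))
    # The originating IP is recorded by the receiving server in the
    # Received header, in square brackets after the host name.
    received = str(msg["Received"] or "")
    ip_match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    return {
        "sender_name": sender_name,
        "sender_address": sender_addr,
        "recipient_name": recipient_name,
        "recipient_address": recipient_addr,
        "sender_ip": ip_match.group(1) if ip_match else None,
        "subject": str(msg["Subject"]),
        "timestamp": str(msg["Date"]),
        "content_type": msg.get_content_type(),
        "encrypted": msg.get_content_type() == "multipart/encrypted",
        "size_bytes": len(raw),
    }


def readable_body(raw: bytes) -> Optional[str]:
    """Return the body text if it is in the clear, or None when the body
    is a PGP/MIME ciphertext that only the recipient's key can open."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/encrypted":
        return None
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else None


def padded_size(size_bytes: int, bucket: int = 4096) -> int:
    """Size an observer would see if the sender padded every message up
    to the next multiple of `bucket` bytes (a fixed-bucket variant of the
    'add junk data' idea; the bucket size is an assumption)."""
    return -(-size_bytes // bucket) * bucket


if __name__ == "__main__":
    for label, raw in (("encrypted", RAW_ENCRYPTED_EMAIL), ("plain", RAW_PLAIN_EMAIL)):
        view = observer_view(raw)
        print(f"--- {label} message, {view['size_bytes']} bytes "
              f"(padded: {padded_size(view['size_bytes'])}) ---")
        for key, value in view.items():
            print(f"{key:>18}: {value}")
        print(f"{'body':>18}: {readable_body(raw)!r}")
```

Run it and compare the two blocks of output: the encrypted message leaks exactly the same sender, recipient, subject, timestamp and IP as the plaintext one; only the `body` line differs. That gap between the two is the metadata the rest of this post is about.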
ʕ·ᴥ·ʔ: Arrested?!
Arrested.
ʕ·ᴥ·ʔ: No way.
Yes way, as it was for that French climate activist who was a ProtonMail user, and for Natalie Edwards who was the informant for this BuzzFeed News article. In both cases, law enforcement couldn’t read the actual messages that were being sent and received because of end-to-end encryption. But with the metadata, they knew who was doing the sending, who was doing the receiving, when messages were being sent and received, how often, and so on. They didn’t know that Natalie Edwards was leaking confidential banking information to BuzzFeed News; they just knew that she had access to the confidential information, that she was chatting on WhatsApp with this BuzzFeed News reporter, and that they were chatting a lot, just before the article was published.
ʕ • ᴥ •’ʔ: …Snap.
Facebook is still Facebook
And that brings us to Facebook’s new efforts to implement end-to-end encryption in all of their messaging services. If you think that Facebook successfully rolling out end-to-end encryption makes Facebook Messenger, Instagram DMs, or even WhatsApp private, you’ve got another thing coming. All of that metadata will still be there. And it will all still be used to invade your privacy to the detriment of your security.
Telegram is even worse. Some people think it’s a better end-to-end encrypted alternative to WhatsApp, but it’s not. At least with WhatsApp, messages are end-to-end encrypted by default. Not with Telegram, which holds the encryption/decryption keys to your messages by default. They do offer end-to-end encryption for messages, but you have to turn that on manually for every conversation.
ProtonMail is a much better custodian of your data, but they, too, have their limits and must adhere to the laws of a higher authority: the Swiss government. And let’s just say: the Swiss government is no angel.
Signal is great, but it’s an American company beholden to the US government. Both Signal and ProtonMail by default don’t log metadata on their users’ activities, but both can be forced by their respective governments to do so, just as ProtonMail was forced recently to log the IP address of that French climate activist. End-to-end encryption can’t and won’t solve this problem of metadata collection.
Technology is no replacement for skill
ʕ·ᴥ·ʔ: So what can we do?
We go back to basics: OPSEC (operational security).
Let’s take the French climate activist using ProtonMail as an example once more. If that activist had simply used Tor or a VPN (preferably not ProtonVPN or any VPN within easy reach of Swiss law enforcement), then ProtonMail wouldn’t have been able to provide that activist’s real IP address, and that activist may not have gotten arrested.
For Natalie Edwards, she could have used a brand new prepaid phone number that’s not tied to her identity in any way to contact BuzzFeed News, and insisted that they also buy their own brand new phone number not tied to them to chat with her through WhatsApp. This way, they could have communicated with each other without anybody knowing. Nobody would know that these two new numbers belong to BuzzFeed and Natalie Edwards, and nobody can read the content of their messages because of the end-to-end encryption on WhatsApp.
ʕ·ᴥ·ʔ: Neat!
It is, but you can go even further with the Natalie Edwards example. I’m sure WhatsApp still logs IP addresses, so simply using a private phone number would not necessarily have been enough to protect her. To take it even further and protect her IP address, she could have used Tor, or a VPN, or public Wi-Fi, or mobile data in a location that’s not tied to her, and then permanently disposed of the phone number after using it to send BuzzFeed News everything she wanted to send them.
ʕ·ᴥ·ʔ: Okay, that’s doable.
But hold on, that’s still not enough to completely protect her from law enforcement. Telecoms like AT&T, Verizon, T-Mobile, etc., collect hardware identifiers (kind of like serial numbers or a device fingerprint) on your phone whenever you connect to their cellular networks. With those hardware identifiers, a phone can be tied to a phone number. If Natalie Edwards had used her real phone with a new phone number, law enforcement could have tied that number to her phone, and then to her.
To protect her from that, she could have purchased a completely brand new phone, put the brand new number in it, and then contacted BuzzFeed with that at an IP address and location that aren’t tied to her.
ʕ·ᴥ·ʔ: Okay… This is getting difficult.
And a bit expensive, but nobody said that privacy and security come cheap or easy. Luckily, it can be cheaper and easier when you don’t involve a tracking device called a “phone”.
Technology still helps, though
For Natalie Edwards to (let’s remember: illegally) leak confidential documents to BuzzFeed without identifying herself in any way, the easiest and cheapest way to do it would have been to set up a brand new virtual machine, connect to public Wi-Fi with a randomized MAC address, sign up for a new VPN account, sign up for a new end-to-end encrypted email account, and then contact BuzzFeed through all of that, before finally deleting everything to cover her tracks.
Instead of a virtual machine, she could have used a disposable qube on Qubes OS. Instead of a VPN, she could have used Tor. Instead of both, she could have used Tails. Any of those combinations would have worked too.
The whole point is this: end-to-end encryption only hides data. You can’t hide metadata, but you can dissociate yourself from it. There is no one tool or technology that will do that for you, so you have to do it yourself, using your wits and the resources available to you.
…
ʕ·ᴥ·ʔฅ: Happy hunting!
And don’t do anything illegal.
ʕ·ᴥ·ʔ: Oh, right. Yeah, that too. Haha.
Doing something you don’t want anybody including your government to see? Or maybe you’re just a paranoid privacy nut like me. (ʕ·ᴥ·ʔ: Hey, that rhymes.) If so, consider subscribing. I’ll send out an email notifying you of a new article only once a month. You’ll get no other emails from me, and I’ll respect your privacy by not sharing your email address with anyone (promise). If that sounds good to you, drop your email address down below. You can also subscribe to my RSS feed which is linked to in the menu.