The presence of end-to-end encryption (E2EE) in messaging apps and programmes protect journalists and their sources, particularly when communicating sensitive information.
When dealing with sensitive information, journalists should always take a risk assessment of online tools used to communicate and should always prefer apps that provide end-to-end encryption (E2EE), like Signal for example, when communicating sensitive information. Encryption is primarily used to protect your messages content from being read. It is not possible to encrypt SMS and regular phone calls, therefore allowing Internet Service Providers (ISPs) and governments to access all contents transferred using these services. The type of encryption used will determine what data the ISP or the app can see. In most countries, governments can subpoena ISPs and force them to give extensive records and sometimes also use alternative methods to retrieve data without the ISPs’ knowledge.
Risk assessment parameters
- The entities (individual, private, public organisation) that could want to access your information and the level of resource they could engage to access it.
- The Internet Service Providers (ISPs) through which information will transit through on both ends.
- The choice of application available and the type of encryption it uses.
Types of encryption
- No encryption. Any device or system involved in the transit between the sender and receiver of messages or data can access its content.
- Encryption at Rest. Protects in-device data from unauthorised users. The main use is protection from malware, spyware, or intrusion attempts within the user’s own device. This type of encryption will not protect any data in-transit.
- Encryption in-Transit. Protects the users data while it is being transferred to the app server. ISPs can’t read user data, but it can be read by the app server.
- End-to-end Encryption (E2EE). The best level of encryption currently commercially available. Encrypts user data for the entire transit, making it unreadable by the app server.
Limits to End-to-end encryption
- Weak encryption. “Encryption” can mean many different things and on its own it does not necessarily guarantee complete safety of your information. Though encryption is constantly advancing, methods of breaking encryption advances along with it. Old or weak encryption can provide a false sense of security. Users may verify the strength of their encryption through open source apps that have published security audits such as Threema.
- Logging/data retention. A log file is a data file that contains information about usage patterns, activities, and operations within an operating system, application, server or another device. Some apps (and VPNs) do not purge their data, meaning that if someone has the capabilities to decrypt the user’s data and can receive encrypted log files, the hacker can read everything. It is better to look for apps that promise “no logging”, even then check their terms to confirm what they mean by “no logging”. Some apps only use ‘encryption in-transit’ but have no logging or keep your data for a minute or two before purging it. This can be a risk, but it is safer than E2EE with weak encryption.
- Server and organisation location. If the server is based in a country where data privacy laws are weak, the user’s data is in danger of being accessed. In some cases, ISPs can legally be required to share data with ally states, for example the Five Eyes Alliance allows the US government to access data about internet users from four other state governments. It is important that the applications on the user’s phone are not hosted in a country that endangers them.
Written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal security tools across large enterprises. Over the last two years, he has been working in Myanmar and researching how to maintain proper security in the context of an oppressive nation-state. In the last few months, he has been working with multiple groups in Taiwan to train them on proper security and safety measures.