Not All Encryption Is Created Equal

Encryption makes the digital world work. It consists of a few elegant math equations that scramble data before it is sent over the internet, where prying eyes could otherwise intercept it, read it, and manipulate it. Encryption is the reason everything from financial transactions to state secrets gets passed around the internet nearly instantaneously, unlocking massive amounts of innovation, wealth, and prosperity as a result.

But not all encryption is created equal. Some forms of encryption expose the communications of internet users to private corporations and to the third parties those corporations choose to share the data with.

These days, many technology companies claim to have products that are “end-to-end encrypted”. This is often misleading. In March, Zoom falsely claimed in their security white paper that hosts could enable an “end-to-end encrypted meeting” with one click. After backlash, Zoom quietly changed the language in their white paper to avoid using the term “end-to-end encrypted”.

In this scenario, Zoom failed to acknowledge a critical distinction between standard web encryption, often called “client-to-server” (C2S) encryption, and true end-to-end (E2E) encryption.

The difference between C2S and E2E encryption can’t be overstated. Simply put, it is the difference between communicating privately, and having everything you do monitored.

Figure: Client-to-Server (C2S) vs. End-to-End (E2E) Encryption (Source: Wickr)

Today, companies that use C2S encryption decrypt, process, and store our unencrypted data on cloud servers to provide us services. But that’s not all they do: far too often, these companies abuse our trust by spying on us, breaching our data, and manipulating our actions. In other words, C2S encryption has an Achilles’ heel: it positions companies and service providers between senders and recipients, granting them full access to our data and communications.

E2E encryption covers the Achilles’ heel of C2S and allows for truly private two-way communications. This is what E2E means: one “end” is the sender and the other “end” is the recipient. Computation is performed locally on devices (“on the edge”), removing the need for pesky, centralized servers that allow corporations, third parties, and others to eavesdrop on us.
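
A minimal model of the two arrangements described above, added here as an illustration (it is not code from Wickr, Zoom or IoTeX). The Provider class, the names alice and bob, and the seal/unseal helpers are hypothetical, and the cipher is a standard-library encrypt-then-MAC stand-in; a real product would use a vetted AEAD cipher and a key-agreement protocol to establish the pair key.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; a stdlib-only stand-in for a real AEAD cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError under the wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Provider:
    """The company in the middle; `stored` is everything it retains."""
    def __init__(self, link_keys):
        self.link_keys = link_keys          # C2S: one session key per client
        self.stored = []

    def relay_c2s(self, sender, recipient, blob):
        msg = unseal(self.link_keys[sender], blob)   # decrypted on the server
        self.stored.append(msg)                      # plaintext at rest
        return seal(self.link_keys[recipient], msg)

    def relay_e2e(self, blob):
        self.stored.append(blob)                     # opaque bytes only
        return blob

def run_demo(message=b"constructed sample: door code 4921"):
    links = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    pair_key = secrets.token_bytes(32)   # assumed agreed by the two devices only
    provider = Provider(links)
    c2s = unseal(links["bob"], provider.relay_c2s("alice", "bob", seal(links["alice"], message)))
    e2e = unseal(pair_key, provider.relay_e2e(seal(pair_key, message)))
    return c2s, e2e, provider

if __name__ == "__main__":
    c2s, e2e, provider = run_demo()
    print("C2S record held by provider:", provider.stored[0])
    print("E2E record held by provider:", provider.stored[1].hex())
```

Both recipients read the same message, but the provider's C2S record is the plaintext itself, while its E2E record cannot be opened with any key the provider holds.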

C2S Encryption Exposes Us to “Flip-the-Switch Risk”

The dangers of C2S encryption can be summarized as flip-the-switch risk. What is flip-the-switch risk? Let’s say you buy a product from a company you absolutely love and trust unconditionally — for simplicity, we will use Apple as an example. Imagine Apple rolls out a new iPhone where all the phone’s data is encrypted on Apple’s servers using a form of C2S encryption (note: just an example, not how Apple encrypts iPhone data today).

You trust Apple. And this new iPhone is jam-packed with upgrades like retina-ID, a camera that can zoom in far enough to see cells, and a processor that can calculate Pi’s final digit. You buy this iPhone. You buy it because you trust Apple and assume no one at the company will use your new phone’s data to blackmail you or to steal your credit card information to go on a spending spree. Or at least, you feel the low risk of something like this happening is worth the incredible new features.

But the Apple of today may not be the Apple of tomorrow. Let’s say a wealthy, secretive group of investors buys up a majority stake in Apple. They oust the Board of Directors and decide to sell all of the user/iPhone data held in Apple’s servers to the highest bidder. This phenomenon is known as flipping-the-switch. The fact that you trust the people at the reins of an institution that holds your sensitive data today does not protect you from those people ultimately leaving, and having the switch flipped on you.

This is not hyperbole; flip-the-switch risk manifests itself in very real ways today. For example, Fitbit was acquired by Google in 2019. If you were one of the 28 million Fitbit users at the time of acquisition, your sensitive health data was suddenly handed over to a new company that you may or may not trust. Amazon’s acquisition of PillPack in 2018 is another example of a tech behemoth acquiring their way to sensitive user data. And the list goes on.

Flip-the-switch risk also applies to insider employees. In fact, this is the most common way that sensitive user data gets exposed. A cloud admin who is also a spurned divorcee spies on her ex. Or a network engineer who is also a crazed super fan stalks a celebrity. Earlier this year, Amazon fired several Ring employees for viewing customer video footage without consent. C2S encryption has opened a Pandora’s box of similar risks.

What’s Next for Encryption?

As a user, you should never trust that a company holding the keys to your data will not abuse their power or hand your data over to advertisers for profit. Nowadays, most of us are numb to the constant mistreatment of our data, but there is a better way. Seeking truly E2E encrypted products can insulate us from these risks and remove the possibility of intermediaries or strangers gaining access to our data. This problem is not limited to laptops and phones; in fact, the threat is quickly entering into our homes.

Most homeowners today have some type of internet-connected device. Whether it’s a refrigerator pinging a manufacturer to let them know the temperature gauge isn’t working, or an Alexa-powered smart speaker telling dad jokes on-demand, or a Nest that keeps you cozy with the perfect temperature, your home is almost certainly now “smart” in some way.

Owning smart devices today is both convenient and scary: if our devices can talk to us, then who else are they talking to? This new reality demands that we choose products wisely, as the implications for the safety of our homes and families have never been greater. Luckily, a new wave of E2E encrypted products is emerging to deliver data ownership and control to users, not corporations.

A human-centered and privacy-respecting future is on the horizon. One where we can look at our smart devices without any doubt that, now or later, we are not being watched, listened to, or tracked without our consent. By enforcing E2E encryption with trusted and tamper-proof technologies, such as blockchain, we can remove all ambiguity, subjectivity, and doubt regarding whether or not our data is truly protected.

Blockchain can take E2E encryption to even greater heights to achieve individualized E2E encryption, where the keys to your data will be minted by a trusted blockchain and owned exclusively by you. A human-centered approach — no more data breaches, no more falling victim to false claims. As this philosophy is applied to home security cameras, personal tracking devices, and other smart devices, a new #OwnYourData revolution will emerge. With individualized E2E encryption, we can eliminate flip-the-switch risk and take back control of our data once and for all.

About IoTeX

Founded as an open source platform in 2017, IoTeX is building the Internet of Trusted Things, an open ecosystem where all “things” — humans, machines, businesses, and DApps — can interact with trust and privacy. Backed by a global team of 30+ top research scientists and engineers, IoTeX combines blockchain, secure hardware, and confidential computing to enable next-gen IoT devices, networks, and economies. IoTeX will empower the future decentralized economy by “connecting the physical world, block by block”.
