Bonum Certa Men Certa

Guarding Your Privacy With E2EE: Primer

End-to-end encryption deciphered

Lock and Key



Summary: "As with all security, there is assumed risk no matter how careful you are. There are no security guarantees but that doesn't mean you shouldn't try."

End-to-end encryption (E2EE) is something that's been in the news quite frequently. Lack of education about E2EE is being exploited. Your fundamental human rights are being violated. This article serves to educate the non-technical person about E2EE and how it affects their everyday life.



Let us get a few fundamental things clarified, first. Without these basic things, no proper discussion can happen around E2EE.

"Another important thing to note is that the sender sees the data that will be encrypted in its unencrypted form anyway. Obvious statement but important to remember."What is E2EE? E2EE is a system in which data is encrypted so that only one party can decrypt the data: the intended recipient(s).

Note that we used the word "system" in our definition for E2EE. This is done to keep the scope of this article separate from any specific E2EE software.

Another important thing to note is that the sender sees the data that will be encrypted in its unencrypted form anyway. Obvious statement but important to remember.

Next, let us note articles 12 and 19 of the Universal Declaration of Human Rights (UDHR).

LockArticle 12 UDHR: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Article 19 UDHR: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."

We'll refer to these as A12UDHR and A19UDHR, from now on.

We've now established some fundamental definitions; we can move on to what all this means in the context of E2EE.

Let's now connect what A12UDHR and A19UDHR have to do with E2EE.

A12UDHR mentions privacy. Our data privacy is a form of privacy. Thus, according to A12UDR, every human being has a fundamental right to data privacy. The only way we can achieve data privacy is via E2EE.

"The only way we can achieve data privacy is via E2EE."A19UDHR mentions the freedom to hold opinions WITHOUT INTERFERENCE and to seek and impart INFORMATION and ideas THROUGH ANY MEDIA (we're paraphrasing here to highlight information relevant to this article). Thus, according to A19UDHR, every human being has a right to exchange INFORMATION THROUGH ANY MEDIA. End-to-end-encrypted data (E2EED) is a form of information; thus A19UDHR gives every human being a right to seek and impart E2EED over any medium they wish.

So, in summary, we've established the following as an inalienable right of every human being:

Every human being has a fundamental right to use E2EE and seek and impart E2EED over any medium they wish (Internet, printed documents, etc.).

Now it's time to consider the technical side.

If you go back to our definition of E2EE, you will see that there are strict requirements about who can decrypt E2EED.

Many platforms (email, social control media, messaging apps, etc.) advertise E2EE. They are pretty much all not E2EE. Why? They have the keys that can decrypt your data. Go back and read the definition of E2EE again.

What are these "keys"? Good question.

Every system of E2EE is basically built on the idea of a pair of keys:

"Many platforms (email, social control media, messaging apps, etc.) advertise E2EE. They are pretty much all not E2EE."Public Key (PKEY): Just a file. A sort of identifier. PKEYs are used in E2EE to encrypt data so that only the intended recipient(s) can decrypt the encrypted data.

Secret Key (SKEY): Just a file. This is the (only) file which can be used to decrypt the encrypted data.

There exists a mathematical relationship between a PKEY and a SKEY which makes it infeasible to decrypt the encrypted data without access to the recipient's SKEY. When used correctly, E2EED is safe even from the quantum computers of today.

You can refer to the end of this article for the technical details.

"You can willingly forfeit your privacy (and many do by accepting "Terms and Conditions" of various platforms and services) but no body has a right to forcibly take away your privacy."The easiest way to decrypt E2EED is to get a hold of the recipient's SKEY or to catch the pre-encrypted data via some sort of back door in the device being used to encrypt the data. The problem is, many organisations already have your SKEY; they keep a copy for themselves, when SKEY has been generated. So, these systems don't actually satisfy our definition of E2EE.

Remember: You have a fundamental right to end-to-end encryption. You have a fundamental right to keep the secret keys used for your end-to-end encryption software private. Nobody has the right to take these secret keys away from you - no company, no government, no individual, no organisation. You can willingly forfeit your privacy (and many do by accepting "Terms and Conditions" of various platforms and services) but no body has a right to forcibly take away your privacy.

"Complain to your local government representative about the attacks on E2EE."There have been repeated attempts (and will continue to be repeated attempts) to outlaw end-to-end encryption. Governments want to spy on citizens; companies want to spy on individuals to profit off their private data; organisations want private data of individuals to make discriminatory decisions about said individuals. All of these actions have negative consequences on individuals: psychological abuse, economic discrimination, racial discrimination, political discrimination, exploitative psychological advertising (the list goes on and on).

So what can you do about this? You can raise awareness, first of all. Complain to your local government representative about the attacks on E2EE. You can educate yourself about which software gives you full control over your secret keys.

"Note that operating systems and devices have constantly had back doors installed into them."Here's a list of software you can look up which gives users control over their secret keys:

1) GnuPG and Kleopatra (GNU/Linux, BSD, OSX)

2) Gpg4win and Kleopatra (Windows)

3) OpenKeychain (Mobile)

There are many books, videos, and tutorials about the tools above. They're a good point to start with.

Note that operating systems and devices have constantly had back doors installed into them. The best way to use E2EE software is to have a separate device for performing all E2EE tasks; said device should never be connected to the Internet. This is too inconvenient for some but is worth considering for those who want added level of security.

A note on hardware security tokens: Don't believe in them. Most of them are likely to have back doors in them which allow extraction of your secret keys. Use an ordinary, general-purpose computer for all E2EE tasks; preferably one that never sees the Internet. Old laptops make great E2EE machines; just turn off the WIFI and don't plug in any Ethernet cable. Devices like the Raspberry Pi are also a good candidate for an affordable system exclusively used for E2EE. You can use these devices with an HDMI cable, keyboard+mouse, and a USB stick to move data to and from the device.

Does all your data need to be E2EED? Of course not. That would be overkill. But data that you think needs to be private should be private. So use E2EE software to protect your privacy, when you see fit. This includes pictures, videos, legal documents, files containing passwords, etc.

"Old laptops make great E2EE machines; just turn off the WIFI and don't plug in any Ethernet cable."Remember: E2EE is a system in which data is encrypted so that ONLY ONE party can decrypt the data: intended recipient(s). Any system which doesn't satisfy this definition is not E2EE; don't let governments, companies, etc. convenience you otherwise.

Technical details



Say J wants to send a file F to M; J wants to encrypt F so that only M can decrypt F. We'll refer to the encrypted form of F as EF.

What would J need to do?

We'll establish a few more definitions (sorry about this but it's necessary to maintain correctness).

J and M both have keys.

E2EE software : S.

Public key of J : JPKEY Secret key of J : JSKEY

Public key of M : MPKEY Secret key of M : MSKEY

(1) J and M both use S to generate their respective key files (JPKEY, JSKEY, MPKEY, MSKEY).

(2) J needs MPKEY in order to encrypt F for M.

(3) M sends J: MPKEY, in advance (this can be done over any media as MPKEY is not required to remain private).

(4) J now has the following: S, JSKEY, MPKEY, F. J can use these to obtain EF.

(5) J sends EF to M.

(6) M now has the following: MSKEY, S, EF.

(7) M can use these to obtain F from EF.

All of the above can be done with only one person. In, that case J = M. This is when you want E2EED that is "for your eyes only".

RSA and EDDSA are considered the most secure systems for E2EE today (2020). The major weak points in any E2EE are: human error, hardware and software backdoors, hardware and software bugs. E2EE is always evolving, so what you read today may not be true tomorrow.

As with all security, there is assumed risk no matter how careful you are. There are no security guarantees but that doesn't mean you shouldn't try.

Be wary of any body that gives you guarantees.

Recent Techrights' Posts

Microsoft-Connected Sites Trying to Shift Attention Away From Microsoft's Megabreach Only Days Before Important If Not Unprecedented Grilling by the US Government?
Why does the mainstream media not entertain the possibility a lot of these talking points are directed out of Redmond?
[Video] 'Late Stage Capitalism': Microsoft as an Elaborate Ponzi Scheme (Faking 'Demand' While Portraying the Fraud as an Act of Generosity and Demanding Bailouts)
Being able to express or explain the facts isn't easy because of the buzzwords
Microsoft ("a Dying Megacorporation that Does Not Create") and IBM: An Era of Dying Giants With Leadership Deficits and Corporate Bailouts (Subsidies From Taxpayers)
Microsoft seems to be resorting to lots of bribes and chasing of bailouts (i.e. money from taxpayers worldwide)
 
GNU/Linux in Kyrgyzstan: From 0.5% to 5% in Eight Years
the country is almost the size of the UK
Justice for Victims of Online Abuse
The claims asserted or pushed forth by the harasser are categorically denied
[Meme] Senior Software Engineer for Windows
This is becoming like another Novell
Links 18/05/2024: Deterioration of the Net, North Korean IT Workers in the US
Links for the day
Windows in Lebanon: Down to 12%?
latest from statCounter
Links 18/05/2024: Caledonia Emergency Powers, "UK Prosecutor's Office Went Too Far in the Assange Case"
Links for the day
US Patent and Trademark Office Sends Out a Warning to People Who Do Not Use Microsoft's Proprietary Formats
They're punishing people who wish to use open formats
Links 18/05/2024: Fury in Microsoft Over Studio Shutdowns, More Gaming Layoffs
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, May 17, 2024
IRC logs for Friday, May 17, 2024
Links 18/05/2024: KOReader, Benben v0.5.0 Progress Update, and More
Links for the day
[Meme] UEFI 'Secure' Boot Boiling Frog
UEFI 'Secure' Boot: You can just ignore it. You can just turn it off. You can hack on it as a workaround. Just use Windows dammit!
The Market Wants to Delete Windows and Install GNU/Linux, UEFI 'Secure' Boot Must Go!
To be very clear, this has nothing to do with security and those who insist that it is have absolutely no credentials
In the United States Of America the Estimated Share of Google Search Grew After Microsoft's Chatbot Hype (Which Coincided With Mass Layoffs at Bing)
Microsoft's chatbot hype started in late 2022
Techrights Will Categorically Object to Any Attempts to Deny Its Right to Publish Informative, Factual Material
we'll continue to publish about 20 pages per day while challenging censorship attempts
Links 17/05/2024: Microsoft Masks Layoffs With Return-to-office (RTO) Mandates, More YouTube Censorship
Links for the day
YouTube Progresses to the Next Level
YouTube is a ticking time bomb
Journalists and Human Rights Groups Back Julian Assange Ahead of Monday's Likely Very Final Decision
From the past 24 hours...
[Meme] George Washington and the Bill of Rights
Centuries have passed since the days of George Washington, but the principles are still the same
Daniel Pocock: "I've Gone to Some Lengths to Demonstrate How Corporate Bad Actors Have Used Amateur-hour Codes of Conduct to Push Volunteers Into Modern Slavery"
"As David explains, the Codes of Conduct should work the other way around to regulate the poor behavior of corporations who have been far too close to the Debian Suicide Cluster."
Video of Richard Stallman's Talk From Four Weeks Ago
2-hour video of Richard Stallman speaking less than a month ago
statCounter Says Twitter/X Share in Russia Fell From 23% to 2.3% in 3 Years
it seems like YouTube gained a lot
Journalist Who Won Awards for His Coverage of the Julian Assange Ordeals Excluded and Denied Access to Final Hearing
One can speculate about the true reason/s
Richard Stallman's Talk, Scheduled for Two Days Ago, Was Not Canceled But Really Delayed
American in Paris
3 More Weeks for Daniel Pocock's Campaign to Win a Seat in European Parliament Elections
Friday 3 weeks from now is polling day
Microsoft Should Have Been Fined and Sanctioned Over UEFI 'Lockout' (Locking GNU/Linux Out of New PCs)
Why did that not happen?
Gemini Links 16/05/2024: Microsoft Masks Layoffs With Return-to-office (RTO) Mandates, Cash Issues
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, May 16, 2024
IRC logs for Thursday, May 16, 2024
Ex-Red Hat CEO Paul Cormier Did Not Retire, He Just Left IBM/Red Hat a Month Ago (Ahead of Layoff Speculations)
Rather than retire he took a similar position at another company
Linux.com Made Its First 'Article' in Over and Month, It Was 10 Words in Total, and It's Not About Linux
play some 'webapp' and maybe get some digital 'certificate' for a meme like 'clown computing'
[Meme] Never Appease the Occupiers
Freedom requires truth. Free speech emancipates.
Thorny Issues, Violent Response
They say protests (or strikes) that do not disrupt anything are simply not effective. The same can be said about reporting.
GNU/Linux in Malaysia: From 0.2 Percent to 6+ Percent
That's like 30-fold increase in relative share
Liberty in Liberia? Windows Falls Below 10% and Below iOS
This is clearly a problem for Microsoft
Techrights Congratulates Raspberry Pi (With Caution and Reservations)
Raspberry Pi will "make or break" based on the decisions made in its boardroom
OSI Makes a Killing for Bill Gates and Microsoft (Plagiarism and GPL Violations Whitewashed and Openwashed)
meme and more
The FSF Ought to Protest Against UEFI 'Secure Boot' (Like It Used To)
libreplanet-discuss stuff
People Who Defend Richard Stallman's Right to Deliver Talks About His Work Are Subjected to Online Abuse and Censorship
Stallman video removed
GNU/Linux Grows in Denmark, But Much of That is ChromeOS, Which Means No Freedom
Google never designs operating systems with freedom in mind
Links 16/05/2024: Vehicles Lasting Fewer Years, Habitat Fragmentation Concerns
Links for the day
GNU/Linux Reaches 6.5% in Canada (Including ChromeOS), Based on statCounter
Not many news sites are left to cover this, let alone advocate for GNU/Linux
Links 16/05/2024: Orangutans as Political Props, VMware Calls Proprietary 'Free'
Links for the day
The Only Thing the So-called 'Hey Hi Revolution' Gave Microsoft is More Debt
Microsoft bailouts
TechTarget (and Computer Weekly et al): We Target 'Audiences' to Sell Your Products (Using Fake Articles and Surveillance)
It is a deeply rogue industry that's killing legitimate journalism by drowning out the signal (real journalism) with sponsored fodder
FUD Alert: 2024 is Not 2011 and Ebury is Not "Linux"
We've seen Microsofers (actual Microsoft employees) putting in a lot of effort to shift the heat to Linux
Links 15/05/2024: XBox Trouble, Slovakia PM Shot 5 Times
Links for the day
Windows in Times of Conflict
In pictures
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, May 15, 2024
IRC logs for Wednesday, May 15, 2024