Bonum Certa Men Certa

Guarding Your Privacy With E2EE: Primer

End-to-end encryption deciphered

Lock and Key



Summary: "As with all security, there is assumed risk no matter how careful you are. There are no security guarantees but that doesn't mean you shouldn't try."

End-to-end encryption (E2EE) is something that's been in the news quite frequently. Lack of education about E2EE is being exploited. Your fundamental human rights are being violated. This article serves to educate the non-technical person about E2EE and how it affects their everyday life.



Let us get a few fundamental things clarified, first. Without these basic things, no proper discussion can happen around E2EE.

"Another important thing to note is that the sender sees the data that will be encrypted in its unencrypted form anyway. Obvious statement but important to remember."What is E2EE? E2EE is a system in which data is encrypted so that only one party can decrypt the data: the intended recipient(s).

Note that we used the word "system" in our definition for E2EE. This is done to keep the scope of this article separate from any specific E2EE software.

Another important thing to note is that the sender sees the data that will be encrypted in its unencrypted form anyway. Obvious statement but important to remember.

Next, let us note articles 12 and 19 of the Universal Declaration of Human Rights (UDHR).

LockArticle 12 UDHR: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Article 19 UDHR: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."

We'll refer to these as A12UDHR and A19UDHR, from now on.

We've now established some fundamental definitions; we can move on to what all this means in the context of E2EE.

Let's now connect what A12UDHR and A19UDHR have to do with E2EE.

A12UDHR mentions privacy. Our data privacy is a form of privacy. Thus, according to A12UDR, every human being has a fundamental right to data privacy. The only way we can achieve data privacy is via E2EE.

"The only way we can achieve data privacy is via E2EE."A19UDHR mentions the freedom to hold opinions WITHOUT INTERFERENCE and to seek and impart INFORMATION and ideas THROUGH ANY MEDIA (we're paraphrasing here to highlight information relevant to this article). Thus, according to A19UDHR, every human being has a right to exchange INFORMATION THROUGH ANY MEDIA. End-to-end-encrypted data (E2EED) is a form of information; thus A19UDHR gives every human being a right to seek and impart E2EED over any medium they wish.

So, in summary, we've established the following as an inalienable right of every human being:

Every human being has a fundamental right to use E2EE and seek and impart E2EED over any medium they wish (Internet, printed documents, etc.).

Now it's time to consider the technical side.

If you go back to our definition of E2EE, you will see that there are strict requirements about who can decrypt E2EED.

Many platforms (email, social control media, messaging apps, etc.) advertise E2EE. They are pretty much all not E2EE. Why? They have the keys that can decrypt your data. Go back and read the definition of E2EE again.

What are these "keys"? Good question.

Every system of E2EE is basically built on the idea of a pair of keys:

"Many platforms (email, social control media, messaging apps, etc.) advertise E2EE. They are pretty much all not E2EE."Public Key (PKEY): Just a file. A sort of identifier. PKEYs are used in E2EE to encrypt data so that only the intended recipient(s) can decrypt the encrypted data.

Secret Key (SKEY): Just a file. This is the (only) file which can be used to decrypt the encrypted data.

There exists a mathematical relationship between a PKEY and a SKEY which makes it infeasible to decrypt the encrypted data without access to the recipient's SKEY. When used correctly, E2EED is safe even from the quantum computers of today.

You can refer to the end of this article for the technical details.

"You can willingly forfeit your privacy (and many do by accepting "Terms and Conditions" of various platforms and services) but no body has a right to forcibly take away your privacy."The easiest way to decrypt E2EED is to get a hold of the recipient's SKEY or to catch the pre-encrypted data via some sort of back door in the device being used to encrypt the data. The problem is, many organisations already have your SKEY; they keep a copy for themselves, when SKEY has been generated. So, these systems don't actually satisfy our definition of E2EE.

Remember: You have a fundamental right to end-to-end encryption. You have a fundamental right to keep the secret keys used for your end-to-end encryption software private. Nobody has the right to take these secret keys away from you - no company, no government, no individual, no organisation. You can willingly forfeit your privacy (and many do by accepting "Terms and Conditions" of various platforms and services) but no body has a right to forcibly take away your privacy.

"Complain to your local government representative about the attacks on E2EE."There have been repeated attempts (and will continue to be repeated attempts) to outlaw end-to-end encryption. Governments want to spy on citizens; companies want to spy on individuals to profit off their private data; organisations want private data of individuals to make discriminatory decisions about said individuals. All of these actions have negative consequences on individuals: psychological abuse, economic discrimination, racial discrimination, political discrimination, exploitative psychological advertising (the list goes on and on).

So what can you do about this? You can raise awareness, first of all. Complain to your local government representative about the attacks on E2EE. You can educate yourself about which software gives you full control over your secret keys.

"Note that operating systems and devices have constantly had back doors installed into them."Here's a list of software you can look up which gives users control over their secret keys:

1) GnuPG and Kleopatra (GNU/Linux, BSD, OSX)

2) Gpg4win and Kleopatra (Windows)

3) OpenKeychain (Mobile)

There are many books, videos, and tutorials about the tools above. They're a good point to start with.

Note that operating systems and devices have constantly had back doors installed into them. The best way to use E2EE software is to have a separate device for performing all E2EE tasks; said device should never be connected to the Internet. This is too inconvenient for some but is worth considering for those who want added level of security.

A note on hardware security tokens: Don't believe in them. Most of them are likely to have back doors in them which allow extraction of your secret keys. Use an ordinary, general-purpose computer for all E2EE tasks; preferably one that never sees the Internet. Old laptops make great E2EE machines; just turn off the WIFI and don't plug in any Ethernet cable. Devices like the Raspberry Pi are also a good candidate for an affordable system exclusively used for E2EE. You can use these devices with an HDMI cable, keyboard+mouse, and a USB stick to move data to and from the device.

Does all your data need to be E2EED? Of course not. That would be overkill. But data that you think needs to be private should be private. So use E2EE software to protect your privacy, when you see fit. This includes pictures, videos, legal documents, files containing passwords, etc.

"Old laptops make great E2EE machines; just turn off the WIFI and don't plug in any Ethernet cable."Remember: E2EE is a system in which data is encrypted so that ONLY ONE party can decrypt the data: intended recipient(s). Any system which doesn't satisfy this definition is not E2EE; don't let governments, companies, etc. convenience you otherwise.

Technical details



Say J wants to send a file F to M; J wants to encrypt F so that only M can decrypt F. We'll refer to the encrypted form of F as EF.

What would J need to do?

We'll establish a few more definitions (sorry about this but it's necessary to maintain correctness).

J and M both have keys.

E2EE software : S.

Public key of J : JPKEY Secret key of J : JSKEY

Public key of M : MPKEY Secret key of M : MSKEY

(1) J and M both use S to generate their respective key files (JPKEY, JSKEY, MPKEY, MSKEY).

(2) J needs MPKEY in order to encrypt F for M.

(3) M sends J: MPKEY, in advance (this can be done over any media as MPKEY is not required to remain private).

(4) J now has the following: S, JSKEY, MPKEY, F. J can use these to obtain EF.

(5) J sends EF to M.

(6) M now has the following: MSKEY, S, EF.

(7) M can use these to obtain F from EF.

All of the above can be done with only one person. In, that case J = M. This is when you want E2EED that is "for your eyes only".

RSA and EDDSA are considered the most secure systems for E2EE today (2020). The major weak points in any E2EE are: human error, hardware and software backdoors, hardware and software bugs. E2EE is always evolving, so what you read today may not be true tomorrow.

As with all security, there is assumed risk no matter how careful you are. There are no security guarantees but that doesn't mean you shouldn't try.

Be wary of any body that gives you guarantees.

Recent Techrights' Posts

Dispelling the Notion That Microsoft is Political Left
Microsoft not only got bailed out (several times) by Donald Trump but also approached him to take over TikTok without paying for it
Slow But Ongoing Mass Layoffs at EPO, Estimates That Nearly Half of the FOs Will be Made Redundant Soon
When you cease to care about validity and quality of patents you're granting why bother with humans at all?
[Video] Richard Stallman's New Talk in Germany Covers What Free Software Means, Why LLMs are "Bullshit", and Lots More (Web3 Summit 2024 Berlin)
Closing Keynote Day 3 - Dr. Richard Stallman - Web3 Summit 2024 Berlin
The Peril of the Electronic Frontier Foundation (EFF) Illuminates the Dangers of Founders Leaving or Being Forced Out
Whatever you may think they stand for, you risk being fixated on what they originally were and perhaps what their Web sites still say
Difficult Times at Soylent News
We hope that Soylent News will recover from this
Crimes of the EPO Are Costing Everybody in Europe
Since virtually everyone in Europe is a user of software (almost nobody is a forest dweller like in countries near the equator), this impacts everybody
 
Certificate Authority Let's Encrypt Has Fallen From 12% in Geminispace to Just 1.2% in Two Years (Capsules Usually Self-Sign Their Certificates)
Don't ask the imposters about security
The "IT Industry" is Full of Imposters (It's a Growing Crisis)
They often manage the companies
Richard Stallman Explains Stochastic Parrots (LLMs)
From his latest talk
The Toys of Today's Kids and Coordination Woes, Not to Mention a Lack of Social Skills
Too much time indoors, too much screen time
Linus Torvalds, the Son of a Politician, Tries to Stay Out of Politics (or Political Topics)
"I'm just a geek" has its limits in practice
Richard Stallman Still Deals With Politics
Stallman's gonna Stallman
GAFAM Not Invincible
The US has an election very soon and Microsoft is already bribing candidates for deregulation and favours, based on press reports
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, September 10, 2024
IRC logs for Tuesday, September 10, 2024
The Greatest Show on Earth (Buzzwords Circus)
What next? Being denied medical service because you don't have a Facebook account?
Gemini Links 11/09/2024: Happiness, Improvised Nebuliser, and olden Age of Palm OS
Links for the day
Julian Assange's Father Turns 80 and They Show Themselves in Melbourne
Will he be active in Wikileaks soon?
[Teaser] EPO Tightening Its Belt
who didn't see this coming?
Are Lawsuits Over EPO Corruption Next?
Why does the mainstream media not cover it?
Europe's Second Largest Institution, the EPO, Exploits Lack of Oversight to Commit Crimes Every Day
Immunity begets impunity, which in turn begets crime
Transcript of Latest Public Talk by Dr. Richard M. Stallman (RMS), Delivered Last Month at Web3 Summit 2024 Berlin
quick-and-dirty transcription
Links 10/09/2024: Big Brother Awards Germany 2024 and Telling the Unemployed to 'Drive Uber'
Links for the day
Gemini Links 10/09/2024: DUIs and Useless Analytics
Links for the day
New Article in redhat.com: How to Install Microsoft Windows
That's just about as bad as that sounds...
OSI's Blog is Still 100% Microsoft-Sponsored Attacks on Free/Open Source Software
OSI is a compromised, defunct body. It exists to serve the enemies of its original mission.
A Decade Ago Things Became So Bad at the European Patent Office (EPO) That Staff Jumped Out the Window During Working Hours
Colleagues saw the suicide; the EPO's response wasn't to tackle the causes but to bolt down the windows (like factories in China installing controversial 'suicide nets')
Red Hat is Suing to Protect From Patent Trolls
Why doesn't Red Hat (IBM) also lobby to eliminate all software patents once and for all?
COVID-19 Ushered in Attacks on Human Rights and Things They Said They Had Introduced Temporarily Are Still in Effect/Operation Today
COVID-19 changed a lot of things
Quitting Academia When Its IT Systems Are Dominated by Clowns Who Outsource
It seems like a common trajectory
Why the Free Software Foundation (FSF) Owning or Renting Office Space Mattered
"In the long term, the FSF needs to own its future office space, but then the deadly risk is that the property ownership becomes the end goal rather than software freedom."
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, September 09, 2024
IRC logs for Monday, September 09, 2024
Free Software Foundation (FSF) Probably Has No Choice But to Shut Down Its Office
Net Income -$686,366
Nearly Two Years After Quitting My Job
My colleagues and I were bullied by managers (grievance complaint got filed) who didn't even know what "Linux" was
Terms of Service (TOS) Under Scrutiny - Part XVIII - In Conclusion
Many activities can be done offline without having to sign anything
Modern spyware and the problems of "Discord newspeak"
The history of modern instant messaging...
Links 09/09/2024: More Trash Balloons and Collapse of Real Estate Market in China
Links for the day
Gemini Links 09/09/2024: ROOPHLOCH and More
Links for the day
Wrong Priorities at IBM
Lavish spendings on a 16-year contract for the most expensive place while firing tens of thousands of staff
Links 09/09/2024: LLMs Manipulated to Lie, More Corruption Found in COVID-19 Contracts
Links for the day
The Best Interface is Outdoors, It's Nature!
Not everything should be replaced by or emulated by digital devices
Terms of Service (TOS) Under Scrutiny - Part XVII - A Personal Perspective
The bottom line is, it's possible to reduce (albeit not entirely eliminate) how many things one signs, presses "OK" on and so on
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, September 08, 2024
IRC logs for Sunday, September 08, 2024
Always Taking Things Up a Notch
Nothing will stop us
[Meme] EPO Keeps Masking Its Corruption With "Diversity and Inclusion" (Hiring the Wife of a Friend of Someone Who Bribed His Way Into EPO Presidency)
chain of nepotism
Very Large EPO Applicants Now Threaten a Boycott of the EPO (the EPO Management is Trying to Bribe Them to Change Their Plans/Minds While Hiding It From Staff)
If corruption prevails to this extent, it will have severe international effect
Gemini Links 09/09/2024: Gemini Application Developer Guide and ROOPHLOCH 2024
Links for the day
Links 09/09/2024: 'Dieselgate' Criminal Trial Starts Late, Mass Layoffs at Volkswagen
Links for the da