
Privacy, power, and encryption: why end-to-end security matters

Governments may continue to look for ways to restrict end-to-end encryption, but the greater danger lies in demanding insecurity by design that would undermine trust, resilience, and the security of the global communications ecosystem.

Privacy is not a modern invention; it is part of the human condition of trust, dissent, and intimacy. Every society has developed ways to communicate beyond the reach of power: whispered conversations, sealed letters, coded language.

The need to keep secrets is equally important among the powerful – governments, more so than individuals, have jealously guarded their own secrets, even as they seek to uncover the secrets of others. What is new is neither the need nor desire for private communication but the current power of the observer.

We now live in what some have termed a “golden age of surveillance,” in which governments, corporations, and adversaries possess the technical capability to monitor human interaction at unprecedented scale. In this era of pervasive digital connectivity, most digital interactions leave a permanent, searchable trace, and the need to protect sensitive information has become critical.

End-to-end encryption (E2EE) is therefore not a technical abstraction or ideological indulgence; it is the most effective defence against unauthorized access to private communications in a fully networked world. As digital communication continues to evolve, the risks of interception scale with it.

Why E2EE matters

E2EE preserves data confidentiality by masking data from unauthorised users and ensuring that only the intended recipients, with a decryption key, can access the data. Using cryptography, E2EE transforms readable plaintext into unreadable ciphertext on the sender’s device, keeps it encrypted during transmission, and decrypts it back into its original form only when it reaches its destination and is decoded with the correct key. It is widely used by governments and corporations and is becoming increasingly common among individual users, reflecting its status as the prevailing standard for data security and privacy.

The most common use of E2EE is for secure communications on mobile and online messaging services. It is also widely used by password managers to protect users’ passwords; for data storage purposes to ensure that data is protected when it is stored and when it is transmitted between devices or to the cloud; and for file-sharing purposes, including peer-to-peer file sharing, encrypted cloud storage, and specialised file transfer services.

Using E2EE means that no one else, including the service provider facilitating the communications, has access to the unencrypted data without consent. If it were to be intercepted, the data would appear to third parties as random, unintelligible characters.

As the service provider facilitating the communications does not have access to the unencrypted data due to E2EE, it is unable to provide it to any third party. That includes governments and law enforcement agencies that criticize E2EE as an obstacle to investigations while at the same time relying on and demanding the strongest available encryption to protect their own systems. Thus, the debate over E2EE is not about balancing privacy and security. It is about whether governments can demand systemic insecurity while insisting on absolute security for themselves.

The risks of 'exceptional access'

“Exceptional access” is the term used to describe the mechanism for enabling government access to encrypted communications. Different governments take different approaches to the methods they use to seek exceptional access. While the intentions behind exceptional access may be noble, facilitating such mechanisms in E2EE communications can create more problems than it seeks to solve.

The creation of government-mandated security vulnerabilities, commonly known as backdoors, into E2EE services jeopardizes the security and privacy of global communications. Once a backdoor is built, no one can guarantee that only the authorised third party will have access to it. Malicious actors will try to use such backdoors to enter and decrypt communications that are intended to be secure on the endpoints and only accessible to the sender and recipients. It is for this reason that the world’s leading providers have avowed publicly never to do so.

Third-party exceptional access mechanisms in which a copy of a user’s decryption keys is held by a “trusted” third party for potential future use by the government are at present fraught with insurmountable technological and security issues. Industry, backed by the vast majority of relevant experts, is saying that it’s simply not possible to have E2EE where a third party holds a key. It defeats E2EE’s central premise and is a deliberate breach of the security guarantee that E2EE provides.

Any kind of repository where providers are forced to store the keys would become a treasure trove of a target for attackers – especially so for sophisticated state actors who, as we have repeatedly seen, are adept at breaking into worldwide telecommunications networks and critical infrastructure.
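The guarantee described above, and what a mandated key copy does to it, shown as an added example that is not code from the article or from any provider. The names alice, bob, provider and escrowCopy are hypothetical, and the use of X25519, HKDF and AES-256-GCM is an assumption made for the illustration.

```javascript
// Added illustration; all names and the sample message are constructed.
const nodeCrypto = require('node:crypto');

// Each endpoint generates its own X25519 key pair; private keys never leave the device.
function newEndpoint() {
  return nodeCrypto.generateKeyPairSync('x25519');
}

// Both endpoints derive the same 256-bit message key from ECDH followed by HKDF.
function sessionKey(myPrivate, theirPublic) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2ee-demo', 32));
}

// Sender side: AES-256-GCM gives confidentiality plus tamper detection.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Recipient side: returns the plaintext, or null if the key is wrong or the message was altered.
function open(key, { iv, ct, tag }) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

function demo() {
  const alice = newEndpoint(), bob = newEndpoint(), provider = newEndpoint();
  const kAlice = sessionKey(alice.privateKey, bob.publicKey);
  const kBob = sessionKey(bob.privateKey, alice.publicKey);
  const msg = seal(kAlice, 'meet at noon');   // this is all the provider relays and stores
  // The provider knows both public keys but holds neither endpoint's private key.
  const kProvider = sessionKey(provider.privateKey, alice.publicKey);
  const escrowCopy = Buffer.from(kBob);       // mandated copy of the key held by a third party
  return {
    bobReads: open(kBob, msg),
    providerReads: open(kProvider, msg),
    escrowHolderReads: open(escrowCopy, msg), // whoever holds this copy can decrypt the message
    relayedContainsPlaintext: msg.ct.includes('meet at noon'),
  };
}
```

The escrowed copy decrypts exactly as the recipient's key does, which is why the security of every conversation then depends on how well that copy is stored.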

Why encryption is not an existential threat to law enforcement

In any event, governments have for decades warned of the existential threat posed by encryption and of the grim possibility of “going dark.” But they have not gone dark, and there exist other means by which governments can get valuable data. Metadata remains available. Enhanced investigative means and other investigative tools are ever evolving and becoming more sophisticated.

Governments should be careful about what they wish for. In seeking to fetter E2EE, they may drive the very actors whose data they most need away from mainstream providers, most of whom have long-standing collaborative relationships with law enforcement. In doing so, they will lose the ability to gain the data they can still obtain notwithstanding the use of E2EE – or, worse, they will undermine the very technology on which they also rely.

At this stage of technological development, there exists no meaningful way to grant governments “exceptional access” to encrypted communications without deliberately engineering systemic vulnerability into the digital infrastructure on which billions of people, institutions, and governments themselves depend.

Once such vulnerabilities exist, they cannot be confined to the well-intentioned or the lawful; they become available to hostile states, criminal actors, and anyone capable of exploiting them. The consensus among technologists and security experts is unequivocal: E2EE either works for everyone, or it is broken for everyone. Governments may continue to warn of impending darkness, but the greater danger lies in demanding insecurity by design – an outcome that would fundamentally undermine trust, resilience, and the security of the global communications ecosystem.
