End-to-End Encryption (E2EE), as we generally think of it, protects our communications from any third party while they are moving between us and the other user we are communicating with. It’s difficult even for State actors to discern the contents of a truly E2EE communication. That’s why it is so useful and, at the same time, can be so dangerous. True E2EE, at this time, is about as secure as you can get with a communication. If you’re sending the nuclear codes from one person to another, you had better make sure your connection is E2EE.
But true E2EE, or Peer-2-Peer (P2P) E2EE, is not generally what we are getting when we meet with our clients via video conference, although many providers claim that it is. Most of the time, what many communications providers term E2EE is not a direct private route from one user to the other. And that can be okay, provided you know what you are getting. This modified E2EE communication is still encrypted while it’s traveling over the internet at large (a space that is likely not private for you). And this will likely be enough protection for the information you are exchanging with your client, as long as you trust your provider.
This topic can get very technical very quickly, and even security professionals can argue over the level of protection E2EE can provide. We don’t expect the legal industry at large to have the time or the inclination to dig into these arguments. So, we’ve asked Graham Nelson-Zutter, a co-founder of Voice-over-IP (VoIP) company Corvum.io, to help us cut through some of the weeds. Graham’s company, Corvum.io, caters specifically to attorneys, so he is in tune with the particular needs and obligations of legal professionals. Graham was kind enough to field our questions via email in the middle of what is obviously a busy time for the legal tech industry.
Zack
So, Graham, let’s start basic here with a look at the point of encryption in the first place. If I don’t use an encrypted method of communicating with my client, who could possibly access the contents of these exchanges? Isn’t that just something a State actor could do?
Graham
Non-encrypted communications have no concealment and are relatively easy to detect and collect if someone has access to the network you’re using. The network you’re using is of course the internet, which includes your local home network and WiFi, the connection to your internet service provider (ISP) and everything between you and your cloud application provider.
To collect non-encrypted communications between your ISP and your cloud app provider requires more resources and access. A state actor can do this and would normally enlist an ISP or internet backbone provider for help.
Your local home network (LAN) and WiFi are much easier to access. Anyone with access to your router, WiFi antenna or network equipment in your house can “sniff packets” and listen in. Tools like Wireshark make this pretty easy for anyone curious or motivated to try.
Zack
So that leads into my second question here. Can the provider of my connection – like Skype, Zoom, and HouseParty – access the contents of my communication if it is End-to-End Encrypted?
Graham
In short, yes, it’s very likely that your provider is able to access your communications because they are not likely using true E2EE.
E2EE means that encryption is set up and working between the two or more parties (“the ends”) communicating, typically connecting to each other through the internet. In a video meeting, this means that your browser and the other participant’s browser share two ends of the same connection, both using the same encryption keys. This sounds pretty understandable and is indeed technically happening, but there’s also a third party participating in this connection we’re not normally thinking about or we don’t yet realize is involved in our encrypted private conversations. This is the cloud app provider.
What is being sold today as E2EE does connect both parties over an encryption data stream, but is not truly E2EE or what we imagine true E2EE to be. The problem is that the keys to create our encrypted conversations were not created by participants as equal peers. Instead, our provider generates encryption keys and then hands these keys out to all participants.
True E2EE means that these 2 participants create and share their own encryption keys with each other and nobody else has these keys. Sometimes this is called Peer-to-Peer (P2P) encryption to emphasize that the peers or participants, as equals, create and share their own keys, without needing their provider’s help or permission to create, share and use their own keys.
In practice, this true P2P form of E2EE isn’t used in most communications online. The provider normally issues the encryption keys and then hands them to all participants. This allows the provider to stay in the middle and include features like automatically focusing attention on the most active speaker in the conference and saving server-side meeting recordings. Active speaker focus, particularly, requires the provider to host a program or bot on their servers which listens to the audio stream from each speaker and compares them to focus on the loudest participant over the last 5-10 seconds.
True P2P E2EE is, unfortunately, rare today. It would be ideal to use true P2P E2EE in more applications to ensure others can’t listen in without our consent. Without true P2P E2EE, what we should ask ourselves is “do we trust our providers and their access to our private data?” Our providers are all typically for-profit companies, but are they motivated primarily by profit? Given our provider’s history and actions, do we believe that they truly value the privacy policy they provided on their website? If they sell our metadata to Facebook or Google to sell ads, we need to ask if we trust the provider with the keys to our private conversations.
Zack
If these providers are still claiming that the connection is E2EE, how are we to know when there is a cloud-app provider in the middle? Can we verify that a connection is a certain type of E2EE? Or do we just need to take the provider’s word for it?
Graham
Without a lot of technical skill, it’s not easy to verify that your provider is giving you true P2P E2EE. Without a trusted and independent 3rd party providing a tool to verify the kind of E2EE used in your communications, you are indeed forced to take your provider’s word for it. The task really is to look at the believability or likelihood that your provider is telling the truth about your E2EE. What do their actions tell you about their believability? Do they have a history of selling your data to 3rd parties?
Zack
Last question, because I know you are busy right now. If E2EE is so good, why aren’t all connections that way, even our normal email exchanges?
Graham
True P2P E2EE is rare today. Very little of our software uses the P2P E2EE model. Cryptocurrencies are the best example as they use blockchain. What we would need for mass adoption is for our web browsers and smartphones to connect to a P2P E2EE system. Cryptocurrencies do provide a template of how to achieve true P2P E2EE, but it’s not commonplace.
If we expect and plan for the E2EE we’re currently using not to be true P2P E2EE, we should look at our provider and think about whether they deserve to hold the key to our private conversations. If you don’t trust them, think about changing to a provider who you believe does protect your privacy.
Zack
Thanks, Graham, for taking the time to explain some of these concepts to us. We certainly appreciate your time. Hopefully we can have you back for some more explanation in the near future.
Graham
It’s a pleasure to help answer these questions, Zack. I think that it’s great that you and tech4lawyers.com are drawing attention to a privacy and security concern that matters to all lawyers. I was raised by two lawyers. I discovered early in life that my folks were able to understand anything technical if I took the time to listen to their questions and help them build their understanding of key concepts. We can have much more say on how our communications tools work, if we’re informed.
Graham Nelson-Zutter
More information on Graham’s company Corvum.io can be found on their website at Corvum.io. You can also follow Graham on Twitter at @GrahamSNZ, or you may be able to find him at one of the many legal technology speaking engagements he has presented at.