When a third-party app says they offer “end to end encryption,” what does that mean?


When messaging/journaling/etc. apps say this, what does it actually mean, and why does it give people reassurance that their private info is safe?

The encryption is from your end to the other and only both devices know the code to decrypt the messages. Which means it should be safe.

Content is encrypted before it leaves your device, and is only decrypted when it reaches the other person’s device. It has been encrypted from **one end to the other**.

Standard messaging platforms resemble an old-school *telegraph*. End-to-end encryption more closely resembles *physical mail*.

To send a telegraph, you beep out your message. This gets sent to a telegraph station, where a person listening writes down your message, and then beeps it on to the next station down the line, where there’s another person waiting. Eventually, someone writes down the message and hands it over to the recipient.

The important thing to note is that the *telegraph operator reads the message* at every hop. So if your telegraph operator knows your cousin, they’ll gossip. And if the Government thinks you’re up to Crimes, they’ll watch over the shoulder of the telegraph operator to see if anything Looks Like Evidence.

Mail, on the other hand, is sealed in an envelope. And that envelope gets handed to a postman, tossed around by baggage handlers when it’s put on a plane, carried around by another postman, and then delivered *unopened* to the recipient. No one else has seen the content of the envelope until the recipient opens it. It is a crime for anyone else to open this mail, even the Government if they’re not going through proper channels (warrantee void where it’s voided).

The encryption is, more-or-less, the envelope that stops non-recipients from reading. The “end-to-end” part is the fact that it stays unopened from the beginning of the journey to the conclusion.

This, of course, relies on trusting the postal system actually does what they say they do. The post office has actual laws that guarantee it works this way, whereas some service that claims end-to-end encryption does not.

What is **not** “end-to-end” encryption is when the email is encrypted during transmission between servers, but is transferred from your email server to you in a form that the server (and its operators) can read.

And that’s actually the usual case, as email headers must be readable by the servers because they have routing information, and some email servers will also scan your emails for spam, attacks, and viruses.

What they’re claiming is that your data gets encrypted on your phone and doesn’t get decrypted until the intended recipient gets it. Encrypted data can’t be read without decrypting it first, so in principle end-to-end encryption ought to keep the app developer from sitting in the middle of your conversation reading your messages.

In reality, though, it’s important to remember that anyone can claim their app uses end-to-end encryption, whether or not it actually does. So you shouldn’t rely on an app to do the right thing.
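
The difference the answers above describe, as an added example that is not part of any poster's comment: the same message sent through a relay server with link-only encryption and then with end-to-end encryption, comparing what the server operator can read. The cipher is a toy built from HMAC for illustration, and the names and pre-shared keys are assumptions (real apps agree on keys with a key exchange and use a vetted library).

```python
import hashlib, hmac, secrets

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream for illustration only: HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key + b"enc", nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

# Constructed keys (assumption: already shared between the named parties).
K_ALICE_SERVER, K_SERVER_BOB, K_ALICE_BOB = (secrets.token_bytes(32) for _ in range(3))

def hop(payload: bytes) -> tuple[bytes, bytes]:
    """Alice -> server -> Bob with each link encrypted separately.
    Returns (what the server holds after decrypting its link, what Bob receives)."""
    at_server = unseal(K_ALICE_SERVER, seal(K_ALICE_SERVER, payload))
    at_bob = unseal(K_SERVER_BOB, seal(K_SERVER_BOB, at_server))
    return at_server, at_bob

def send_transport_only(msg: bytes) -> tuple[bytes, bytes]:
    return hop(msg)  # the "telegraph": the server holds the message itself

def send_end_to_end(msg: bytes) -> tuple[bytes, bytes]:
    at_server, at_bob = hop(seal(K_ALICE_BOB, msg))  # envelope sealed on Alice's device
    return at_server, unseal(K_ALICE_BOB, at_bob)    # opened only on Bob's device

def server_can_read(at_server: bytes, msg: bytes) -> bool:
    """True if the operator can recover msg with the keys the server has."""
    if msg in at_server:
        return True
    for key in (K_ALICE_SERVER, K_SERVER_BOB):
        try:
            if unseal(key, at_server) == msg:
                return True
        except ValueError:
            pass
    return False
```
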