Why do we care about end-to-end encryption


In the last few years phones and apps have been touting themselves as better than other phones/services because their messaging has end-to-end encryption, or some other variant of secure messaging. Why do we care?

Edit: Thanks for the answers, everyone!


28 Answers

Anonymous

You care because you don’t want either of the following things:

1) Your messages to be surveilled.
2) Your messages to be altered.

If your messages *aren’t* encrypted end-to-end, it means that there is a point in the middle of the transaction when this is possible. I’m a network engineer who worked for a nationwide ISP for a decade, and one of my jobs was to execute tap-and-trace orders from law enforcement organizations who contacted my team’s legal department. Our lawyers would read and approve the court order, they’d call me, and then with the officer and the lawyer on the phone, I would activate the span to send a copy of the traffic from the target over to the law-enforcement traffic capture device (a computer with specialized software to record network data, similar to [Wireshark](https://www.wireshark.org/)).

This was many years back, before SSL/HTTPS was ubiquitous, so simply reading traffic off the wire was very simple. However, now transport encryption is virtually universal, so tapping ISP traffic, while still useful for watching for activity, is far less of a complete solution.

So, if the NSA or FBI wants to read your Skype messages, what do they do? Well, they know your traffic is going to Skype servers, because they can see your IP headers, but they can’t read the payload. No problem, they know your source IP address, and the time at which you sent the messages, so they’ll go to Microsoft (who owns and operates Skype), and present them with a court order, asking them to send them the plaintext traffic their servers receive from you, and anyone talking to you.

This is where end-to-end encryption comes in. Now even your messaging service doesn’t know what you sent, only the source and destination IP address of the message packets. In order to decrypt the traffic, they have to obtain the encryption keys off your phone, or that of your interlocutor, in order to read the messages you sent.

And before you say, “I have NordVPN”, I’d just like to point out to you the story of [Crypto AG](https://en.wikipedia.org/wiki/Crypto_AG), the CIA/BND front which sold “security and encryption services” to other governments for 70 years.
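
The difference the answer above describes, as an added example that is not part of the original answer: the same message relayed through a service with transport encryption only, then with an end-to-end layer, showing what the service can read and what happens if it alters the payload. Assumptions: all function and key names are hypothetical, the keys are constructed and taken as already agreed, and the HMAC-SHA256 encrypt-then-MAC construction stands in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (stand-in for a real cipher).
    stream = b"".join(_prf(key, nonce + i.to_bytes(8, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError if altered or wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("message altered in transit or wrong key")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

def via_transport_only(msg, k_a_srv, k_srv_b):
    """Sender->service and service->recipient links are encrypted separately."""
    server_view = unseal(k_a_srv, seal(k_a_srv, msg))       # plaintext at the service
    delivered = unseal(k_srv_b, seal(k_srv_b, server_view))
    return server_view, delivered

def via_end_to_end(msg, k_a_b, k_a_srv, k_srv_b, tamper=False):
    """Same links, but the payload is first sealed with a key only the phones hold."""
    inner = seal(k_a_b, msg)
    server_view = unseal(k_a_srv, seal(k_a_srv, inner))     # still ciphertext
    if tamper:                                              # service flips one bit
        server_view = server_view[:20] + bytes([server_view[20] ^ 1]) + server_view[21:]
    delivered = unseal(k_a_b, unseal(k_srv_b, seal(k_srv_b, server_view)))
    return server_view, delivered

# Constructed sample keys and message.
K_A_SRV, K_SRV_B, K_A_B = (secrets.token_bytes(32) for _ in range(3))
MSG = b"meet at 6pm"

if __name__ == "__main__":
    print(via_transport_only(MSG, K_A_SRV, K_SRV_B)[0])           # readable by the service
    print(via_end_to_end(MSG, K_A_B, K_A_SRV, K_SRV_B)[0].hex())  # opaque to the service
```

In both modes the service still handles the routing metadata (who is talking to whom, and when); only the payload changes from readable to opaque.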
