End-to-end encryption alone is not enough to enable and protect private conversations. Dr. Galina Datskovsky, CEO of Vaporstream shares why we shouldn’t make the mistake of thinking otherwise when evaluating communications platforms.
Last month, Zoom bowed to pressure to provide end-to-end encryption to both their paid and unpaid users. A move that relieves security concerns about paid users (who would have end-to-end encryption) and unpaid users (who would not) communicating in a truly protected fashion. The move also serves to remind us that end-to-encryption is table stakes for any enterprise communication platform. Moreover, end-to-end encryption alone is not enough to enable and protect private conversations – and we shouldn’t make the mistake of thinking otherwise.
While end-to-end encryption protects information from man-in-the-middle attacks, it does not protect information once it is delivered to a device. Once any information sent reaches another device it is decrypted, leaving the user with no control over it. A user cannot stop the recipient from – intentionally or unintentionally – forwarding it to someone else, posting a screenshot online, or saving it to their camera roll. It’s not just about human behavior either – many end-to-end encrypted communications platforms actually support automated cloud backups.
The bottom line for enterprise customers is to recognize that just because the information is end-to-end encrypted doesn’t mean the information is safe. There is a significant difference between consumer applications and enterprise-grade platforms built with privacy by design. Many of the same implications are true for consumer-focused messaging services such as Signal that are designed for private communication amongst citizens but not the enterprise end-user who has broader concerns than PII.
In order to have secure and private conversations, a solution is needed that provides end-to-end encryption and content controls. Enterprise users must always be able to decide when information can be forwarded, copied, shared, or saved even – or especially – after it is delivered to another device.
Confusing Security and Privacy
Even though security and privacy are two very different issues, they are often confused. When Zoom announced their Keybase acquisition last month as a step towards creating “a truly private video communications platform,” they were doing exactly that. Confusing people.
Security is about countering attacks. Privacy is about content control. What enterprises need to do on a daily basis is to make sure the communication platforms they are using are not just secure, but private.
In addition to content controls, enterprises should demand that communication platforms are private by design. Consumer applications often require users to individually activate privacy features, such as disappearing messages. Enterprise communication platforms must lead with privacy as the default, and not require users to take added actions for privacy features.
Consumer applications do not offer ways to retain and destroy the information to meet compliance requirements – and often offer features that are inherently non-compliant. For example, Zoom allows users to record meetings without other users’ explicit permission and it is unclear where the recordings are stored, or for how long. Enterprise communication platforms that are private by design are inherently built to support data lifecycles for complex compliance and regulatory requirements. That way, you can enjoy privacy features, while maintaining compliance – a critical requirement for many businesses.
Compliance is a consideration that is closely paired with privacy issues in regulated industries. From GDPR and CCPA to HIPAA and FINRA ensuring compliance in the midst of private communications is directly tied to the content being shared. Consumer-focused messaging platforms are not required nor is it their focus to ensure compliance and the focus on encryption, though important, obscures broader issues with platforms not designed for critical communications.
Enterprises would also do well to consider the defensibility of a communication platform. For example, if your provider outsources development or offshores.
Zoom has a track record of being untransparent about its security. When they first announced they were going to provide end-to-end encryption for paid users, they were unclear about the architecture that would protect paid users, even when they were communicating with unpaid users.
It’s easy to feel confident in a communication platform that is as popular as Zoom especially as it very publicly moves to add end-to-end encryption. However, we have to remember that one feature alone does not make a communication platform inherently private. Enterprises need to look at platforms holistically to evaluate whether the tools they use to communicate and share information meet their privacy needs. End-to-end encryption is just one small part of the equation.
This post was originally published on Toolbox on July 17, 2020 by Galina Datskovsky,