Why end-to-end encryption is about more than just privacy
The question of whether regular people need end-to-end encryption will surely be debated for quite some time. But for Alan Duric, CEO and co-founder of Wire, the question can only have a positive answer.
Alan Duric on stage at FSec 2017
As he told the audience at the FSec security symposium in Varazdin, Croatia, end-to-end encryption is about more than just privacy – it is also critical for protecting business data, and our very lives and limbs as the Internet of Things becomes the norm.
With its eponymous open source, encrypted IM offering, Wire’s (and Duric’s) goal is to disrupt the privacy selling market headed by Google and Facebook, and offer secured communication to private users and organizations.
The latter have come to realize that they need to protect their intellectual property from industrial espionage, their own internal information (political parties, corporations involved in mergers and acquisitions, etc.), and their clients’ information (lawyers, healthcare organizations).
And, with the imminent advent of EU’s General Data Protection Regulative (GDPR) and the heavy fines that will (finally!) be imposed on those who fail to protect their customers’ information, companies should definitely be eyeing workable solutions for end-to-end encrypted communications.
Spreading the word about privacy
Duric says the information security community should work on raising awareness about the need for privacy among regular people/Internet users.
At the moment these efforts are being obstructed by Internet conglomerates, he notes, just as the tobacco industry hindered awareness raising about the dangers of smoking and passive smoking all those years ago. But those who were fighting the good fight persevered, and today everybody knowns about those dangers, and can choose for themselves whether the option is worth the risk.
People need to be aware that the great power Internet giants have over us could lead to great abuses, and ask themselves what can go wrong if they choose not to protect their communications.
But also, companies that sell security need to find good ways to do it – adapt methods that have worked in the past for other vendors, both for physical and digital security. “We are working against human nature here,” he noted.
Finally, companies must not forget that the offered products must, above all, be usable, or the whole thing will not work in the long run.
Commitment to privacy and communication security
Ultimately, if E2E encryption technology is implemented well and regularly tested for security holes, even if the service provider or the cloud is compromised the encryption keys are safe, stored on your own devices.
Duric is aware that E2E encryption is not a silver bullet, but there’s no denying that it makes life harder for those who need to break it in order to get at the data.
And from the vantage point of being included, in advisory capacity, into discussions by a number of non-governmental think tanks on the topic of encryption, he seems to believe that governments are slowly moving away from the idea of encryption backdoors, towards targeted compromise of suspects’ devices via exploits/malware.
Wire’s own commitment to privacy and communication security is backed by most of their choices:
- Open source code so that it can be independently audited
- Independent security reviews of the encryption protocol specification, implementation, and the complete solution, as well as regular code security audits for each major version of the solution
- Location of company (Switzerland) and servers (Germany, Ireland), meaning its users have the protection of Swiss and EU data protection laws
- Verifiable E2E encryption
- Minimal amount of collected data (and matadata) from users, short retention (72 hours) of the latter
- You can register an account with just your email address (and not reveal your phone number).
Wire has started by meeting the needs of the individual users, but have lately been concentrating on bringing end-to-end encrypted chats, file sharing and calls to businesses.
The company has released Teams – i.e. “Wire for work” – in beta this July, and Duric tells me there is a lot of interest in it, especially from European businesses and organizations, as the alternatives are mostly provided by companies outside of the EU.
As human-to-machine secured communication has been achieved, now is the time to start working on securing machine-to-machine communication, he says.
In machine-to-machine communication, integrity of the communication is what’s most important, especially when you consider the many nightmare scenarios that could happen as attackers get in the middle and can fiddle with connected devices, cars, etc.
“The stakes are definitely getting higher,” he concluded.