Apple recently announced a significant expansion in its use of End-to-End Encryption (E2EE), increasing the number of iCloud data categories protected by this method from 14 to 23. This move is among the company’s responses to the surge in data breaches in recent years. According to a study conducted by Apple, data breaches more than tripled between 2013 and 2021. Just last year, over 1.1 billion personal records were exposed. The implementation of E2EE acts as an added barrier of protection, particularly advantageous against sophisticated hacking attacks.
Understanding End-to-End Encryption (E2EE)
E2EE is a communication process that encrypts data shared between two devices, preventing third parties, including ISPs, cloud service providers, and cybercriminals, from accessing the data during transmission. The cryptographic keys used for encryption and decryption are stored at the endpoints, that is, the devices sending or receiving the data. An encryption algorithm converts standard text into an unreadable format that can only be read by those who possess the decryption keys. E2EE is often employed when transferring sensitive information such as business documents, financial details, legal proceedings, and personal conversations.
Advantages of E2EE
The primary advantages of E2EE include security in transit, safety from third parties, tamper-proof communications, and compliance with industry-specific regulatory laws. With public key cryptography, private keys are stored securely on the endpoint devices, so only authorized individuals can access the messages. If an encrypted message is altered or tampered with during transit, it becomes undecipherable, which protects against potential risks.
Disadvantages of E2EE
Although E2EE offers robust security, it also presents certain challenges. These include the complexity of defining endpoints and potential privacy risks. In some E2EE implementations, data can be encrypted and decrypted multiple times during transmission, which makes it crucial to define the communication endpoints accurately. If these endpoints are compromised, the encrypted data may be exposed. Moreover, the high degree of privacy that E2EE offers might inadvertently protect individuals sharing illicit content. Finally, E2EE does not protect metadata, so certain aspects of the information remain visible to potential interlopers.
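The properties described in the advantages and disadvantages sections above, as an added example that is not from Apple or the original article: two endpoints agree on a key with X25519 and encrypt with ChaCha20-Poly1305, while a relay in the middle can read only the metadata. The `Endpoint`, `relay_view` and `tamper` names and the choice of algorithms are assumptions made for illustration, the code needs the third-party `cryptography` package, and it omits identity verification and forward secrecy.

```python
# Added illustration (hypothetical names); needs the third-party 'cryptography' package.
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF


class Endpoint:
    """A device. Its private key is generated locally and never leaves it."""

    def __init__(self, name):
        self.name = name
        self._private = X25519PrivateKey.generate()
        self.public = self._private.public_key()  # safe to publish

    def _cipher(self, peer):
        # Both endpoints derive the same key; the relay never learns it.
        shared = self._private.exchange(peer.public)
        key = HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                   info=b"e2ee-demo").derive(shared)
        return ChaCha20Poly1305(key)

    def send(self, peer, plaintext):
        nonce = os.urandom(12)
        # Routing metadata stays readable so the relay can deliver the message.
        meta = {"from": self.name, "to": peer.name, "size": len(plaintext)}
        aad = f"{self.name}->{peer.name}".encode()
        body = self._cipher(peer).encrypt(nonce, plaintext, aad)
        return {"meta": meta, "nonce": nonce, "body": body}

    def receive(self, peer, envelope):
        aad = f"{peer.name}->{self.name}".encode()
        try:
            return self._cipher(peer).decrypt(envelope["nonce"], envelope["body"], aad)
        except InvalidTag:
            return None  # altered in transit or wrong key: rejected


def relay_view(envelope):
    """What a server or ISP on the path can read: metadata, not content."""
    return dict(envelope["meta"])


def tamper(envelope):
    """Flip one ciphertext bit, standing in for modification in transit."""
    body = bytearray(envelope["body"])
    body[0] ^= 0x01
    return {**envelope, "body": bytes(body)}
```

The receiving endpoint gets `None` for a modified envelope rather than garbled text, because the authentication tag no longer verifies.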
Legal Framework for Encryption in India
In India, no specific encryption law exists. However, rules governing industries like banking, finance, and telecommunications do set minimum standards for encryption to secure transactions. The licensing agreement between ISPs and the Department of Telecommunications (DoT) stipulates that users cannot use encryption with key lengths greater than 40 bits in symmetric key algorithms or similar methods without prior clearance and deposit of decryption keys. Moreover, the new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, which replaced the earlier 2011 rules, have the potential to impact the E2EE techniques used by social messaging applications such as WhatsApp, Telegram, and Signal. The Information Technology Act of 2000, while regulating electronic and wireless modes of communication, lacks any substantial policy on encryption.