The rise of smartphone apps now means more of our private information is in the hands of app providers. To protect data, many app providers are now using end-to-end encryption to safeguards the data they collect. This article will explain what end-to-end encryption is, the app developers that currently use them and some of the benefits and pitfalls.
What is End-to-End Encryption?
End-to-End Encryption (EE2E) describes the process by which data is stored between end-users. When an app uses E2EE, the data is sent from one device to the intended device, and only those devices can decrypt (or view) the data. Examples of E2EE include Secure Socket Layer, Internet Protocol Security and Transport Layer Security.
Examples of EE2E
EE2E is best demonstrated through describing WhatsApp’s EE2E service. On 5 April 2016, WhatsApp announced E2EE is available on all of its devices (i.e. if you use an iPhone, Android, Nokia, Microsoft, etc.) your conversations are secure because of EE2E. When you send a video or text via WhatsApp to your friend, that video or text is only viewable by you and your friend. Not even WhatsApp will have access to your message.
Australian Banking Apps
ANZ uses a form of EE2E, known as “Secure Socket Layer” (SSL). According to ANZ, this is a high-grade encryption whereby the encryption turns the words and numbers into coded language. It prevents unauthorised users from changing or reading your data. As such, ANZ confirms that your credit or debit card number is never saved on your device or shared with the merchant (i.e. the website you online shopped through or the sales assistant who sold you those nice high-waited jeans).
When is EE2E Important?
Recently, we have seen massive data breach incidents like the Panama Papers. With the rise in data breaches, EE2E can be seen as critical. Accordingly, all app developers should consider encrypting any private, sensitive or confidential information.
Adding an EE2E service to your app can assure and convince your users that your data is safe and secure. It can also relieve you of some data storage compliance issues. If you do hold data, you will have obligations under the Privacy Act 1988 (Cth) (further described below). Of note, platforms like Facebook, Snapchat and so forth are built to share user-generated information. These organisations will need to comply still any private information they hold but their public information, for example, would not need to be EE2E.
Pitfalls of EE2E
Despite the obvious benefit of protecting sensitive data, EE2E is not without its pitfalls. First of all, the technology is not free. EE2E only encrypts (make secure) data that is in motion. Accordingly, the E2EE services take a lot more computer power (especially when the computer is older) than it would if there was no encryption.
Secondly, no solution will protect your users’ data completely. However, EE2E does reduce risk significantly in that third parties are not involved, and the user’s data isn’t floating around unencrypted before it moves onto the intended receiver.
In Australia, when an entity holds personal information, they must take “reasonable steps” to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. The Office of the Australian Information Commissioner confirms that reasonable steps may include the preparation and implementation of a data breach response plan or policy.
Encryption exists between the original source and final destination. Decryption occurs when the end users open their message. Accordingly, EE2E shields conversations from all but the sender and receiver. In determining if EE2E is relevant for your App you will need to consider the content of the information you are sharing or not sharing, whether it is private and whether your users will expect it to be private. Contact LegalVision’s IT lawyers to assist you with any questions you may have. Call us on 1300 544 755.