Sunday, November 13, 2022

Why you need end-to-end encryption

TL;DR - no matter who you are, you need to set up an end-to-end encrypted communication app for your calls and messages, and start using it for your day to day communication.

Encryption is a technology that allows us to send messages to each other using codes. It's core to how we are able to exist in the digital age: it's why a neighbor with an antenna can't read your emails, it's how you are able to bank online without a hacker rerouting your money, or even how you access your medical records online privately. Encryption is so ubiquitous that you are using it every day and don't even realize it. In fact, most major services on the Internet, even completely public ones, turn on encryption automatically.

The lock icon means my connection to Blogger is encrypted.

When it comes to personal communication, encryption ensures two major things for the people you're talking to:
  • That outsiders won't see or hear your communication.
  • That outsiders won't modify what you're sending.
In the past, we lived happily without any encryption. Gen-X people likely remembered their wireless house phones, where sometimes you'd overhear your neighbor's calls in the background. This was normal at the time, and was mostly safe in an age where technology didn't run so much of our lives. But now privacy is not just a fringe benefit, but a matter of safety and the security of many of the things we hold dear.

What is end-to-end-encryption?

Most communication today is encrypted-in-transit. That means you have protection to and from your service provider. For example, if you send a message on Facebook Messenger, that message is secure between you and Facebook, and then from Facebook to the message recipient. But notably, Meta has access to that message. They can read it. They could edit it in transit. Or filter it if they don't like what you're saying.

Encrypted-in-transit message

End-to-end encryption (E2EE for short) takes the message and puts it in an encryption "envelope". The messages still flow through the communication provider, but the provider can't read or modify the message. It's private "end to end", hence the name.


End-to-end encrypted message

With E2EE, a communication provider:
  • CAN'T see or hear anything that is being said/messaged/shown/etc.
  • CAN'T record your communication.
  • CAN'T meaningfully modify what you say.
  • CAN still see who you're talking to and when.
  • CAN still block you from sending a message (but without any knowledge of what you're about to say.
E2EE is not preferred by many communication providers, because it limits the sort of services you can provide:
  • Can't target advertisements based on what you're saying.
  • Quality, speed, and reliability of group communication tends to be worse than non-E2EE solutions.
  • Some features like camera filters, message search, are more difficult to build and may be of lower quality.

Why do I need this?

"I'm not talking about anything illegal, why would I need encryption?" 

To understand why an upstanding person like yourself might need end-to-end encryption, it can be helpful to think about the many parties that may want to access your communication.
  • The communications provider. How much do you want a big tech firm to know about you, and how comfortable are you with who they will sell this data to? Could a data broker build a profile of you to be targeted or even harassed?
  • Partners. Consider the case of the Cambridge Analytica scandal, where Facebook leaked private user data to a company which then used it to interfere in elections in the United States.
  • Hackers. Could a hacker reading your text messages use that information to access your bank or other important accounts?
  • Government. Are you a law-abiding citizen? Okay, sure you are... but are you a law abiding citizen by the past and future laws of every government you'll ever interact with? For example, Facebook was forced to disclose messages under subpoena related related to an abortion case (which became illegal shortly AFTER the subpoena).
What do I do?

The best thing you can do is to get an app that supports end-to-end encryption for messages and video/audio calls, and get in the habit of using the secure mode by default. Encourage your friends and family to use secure options, and make it clear that you're not comfortable with using systems like text messages anymore.

Some options to consider:
  • Signal is the defacto standard for the privacy-conscious. Their app is the gold standard for the privacy conscious, and their technology is so good, their "Signal protocol" is used in many other apps.
  • WhatsApp offers E2EE by default. While many are nervous what ownership by Meta will mean for the future, their track record so far on encryption is pretty good.
  • Telegram is not E2EE by default, but does offer optional "secret chats". While I'd prefer it to be on by default, at least you can choose it for any communication.
Most importantly, get away from daily use of anything where you are not sure you have end-to-end encryption.
  • Text messages from your phone are the WORST! Stop using them, right now, except where absolutely necessary to communicate with businesses. The system is ancient and notoriously insecure. This includes iMessage - while iMessage itself may be E2EE, that only applies to your "blue bubble" contacts, while your "green bubble" contacts still go through insecure SMS.
  • Telephone calls. The security is weak, but also the quality is absolutely terrible compared to even the most mediocre audio calling apps. It's all around a bad experience, and there are way better options, including Facetime and Duo.
  • Facebook Messenger. While they support end-to-end encryption, it's not offered on all clients, so it's difficult to ensure a secure connection.
That's my rant, now go install your new communication app!

Wednesday, June 29, 2022

Why I flag most recruiter emails as spam (Amazon edition)

Usually I just flag as spam and move on. But sometimes it's just funny when a company as big as Amazon can get something as basic as a recruiting email so wrong.