End-to-end encryption trends and challenges — position statement
End-to-end encryption (E2EE) is a means of securing communications from one device, sender or ‘end point’, to another.
It transforms standard text, image, audio and video files, and live video streams, into an unreadable format while still on the sender’s system or device. The content can only be decrypted and read once it reaches its final destination.
Background
Encryption is not new and, in its modern form, has been used for more than 40 years as a tool to promote privacy and security. It is primarily employed for the secure transmission and storage of information and can help to prevent data breaches and hacking. There are different forms of encryption.
Encryption ‘in transit’ involves protecting information as it travels, for example over the internet from your mobile device to a company’s servers. This is an extremely common form of encryption for mainstream communications.
‘End-to-end’ encryption is often seen as a stronger form of encryption (though its application varies in practice). As a result, it is increasingly being adopted and promoted by services which offer messaging functions to consumers. Popular examples of services that use end-to-end encryption include iMessage, WhatsApp, Signal, and parts of Skype and Telegram. Meta is in the process of implementing it across its Facebook and Instagram messaging services, and has also begun testing its use on the Quest virtual reality platform.
Opportunities and risks
End-to-end encryption, when used in combination with other account authentication and cyber security measures, can help defend against security breaches that could have dangerous consequences for users at high risk. This could include human rights activists, whistle-blowers and others who might face persecution or retaliation if their communications are revealed.
At the same time, end-to-end encryption can provide hiding places for various forms of online harm and distribution of illegal content. Of particular concern, it can allow abusers to have concealed live contact with children, to share illegal child sexual exploitation and abuse material with each other, and to perpetrate child sexual abuse online. This can erode the safety and privacy of other users, and expose victim-survivors to re-traumatisation from the continued circulation of images or videos of them.
eSafety’s position is that deployment of end-to-end encryption does not absolve services of responsibility for hosting or facilitating online abuse or the sharing of illegal content.
Safety, privacy, and security are not mutually exclusive, and each can be maintained through thoughtful and intentional design. eSafety does not expect companies to design system vulnerabilities into services that use end-to-end encryption. Our focus is on working with industry to find proactive and systemic solutions, including the prevention and detection of online abuse and illegal content.
When designing new features and products, user safety should be considered alongside privacy and security – they are all critical to user trust and retention.
eSafety suggests all services, including those that use end-to-end encryption, should adopt a Safety by Design approach. Safety by Design encourages online services of all sizes to anticipate, detect and eliminate online safety risks so our digital environments are safer and more inclusive, especially for children and others who are at greater risk.
All services, whether encrypted or not, should offer essential features such as user options for reporting harmful material, abuse and illegal content. Specific steps that are available to most services that use end-to-end encryption are detailed in the full position statement.
Advice for users
Users are advised to take extra care when communicating on services that use end-to-end encryption, particularly when they do not know the person they are communicating with. It’s especially important to remember that any form of encryption can heighten the risk of concealed online interaction between adults and children.
If you encounter an image or video that shows child sexual exploitation and abuse, or other content that encourages the production or sharing of this type of material on encrypted services, report it to the relevant service and to eSafety.
You can make a report to eSafety at esafety.gov.au/report.
If you suspect a child is a victim of online child exploitation and abuse, including sexual grooming, report it to the Australian Centre to Counter Child Exploitation (ACCCE). If they are in immediate danger, call the police on Triple Zero (000).
If you encounter other abuse on encrypted services where there is an Australian connection, including serious cyberbullying, adult cyber abuse, and threatened or actual sharing of intimate images, you can follow the steps for collecting evidence, reporting it and preventing further contact.
Find out more
Further information about end-to-end encryption is provided in eSafety’s position statement.
Topics covered:
- Definitions
- Online safety risks
- Relationship to privacy and security
- Limitations of end-to-end encryption
- eSafety’s approach
- Guidance for industry
- Safety by Design
- Case study: existing tools
- Emerging good practice
- Guidance for users
Published: 25 February 2020
Updated: 17 October 2023
Last updated: 07/02/2024