One of our staff members worked as an undercover operative for more than 10 years and he tells us that the way you stay alive is by always remembering “The Rule of One.”
The Rule of One is simple – one person can keep a secret, two cannot.
This rule also applies to data encryption. If another entity is holding or has access to keys to unlock your protected data, then you are vulnerable to compromise. For example, some organizations state they provide end-to-end encryption; and by a loose definition they do. The encryption is done on your device and decrypted on the receiving device, but what they do not divulge is that their organization:
- May also have copy of the keys used to encrypt your data
- May have baked in a master key into the protocol used to transfer your data; or
- There is a mathematical calculation to recover the keys used to encrypt your data
This my friends, is technically known as “bad juju.”
You should also know that there is a difference between “end-to-end” encryption and “peer-to-peer” encryption. Tech companies and the media will use these terms interchangeably. It is PARTICULARLY important to know the difference and where the encryption/decryption process is executed. For instance, some messaging systems rely solely on the use of the Transport Layer Security protocol, or TLS, to protect your data while it is being transferred over the Internet to their servers for “real” encryption. In this case, your device “technically” does the encryption using TLS (a weak protocol). The messaging service then receives your message from TLS, re-encrypts it, then forwards it to your specified recipient’s endpoints. However, during the time your information is within the messaging service’s custodial care, it may be unencrypted.
While it can be argued that TLS provides “end-to-end” encryption of your information (messages and calls), it is really a “point-to-point” solution, and not “peer-to-peer,” thus potentially leaving your valuable information vulnerable while in transit.
True “peer-to-peer” encryption only occurs on your device (phone, tablet, laptop, desktop, etc.), and the decryption only occurs on the specified recipient’s system(s), thus making it harder for a nefarious third-party to access your data.
Asking tough questions from your service providers and receiving COMPLETE answers is critical! Some of the biggest organizations that claim to protect your privacy may have access to your data, and if they have access, then other entities can also gain access. We recently emailed customer support (they do not have live customer support) of a large organization who claims to provide “peer-to-peer” encryption. In response, we received a page and a half of explanation but NO DIRECT “Yes or No” to the question of do you have a copy of my encryption keys or can you recover my encryption keys.
For a deeper dive on encryption, this article highlights the work of a mathematician who warns that US spies may be weakening next-gen encryption. It offers insight into the nuances happening in the world of encryption. Oh, and it is not just NSA doing this, most other countries are doing the same thing – like GCHQ has proposed the “Ghost Protocol.”
Our product QTel (formerly Qphone) however, is an example of “The Rule of One” and true peer-to-peer encryption for your messaging and voice/video communications. The encryption process happens at the originating device and the information is only decrypted on the specified recipient’s endpoints. Global Integrity does not know the keys used to encrypt the information – period. So, your voice, video and messaging are secure and private as they should be while passing through our closed and hardened ecosystem. Furthermore, your data (IP, device, usage, and location information) is NEVER archived by us, thereby foiling criminal elements or other entities trying to monitor you by accessing our systems.
When it comes to keeping secrets, “The Rule of One” is extremely important. Keep this in mind as you evaluate the security and privacy of your communications and messaging solutions.