End-to-end encryption
Template:Short description Template:Multiple issues
End-to-end encryption (E2EE) is a method of implementing a secure communication system where only the sender and intended recipient can read the messages. No one else, including the system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to read or send messages.<ref name="Wired Lexicon">Template:Cite magazine</ref>
End-to-end encryption prevents data from being read or secretly modified, except by the sender and intended recipients. In many applications, messages are relayed from a sender to some recipients by a service provider. In an E2EE-enabled service, messages are encrypted on the sender's device such that no third party, including the service provider, has the means to decrypt them. The recipients retrieve encrypted messages and decrypt them independently on their own devices. Since third parties cannot decrypt the data being communicated or stored, services with E2EE are better at protecting user data from data breaches and espionage.<ref>Template:Cite news</ref><ref name=":1" />
Computer security experts,<ref>Template:Cite journal</ref> digital freedom organizations,<ref>Template:Cite web</ref> and human rights activists<ref name=":12">Template:Cite web</ref> advocate for the use of E2EE due to its security and privacy benefits, including its ability to resist mass surveillance.<ref name=":2" /> Popular messaging apps like WhatsApp, iMessage, Facebook Messenger, and Signal use end-to-end encryption for chat messages, with some also supporting E2EE of voice and video calls. As of May 2025, WhatsApp is the most widely used E2EE messaging service, with over 3 billion users.<ref>Template:Cite web</ref> Meanwhile, Signal with an estimated 70 million users,<ref>Template:Cite web</ref> is regarded as the current gold standard in secure messaging by cryptographers, protestors, and journalists.<ref name=":3" /><ref>Template:Cite magazine</ref><ref>Template:Cite magazine</ref>
Since end-to-end encrypted services cannot offer decrypted messages in response to government requests, the proliferation of E2EE has been met with controversy.<ref>Template:Cite news</ref><ref name=":0">Template:Cite web</ref> Around the world, governments, law enforcement agencies, and child protection groups have expressed concerns over its impact on criminal investigations.<ref>Template:Cite journal</ref> As of 2025, some governments have successfully passed legislation targeting E2EE, such as Australia's Telecommunications and Other Legislation Amendment Act (2018) and the Online Safety Act (2023) in the UK. Other attempts at restricting E2EE include the EARN IT Act in the US and the Child Sexual Abuse Regulation in the EU.[1]<ref>Template:Cite web</ref> Nevertheless, some government bodies such as the UK's Information Commissioner's Office and the US's Cybersecurity and Infrastructure Security Agency (CISA) have argued for the use of E2EE, with Jeff Greene of the CISA advising that "encryption is your friend" following the discovery of the Salt Typhoon espionage campaign in 2024.<ref>Template:Cite web</ref><ref>Template:Cite web</ref><ref name=":1">Template:Cite web</ref>
Definitions
End-to-end encryption is a means of ensuring the security of communications in applications like secure messaging.<ref>Template:Citation</ref> Under E2EE, messages are encrypted on the sender's device such that they can be decoded only by the final recipient's device.<ref>Template:Cite web</ref> In many non-E2EE messaging systems, including email and many chat platforms, messages pass through intermediaries and are stored by a third party service provider,<ref>Template:Cite web</ref> from which they are retrieved by the recipient. Even if messages are encrypted, they are only encrypted 'in transit', and are thus accessible by the service provider.<ref>Template:Cite web</ref> Server-side disk encryption is also distinct from E2EE because it does not prevent the service provider from viewing the information, as they have the encryption keys and can simply decrypt it.
The term "end-to-end encryption" originally only meant that the communication is never decrypted during its transport from the sender to the receiver.<ref name="Baran-E2EE">Template:Cite book</ref> For example, around 2003, E2EE was proposed as an additional layer of encryption for GSM<ref name="GSM-E2EE">Template:Cite conference</ref> or TETRA,<ref name="TETRA-E2EE">Template:Cite conference</ref> in addition to the existing radio encryption protecting the communication between the mobile device and the network infrastructure. This has been standardized by SFPG for TETRA.<ref name="SFPG-E2EE">Template:Cite web</ref> Note that in TETRA, the keys are generated by a Key Management Centre (KMC) or a Key Management Facility (KMF), not by the communicating users.<ref>Template:Cite thesis</ref>
Later, around 2014, the meaning of "end-to-end encryption" started to evolve when WhatsApp encrypted a portion of its network,<ref>Template:Cite magazine</ref> requiring that not only the communication stays encrypted during transport,<ref>Template:Cite journal</ref> but also that the provider of the communication service is not able to decrypt the communications—maliciously or when requested by law enforcement agencies. Similarly, messages must be undecryptable in transit by attackers through man-in-the-middle attacks.<ref name=":2">Template:Cite news</ref> This new meaning is now the widely accepted one.<ref>Template:Cite journal</ref>
Motivations
The lack of end-to-end encryption can allow service providers to easily provide search and other features, or to scan for illegal and unacceptable content. However, it also means that content can be read by anyone who has access to the data stored by the service provider, by design or via a backdoor.<ref>Template:Cite web</ref> This can be a concern in many cases where privacy is important, such as in governmental and military communications, financial transactions, and when sensitive information such as health and biometric data are sent. If this content were shared without E2EE, a malicious actor or adversarial government could obtain it through unauthorized access or subpoenas targeted at the service provider.<ref name=":0" />
E2EE alone does not guarantee privacy or security.<ref>Template:Cite web</ref> For example, the data may be held unencrypted on the user's own device or accessed through their own app if their credentials are compromised.
Modern implementations
Messaging
As of 2025, messaging apps like Signal<ref name=":3">Template:Cite news</ref> and WhatsApp<ref>Template:Cite web</ref> are designed to exclusively use end-to-end encryption. Both Signal and WhatsApp use the Signal Protocol. Other messaging apps and protocols that support end-to-end encryption include Facebook Messenger,<ref>Template:Cite web</ref> iMessage,<ref>Template:Cite web</ref> Telegram,<ref>Template:Cite magazine</ref> Matrix,<ref>Template:Cite web</ref> and Keybase.<ref>Template:Cite web</ref> Although Telegram supports end-to-end encryption, it has been criticized for not enabling it by default, instead supporting E2EE through opt-in "secret chats". As of 2020, Telegram did not support E2EE for group chats and no E2EE on its desktop clients.
In 2022, after controversy over the use of Facebook Messenger messages in an abortion lawsuit in Nebraska, Facebook added support for end-to-end encryption in the Messenger app.<ref>Template:Cite web</ref><ref>Template:Cite web</ref> Writing for Wired, technologist Albert Fox Cahn criticized Messenger's approach to end-to-end encryption, which required the user to opt into E2EE for each conversation and split the message thread into two chats which were easy for users to confuse.<ref>Template:Cite magazine</ref> In December 2023, Facebook announced plans to enable end-to-end encryption by default despite pressure from British law enforcement agencies.<ref>Template:Cite news</ref>
As of 2016,<ref>Template:Cite web</ref> many server-based communications systems did not include end-to-end encryption.<ref>Template:Cite book</ref> These systems can only guarantee the protection of communications between clients and servers,<ref>Template:Cite web</ref> meaning that users have to trust the third parties who are running the servers with the sensitive content. End-to-end encryption is regarded as safer<ref>Template:Cite book</ref> because it reduces the number of parties who might be able to interfere or break the encryption.<ref name="ssdeef">Template:Cite web</ref> In the case of instant messaging, users may use a third-party client or plugin to implement an end-to-end encryption scheme over an otherwise non-E2EE protocol.<ref>Template:Cite web</ref>
Audio and video conferencing
Signal and WhatsApp use end-to-end encryption for audio and video calls.Template:Citation needed Since 2020, Signal has also supported end-to-encrypted video calls.<ref>Template:Cite web</ref> In 2024, Discord added end-to-end encryption for audio and video calls, voice channels, and certain live streams.<ref>Template:Cite web</ref> However, they had no plans to implement E2EE for messages.
In 2020, after inquiring Keybase, Zoom announced end-to-end encryption would be limited to paid accounts.<ref>Template:Cite web</ref><ref>Template:Cite magazine</ref> Following criticism from human rights advocates, Zoom extended the feature to all users with accounts.<ref>Template:Cite web</ref><ref>Template:Cite web</ref> In 2021, Zoom settled an $85M class action lawsuit over past misrepresentation about end-to-end encryption.<ref>Template:Cite web</ref> The FTC confirmed Zoom previously retained access to meeting keys.<ref>Template:Cite web</ref>
Other uses
Some encrypted backup and file sharing services provide client-side encryption. Nextcloud,<ref>Template:Cite book</ref><ref>Template:Citation</ref> MEGA,<ref>Template:Cite book</ref><ref>Template:Cite book</ref> and CryptpadTemplate:Citation needed offer end-to-end encryption of shared files.
The term "end-to-end encryption" is sometimes incorrectly used to describe client-side encryption.<ref>Template:Cite web</ref>
Some non-E2EE systems, such as Lavabit and Hushmail, have described themselves as offering "end-to-end" encryption when they did not.<ref>Template:Cite news</ref>
Law enforcement and regulation
In 2022, Facebook Messenger came under scrutiny because the messages between a mother and daughter in Nebraska were used to seek criminal charges in an abortion-related case against both of them. The daughter told the police that she had a miscarriage and tried to search for the date of her miscarriage in her Messenger app. Police suspected there could be more information within the messages and obtained and served a warrant against Facebook to gain access. The messages allegedly mentioned the mother obtaining abortion pills for her daughter and then burning the evidence.<ref>Template:Cite web</ref><ref>Template:Cite web</ref>
While E2EE can offer privacy benefits that make it desirable in consumer-grade services, many businesses have to balance these benefits with their regulatory requirements. For example, many organizations are subject to mandates that require them to be able to decrypt any communication between their employees or between their employees and third parties.<ref>Template:Cite news</ref> This might be needed for archival purposes, for inspection by Data Loss Prevention (DLP) systems, for litigation-related eDiscovery or for detection of malware and other threats in the data streams. For this reason, some enterprise-focused communications and information protection systems might implement encryption in a way that ensures all transmissions are encrypted with the encryption being terminated at their internal systems (on-premises or cloud-based) so they can have access to the information for inspection and processing.
Challenges
Man-in-the-middle attacks
End-to-end encryption ensures that data is transferred securely between endpoints. But, rather than try to break the encryption, an eavesdropper may impersonate a message recipient (during key exchange or by substituting their public key for the recipient's), so that messages are encrypted with a key known to the attacker. After decrypting the message, the snoop can then encrypt it with a key that they share with the actual recipient, or their public key in case of asymmetric systems, and send the message on again to avoid detection. This is known as a man-in-the-middle attack (MITM).<ref name="Wired Lexicon" /><ref name="Schneier">Template:Cite book</ref>
Authentication
![Screenshot of the Signal Android app showing a screen labelled "Verify safety number" with a QR code and a series of 60 digits. Below the digits is the note "To verify end-to-end encryption with [redacted], compare the numbers above with their device. You can also scan the code on their device. Learn more". Under the note is a button labelled "Mark as verified".](/index.php?title=Special:Upload&wpDestFile=Signal_safety_number_screen_on_Android.jpg){kind=link}
Most end-to-end encryption protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, one could rely on certification authorities or a web of trust.<ref>Template:Cite web</ref> An alternative technique is to generate cryptographic hashes (fingerprints) based on the communicating users’ public keys or shared secret keys. The parties compare their fingerprints using an outside (out-of-band) communication channel that guarantees integrity and authenticity of communication (but not necessarily secrecyTemplate:Citation needed), before starting their conversation. If the fingerprints match, there is, in theory, no man in the middle.<ref name="Wired Lexicon" />
When displayed for human inspection, fingerprints usually use some form of binary-to-text encoding.<ref>Template:Cite journal</ref> These strings are then formatted into groups of characters for readability. Some clients instead display a natural language representation of the fingerprint.<ref name="pEp-whitepaper">Template:Cite web</ref> As the approach consists of a one-to-one mapping between fingerprint blocks and words, there is no loss in entropy. The protocol may choose to display words in the user's native (system) language.<ref name="pEp-whitepaper"/> This can, however, make cross-language comparisons prone to errors.<ref name="Marlinspike-2016-04-05"/>
In order to improve localization, some protocols have chosen to display fingerprints as base 10 strings instead of more error prone hexadecimal or natural language strings.<ref name="Budington-2016-04-07"/><ref name="Marlinspike-2016-04-05">Template:Cite web</ref>
Modern messaging applications can also display fingerprints as QR codes that users can scan off each other's devices.<ref name="Budington-2016-04-07">Template:Cite web</ref>
Endpoint security
The end-to-end encryption paradigm does not directly address risks at the communications endpoints themselves. Each user's computer can still be hacked to steal their cryptographic key (to create a MITM attack) or simply read the recipients’ decrypted messages both in real time and from log files. Even the most perfectly encrypted communication pipe is only as secure as the mailbox on the other end.<ref name="Wired Lexicon" /> Major attempts to increase endpoint security have been to isolate key generation, storage and cryptographic operations to a smart card such as Google's Project Vault.<ref>Julie Bort, Matt Weinberger "Google's Project Vault is a tiny computer for sending secret messages" Template:Webarchive, Business Insider, NYC May 29, 2015</ref> However, since plaintext input and output are still visible to the host system, malware can monitor conversations in real time. A more robust approach is to isolate all sensitive data to a fully air gapped computer.<ref>Whonix Wiki "Air Gapped OpenPGP Key" Template:Webarchive</ref> However, as Bruce Schneier points out, Stuxnet developed by US and Israel successfully jumped air gap and reached Natanz nuclear plant's network in Iran.<ref>Bruce Schneier "Air Gaps" Template:Webarchive, Schneier on Security, October 11, 2013</ref> To deal with key exfiltration with malware, one approach is to split the Trusted Computing Base behind two unidirectionally connected computers that prevent either insertion of malware, or exfiltration of sensitive data with inserted malware.<ref>Template:Cite web</ref>
Backdoors
A backdoor is usually a secret method of bypassing normal authentication or encryption in a computer system, a product, an embedded device, etc.<ref>Template:Cite news</ref> Companies may also willingly or unwillingly introduce backdoors to their software that help subvert key negotiation or bypass encryption altogether. In 2013, information leaked by Edward Snowden showed that Skype had a backdoor which allowed Microsoft to hand over their users' messages to the NSA despite the fact that those messages were officially end-to-end encrypted.<ref>Template:Cite news</ref><ref>Template:Cite news</ref>
Following terrorist attacks in San Bernardino in 2015 and Pensacola in 2019, the FBI requested backdoors to Apple's iPhone software. The company, however, refused to create a backdoor for the government, citing concern that such a tool could pose risk for its consumers’ privacy.<ref>Template:Cite web</ref>
See also
- Comparison of instant messaging protocols
- Template:Slink – a table overview of VoIP clients that offer end-to-end encryption
- Mass surveillance
- Human rights and encryption
- Diffie–Hellman key exchange – method of negotiating secret keys for the communicating users without sharing them with observers, such as the communication system provider
- End-to-end auditable voting systems
- Point-to-point encryption
- Crypto Wars