To a lot of us, encryption doesn’t mean much. We might think of it in the context of Second World War codebreaking or maths puzzles. But it plays a far bigger practical role in our lives – encryption is fundamental to online privacy and security.
Given the importance of the technology, it’s unsurprising that it lies at the core of contentious debate. Governments and intelligence agencies want our banking details to be secure, but also want to access messages to prevent terror plots. Technology companies argue there is a trade-off between the two – and privacy campaigners worry that governments will pick the wrong position.
Getting to grips with encryption helps us stay safe and make good choices online. Below, Which? explains how the technology works.
What is encryption and what does it do?
Information flows across the internet through local wireless or phone data, and then through phone and undersea cables, passing through lots of different systems as it travels. When that traffic travels without encryption, anyone with access to the cables, wireless networks or systems that it flows across can read everything that gets sent.
That can mean your internet provider being able to see your exact search and browsing history – which it might then have the right to sell on – or it might mean that other people can see information such as your card details as they travel to a website where you're making a purchase.
For that reason, any online interaction involving sensitive information – at first, personal details in online banking and shopping, but now more and more beyond that – is encrypted, meaning it gets garbled and encoded, so that it looks like nonsense to anyone trying to intercept it before it reaches its destination.
What services use encryption and how can I tell if my browsing is encrypted?
Until a few years ago, most web traffic was sent without encryption – only online stores and banking made a point of using it. The way you could tell whether your browsing was encrypted or not was to look at the web address.
If the address began with http:// your browsing was not encrypted. If it began with https:// it was secure – and protected by encryption. This method still works, but most browsers don’t now show you the web address by default.
In large part, this is because most browsers now require websites to let you browse securely. Google’s Chrome browser will by default warn you if you’re visiting an unencrypted (or ‘not secure’) page, but still shows a padlock at the left-hand side of the address bar to show your connection is encrypted – and Mozilla’s Firefox browser does the same. Apple’s Safari browser varies slightly from this formula, still showing a padlock, but this time in the middle of the address bar.
Apps don’t offer anything like as standard or clear a way to tell whether or not your traffic is encrypted. Generally, you need to check the description when downloading an app, or else look around for trusted independent reviews. Most major messaging apps will encrypt your traffic using end-to-end encryption (more on this later), while all major banking apps use strong encryption too.
How does encryption work?
Modern encryption relies on a quirk of maths. It’s much easier to multiply two huge random prime numbers to generate an even huger number than it is to reverse the process and work out the original two figures you started with. When we’re talking about numbers that are each hundreds of digits long, trying to do this would take far more time and effort than is feasible. This forms a code.
As you browse the internet, your browser checks a few trusted ‘certificate’ sites to assure itself it’s talking to the real amazon.co.uk, for example, at which point it trusts it enough to send over a small ‘key’, which lets the website then generate an encrypted connection.
This is easy for your browser and the website to decrypt and use, because of the small amount of private information they have generated. But anyone from outside has to break down the vast number created from two prime numbers, a practically impossible task with the computing power available to most of us.
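The gap between multiplying and un-multiplying can be measured directly. The Python sketch below is an added illustration, not part of the original article: the prime pairs are constructed sample values, and trial division is used as the simplest possible way to reverse the multiplication.

```python
import math

# Constructed sample primes (an assumption of this example, not from the article).
PRIME_PAIRS = [(101, 103), (1009, 1013), (10007, 10009), (100003, 100019)]


def factor_by_trial_division(n):
    """Recover the two primes behind n, counting the candidate divisors tried."""
    tries = 0
    for d in range(2, math.isqrt(n) + 1):
        tries += 1
        if n % d == 0:
            return d, n // d, tries
    raise ValueError("n has no factors: it is prime")


def compare_costs(pairs=PRIME_PAIRS):
    """For each pair: building n is one multiplication, undoing it takes `tries` divisions."""
    rows = []
    for p, q in pairs:
        n = p * q
        found_p, found_q, tries = factor_by_trial_division(n)
        if (found_p, found_q) != (p, q):
            raise AssertionError("factoring returned the wrong primes")
        rows.append((n, tries))
    return rows


def min_tries_for_digits(digits):
    """Lower bound on trial divisions when the smaller prime has `digits` digits.

    Faster factoring methods than trial division exist, but none is practical
    at the sizes used for real keys.
    """
    return 10 ** (digits - 1) - 1


if __name__ == "__main__":
    for n, tries in compare_costs():
        print(f"n = {n:>12}  multiplications: 1  trial divisions to undo: {tries}")
    print("digits in the bound for 300-digit primes:", len(str(min_tries_for_digits(300))))
```

Each extra digit in the primes multiplies the work of reversing the sum by about ten, while creating the number stays a single multiplication.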
Sometimes we’re trying to communicate with one other person, or a group of other people, usually via a service operated by a large company. In this instance, we might want to be able to send our messages so they can be read by the person we’re talking to, but not by the company providing the service.
In practice, this operates by having two levels of encryption – one working as before, providing an envelope of sorts, directing the message inside to its intended recipient or recipients, but keeping its contents as gibberish. The service provider can read the envelope, but nothing more – just enough to facilitate the communication.
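The two layers can be shown in a few lines of Python. This is an added sketch, not code from the original article or from any messaging app: the cipher is a toy stand-in built for illustration, both keys are assumed to be already in place, and the names `send`, `provider_relay` and `demo` are hypothetical.

```python
import hashlib
import json
import secrets


def toy_cipher(key, nonce, data):
    """Illustration-only stream cipher: XOR data with SHA-256(key + nonce + offset).

    It stands in for the vetted, authenticated ciphers real apps use.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(key, plaintext):
    nonce = secrets.token_bytes(16)  # fresh per message so keystreams never repeat
    return nonce + toy_cipher(key, nonce, plaintext)


def unseal(key, blob):
    return toy_cipher(key, blob[:16], blob[16:])


def send(e2e_key, transport_key, recipient, text):
    """Inner layer hides the contents; outer layer protects the envelope in transit."""
    inner = seal(e2e_key, text.encode())
    envelope = json.dumps({"to": recipient, "body": inner.hex()}).encode()
    return seal(transport_key, envelope)


def provider_relay(transport_key, wire):
    """The provider removes the outer layer and reads only the routing details."""
    envelope = json.loads(unseal(transport_key, wire))
    return envelope["to"], bytes.fromhex(envelope["body"])


def demo(text="See you at 7 on Friday"):
    e2e_key = secrets.token_bytes(32)        # held only by sender and recipient
    transport_key = secrets.token_bytes(32)  # shared by the sender's app and the provider
    to, body = provider_relay(transport_key, send(e2e_key, transport_key, "bob", text))
    return {
        "provider_sees_recipient": to,
        "provider_sees_text": text.encode() in body,
        "recipient_reads": unseal(e2e_key, body).decode(),
    }
```

The provider learns who the message is for, because it holds the outer key, but the body it forwards stays gibberish until the recipient applies the inner key.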
Why do some services use end-to-end encryption when others don’t?
Most major internet companies didn’t initially want to offer end-to-end encryption, as it gives them less ability to learn about their users. Facebook, for example, provides instant messaging through WhatsApp and its Messenger apps. If it were able to automatically scan these messages for keywords, it would be able to send us better targeted advertising.
The problem was that other services were becoming available offering this level of privacy, just as users were becoming concerned about online snooping. Rather than lose their customers, the tech giants built in the new privacy protections, at the cost of some of their own informational advantage.
This also had the bonus of improving user security, meaning that those looking for big troves of user data would have to look elsewhere – they didn’t have them any more. But end-to-end doesn’t work for everything: for social networks where posts are public, it would make no sense (and, in fact, break the service). Similarly, for a service such as online shopping, where it’s the website provider itself you’re transacting with, there’s no extra benefit to end-to-end encryption protocols.
Why is this a big debate?
The concept of a private conversation is hardly a new one: no secret service on the planet has ever been able to listen in on every face-to-face conversation and even the most paranoid of phone-tapping governments couldn’t listen in to every line.
But in the online world, our chats are tantalisingly close, especially as they are often written down and so, in theory, available for retrieval long after they’re concluded. End-to-end encryption denies governments access to those chats, even when they might want to be able to see them in the aftermath of a terror attack or another serious crime.
This leads to major standoffs. Governments insist there must be some way they could be given a route in to access conversations for law enforcement purposes. Tech giants – backed by civil liberties groups – say there’s no way to do this without violating privacy, making communications less secure from malicious actors, or both.
The modern internet would be unusable without strong encryption: we’re now used to sending sensitive data hundreds of times a day, from Googling medical symptoms to buying our groceries. But deciding where its limits lie relies on understanding how security really works in this online world – and in this area, governments are playing catch-up.