Be careful where you upload your files, in particular the ones that are not end-to-end encrypted
January 6th, 2025

WhatsApp backups present a confusing privacy situation that has evolved recently. Since late 2021, WhatsApp users have had the option to enable end-to-end encryption for their backups stored in Google Drive or iCloud, preventing both the storage providers and WhatsApp from accessing the contents. However, this feature must be explicitly enabled by users—it is not the default setting. When users don't enable this encryption, WhatsApp backups remain protected only by standard cloud storage encryption, meaning both the storage provider and potentially government agencies with proper legal authority could access the contents.

iCloud backups present a different scenario. While Apple uses end-to-end encryption for many iCloud services through its Advanced Data Protection feature (introduced in December 2022), standard iCloud backups are not end-to-end encrypted by default. Apple retains the ability to access these backups and can provide them to law enforcement with appropriate legal orders. Users can enable Advanced Data Protection to get end-to-end encryption for their backups, but this is an opt-in feature and is not available in all countries.

Signal stands out as one of the most privacy-focused messaging services, with true end-to-end encryption by default for all communications and local backups. Signal does not store backups on their servers—users must manually transfer their data between devices. This design choice eliminates the possibility of server-side access to user data entirely.

ProtonMail provides end-to-end encrypted email service, with zero access to user data on their servers. All emails between ProtonMail users are automatically end-to-end encrypted, while emails to external services are encrypted on ProtonMail's servers. ProtonMail cannot decrypt user data even if compelled by legal orders. This means that if the sender and recipient are both ProtonMail users, then their communications are encrypted. If only one of them is a ProtonMail user and the other is using a normal unencrypted webmail provider, such as Gmail, then the emails between them won’t be end-to-end encrypted. One could use an extension like Mailvelope with Gmail or Yahoo mail to create PGP keys and encrypt the emails manually before sending them. This is more complicated than the two both signing up for ProtonMail, however, or using a different messenger that is more secure, such as Briar or Signal.

Telegram offers a mix of security features. While it provides end-to-end encryption for "Secret Chats," regular chats are only encrypted between the user and Telegram's servers. Telegram's cloud backups are stored on their servers and are not end-to-end encrypted, meaning Telegram could potentially access this data.

SpiderOak One provides zero-knowledge cloud storage and backup services. All data is encrypted before leaving the user's device, and SpiderOak maintains no ability to decrypt user data. This makes it impossible for them to comply with data access requests, even under legal compulsion.

Tresorit offers end-to-end encrypted cloud storage and file sharing, with zero-knowledge security. Files are encrypted before upload, and Tresorit cannot access the contents of stored files. They market themselves specifically as a secure alternative to services like Dropbox and Google Drive.

Sync.com provides zero-knowledge cloud storage with end-to-end encryption. All files are encrypted before leaving the user's device, and Sync.com has no access to file contents or encryption keys. They cannot decrypt user data even if required by law enforcement.

Cryptomator is a unique solution that allows users to add end-to-end encryption to any cloud storage service. It creates encrypted vaults that can be stored on services like Dropbox or Google Drive, ensuring that the cloud provider cannot access the contents even if they wanted to.

Standard cloud storage services like Google Drive, Dropbox, and OneDrive encrypt data in transit and at rest, but they maintain access to the encryption keys. This means they can access user data and must comply with valid legal orders to provide this data to authorities.

iMessage uses end-to-end encryption for messages between Apple devices, but if iCloud backup is enabled, Apple maintains the ability to access message history through the backup. This creates a potential privacy vulnerability that users should be aware of.

Facebook Messenger offers optional end-to-end encryption through its "Secret Conversations" feature, but regular chats are not end-to-end encrypted. Facebook can access these messages and must comply with legal orders for data access.

Mega provides zero-knowledge cloud storage with end-to-end encryption. All files are encrypted before upload using keys that Mega never has access to. However, they have faced scrutiny over past security claims and ownership changes.

For email services, ProtonMail isn't alone in offering end-to-end encryption. Tutanota provides similar features, with all emails and contacts stored in an encrypted format that the provider cannot access. However, emails sent to external services may not maintain this level of protection.

The privacy battlefield continues to evolve, with more services offering end-to-end encryption and zero-knowledge security. However, users must often make conscious choices to enable the strongest privacy features, as they're frequently not enabled by default. This creates a tension between security and convenience that each user must navigate based on their needs.

The distinction between transport encryption (protecting data in transit) and end-to-end encryption (protecting data from everyone except the intended recipients) remains crucial. Many services advertise "encryption" without specifying which type they use, leading to potential misunderstandings about the actual level of privacy provided.

Technical implementation details also matter significantly. Even services claiming end-to-end encryption may have vulnerabilities if the implementation is flawed or if the service provider maintains access to encryption keys through other means, such as backup systems or key recovery mechanisms.

For truly sensitive data, users should consider using multiple layers of protection. For example, using 7-Zip to encrypt files before uploading them to any cloud service, regardless of the service's own encryption claims. This defense-in-depth approach provides protection even if one layer is compromised.

Users should also consider the jurisdiction where services operate and the legal frameworks they must comply with. Services based in countries with strong privacy laws may offer better protection against government access requests than those in jurisdictions with more invasive surveillance laws.

Regular security audits and open-source code are positive indicators for privacy-focused services. They allow independent verification of security claims and help ensure that there are no hidden backdoors or vulnerabilities in the implementation.

The future of encrypted services likely includes more widespread adoption of end-to-end encryption by default, as users become more privacy-conscious and technologies mature. However, this may face resistance from governments and law enforcement agencies concerned about potential misuse by bad actors.

Subscribe to Alexander Finnegan
Receive the latest updates directly to your inbox.
Mint this entry as an NFT to add it to your collection.
Verification
This entry has been permanently stored onchain and signed by its creator.
More from Alexander Finnegan

Skeleton

Skeleton

Skeleton