Comment by bmandale 9 hours ago
This is an incredibly common misuse of the term e2ee. I think at this point we need a new word because you have a coin flip's chance of actually getting what you think when a company describes their product this way.
There was a discussion here on hn about OpenAI and it's privacy. Same confusion about e2ee. Users thinking e2ee is possible when you chat with an ai agent.
>Users thinking e2ee is possible when you chat with an ai agent.
It shouldn't be any harder than e2ee chatting with any other user. It's just instead of the other end chatting using a keyboard as an input they chat using a language model to type the messages. Of course like any other e2ee solution, the person you are talking to also has access to your messages as that's the whole point, being able to talk to them.
I do not think this matches anyones' mental model of what "end-to-end encrypted" for a conversation between me and what is ostensibly my own computer should look like.
If you promise end-to-end encryption, and later it turns out your employees have been reading my chat transcripts...
I'm not sure how you can call chatgpt "ostensibly my own computer" when it's primarily a website.
And honestly, E2EE's strict definition (messages between user 1 and user 2 cannot be decrypted by message platform)... Is unambiguously possible for chatGPT. It's just utterly pointless when user2 happens to also be the message platform.
If you message support for $chat_platform (if there is such a thing) do you expect them to be unable to read the messages?
It's still a disingenuous use of the term. And, if TFA is anything like multiple other providers, it's going to be "oh, the video is E2EE. But the 5fps ,non-sensitive' 512*512px preview isn't."
They also paid me something around 100 dollars in settlement for this
They aquihired (and gutted) keybase for this, but I have a doubt that their "reimplementation" is actually E2EE.
I would say Telegram is communicating their level of encryption pretty good ("client-to-client" and "client-to-server" is a good way to avoid the ambiguity of e2e).
https://telegram.org/faq?setln=en#q-so-how-do-you-encrypt-da...
Creating a new term for the less secure definition doesn't work, as they'll just continue to call it E2EE encrypted.
I think part of the problem is that prior to WhatsApp's E2EE implementation in like 2014, TLS was very often called "End to End Encryption" as the ends were Client and Server/Service Provider. It got redefined and now the new usage is way more popular than the old one.
I can't blame most people for calling TLS "E2EE", even some folks in industry, but it's not great for a company to advertise that you offer X if the meaning of X has shifted so drastically in the last decade.
> prior to WhatsApp's E2EE implementation in like 2014, TLS was very often called "End to End Encryption"
That's pretty wild
The reason that a different term had to be invented was that some centralized messaging system defined itself as "encrypted" when it begun to use TLS.
It would have been stupid to pick a term commonly used for TLS to differentiate yourself from TLS
The two endpoints of the communication with Kohler's app are the client and the server. In WhatsApp's E2EE implementation the endpoints are two client devices. Both are valid meanings of E2EE. You're defining that "end to end" means the server cannot access it but that's simply not what it means.
No term will stop marketers from lying. If users see one as being the more secure one, marketers will use it. Unless they get sued for false advertising.
Any new term you come up with, will end up being misused by marketers.