agnos.is Forums


Why does Big Tech's "End to End" encryption matter if they are compromised anyways?

18 Posts 17 Posters 93 Views
  • steve@communick.news wrote:

    There is a difference between probably backdoored, and we're not even trying to look secure anymore.

    V [email protected] wrote (#5):

    I'd say the difference is minimal though.

    • I [email protected]

      Like, there's a lot of people freaking out about Apple ending End to End encryption in iCloud in UK. I'm just like: So What? It was probably backdoored from the beginning

      So is Big Tech's E2E actually not backdoored? Or is that just a PR stunt to trick people into trusting iCloud, and this is a secret honeypot? 🤔

      What are your thoughts?

      A [email protected] wrote (#6):

      If they tell law enforcement they can’t produce an unencrypted copy and it’s later proven that they could, the potential penalty would likely be more severe than anything they could have gained by using the data themselves. And any employee (or third party they tried to sell the data to) could rat them out—so they’d have to keep the information within a circle too small to make use of it at scale. And even if it never leaked, hackers would eventually find and exploit the backdoor, exposing its existence. And in either case they’d also have to face lawsuits from shareholders (rightly) complaining that they were never warned of the legal risk.

      • jumuta@sh.itjust.works wrote:

        yeah no fucking way they're respecting user privacy. data up to the server and down to the client is encrypted with https anyway so I really don't see a point in the e2ee

        W [email protected] wrote (#7):

        There is a conceptual distinction: Encryption in transit vs. encryption at rest. You may send the packets encrypted to the server, but if they are not encrypted on the server's file system, anyone can read them.

        The real question is, why do you think governments make such a big fuss about citizens having access to military grade encryption?

        There have been audits of e2ee implementations, and the algorithms used also have some objective properties. I don't think that I have ever heard in cryptography discussions that backdoors are so widespread that the discussion is moot. I have only heard, time and time again, the opposite.

        Even Apple, on this very occasion, opted to ditch the service rather than backdoor it, and in fact takes the UK to court over this. I think that the opinion that this is all for show is a tad wild, and not very well supported on this occasion.

        Like every cryptology book starts with the adage "There is cryptography that prevents your little sister from reading your mail, and cryptography that prevents the government from reading your mail, and we will talk about the latter."

        https://blog.cryptographyengineering.com/2025/02/23/three-questions-about-apple-encryption-and-the-u-k/

        On the other hand, not all implementations are created equal. Telegram was recently under fire, and there is a lot of variance in e2ee implementations in XMPP clients, IIRC.

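The distinction argued over in the posts above (HTTPS in transit and provider-keyed encryption at rest versus end-to-end encryption), as an added example that is not part of the thread or any vendor's code. `Provider`, `upload_standard`, `upload_e2ee` and the sample data are hypothetical, and the cipher is a toy standard-library construction standing in for a vetted AEAD.

```python
import hashlib
import hmac
import os

# Toy authenticated encryption from the standard library only (HMAC-SHA256
# keystream, encrypt-then-MAC). Illustrative; real clients use a vetted AEAD.
def subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered blob")
    ks = keystream(subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class Provider:
    """Hypothetical storage service. The HTTPS hop is modelled as the
    provider receiving exactly the bytes the client uploads."""
    def __init__(self):
        self.at_rest_key = os.urandom(32)  # key held by the provider
        self.disk = {}

    def upload(self, name: str, body: bytes) -> None:
        # Encrypted at rest, but under a key the provider controls.
        self.disk[name] = seal(self.at_rest_key, body)

    def download(self, name: str) -> bytes:
        return unseal(self.at_rest_key, self.disk[name])

    def disclose(self, name: str) -> bytes:
        # Everything the provider itself can produce on demand.
        return self.download(name)

def upload_standard(provider, name, plaintext):
    provider.upload(name, plaintext)  # plaintext reaches the server

def upload_e2ee(provider, name, plaintext, user_key):
    provider.upload(name, seal(user_key, plaintext))  # sealed on the device

def fetch_e2ee(provider, name, user_key):
    return unseal(user_key, provider.download(name))

SECRET = b"constructed sample: contents of tax-return.pdf"

def demo():
    provider = Provider()
    user_key = os.urandom(32)  # never leaves the user's devices
    upload_standard(provider, "standard", SECRET)
    upload_e2ee(provider, "e2ee", SECRET, user_key)
    return {
        "standard_disclosed": provider.disclose("standard"),
        "e2ee_disclosed": provider.disclose("e2ee"),
        "e2ee_owner_reads": fetch_e2ee(provider, "e2ee", user_key),
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value[:24])
```

In standard mode the provider's disclosure is the plaintext; in the end-to-end mode it is only the client-sealed blob, which is why the remaining ways in are the endpoints and the key itself.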
        • V [email protected]

          I'd say the difference is minimal though.

          knighthawk0811@lemmy.ml wrote (#8):

          the difference is closer to maximal. only way to be worse is not just on purpose, but expertly on purpose.

          • steve@communick.news wrote:

            There is a difference between probably backdoored, and we're not even trying to look secure anymore.

            N [email protected] wrote (#9):

            There's also a big difference between published specifications and threat models for the encryption which professionals can investigate in the code delivered to users, versus no published security information at all with pure reverse engineering as the only option.

            Apple at least has public specifications. Experts can dig into it and compare against the specs, which is far easier than digging into that code of code blindly. The spec describes what it does when and why, so you don't have to figure that out through reverse engineering; instead you can focus on looking for discrepancies.

            Proper open source with deterministic builds would be even better, but we aren't getting that out of Apple. Specs is the next best thing.

              N [email protected] wrote (#10):

              Telegram has been under fire from the start, lol. "We have math PhDs" 🤷

                jqubed@lemmy.world wrote (#11):

                I’m no expert but given the repeated efforts from governments around the world to get backdoors added to encryption and frequent pushback from big tech, or at least Apple, I’m more inclined to think there currently, or recently, aren’t backdoors. At least, not easy ones, not official ones. As an example, recall a few years ago there was a terror-related attack in the U.S. where someone tied to Muslim extremists went on a shooting spree before taking his own life (I’m not bothering to look up the details and my recollection could be flawed). The attacker used an iPhone and the U.S. government took the opportunity of strong public outrage to try to force Apple to create a tool to break the encryption on the iPhone so they could examine its contents. Apple resisted and the effort went to court, with the decision eventually being that Apple did not have to break the encryption. The government then revealed that they had access to a third party tool that they used to break into the phone and recover its contents. That’s pretty much been the pattern before and since: a government will try to find a cause that seems likely to gather widespread support and use that to get a backdoor they promise not to abuse, and the companies push back to varying degrees. All the while there seem to be third party tools that exploit various flaws, including zero-day flaws to gain the access the companies won’t provide. My impression is that at least a couple times a year there’s a story about an Apple security update patching these holes and notifying certain users if they may have been targeted.

                It’s possible that’s all just theater put on by the U.S. and allies to help Apple or Google tell governments the U.S. doesn’t trust, “see, we can’t even give the U.S. government we’re subject to access, so we certainly can’t give you access.” Given some of the cases that have been used to try to force access, though, I’m more inclined to think the government really doesn’t have the easy access some might like.

                Of course, it’s also possible that some of the flaws used by zero-day exploits to gain access are intentionally planted, either by the software companies or by an individual programmer acting at a government’s behest. The later patches could be to maintain appearances to outsiders, since there always seem to be additional flaws. Still, programming is hard enough and operating systems are complex enough that I’m more inclined to say that usually these really are just human error and not something malicious.

                None of that is to say that anyone should fully trust these encryption systems. Used properly, they’re probably good enough against ordinary hackers, people just looking for financial rewards. You can keep your family photos, important records, school notes, etc. on them without worrying too much. Financial records you might want to doubly encrypt, just so they’re not so easy to exploit if there is a breach and data dump. If you’re doing something any government cares enough about to really investigate, they’re probably going to find a way into your computer, phone, or cloud service, depending on how motivated they are. Maybe not some impoverished “third-world” governments, but most of the big ones have some resources. I’d be extremely cautious about things that could actually send someone to jail, either in your own country or one that is less friendly.

                  A [email protected] wrote (#12):

                  We do not control software which fails to include a libre software license text file. 🚩

                  The winners have already escaped. Excuses come from those who can only cope. They are the last people you want to copy.

                    L [email protected] wrote (#13):

                    The government then revealed that they had access to a third party tool that they used to break into the phone and recover its contents.

                    I'm not sure if we're thinking of the same case but I also remember that the tool wasn't ready in the beginning, which is why they tried the court method until it was

                      melody@lemmy.one wrote (#14):

                      E2EE is, theoretically, secure. It certainly prevents a government from hoovering up your data when they casually cast too wide of a dragnet while "chasing a criminal". ...At least, when it is implemented honestly and correctly.

                      Now if governments wanted to properly backdoor some E2EE implementation; all they really need to do is compromise one end of the conversation. Of course, they want to be able to do it auto-magically; through delivering a court order to a single point; and not through busting down the door, or capturing the user of, one end or another of the conversation and compromising the device.

                      The question therein lies; do you as a person want the government to be forced to bust down a door? Some people think they should be forced to break doors and others do not feel that it is necessary. There are many diverse stances on this question; all with unique reasons.

                      It's clear to me that E2EE works properly...the governments would not be trying to "end Encryption" if it did not work. Therefore it stands to reason that E2EE is not compromised, if a government is forced to pass a law in order to compromise the encryption or turn it off entirely. That proves it works.

                      I just logically proved Encryption works, without even taking a stance on the matter. For the record however; I do support Encryption. I think this law undermining it is a massive governmental overreach that will quickly lead to that same government finding out how critical Encryption actually is to their people. Just give it time.

                        F [email protected] wrote (#15):

                        In any case a service that implements E2EE is always more secure than plain data transit.
                        Even with a backdoor it's a bit more secure than regular service.

                        But you should be angry against the UK law cause of the probable future consequences that will impose even further surveillance for other services.
                        But people that defend it are probably mainly Apple fans. Apple is "against" to maintain a "privacy" friendly company against Google and Meta, but it's bullshit.

                          lyra_lycan@lemmy.blahaj.zone wrote (#16):

                          Apple's datacenters have been untrustworthy for a long time, at this point any breaches or data sales of user data is as much the user's fault. But yeah, from what I've seen, corporations never make moves to primarily benefit the consumer, society, state law or otherwise. Only self profit. Sometimes aligning with demand improves profit.

                            R [email protected] wrote (#17):

                            Sure it's E2EE, it's encrypted with your key and the company's key and the government's key.... SAAAFE ....

                            • L [email protected]

                              The government then revealed that they had access to a third party tool that they used to break into the phone and recover its contents.

                              I'm not sure if we're thinking of the same case but I also remember that the tool wasn't ready in the beginning, which is why they tried the court method until it was

                              F [email protected] wrote (#18):

                              It wasn't that it wasn't ready, it just cost them $1m to hire a private contractor to unlock it.

                              A court ordered redesign of the password lock timeout would have been free.
