WebEx has end-to-end encryption, Zoom got it too after a lot of pressure, and now Microsoft Teams is getting it too. But what for and why?
End-to-end encryption (E2EE)
End-to-end encryption means that all transmitted data is encrypted throughout the entire transmission path. Only the communication partner can decrypt the message. This ensures secure communication between two parties so that no third party, including the provider, can read this communication.
However, it does not mean that the data is then encrypted on the devices of the communication partners or that the data cannot be forwarded to third parties there after all (WhatsApp problem with forwarding to Facebook).
In addition, end-to-end encryption is often used in marketing, as in the case of the federal lawyer’s mailbox, but then a server still scans the messages in decrypted form and then forwards them again in encrypted form; this is not end-to-end encryption.
Likewise, it is important what specifically falls under encryption.
Finally, the disadvantages of end-to-end encryption must also be presented, because with this method it is not possible to monitor the communication even for what I consider to be positive purposes. Often it is not the tool itself, but how it is used, that shows the problem. But let’s take a closer look at what is now coming to Microsoft Teams.
Pressure on Microsoft grew despite complete encryption InTransit at Teams.
Microsoft has long resisted end-to-end encryption with very good arguments. I can remember very well a discussion among data privacy advocates with the Microsoft Teams compliance boss in #teamprivacy. He explained very clearly that all Microsoft Teams communication is of course encrypted, this InTransit and also AtRest. One uses the usual encryption mechanisms (SSL, Bitlocker) and also a Customer Key is possible to use. One would like to build alone only around the already encrypted communication actually not still another container, because then the Compliance tools would not function such as Communication Compliance for the monitoring of communication by the customer any longer. Content can then no longer be removed from the communication in real time and here we are talking about the cruelest content and the removal is under the control of the company that runs the tenant and Microsoft has nothing to do with it. This as an excerpt from the discussion with lawyers and data protectors in Germany.
But all this does not matter, because tenders especially in the EDU area, federal authorities and also some enterprise companies and especially the implementation at Zoom increased the pressure on Microsoft in Germany very strongly. Thus, it was decided in Redmond to set up an end-to-end encryption and to rebuild the compliance and security tools so that they still work.
What does it mean for Microsoft Teams?
- End-to-end encryption only for 1-to-1 VOIP calls for the time being.
- Start from April 2021
- No end-to-end encryption for meetings.
- What is encrypted in the end-to-end call?
- A 1 to 1 chat and VOIP call is initially a peer-to-peer call.
not for everything else only 1 to 1
end to end must be enable for both sides or opt in must be done
Enterprise, EDU, Business license is needed (no consumer)
Encrypted is used:
- Voice-
- Video-
- and screen sharing.
in a 1 to 1 call.
not encrypted with end-to-end encryption, but of course with InTransit and AtRest/ standard encryption.
- 1 to 1 recordings are not supported
- not when following a meeting link
- no spontaneous meeting
- no call transfer to another device is supported
- no live events
- no teams webinars
- To communicate only over end-to-end encryption on 1 to 1 calls, all other features except just voice, video and screensharing can be turned off in the Teams admin center. This limits the feature, but then you only communicate via end-to-end encryption in 1 to 1 meetings.
Prerequisite for an end-to-end encryption 1 to 1 call.
- Administrator must have activated this function
- Both communication partners must agree to this via opt-in
How do I see that my 1 to 1 call now has end-to-end encryption?
When the feature is rolled out, you can see a small green sign at the top left corner of the 1 to 1 call. If you hover over it with your mouse, you will see the corresponding confirmation:
