We at Skiff want to make privacy effortless for everyone. That’s why we’re so excited to be sharing this post about end-to-end encryption (E2EE) and our product.
End-to-end encryption helps people communicate without revealing the contents of their messages to anyone in between, including the service provider. Skiff uses E2EE not only for messaging, but also for all writing, collaboration, and communication on our platform, including documents, comments, titles, messages, and more. Encryption keys are only known to our users, and not to us.
Today, many products we use for remote work and collaboration - including messaging, note-taking, and video conferencing - take only superficial measures when it comes to protecting your data and privacy. Recently, however, E2EE has become the expected standard for messaging: From iMessage and WhatsApp, to Signal and Telegram, billions of people are using end-to-end encrypted messengers (we certainly hope you are!). These messaging products end-to-end encrypt all communications by default, keeping content and personal data private from service providers.
Yet, there are so many other services beyond messaging apps that could benefit from the high level of privacy and security provided by E2EE. The reason Amazon, Microsoft, Google, and Apple have not been able to make the full switch is that privacy - and particularly end-to-end encryption - must be built into products from the ground up. It requires designing authentication algorithms, distributing public keys and private keys to users, and intentionally designing software that collects less personal information and metadata. When products are built without these technical requirements in mind, it's hard for a product to pivot and distribute encryption keys to every user, stop collecting individuals' personal information, and start to encrypt all communications and data on the platform.
Skiff is building E2EE as a core design principle for all parts of online work. A lot of the work you do online can become sensitive at the drop of a hat, and you shouldn’t have to be constantly adapting to different products. In years past, using end-to-end encryption required keeping track of personal encryption keys (such as PGP keys) or pasting messages into encryption platforms or complex command line tools. Today, privacy can and must be built-in from the start as the basis of every product we use.
Below, we have a simplified diagram illustrating the workings of a collaboration platform that, like most of today’s dominant providers, does not use E2EE. The diagram illustrates how changes made to a shared document by one user (“Bob”) are made available to a second user (“Alice”).
Bob, pictured on the far left, makes an edit on the document. Bob sends the edits in plaintext to the service provider's server (Note: The data may be encrypted over the network connection from Bob to the server using HTTPS). After Bob logs in, the server receives his edit and merges it into the document. Now, Alice - another collaborator on the document - is sent a copy of the new version of the document with Bob’s changes. In this process, the technology provider has access to everything Bob writes and the entire document. In some cases, this data is fed into providers' monetization or prediction algorithms.
In this second diagram, we share Skiff's version. Bob makes an edit, and - before sending it to the provider - encrypts it with a symmetric encryption key shared only between him and Alice (and never shared with Skiff). Alice then receives Bob's encrypted edit, performs validation and decryption, and subsequently merges it into the document.
In the Skiff E2EE case, however, Alice and Bob's document is kept private to the intended recipients and never exposed to any central technology provider. In this way, data ownership is decentralized and private to the two editors Alice and Bob, as it should be. The first case requires that Alice and Bob trust that the service provider's databases, endpoints, and servers are protected from data breaches, misuse, and cyberattacks. In the second (E2EE) case, Skiff adds a layer of encryption to their private information that is unbreakable by the technology provider. The Skiff model is how all consumer technology should be built - even if you're not protecting sensitive healthcare or financial data (and you just prefer privacy).
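The encrypted edit flow described above, as an added example that is not Skiff's code and is not taken from its white paper: Bob encrypts an edit, the provider relays it without a key, and Alice validates and decrypts before merging. The cipher (AES-256-GCM), the envelope fields, and every function name are assumptions made for illustration, and the document key is assumed to have been shared between Bob and Alice already.

```javascript
// Added illustration, not Skiff's code. AES-256-GCM, the envelope fields and
// all function names are assumptions; docKey is assumed already shared.
const crypto = require("node:crypto");

// Bob: encrypt one edit under the document key before it leaves his device.
function encryptEdit(docKey, docId, seq, edit) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every edit
  const cipher = crypto.createCipheriv("aes-256-gcm", docKey, iv);
  cipher.setAAD(Buffer.from(`${docId}:${seq}`)); // bind to document and position
  const ct = Buffer.concat([cipher.update(JSON.stringify(edit), "utf8"), cipher.final()]);
  const b64 = (buf) => buf.toString("base64");
  return { docId, seq, iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Provider: stores and forwards the envelope. It never holds docKey.
function relay(envelope) {
  return JSON.parse(JSON.stringify(envelope));
}

// Alice: validate (GCM tag over ciphertext and AAD), then decrypt.
// Returns null when validation fails, so a bad edit is never merged.
function decryptEdit(docKey, env) {
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", docKey, Buffer.from(env.iv, "base64"));
    d.setAAD(Buffer.from(`${env.docId}:${env.seq}`));
    d.setAuthTag(Buffer.from(env.tag, "base64"));
    const pt = Buffer.concat([d.update(Buffer.from(env.ct, "base64")), d.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch {
    return null;
  }
}

const applyEdit = (text, e) => text.slice(0, e.at) + e.insert + text.slice(e.at);

function demo() {
  const docKey = crypto.randomBytes(32); // known to Bob and Alice only
  const received = relay(encryptEdit(docKey, "doc-1", 7, { at: 5, insert: " world" }));
  const flipped = Buffer.from(received.ct, "base64");
  flipped[0] ^= 1; // provider alters one ciphertext bit
  return {
    merged: applyEdit("hello", decryptEdit(docKey, received)),
    providerSeesText: JSON.stringify(received).includes("world"),
    tampered: decryptEdit(docKey, { ...received, ct: flipped.toString("base64") }),
    relabeled: decryptEdit(docKey, { ...received, seq: 8 }),
    wrongKey: decryptEdit(crypto.randomBytes(32), received),
  };
}
```

Because the document id and sequence number are authenticated as associated data, an envelope that the relay alters or moves to a different position fails Alice's validation instead of being merged.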
The Skiff model doesn't just keep Alice and Bob's diary for their eyes only. It is fundamentally designed, from the ground up, to authenticate and protect personal and sensitive information. Once systems are designed, built, and scaled, it is difficult to increase privacy and extremely challenging to simply add end-to-end encryption. At Skiff, we've spent years building modern privacy and cybersecurity as the cornerstone of products that look and feel like those we love to use today. For more details, check out our white paper here.
Today, our product builds E2EE into document collaboration and group communication. Tomorrow, we see it as the foundation of an ecosystem of privacy-first software built to be usable, beautifully designed, and secure from the ground up. If you’re interested in taking our product for a test run, sign up for our waitlist at http://skiff.org/beta.