ANNEX 5: IMPACT OF ENCRYPTION AND ANONYMISATION
5.
Fourth example: the use of end-to-end encryption means that the content of the email
is not visible to the CSP or the OTT provider. Sender/recipient details are visible to
both.
6.
Fifth example: the OTT provider is a privacy service. It does not retain data at all and
so cannot provide data in response to a warrant or court order. If the OTT provider
does collect data, Alice and Bob can hide sender/recipient details by using an
anonymisation service such as Tor and end-to-end encryption will provide protection
for the content. Content and sender/recipient details are not visible to a CSP because
SSL and end-to-end encryption are used. The privacy service could be compromised
overtly or covertly and so a user may use an anonymisation service before visiting the
privacy service.
7.
For the sake of completeness, it should be noted that the combined protection offered
by SSL, end-to-end encryption and anonymisation services is not absolute. A user of
all three is still vulnerable to CNE.
322