Calling this 'end-to-end encryption' really bothers me, as we already get that from HTTPS.
What this ought to be called is 'encrypted-at-rest' (EAR).
Words are important; there's an obvious downgrade attack where E2EE is implemented as EAR, but then later watered down to something like HTTPS (where the pipes are encrypted but that data is stored unencrypted.) You could do this without changing the language of the product offering, provided that the product is sold and marketed as 'end-to-end'.
Whereas if you created an EAR system and marketed as such, you'd be vulnerable to lawsuits if you pulled a bait-switch (which you might have done because the FBI is leaning on you.)
Does encrypted at rest necessarily preclude Google from retaining keys? It seems like the same schtick Apple had for all these years where they said iCloud data was fully encrypted (which was true) in the hopes everyone would conflate "encrypted" (you and them have the keys) and e2ee (where they don't handle the keys).
What this ought to be called is 'encrypted-at-rest' (EAR).
Words are important; there's an obvious downgrade attack where E2EE is implemented as EAR, but then later watered down to something like HTTPS (where the pipes are encrypted but that data is stored unencrypted.) You could do this without changing the language of the product offering, provided that the product is sold and marketed as 'end-to-end'.
Whereas if you created an EAR system and marketed as such, you'd be vulnerable to lawsuits if you pulled a bait-switch (which you might have done because the FBI is leaning on you.)