From b6c59c137ac6aa51b6e5d1ceda04532b3a2a8b9a Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Mon, 17 Oct 2016 00:37:19 +0100 Subject: [PATCH] Add an entry to the FAQ about disabling e2e --- supporting-docs/guides/2015-08-19-faq.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/supporting-docs/guides/2015-08-19-faq.md b/supporting-docs/guides/2015-08-19-faq.md index 8e8c5528..b3ab172e 100644 --- a/supporting-docs/guides/2015-08-19-faq.md +++ b/supporting-docs/guides/2015-08-19-faq.md @@ -590,6 +590,28 @@ You can also run Vector, the code that Riot.im uses, on your own server. It's a There are several, but they don't have all the features that synapse has. Check the list of clients on [matrix.org](http://matrix.org/docs/projects/try-matrix-now.html#clients). +##### Why can't end-to-end encryption be turned off? + +When encryption is enabled in a room, a flag is set in the room state, so that +all clients know to encrypt any messages they send. The room state stores +information about the room like the topic, the avatar, and the membership list. + +Imagine if encryption could be turned off the same way as it is turned +on. Anyone with admin rights in the room could clear the flag and then messages +would start being transmitted unencrypted. It would be very easy for a user to +miss the change in configuration, and accidentally send a sensitive message +without encryption. + +Worse yet, anyone with sysadmin access to a server could also clear the flag +(remember that the main reason for using e2e encryption is that we don't trust +the sysadmins), and could then easily read any sensitive content which was +sent. + +The solution we have taken for now is to make clients ignore any requests to +disable encryption. We might experiment with ways to improve this in the future +- for instance, by alerting the user next time they try to send a message in +the room if encryption has been disabled. + | ### QUESTIONS TO BE ANSWERED!
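Review bot: In the third added paragraph, "could then easily read any sensitive content which was sent" does not say which messages are exposed. The second paragraph states that clearing the flag means messages "would start being transmitted unencrypted", so the risk is to messages sent after the flag is cleared; as worded, a reader can take it to mean that earlier encrypted messages become readable too. Suggest "could then easily read any sensitive content sent from then on". Separately, in the last added paragraph the continuation line begins with "- for instance", which some Markdown renderers treat as the start of a bullet list; rewrap the sentence so the dash is not the first character on its line, or replace the dash with a comma or parentheses.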