Privacy and secure data
James Comey, the Director of the FBI, discussed in a 60 Minutes interview last night the issues with Apple and Google’s new restriction that doesn’t permit them to respond to a federal warrant, since the data on one’s phone can now be encrypted without either Apple or Google having access to the key. Here’s the segment from 60 Minutes. I’d recommend watching it to place his comments in context.
As I’ve noted in previous posts, my concerns with security transcend governmental access to one’s data. For most US citizens, corporate access to your information, coupled with increasing hack attacks is by far the larger concern. Though I believe that proper, controlled access to phone data is highly useful for crime fighting and anti-terrorism efforts, in my view, it doesn’t outweigh the bigger privacy issues with devices.
From a practical perspective, what does this mean to the average tech user?
The changes in iOS 8 and Android are another key step towards securing your device and hence your privacy. Though it’s a crucial step in the right direction, there are still major privacy issues remaining. I’m hoping this action provides impetus for other companies to find methods for securing data in ways that make it difficult to impossible for corporations, governments and hackers to access our most sensitive data.
So, what is the technology in question and what does it mean?
iOS and Android phones have been using whole device encryption for quite a while. This helps protect data on the phone or other device from getting into the wrong hands. It also permits a very fast and complete erasure of the device by simply throwing away the key. Until iOS 8 and the pending version of Android, the key was stored on corporate servers. Starting with iOS 8, the key resides only on the device itself, in a section of the system that is very difficult to access on a non-jailbroken phone (see the post on The Hazards of Jailbreaking for more on jailbreaking). This has a couple of ramifications for the user:
- Their device can’t be read by corporations, governments or hackers without a brute-force attack. This is good!
- If you lose the key, you will not be able to recover your data. This is not-so-good!
BTW: You should also encrypt your main disk on your PCs and Macs. Unlike your mobile devices, this requires that you explicitly turn on whole disk encryption. For more information about this, see the Encrypt Primary Drive section from January’s New Year’s Technical Resolution post. Encrypting your disk prevents the disk from being mounted and read from another computer, which is the prevalent method to illicitly access drive data when login credentials are not known.
What happens if I lose the key?
You actually don’t lose the key per se; rather, you forget your device’s password or you purposely erase the device due to loss or theft. To protect against that, keeping proper backups is crucial. For our Macs, we use Time Machine onto an encrypted disk (again, this requires explicit action to enable encryption). Our iOS devices are backed up locally using iTunes, again encrypted. If you back up to iCloud, there is some vulnerability, since Apple holds the encryption key for your iCloud account.
If your computer or device has been properly backed up, then if you need to recover, you can do it from the backup after restoring your operating system.
Warning: iOS devices also need access to your iTunes account, so if you can’t log into iTunes and you need to recover, you will have made your device totally unusable (or a “brick” in tech parlance).
A few notes:
- Your encryption key will only be as strong as the password that enables it. If your password is easy to crack, then it doesn’t matter how strong the encryption is. See the Change Passwords section of January’s New Year’s Technical Resolution post.
- On your smart phone or tablet, be sure to use a password or passcode. It’s amazing to me how many folks don’t do this, yet have their lives on their phones. Again, encryption will not protect you if you leave the front door unlocked.
- You might consider using a password storage and generation program. Be careful, however, about how they store and propagate your passwords through the Cloud. I’m experimenting with 1Password on my PC, Macs and devices. I like the fact that it encrypts the password file on your computer, while storing the file encrypted on iCloud or Dropbox (my preference). Some password systems have been compromised because data was saved in the corporate systems of the vendor. Having it stored in a third-party location is marginally safer. I’ll be writing up my experiences with 1Password soon.
- Though many Cloud services, like Dropbox, Apple’s iCloud and Microsoft’s OneDrive, encrypt your data in transit as well as during storage, keep in mind that these keys are kept by the vendor and could be made available to a third party, stolen in a hack attack or used by an unscrupulous employee. Very sensitive data should be encrypted by you prior to putting it up into the Cloud. Some Windows configurations and MacOS come with proprietary encryption software. There are also third-party apps that provide cross-platform support.
Finally, a reminder that there are no absolutes with security, since all security options need to be balanced with usability.