Encryption is under attack. Regardless of whether you think you have anything to hide, you should be concerned.
Encryption is the chief means by which we can secure our sensitive private information and communications from prying eyes, and governments around the world are challenging our ability to use encryption technologies by arguing that encryption makes it difficult for law enforcement officials to conduct investigations or monitor suspicious online activity. Their solution? Establishing “backdoors” through which government entities would be able to unlock protected data.
The best way to stop government from pressing forward with its demands for weakening encryption -- and that’s exactly what backdoors would accomplish -- is to make encryption ubiquitous and mainstream. If everyone is using encryption, from encrypted chat to encrypted email to encrypted Web surfing and everything in between, then it becomes much harder to argue that encryption protects only the select few who have something to hide.
Where to get started? To date, the primary challenge preventing encryption from being a routine factor in most people’s computing lives is the fact that it is still relatively difficult to employ. Encryption has traditionally required users to jump through a lot of hoops to get it to work, but that is slowly changing. Here we list various encryption technologies you can easily use to protect your data from prying eyes and to communicate online securely and privately. The more people use them, the harder it gets to take away our right to privacy and security.
Secure chat and messaging apps
Mobile devices are a growing security concern for users and organizations alike, given the breadth and depth of sensitive data they contain. Thankfully, encryption options for mobile devices are fast becoming ubiquitous. And it’s not apps alone. Apple turned on full-disk encryption by default on iOS devices so that all data stored on iPhones and iPads are automatically protected. With Google also offering full-disk encryption on its latest Android versions, though not yet turned on by default, full-disk encryption for mobile devices is becoming standard. Once it is, it will be much harder to rollback.
Apple also offers end-to-end encryption for its iMessage app to keep your iMessages out of the company's reach. Law enforcement officials have been pushing Apple to make it easier for them to reclaim data from iOS devices, but Apple hasn’t backed down. For many regular users, getting an iOS device may be the easiest way to avail themselves of encryption tools.
Several apps provide secure messaging for Android and iOS, including Wickr, Signal, and Telegram. One drawback of these encrypted chat and messaging tools is that both the sender and the recipient have to use the same app to communicate. For example, Wickr users can send encrypted text messages to other Wickr users, but they will have to use a standard text-messaging app to send unencrypted messages to non-Wickr users.
Wickr’s popularity is also fueled by another layer of security it provides: Chats and photos delete themselves after a specified period of time. This extends to audio, video, and even documents pulled from cloud storage. Everything sent via Wickr is transmitted over encrypted channels and automatically removed after it expires. When law enforcement comes knocking, there’s nothing to hand over since the data is long gone.
Telegram is currently getting a bad rap because of reports that various terrorist groups and criminals use the app. It allows users to share encrypted media and messages with up to 200 people at once. The secret chats can bypass Telegram servers entirely, be stored only for a specified duration, or be stored securely for later retrieval.
Making encrypted voice calls
Buying a burner phone every time you want to make a phone call you don’t want traced back to you is a thing of the past, thanks to several new apps geared toward securing voice communications.
Signal, created by security researcher Moxie Marlinspike, lets users easily make encrypted voice calls and send encrypted messages on Android and iOS. (The Signal Desktop Chrome app, in beta, extends Signal’s secure messaging to the desktop.) A bonus to Signal is that the app lets users communicate with everyone on their contact lists. If the call recipient is not a Signal user, you will be warned that the call will not be encrypted, but you do not have to switch to your standard phone app to make the call, so the adoption process is even easier.
Open Whisper Systems, which makes Signal, recently partnered with WhatsApp to provide end-to-end encryption for the popular messaging app, but it’s not clear at the moment where that partnership stands. Even so, the popularity of apps such as WhatsApp and Snapchat show there is a strong appetite for secure communications.
For a long time, people who were interested in making calls from the desktop had only Skype as a viable option. But Skype has been plagued by accusations that the U.S. government forced Microsoft to build a backdoor into the service. OStel, maintained by The Guardian Project, is a secure voice and video communication service available for both desktop and mobile users. Users have to create an account with OStel (no personal information is required) and download the appropriate software. CSipSimple and Linphone work with Ostel on Android and iOS devices, for example.
Both ends of the call, the caller and the recipient, must be using OStel. Also, OStel can’t make calls to landlines or SIM card phone numbers on cellular networks. One of the advantages of OStel is that it works on BlackBerry, iPhone, Nokia, and Android devices, as well as on Mac OS X, Windows, and Linux. It also uses ZRTP, the same encryption protocol as the aforementioned Signal.
Encrypting your Internet connection
Websites are increasingly using HTTPS to help protect data sent from users’ computers to their servers. Credit card information typed into a Web form is transferred through an encrypted channel to the retailer’s server, so any attackers who might be monitoring the traffic won’t know what was sent. But that's only the start.
With the ubiquity of public Wi-Fi -- in airports, coffee shops, parks, and even the New York subway -- it’s easy to forget why hopping online isn’t always the best idea. Attackers can easily intercept data traveling to and from your device regardless of what online services you access. Here, encrypting your Internet connection via a virtual private network such as F-Secure’s Freedome service, NordVPN, or CyberGhostVPN can make that data useless to eavesdroppers.
Most of us are familiar with VPN as software that comes installed on our work computers to enable us to access corporate applications. VPN services, on the other hand, let users establish an encrypted tunnel with a third-party server, then access the Internet through that tunnel. When a user in California connects to Facebook through a VPN service in France, as far as Facebook is concerned, that user is from France, not California. This is a great way to conduct online banking from an airport, as the VPN service encrypts the connection, preventing anyone from eavesdropping on your banking activity.
Then there is Tor, which grants complete anonymity on the Internet. It relies on a multilayered, onionlike security mechanism that bounces communications around multiple nodes to hide its origin. Not only does Tor prevent surveillance, it also prevents sites from tracking users. You can even access Facebook via Tor. Users new to Tor can go with the Tor Browser to get started. Orbot is a Tor proxy for Android from The Guardian Project.
Encrypting your email
Of all forms of modern communication, email is perhaps the most sensitive. Your email inbox can contain bank statements, bills from various services and retailers, tax-related documents, as well as personal messages. Information about who you are talking to, what you are talking about, or even when you are sending email can be dangerous in the wrong hands. Law enforcement can also subpoena copies of mail stored on mail servers, so sending encrypted blobs of text ensures the only eyes to see your messages are those you authorize.
Secure email service such as Hushmail and GhostMail promise built-in encryption. When you send an email to another member, the service encrypts the contents of your message before delivering it. If you want to send a message to a recipient who is not on Hushmail, your message can be encrypted with a secret Q&A combination. The recipient will need to know the answer to the question to decrypt the message. These services handles the keys in the background, making the process seamless for users.
Outlook has built-in cryptographic security features based on digital certificates generated by the software. Before users can send encrypted messages to each other, they need to digitally sign messages and exchange certificates. Once done, it’s a matter of opening up a new message and selecting “Encrypt message contents and attachments” under the Options menu.
If you have years of history on Gmail, Yahoo, Hotmail, or other services, it’s a hard sell to move to a new email provider in the name of security. One option is to use Hushmail or GhostMail for sensitive communications, and keep going with the existing service for normal messages. But that works against the goal of encryption ubiquity.
Managing private/public keys
Until email providers decide to set up a universal encrypted email system, the onus of security falls on the sender and recipient. The sender has to generate a public/private key pair and publicize the public key. The recipient has to know how to use the public key to decrypt the message. For many tools that make use of public/private keys, public/private key management is transparent. That's not the case with email.
Services such as Keybase.io and Android apps such as K-9 and OpenKeychain attempt to make key management simpler. With Keybase.io, you use Twitter, GitHub, Reddit, or a handful of other tools to publish the public key. You can store the private key with Keybase or store it somewhere else, for example, OpenKeychain on your phone. When you want to sign your messages with your key or encrypt a whole text message, you can use Keybase’s built-in tools, then cut and paste the generated block of text into your email message. Because Keybase uses PGP (Pretty Good Privacy), the recipient can decrypt or verify the signature using any key manager that handles PGP keys. Mailvelope is a Chrome app that can encrypt and decrypt messages using your PGP keys in popular webmail services.
Encrypting personal email still has a long way to go before it is easy enough to be used by everyone, but it’s getting there.
Encrypting your hard drive
Microsoft built file and disk encryption into some versions of Windows with BitLocker, as Apple has done so for Mac OS X with FileVault2. Unfortunately for Windows users, BitLocker doesn’t come with standard versions such as Windows 7 Home or the core versions of Windows 8 and 8.1.
For Windows users who don’t have BitLocker, there is TrueCrypt and its successors. TrueCrypt ceased development in 2014, and though it is no longer actively maintained, the last stable version of this file encryption program is still widely regarded as secure and effective. VeraCrypt is a fork and successor to TrueCrypt. It is under active development and supports multiple encryption ciphers, including AES, TwoFish, and Serpent.
It’s also worth noting that your data isn’t only on your mobile device or desktop. Many of us rely on flash drives to carry files or share them with others. And external hard drives are used for backups and to expand file storage. These drives should be encrypted, too.
Encrypted flash drives are available from manufacturers such as Imation, Corsair, and Kingston. Plug the drive into your USB port and drag the file over. As simple as that, you’ve protected the file. Some flash drives also support biometrics. The idea is that if you lose your flash drive, the data on the drive is still secured because the only way to access the contents is by guessing the password (or breaking the biometric protection). There are also secure self-encrypting hard drives from vendors such as Seagate and Western Digital that you can use to back up data securely.
Protecting your files
While full-disk encryption automatically encrypts all files saved locally, it doesn’t address what happens when those files are stored elsewhere or shared with others.
Many cloud storage services, such as Google Drive and Dropbox, automatically encrypt files saved on their servers. But if the wrong person manages to access those files, there is nothing to protect the contents. Dropbox, Box, and Syncplicity all offer tools for businesses that let IT assign specific policies to files, but those controls typically apply so long as the files are stored on those services. The best way to make sure the files are protected regardless of where they are is to use file-based encryption.
A Chrome app called MiniLock makes it easy for users who are intimidated by encryption to encrypt and decrypt files. There is no signup involved beyond installing MiniLock from the Chrome Web Store. The app uses an email address and a passphrase (pick a strong one!) to generate a 44-character MiniLock ID, which serves as the public encryption key. Drag a file of any type, including videos, images, and documents, into your MiniLock window to encrypt it, specify the MiniLock ID of the user who is allowed to open the file, then email or store the encrypted file on a cloud storage service knowing full well that only the person with the valid MiniLock ID will be able to decrypt the file.
A startup called Vera is also addressing the need to protect files when they leave a company network or secure file storage. Users can set policies on a document, such as not allowing copy-and-paste or printing, not opening if it has been forwarded to someone else, deleting the file after a certain time, and encrypting the file so that only one recipient can see it.
Some software suites have encryption tools built in for you to use. Microsoft has included encryption tools in the Info tab under the File menu since Office 2010. Adobe Acrobat Pro X includes the option under the Protect section in the Tools tab. In both cases, the file is encrypted and decrypted with a password, so make sure to select a very complicated one, and keep it separate from the file itself.
If you frequently send Zip files and don’t want to make recipients jump through hoops to generate a MiniLock public key or install special software, the 7-Zip file archiving utility may be for you. While its primary purpose is to compress and decompress large files and folders, it can also turn individual files into encrypted volumes using 256-bit AES encryption. When creating the archive, assign a password, and the utility will take care of the encryption. The recipient only needs to know the password to decrypt the volume. It’s the easiest way to use encryption without confusing people who may not feel comfortable creating public keys or don’t want to sign up for yet another service.
User adoption is key
Encryption helps keep our communications with our banks private from criminals interested in stealing our money. It keeps our health records safe when they are transferred from one server to another. It prevents others from spying our credit card numbers when we are shopping online. Yet governments will continue to push back against encryption technologies in pursuit of backdoors by pointing to criminal activity and communications online -- regardless of whether they were conducted using encrypted channels.
What governments and law enforcement agencies are missing is that encryption benefits everyone, not only terrorists and criminals. Even governments rely on encryption to keep their secrets, after all.
While encryption technologies advance, becoming easier to implement, and default standards for encryption begin to fall into place, the best thing we can do is begin to use encryption tools in our daily computing lives. Too much depends on our right to privacy and security not to.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.