A beginner's guide to encryption
Don't understand encryption or the policy debates around it? Let us walk you through the basics.
When iPhone encryption stymied the FBI, federal agents in two separate court cases tried to force Apple to help them access data. One phone belonged to a suspected drug dealer, and the other to Syed Rizwan Farook, the shooter in the San Bernardino, Calif., terror attack.
While the US government dropped the San Bernardino, Calif., case this week after finding an alternative way to access Mr. Farook’s data, the debate about encryption on consumer devices is far from over.
Encryption keeps some of your most vital data safe.
It protects your credit card information from being stolen by anyone eavesdropping on your Internet traffic when you make purchases online. It’s also used to keep medical information secure, protect free speech, and defend against surveillance. Increasingly, encryption is becoming widely available by default on consumer devices like smartphones.
But law enforcement and intelligence agencies say this trend of strong security on consumer devices has consequences: Encryption is hindering their investigations of criminals and terrorists.
That conversation is happening on a national level. President Obama at South by Southwest Interactive called for the tech community to find a way to protect both consumer security and national security.
So, to help you learn more about encryption – whether it’s to improve your own security, or help form your opinion in this heated debate – we spoke with several experts to create a practical guide on the basics.
First, how does encryption protect my data?
Encryption algorithms use math to "scramble" data so it can’t be read by an unauthorized person – such as a hacker or government seeking to break in.
Right now, you’re reading what’s known as plain text. But if this article were encrypted, anyone who intercepted the encrypted version of it would instead see a very long string of unintelligible numbers and letters, such as: “SNaci82xleab92lka.”
Data can be encrypted in two places: First, it can be encrypted "in transit," such as when you send information from your browser to a website. Second, data can be encrypted when it’s "at rest," such as when it is stored on a computer or on a server.
Once my data is encrypted, who can unlock it?
To unscramble the encrypted data, you will need an encryption "key." The key is a very large number that an encryption algorithm uses to change the data back into a readable form. Without the key, no one but the owner of the encrypted data will be able to access a readable version. This unscrambling process is called "decryption."
Anyone who has your encryption key can read your encrypted data. In some kinds of encryption, you might not be the only one who has a key. If another party – such as a company providing the service or product that's encrypted – keeps a copy of your key, they will also be able to decrypt your data. This is a practice used by many businesses to access encrypted information they maintain.
End-to-end encryption for communication platforms is considered the most secure. If messages are end-to-end encrypted, only the people who are having the conversation have the keys to decrypt what’s being sent. This also means the company providing the messaging platform does not have the technical ability to access the data – or, potentially, turn it over to law enforcement if presented with a warrant.
What are some common places encryption is used?
Internet browsers: When you visit a website, check the URL bar for "HTTPS" before the site’s address. Many sites and platforms are adopting HTTPS encryption, which protects the connection between your browser and a website from anyone trying to see or modify information you submit to that site. This protects sensitive data such as credit card details or passwords. Companies such as Google and Mozilla are working to make this encrypted connection more obvious to Internet users with icons in the URL bar, such as a lock to indicate a secure connection. This helps users better understand whether their connection to a website is secure, as they might not want to submit sensitive information – such as a social security number – if there is a higher chance it could be stolen.
E-mail: However, HTTPS encryption does not prevent your e-mail provider from being able to read your messages. Software such as Pretty Good Privacy (PGP), also called GNU Privacy Guard (GPG), or S/MIME can encrypt the body of your e-mail so that no one but the person receiving the e-mail can read it – not even your e-mail provider. This doesn’t protect your e-mail's "metadata," which is general information about your message. This includes who sent and received the message and at what time, as well as the subject line and details on how big any attachments may be.
Computers and hard drives: Full disk encryption protects all data stored on the computer or external hard drive. That means that if an unauthorized person were to download data from an encrypted hard drive, they wouldn’t be able to read any of the files stored on it. The person who owns the device accesses it as they normally do with a password.
Smartphones: Depending on the version of the iOS or Android operating systems that a smartphone is running, device encryption may be available. In this case, the encryption protects files stored on the phone.
Apple offers encryption by default in the latest version of its iOS operating system; this is enabled by setting a passcode for the lock screen. If you choose a numeric PIN, experts recommend choosing one that is longer than four digits, as it will be more difficult for an attacker to break. Phones running iOS 8, the previous version, also have the option to encrypt their data easily. For its part, Google enabled encryption by default for some new devices running the most recent operating system, but not all, despite announcing its commitment to do so for the previous version of Android. Users running the latest Android operating system can enable encryption in their settings.
Many smartphone apps, too, have encrypted connections to ensure the data sent from them is secure, and some communication apps boast end-to-end encryption. Popular mobile Internet browsers also support HTTPS encryption.
Is encryption impenetrable?
Encryption can be highly effective if it is implemented and used correctly. But for it to work as well as possible, the encryption needs to be properly coded and implemented by the company providing the encryption system. And machines using encryption – such as a computer – need to have updated software to make sure attackers cannot take advantage of any security holes.
Encryption may improve consumer security, but as it becomes more widespread, some law enforcement officials worry it puts some data beyond their reach. As we mentioned above, if a company provides a service that uses encryption and does not keep a copy of a customer’s encryption key, the company won’t be able to access a readable form of the encrypted data even if it wanted to. That means it also has no way to provide that information to law enforcement.
This is what FBI director James Comey refers to as "going dark." Cyrus R. Vance Jr., a Manhattan district attorney, says such encryption is preventing his investigators from accessing information on 175 Apple devices.
What’s a backdoor?
To avoid such scenarios, many in law enforcement are calling for tech companies to build in access to encrypted devices so law enforcement can obtain information with a warrant or court order. This kind of exceptional access is what many call a “backdoor” – in other words, a way around the system’s security features.
One method floated in recent months to ensure the government has access to encrypted data is "key escrow." This is when a third party – such as the government – would also have a key to the encrypted data in case it needs access. Many experts say this puts the information at risk should someone else steal the extra key. Other ways include the “split key” or “secret sharing” method – where multiple keys would be needed to access the locked data. So, conceivably, the government and company might both have keys they could combine provided they have a warrant. The Washington Post has a helpful explainer on these policy options.
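The "split key" idea can be made concrete with a short added example (not from the article or from any proposal it mentions). It uses simple XOR splitting, one of several possible schemes, and the function names and 256-bit key size are assumptions chosen for illustration.

```python
from __future__ import annotations
import secrets

KEY_BYTES = 32  # assumed 256-bit key, for illustration only

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, holders: int = 2) -> list[bytes]:
    """Split `key` into shares; every share is needed to rebuild it."""
    if holders < 2:
        raise ValueError("need at least two holders")
    # All but the last share are pure randomness.
    shares = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    # The last share is the key masked by every random share.
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    return shares + [last]

def combine_shares(shares: list[bytes]) -> bytes:
    """XOR all shares together; a missing share yields random bytes."""
    key = shares[0]
    for share in shares[1:]:
        key = xor_bytes(key, share)
    return key

def partner_share_for(share: bytes, guessed_key: bytes) -> bytes:
    """The partner share that would make `share` decode to `guessed_key`.
    One exists for every guess, so a lone share rules out no key."""
    return xor_bytes(share, guessed_key)

def demo() -> dict[str, bool]:
    key = secrets.token_bytes(KEY_BYTES)
    company, government = split_key(key)      # hypothetical holders
    wrong_guess = bytes(KEY_BYTES)            # constructed all-zero guess
    fake = partner_share_for(company, wrong_guess)
    return {
        "both_shares_rebuild_key": combine_shares([company, government]) == key,
        "wrong_guess_also_fits_one_share":
            combine_shares([company, fake]) == wrong_guess,
    }

if __name__ == "__main__":
    print(demo())
```

Because every guessed key is consistent with a single share, one holder alone learns nothing about the key. The data is exposed only if all shares are obtained together, unlike key escrow, where one stolen extra key is enough.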
However, many members of the US government have shied away from concrete suggestions about how to ensure government access – so long as they have a way to access what they call “warrant-proof” encryption. At a Passcode event in October, Justice Department senior counsel Kiran Raj dismissed the notion that the FBI or others want a built-in “backdoor” to encryption – but wants companies to ensure the encryption they use allows them to turn over user data when the US has a warrant.
Privacy advocates and the tech community are vehemently pushing back against arguments to require exceptional access to encryption systems, saying backdoors open consumers up to significant vulnerabilities. If the US government has a way in, they say, it will be an immediate target for hackers and other countries might demand the same. What’s more, they argue, there is a bevy of other investigative methods available to law enforcement that don’t involve weakening encryption.
In the FBI’s widely publicized San Bernardino, Calif., case against Apple, the government was not explicitly requesting a weakening of encryption. Instead, it was trying to force Apple to write new software that, when the iPhone installed the software update, would allow the FBI to crack the password faster by trying different combinations quickly. But Apple said that creating a tool to bypass security features on its own devices would achieve the same effect of a backdoor. What’s more, privacy advocates and tech companies worried it could set a precedent that could be used in other domestic and international cases.
Is all of law enforcement and US government against encryption?
Not necessarily. Law enforcement and intelligence officials have often said they appreciate the benefits of encryption when it comes to protecting data from threats such as hackers or foreign governments. They just want to be sure there’s a way to access encrypted data – especially communications – for their investigations.
What’s more, while these officials have been very vocal about their “going dark” plight as end-to-end encryption spreads, other officials from the State and Commerce Departments have been quieter publicly on the issue. President Obama called for a balance, though he has said law enforcement and intelligence agencies must have ways to get around encryption for critical investigations.
And many current and former officials say they recognize the need for strong encryption. Former National Security Agency director Michael Hayden said end-to-end encryption is important for security. Likewise, Sen. Ron Wyden (D) of Oregon said building in access for government, such as in the San Bernardino, Calif., iPhone case, would be detrimental for Americans’ security. The US government is also in the process of shoring up HTTPS encryption on its own sites this year.
Americans aren’t alone in the discussion
Britain is considering legislation that would increase the government’s surveillance powers by requiring tech companies to bypass encryption measures on customers’ communications when presented with a warrant. Meanwhile, companies could face fines from French law enforcement if they do not give French authorities decrypted customer communications. But not all European countries are cracking down on encryption. Dutch officials took a preemptive stand against backdoors earlier this year.
Want to try encryption?
Begin by installing software updates for your operating systems and applications to help eliminate any existing software vulnerabilities that could be used to compromise your computer. Then, try some of these:
Mobile: For mobile communication, Signal provides end-to-end encrypted messaging and calls for both iPhone and Android. Wickr is another option for encrypted mobile messaging and calls.
Online: HTTPS Everywhere is a browser extension that ensures that if a secure version of a site exists, an Internet browser connects to the secure version every time. It was created by digital rights nonprofit the Electronic Frontier Foundation (EFF).
Your computer: To enable full-disk encryption on your computer, Windows users can use BitLocker, and Mac users can enable FileVault 2.
E-mail: PGP/GPG is a more advanced tool. The EFF has a guide on installing and using it for Windows and Mac.