海角大神

Modern field guide to security and privacy

A beginner's guide to encryption

Don't understand encryption or the policy debates around it? Let us walk you through the basics.

Reuters / Susana Vera

When iPhone encryption stymied the FBI, federal agents in two separate court cases tried to force Apple to help them access data. One phone belonged to a suspected drug dealer, and the other to Syed Rizwan Farook, the shooter in the San Bernardino, Calif., terror attack.

While the US government the San Bernardino, Calif., case this week after finding an alternative way to access Mr. Farook’s data, the debate about encryption on consumer devices is far from over.

Encryption keeps some of your most vital data safe.

It protects your credit card information from being stolen by anyone eavesdropping on your Internet traffic when you make purchases online. It’s also used to keep secure, protect , and . Increasingly, encryption is becoming widely available by default on consumer devices like smartphones.

But law enforcement and intelligence agencies say this trend of strong security on consumer devices has consequences: Encryption is hindering their investigations of criminals and terrorists.

That conversation is happening on a national level. President Obama at South by Southwest Interactive called for the tech community to find a way to protect both consumer security and national security.

So, to help you learn more about encryption – whether it’s to improve your own security, or help form your opinion in this heated debate – we spoke with several experts to create a practical guide on the basics.

First, how does encryption protect my data?

Encryption algorithms use math to "scramble" data so it can’t be read by an unauthorized person – such as a hacker or government seeking to break in.

Right now, you’re reading what’s known as plain text. But if this article was encrypted, anyone who intercepts the encrypted version of it would instead see a very long string of unintelligible numbers and letters, such as: “SNaci82xleab92lka.”

Data can be encrypted in two places: First, it can be encrypted "in transit," such as when you send information from your browser to a website. Second, data can be encrypted when it’s "at rest," such as when it is stored on a computer or on a server.

Once my data is encrypted, who can unlock it?

To unscramble the encrypted data, you will need an encryption "key." The key is a very large number that an encryption algorithm uses to change the data back into a readable form. Without the key, no one but the owner of the encrypted data will be able to access a readable version. This unscrambling process is called "decryption."

Anyone who has your encryption key can read your encrypted data. In some kinds of encryption, you might not be the only one who has a key. If another party – such as a company providing the service or product that's encrypted – keeps a copy of your key, they will also be able to decrypt your data. This is a practice used by many businesses to access encrypted information they maintain.

End-to-end encryption for communication platforms is considered the most secure. If messages are end-to-end encrypted, only the people who are having the conversation have the keys to decrypt what’s being sent. This also means the company providing the messaging platform does not have the technical ability to access the data – or, potentially, turn it over to law enforcement if presented with a warrant.

What are some common places encryption is used?

Internet browsers: When you visit a website, check the URL bar for "HTTPS" before the site’s address. Many sites and platforms are adopting HTTPS encryption, which protects the connection between your browser and a website from anyone trying to see or modify information you submit to that site. This protects sensitive data such as credit card details or passwords. Companies such as Google and are working to make this encrypted connection more obvious to Internet users with icons in the URL bar, such as a lock to indicate a secure connection. This helps users better understand whether their connection to a website is secure, as they might not want to submit sensitive information – such as a social security number – if there is a higher chance it could be stolen.

E-mail: However, HTTPS encryption does not prevent your e-mail provider from being able to read your messages. Software such as Pretty Good Privacy (PGP), also called (GPG), or S/MIME can encrypt the body of your e-mail so that no one but the person receiving the e-mail can read it – not even your e-mail provider. This doesn’t protect your e-mail's "metadata," which is general information about your message. This includes who sent and received the message and at what time, as well as the subject line and details on how big any attachments may be.

Computers and hard drives: Full disk encryption protects all data stored on the computer or external hard drive. That means that if an unauthorized person were to download data from an encrypted hard drive, they wouldn’t be able to read any of the files stored on it. The person who owns the device accesses it as they normally do with a password.

Smartphones: Depending on the version of operating systems that a smartphone is running, device encryption may be available. In this case, the encryption protects files stored on the phone.

Apple offers encryption by default in the latest version of its iOS operating system; this is enabled by setting a passcode for the lockscreen. If you choose a numeric pin, experts recommend choosing one that is longer than four digits, as it will be more difficult for an attacker to break. Phones running iOS8, the previous version, also have the option to encrypt their data easily. For its part, Google enabled encryption by default running the most recent operating system, but not all, to do so for the previous version of Android. Users running the latest Android operating system in their settings.

Many smartphone apps, too, have encrypted connections to ensure the data sent from them is secure, and some communication apps boast . Popular mobile Internet browsers also support HTTPS encryption.

Is encryption impenetrable?

Encryption can be highly effective if it is implemented and used correctly. But for it to work as well as possible, the encryption needs to be properly coded and implemented by the company providing the encryption system. And machines using encryption – such as a computer – need to have updated software to make sure attackers cannot take advantage of any security holes.

Encryption may improve consumer security, but as it becomes more widespread, some law enforcement officials worry it puts some data beyond their reach. As we mentioned above, if a company provides a service that uses encryption and does not keep a copy of a customer’s encryption key, the company won’t be able to access a readable form of the encrypted data even if it wanted to. That means it also has no way to provide that information to law enforcement.

This is what FBI director James Comey refers to as "going dark." Cyrus R. Vance Jr., a Manhattan district attorney, says such encryption is from accessing information on 175 Apple devices.

What’s a backdoor?

To avoid such scenarios, many in law enforcement are calling for tech companies to build in access to encrypted devices so law enforcement can obtain information with a warrant or court order. This kind of exceptional access is what many call a “backdoor” – in other words, a way around the system’s security features.

One method floated in recent months to ensure the government has access to encrypted data is "key escrow." a third party – such as the government – would also have a key to the encrypted data in case it needs access. Many experts say this puts the information at risk should someone else steal the extra key. Other ways include the “split key” or “secret sharing” method – where multiple keys would be needed to access the locked data. So, conceivably, the government and company might both have keys they could combine provided they have a warrant.
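The “split key” idea described above, as an added example that is not from the original article: a simple all-or-nothing XOR split in Python, chosen here for illustration and not taken from any specific proposal. The party names in the comments and the 32-byte key size are assumptions.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parties: int = 2) -> list[bytes]:
    """Split `key` into `parties` shares; every share is needed to rebuild it."""
    if parties < 2:
        raise ValueError("need at least two parties")
    # The first n-1 shares are pure randomness, so each one alone says nothing
    # about the key.
    shares = [secrets.token_bytes(len(key)) for _ in range(parties - 1)]
    # The last share is the key XORed with all the random shares.
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def combine_shares(shares: list[bytes]) -> bytes:
    """XOR all shares together; the result is the key only if none is missing."""
    if not shares:
        raise ValueError("no shares given")
    result = bytes(len(shares[0]))
    for share in shares:
        result = xor_bytes(result, share)
    return result


if __name__ == "__main__":
    device_key = secrets.token_bytes(32)  # constructed sample key
    # Assumed holders for illustration: share 0 -> company, share 1 -> government.
    company_share, government_share = split_key(device_key, parties=2)
    print("company share alone == key:", company_share == device_key)
    print("both shares combined == key:",
          combine_shares([company_share, government_share]) == device_key)
```

Splitting the key this way does not remove the concern raised for key escrow: whoever obtains every share can rebuild the key.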

However, many members of the US government have shied away from concrete suggestions about how to ensure government access – so long as they have a way to access what they call “warrant-proof” encryption. At a Passcode event in October, Justice Department senior counsel Kiran Raj dismissed the notion that the FBI or others want a built-in “backdoor” to encryption – but wants companies to ensure the encryption they use allows them to turn over user data when the US has a warrant.

Privacy advocates and the tech community are vehemently pushing back against arguments to require exceptional access to encryption systems, to significant vulnerabilities. If the US government has a way in, they say, it will be an immediate target for hackers and other countries might demand the same. What’s more, they argue, there is available to law enforcement that don’t involve weakening encryption.

In the FBI’s widely publicized San Bernardino, Calif., case against Apple, the government was not explicitly requesting a weakening of encryption. Instead, it was trying to force Apple to write new software that, when the iPhone installed the software update, would allow the FBI to crack the password faster by trying different combinations quickly. But Apple said that creating a tool to bypass security features on its own devices would achieve the same effect of a backdoor. What’s more, privacy advocates and tech companies worried it could set a precedent that could be used in other domestic and international cases.

Is all of law enforcement and US government against encryption?

Not necessarily. Law enforcement and intelligence officials have often said they appreciate the benefits of encryption when it comes to protecting data from threats such as hackers or foreign governments. They just want to be sure there’s a way to access encrypted data – especially communications – for their investigations.

What’s more, while these have been very vocal about their “going dark” plight as end-to-end encryption spreads, other officials from the State and Commerce Departments have been quieter publicly on the issue. President Obama called for a balance, though he has said law enforcement and intelligence agencies must have ways to get around encryption for critical investigations.

And many current and former officials say they recognize the need for strong encryption. Former National Security Agency director Michael Hayden said end-to-end encryption is important for security. Likewise, Sen. Ron Wyden (D) of Oregon said building in access for government, such as in the San Bernardino, Calif., iPhone case, . The US government is also in the process this year.

Americans aren’t alone in the discussion

that would increase the government’s surveillance powers by requiring tech companies to bypass encryption measures on customers’ communications when presented with a warrant. Meanwhile, companies could face fines from French law enforcement if they do not give French authorities decrypted customer communications. But not all European countries are cracking down on encryption. Dutch officials earlier this year.

Want to try encryption?

Begin by installing software updates for your operating systems and applications to help eliminate any existing software vulnerabilities that could be used to compromise your computer. Then, try some of these:

Mobile: For mobile communication, provides end-to-end encrypted messaging and calls for both iPhone and Android. is another option for encrypted mobile messaging and calls.

Online: is a browser extension that ensures that if a secure version of a site exists, an Internet browser connects to the secure version every time. It was created by digital rights nonprofit the Electronic Frontier Foundation (EFF).

Your computer: To enable full-disk encryption on your computer, Windows users can use , and Mac users can enable .

E-mail: PGP/GPG is a more advanced tool. on installing and using it for Windows and Mac.
