Both Apple and Google have announced plans to encrypt data by default on mobile devices. This is fantastic news. It means that if you lose your device, your data is protected from people who want to look at it.
In Apple’s case, a post on their site says, “On devices running iOS 8, your personal data … is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data…” That means that your data is protected, but that the key to the data is your passcode (either a simple PIN or something more complex).
In order for the data protection to be valuable, you need a good passcode. If you choose a simple PIN, it might be easy to capture by someone watching you enter it (called “shoulder surfing”) or by someone watching at a distance with a video camera – even one on their phone. You can reduce the likelihood of this succeeding by using a complex passcode and by making your finger less visible when entering the code, for example by holding the phone close to your body.
Encryption of data is a very good idea. If you have a tablet or phone with sensitive information, encrypting that data makes it much less likely that it will fall into the hands of others. So if you have a list of people’s names and contact info (as most device users do), encrypting that means that others cannot find out with whom you associate. Encrypting email means others cannot read the messages stored on your phone, even if they are somehow accessible.
That understandably upsets some people in law enforcement. With proper authorization, they want to access data that can help them solve crimes. This is a noble goal. But if there is only one key, and it is in the hands of the user, law enforcement may not be able to access the device’s data. There are multiple solutions to this issue, including key escrow, M of N control and other tools, none of which Apple or Google have implemented. We discuss many of these in Learning Tree Course 468, System and Network Security Introduction, as well as in our Mobile Application & Device Security course. I’m all in favor of strong privacy, but I’m also in favor of catching genuine bad guys.
A solution to the balance of privacy and legitimate law enforcement needs is necessary. This is as good a time as any to have that debate. Please share your ideas for solutions in the comments below.
To your safe computing,