I should start by saying that there are plenty of legitimate reasons not to want anyone snooping in your data–including the government. If your reason is that you plan to do something illegal, well, I didn’t write this article for you. And there’s a pretty good chance that if you do something illegal, the government will find a way to get what it wants from you.
Now that that’s out of the way, let’s also make sure we’re on the same page as to what encryption is, and why it matters. Then we’ll look at how to best protect your data.
Encryption is a method of making data unreadable by encoding it using an algorithm so that it can only be read by someone with a decryption key. Anyone could, in theory, access the data, but it would be unusable without the key. It would be like finding a piece of paper written in code. If you don’t know the code, you can see all the characters on the page, but you wouldn’t have any idea what they mean. It’s useless.
Generally, there are two types of data that we think about in terms of encryption. The first is known as data-in-transit, which is used by financial institutions, as well as some messaging services like WhatsApp or iMessage. This is also known as end-to-end encryption because it is encrypted at the source, and can only be decrypted by the intended recipient in possession of the key.
The second type is known as data-at-rest because it is stored in an encrypted state on a server or device. For example, your iPhone is encrypted in this manner, and computers and hard drives can be encrypted the same way. When you enter your passcode or place your finger on a Touch ID sensor, the data is decrypted.
Here’s the thing: Touch ID and Face ID are pretty secure ways of protecting your phone, especially on the iPhone, which uses a separate processor, known as the Secure Enclave, to handle decryption. Still, neither method is perfect.
Touch ID has already been shown to be vulnerable to high-tech fingerprint copies, and there are examples of other devices that have been unlocked using a photograph of the user’s face. Those aren’t likely to be of much concern if you leave your phone on the subway or it’s stolen from your hotel room, since it’s not likely to be worth the effort to unlock.
On the other hand, if someone has possession of your device, and is able to place your finger on the sensor, or can point it at your face, they can potentially decrypt your device.
And the law is far from settled on whether or not the government can compel you to unlock your phone in this manner. Courts have come down on both sides, making it unclear how far the government can go to force you to decrypt your iPhone.
The fact that someone could use your biometric data to unlock your device is why you have to enter your passcode when you restart your iPhone or MacBook. In fact, if you’re really interested in protecting your data, a passcode is actually far more secure, provided you can keep it a secret. And I don’t mean an easy-to-guess four-digit passcode like the one you use for an ATM card. Choose an eight-digit or longer passcode, preferably one with both letters and numbers.
Third-party tools from companies like Cellebrite and Grayshift that are used to access encrypted data don’t actually reverse-engineer the encryption algorithm; they simply guess the passcode. That’s why the longer your passcode, the harder it is to crack. Not only is it harder for a person to guess, but it’s harder for a computer to guess. Sure, eventually a computer can try every possible option, but that takes time.
For example, a four-digit passcode takes about seven minutes for a computer to guess. An eight-digit passcode, on the other hand, takes about 46 days. That’s a big difference, and the time required increases dramatically the longer the passcode. A ten-digit passcode would take more than 12 years to crack on average. And, if you use both numbers and letters, that same passcode would take more than 70 years to guess.
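The arithmetic behind those figures, as an added example that is not part of the original article: it computes the average time to guess a randomly chosen passcode and the shortest length that meets a target. The 80 ms per guess is an assumption, chosen because it reproduces the article's digit-only numbers; the function and alphabet names are illustrative.

```python
import string

# Assumption: each guess costs about 80 ms. This rate is not stated in the
# article; it is chosen because it reproduces the article's digit-only figures.
SECONDS_PER_GUESS = 0.08
YEAR = 365.25 * 86400

# Illustrative alphabets a passcode might be drawn from.
ALPHABETS = {
    "digits": string.digits,                                  # 10 symbols
    "lowercase+digits": string.ascii_lowercase + string.digits,  # 36 symbols
    "mixed-case+digits": string.ascii_letters + string.digits,   # 62 symbols
}

def average_seconds(length, alphabet_size, per_guess=SECONDS_PER_GUESS):
    """Expected time to guess a uniformly random passcode.

    On average the right value turns up after half the keyspace is tried.
    """
    return (alphabet_size ** length) / 2 * per_guess

def min_length(target_seconds, alphabet_size, per_guess=SECONDS_PER_GUESS):
    """Shortest passcode whose average guessing time reaches the target."""
    length = 1
    while average_seconds(length, alphabet_size, per_guess) < target_seconds:
        length += 1
    return length

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        for length in (4, 6, 8, 10):
            t = average_seconds(length, len(alphabet))
            print(f"{name:18} length {length:2}: {humanize(t)}")
        n = min_length(YEAR, len(alphabet))
        print(f"{name:18} needs {n} characters to average a year or more")
```

These numbers only hold for a passcode picked at random; a birthday or a repeated digit falls far sooner than the average suggests.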
Finally, it’s worth mentioning that if you back up your iPhone to your iCloud account, that data isn’t end-to-end encrypted. Sure, it’s protected on Apple’s servers, but the company holds the encryption key, meaning they can decrypt it. That’s probably not a big deal for most of us, but it does mean they could hand it over when asked by a court.
The bottom line is this: If protecting your personal or business information is important to you (and it should be), it’s up to you to understand how encryption works, and how to use it effectively. There’s obviously a trade-off between security and convenience (long passcodes are harder to remember and take longer to enter than Face ID), but only you can decide whether it’s worth it.
After all, your personal data is your most valuable asset, and if you won’t protect it, there are plenty of people who would love to get their hands on it.
This article is from Inc.com