Thursday, April 30, 2015

Proof That Encryption Works... Google, Apple & the FBI

The newest releases of Google's Android OS introduced a long overdue feature: encryption of user data is now enabled out-of-the-box. Although Android users have had the option to encrypt their devices since Android 3.0, now you won't even have to think about it. Apple's iOS has been doing this for some time now, and Android has finally caught up. This move is quite a game changer for the smartphone industry and users alike.

To be more specific, it is only the data partition (/data) that is now encrypted by default, but that will do the trick because, well... that's where your private data is stored. It's also worth noting that if you upgraded your phone to Lollipop (Android 5.0) rather than purchasing a phone with Lollipop pre-installed, you will need to manually encrypt your data from the settings menu. That's likely because the initial encryption pass can take over an hour, and I can imagine a lot of people would be irritated if an update rendered their phone unusable for that long. The mode Google chose is AES-128 in CBC mode with SHA-256, which is dm-crypt's "aes-cbc-essiv:sha256" configuration: AES is the cipher, while SHA-256 is not a second cipher but a hash used to turn the disk key into a separate key that encrypts each sector number into that sector's IV (ESSIV). That keeps IVs unpredictable, so an attacker reading the raw flash cannot mount watermarking attacks against the CBC layer. Both primitives are well proven when properly implemented. Apparently it's possible to use AES-256 if desired, although at this point in time I see no reason to do so. AES (Advanced Encryption Standard) is one of the more popular ciphers available today, and works well on embedded systems like smartphones. Curiously, reports at the time were that Google's implementation does the AES work on the CPU rather than using the hardware crypto engine present inside devices (not even on its own Nexus). Note that this is about the cipher engine, not the hardware random number generator: the RNG only matters when the key is generated and cannot explain the overhead of bulk encryption. I'm not sure what to make of that, but perhaps they are protecting users against possible backdoors built into present or future crypto hardware. This does mean more overhead for the CPU, but personally I'd trade a little performance for security.
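To make the "AES-128-CBC with SHA-256" description concrete, here is an added example (not Google's or the kernel's code) of how dm-crypt's aes-cbc-essiv:sha256 mode encrypts one 512-byte sector: the sector number is encrypted under SHA-256(data key) to produce the IV, and the sector contents are then encrypted with AES-128-CBC under the data key. The 16-byte key and the sector contents below are constructed demo values, not anything from a real device.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sectorSize is the dm-crypt sector size (512 bytes) on which the IV is derived.
const sectorSize = 512

// essivIV derives the per-sector IV. ESSIV (Encrypted Salt-Sector IV) encrypts
// the sector number with AES under a key that is the SHA-256 hash of the data
// key, so someone who can read the disk cannot predict any sector's IV.
func essivIV(dataKey []byte, sector uint64) ([]byte, error) {
	hashed := sha256.Sum256(dataKey) // 32 bytes, so the IV generator is AES-256
	ivCipher, err := aes.NewCipher(hashed[:])
	if err != nil {
		return nil, err
	}
	var sectorBlock [aes.BlockSize]byte // little-endian sector number, zero padded
	binary.LittleEndian.PutUint64(sectorBlock[:8], sector)
	iv := make([]byte, aes.BlockSize)
	ivCipher.Encrypt(iv, sectorBlock[:])
	return iv, nil
}

// checkArgs enforces the AES-128 key size and a whole 512-byte sector.
func checkArgs(dataKey, sectorData []byte) error {
	if len(dataKey) != 16 {
		return fmt.Errorf("AES-128 requires a 16-byte key, got %d", len(dataKey))
	}
	if len(sectorData) != sectorSize {
		return fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(sectorData))
	}
	return nil
}

// EncryptSector encrypts one sector with AES-128-CBC under dataKey using the
// ESSIV-derived IV for that sector number.
func EncryptSector(dataKey []byte, sector uint64, plain []byte) ([]byte, error) {
	if err := checkArgs(dataKey, plain); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	iv, err := essivIV(dataKey, sector)
	if err != nil {
		return nil, err
	}
	out := make([]byte, sectorSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out, nil
}

// DecryptSector reverses EncryptSector. A wrong key or sector number yields
// garbage rather than an error: CBC-ESSIV carries no integrity tag, so it
// does not detect tampering with the stored ciphertext.
func DecryptSector(dataKey []byte, sector uint64, ct []byte) ([]byte, error) {
	if err := checkArgs(dataKey, ct); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	iv, err := essivIV(dataKey, sector)
	if err != nil {
		return nil, err
	}
	out := make([]byte, sectorSize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return out, nil
}

func main() {
	// Constructed demo values: a fixed 16-byte key and an all-zero sector,
	// which is what most of a freshly formatted partition looks like.
	key := []byte("0123456789abcdef")
	zeros := make([]byte, sectorSize)
	c0, _ := EncryptSector(key, 0, zeros)
	c1, _ := EncryptSector(key, 1, zeros)
	fmt.Printf("sector 0, first block: %x\n", c0[:16])
	fmt.Printf("sector 1, first block: %x\n", c1[:16])
	fmt.Println("identical sectors encrypt differently:", !bytes.Equal(c0, c1))
	p0, _ := DecryptSector(key, 0, c0)
	fmt.Println("round trip ok:", bytes.Equal(p0, zeros))
}
```

The thing to notice is what the scheme does not give you: confidentiality only. Flipping bits in a stored sector goes undetected, which is why later designs moved to authenticated or hardware-bound schemes.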

There is no doubt that Edward Snowden's revelations of the NSA's scandalous surveillance program played a role in this decision. Since those documents leaked, Americans have started to care much more about their personal privacy, and the rest of the world has lost a lot of trust in the American tech market. Since Google is one of the largest tech companies in the US, it's likely that they suffered lost revenue as well. In fact, according to Google's executive chairman, Eric Schmidt, NSA spying will kill our technological industry. Because these activities were and continue to be unconstitutional-- and let's just call it what it is-- illegal, it's only natural that the people would seek ways to circumvent the system.

As soon as this was announced, the director of the FBI stated that he was not happy about it. One would think that the FBI's ability to tap almost any private conversation anywhere at any given moment, and to intercept a large share of the traffic flowing through the internet without due process of law, would be enough for them. I mean seriously, you can already intercept most of the data on our phones before it's even stored in our little encrypted partition, and now you want to take that away too? Google did the right thing and gave the user control over their data: nobody but the device owner can decrypt it, because the disk key is wrapped with the owner's lock screen PIN or passphrase (and bound to the device hardware where the hardware supports it), so Google does not have the key and law enforcement can't call Google and ask them to unlock someone's phone. The obvious caveat is that the protection is only as strong as that credential: a device with no screen lock, or a trivially guessable PIN, is encrypted in name only. The FBI is so pissed about the idea of people getting this inkling of privacy back that they are seriously trying to pressure phone manufacturers to put (and I quote) "Not [hardware] backdoors, but front doors" into their products to circumvent the encryption. I'm sorry FBI, but no matter which door you use and what you want to call it, it's still an intentional way of undermining methods of protecting personal data, and thus by definition is still a backdoor. Not to mention that if hackers have a history of exploiting such backdoors, they surely will figure out how to exploit the 'front doors' as well.

James Comey (director of the FBI) claims that as encryption is used more frequently, the FBI's ability to solve crimes is diminished. And now I'd like to challenge that statement. His example was one of classic eye-rolling cliché: "What if a little girl goes missing and we can't find her because we can't get into her phone?"

First of all, you, the federal government, have more data-mining resources available to you than Heinz has pickles. You could always retrieve her call log, text messages, entire location history (even if the GPS was off), emails, and probably even her web history from the telecoms. If the phone is still powered on when the feds get to it, they can attempt a cold boot attack, because the disk encryption key (not the passphrase itself, but the key derived from it) must be held in RAM for as long as the device is running in order to decrypt that data. Then there is always PRISM, and all the other creepy data mining and retention systems available to agencies such as the FBI. The point of those systems is in fact to capture and store as much data as possible while in transit. Come on, this is supposed to be for our protection, right? Is the director of the FBI admitting that those systems are in fact a total waste of money? Not to mention that parents have the ability to track their kids everywhere they go these days, thanks to their cell phones. If you are a parent concerned about what your kids are hiding from you, don't buy them something they can lock, because it's your fault if you can't access it. And then there are the Google and Apple accounts. By default, pictures, contacts, settings, Wi-Fi passwords, location history, emails, and a lot more personal information are automatically uploaded to Google's or Apple's servers. Google and Apple are certainly able to provide this data to law enforcement when they are legally obligated to do so.

It seems that unless this little girl is a vigilant privacy advocate like myself, uses 64-character random strings for her passwords, never enables location services, does not run Google software on her devices, has data sync disabled, runs a firewall on her device, routes all her web traffic through the Tor network, and uses end-to-end encryption for all of her text messages and phone calls, that dinky little encrypted partition will not drastically hinder your ability to locate her.

In the end, encrypted devices will simply give back to you the constitutionally guaranteed freedom of reasonable privacy in your home, papers, and locked containers. In most states, police need a warrant to search a locked container during a traffic stop, and the Supreme Court held in Riley v. California (2014) that they need a warrant to search the contents of a cell phone seized during an arrest. I would consider an encrypted smartphone a type of locked container; it is, after all, the most personal of all the electronic devices that we carry around today. So will encrypted phones make any difference at all? Yes, they absolutely will. During a routine traffic stop, the police will see the lock screen and know that they will not be able to overstep their legal authority. In 99% of these cases, they will write your speeding ticket or whatever and send you on your way. In cases where the police have reasonable suspicion that a crime has been committed and there is important evidence stored on your locked device, they will be forced to obtain a warrant in order to search your phone, at which point you may be compelled to provide them the passphrase (whether the Fifth Amendment protects you from that is still being fought out in the courts). Isn't that the way it's supposed to work anyway? It appears that the FBI is simply butthurt over losing about 1% of their ability to undermine our constitutional rights because Google & Apple are delivering a feature the people desperately need.

Finally, with all the money spent on these dragnet surveillance systems, Americans ought to be able to hold the NSA accountable for the accuracy of the information that they store about us. I should be able to call them and ask "Hey, remember that blonde chick I hooked up with last weekend? Could you refresh my memory, when did she say her birthday is again?" At least we'd be getting something useful from these systems of control that we pay for. One conclusion we can draw from all this with certainty is that encryption works. Use it.
