AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Don’t want to be the next SONY? Encrypt Everything!


Your personal data is your own and it should stay that way. Enabling other people, organizations, or for that matter systems, to peek into our data is a serious problem which we should all be aware of and concerned about. Following on from my recent blog post ‘Who’s Watching Me? Tips to Protect Your Privacy in the Digital World’, I’d like to expand upon the importance of encryption to help protect personal data.

There are many different personal views when it comes to personal data. There’s one mindset where people are comfortably numb. They don’t believe that anyone would want to snoop or steal their data, and they live their digital lives as if nothing malicious could ever happen to them. These people, and in some cases companies, don’t take data security seriously and end up paying the price.

At the other end of the spectrum there are those who are so paranoid that they don’t end up using the internet or technology for fear of data loss and privacy issues. There is some truth within this camp’s ideology, and a healthy dose of paranoia doesn’t hurt anyone (tinfoil hats are all the rage these days :)). But being scared of technology isn’t right either. Where we want to be is somewhere in the middle. We don’t want to be loose and irresponsible, but we also don’t want to be scared of the technology we’re using. For this reason we need to be educated on how to protect our data so that we can find middle ground. The answer is encryption.

Encryption essentially provides a secure way to transfer and store personal data and prevent it from being read or used against its owner’s will. It’s important to note that encryption does not stop someone from intercepting your data, but it does prevent them from being able to use it.

There are two key areas where encryption should be used: storage and transmission. There’s actually a third (processing), but that’s slightly out of scope of what we’re talking about here.

  • Storage: Stored data is often called data-at-rest because it’s stored in one physical location and isn’t traversing the network. It’s important to note that data being at rest doesn’t mean that the physical device itself (such as a laptop or mobile device) isn’t in motion; in fact, these devices are often moved. Therefore you should encrypt these devices’ storage repositories in case of theft or loss of the physical device. Windows provides its own native OS encryption, BitLocker; Linux provides LUKS; and Android and iOS have built-in encryption that you should utilize.
  • Transmission: Data in motion occurs as soon as your data leaves its storage for another device or internet site. Even though transmission may take a split second, you don’t want your personal data to be sent in clear text, without encryption.

It’s important to note that some data is sent unencrypted by default; think HTTP traffic here. So if you are sending sensitive data, you need to make sure that it’s going over an HTTPS (SSL/TLS) connection. There are other methods which can be used, such as PKI. PKI allows for secure encrypted communication between parties, and each recipient decrypts the data using their own public key. A good example of this is TextSecure, which is an Android app that allows you to send encrypted texts to those that are using the same application with your public key. Once again, this data can be intercepted, but it can’t be read or abused since the data is not readable without the proper key.

The encryption community has become very active over the past year, producing numerous tools and services for data in motion. For example, www.letsencrypt.org is creating a new SSL certificate for free that will make the web and your personal data more secure. Tools are also being developed for mobile devices, as today this is where most personal data is being used and stored, and it needs to be secure. A good example of this is the Silent Circle application suite, which allows secure communication between users of the app.

With hacking and breaches at an all-time high (think SONY), we all need to start utilizing encryption in our digital lives as much as possible. This isn’t something for super nerds, tinfoil-wearing paranoid people, or those working at the NSA (it’s actually used to protect against NSA snooping). Encryption should be for everyone, and the more we promote it as security evangelists, the more it will be used. Encrypt everything!!
