Apple and Google recently made headlines for changing their policy on smartphone encryption, namely making device encryption the default on their products, and designing their systems so that neither company holds the encryption keys. Purportedly, this will keep the government out of your personal life when it comes to rifling through your smartphone and tablet computer – and it has been welcomed by members of the general public who are interested in privacy issues.
Of course, the truth is that this is nowhere close to what people think it means, as Andrew Zonenberg writes in the article “Why Apple’s iPhone encryption won’t stop NSA (or any other intelligence agency)”. Although not meant to be technical in nature, the article does bring in some elements that are traditionally used in the digital data security field, requiring a little heavy reading on the side (0day exploits; Alice, Bob, and Eve; UID keys; etc.).
The gist of the article is this: there are many ways to collect data that are associated with your smartphone. The use of device encryption covers security issues specific to one particular risk. Incidentally, this is why I think the government going crazy about “helping the terrorists” is over the top.
Device Encryption: Preventing Access When Smartphone is Lost
When evaluating what Apple’s new stance means, it helps to understand what device encryption (aka, disk encryption) is and does. Device encryption, as the name implies, encrypts the device, specifically, the data storage portion of the device. It does not mean that files are encrypted, or that data is encrypted. It means the disk is encrypted. You should let that sink in for a moment.
The implications of this are huge: if you send an email from a disk-encrypted computer, the email is not encrypted. If there’s an attachment to that email, it’s not encrypted. If you copy a file to a USB device, that file is not encrypted. If you make a call from a smartphone that has disk encryption, the call is not encrypted. Neither are texts, tweets, SMS messages, pictures, video clips, etc.
None of that is encrypted; at least, none of it is encrypted by the disk encryption. It’s the device’s storage disk that is encrypted with disk encryption – and thus anything placed inside of it. A real-life analogy would be placing documents in a safe and locking it with a key. The documents, coins, family photos, cash, jewelry, etc. do not change in any way whatsoever when placed inside a safe, and are only protected as long as they are inside the safe. The same is true for disk encryption. Zonenberg put it more succinctly (Eve is the “bad” person in the following):
There is only one situation where disk encryption is potentially useful: if Alice or Bob’s phone falls into Eve’s hands while locked and she wishes to extract information from it. In this narrow case, disk encryption does make it substantially more difficult, or even impossible, for Eve to recover the cleartext of the encrypted data.
Ultimately, what all of this means is that your calls, text messages, things backed up to the cloud, and other data are still well within the reach of spooks and others.
But you’re very safe from intruding eyes if someone were to steal your smartphone, or if you were to lose it — which happens a lot.
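The distinction drawn above, as an added example that is not from the original article or from Zonenberg's: a toy Python model of storage that is ciphertext at rest but plaintext to anything running on the unlocked device. The class, passcode and note are constructed for illustration, and the SHA-256 keystream is only a stand-in for the cipher a real device uses.

```python
import hashlib
import os

SECTOR = 32  # toy sector size in bytes

class ToyEncryptedDisk:
    """Storage that is ciphertext at rest and plaintext to the unlocked OS."""
    def __init__(self, passcode):
        self.salt = os.urandom(16)
        self.raw = b""  # what someone imaging the storage chip would see
        self.unlock(passcode)

    def unlock(self, passcode):
        # The key exists in memory only while the device is unlocked.
        self._key = hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 50_000)

    def lock(self):
        self._key = None

    def _xor(self, data):
        # Toy per-sector keystream (hash of key and sector number).
        # XOR is its own inverse, so this both encrypts and decrypts.
        if self._key is None:
            raise PermissionError("device is locked")
        out = bytearray()
        for i in range(0, len(data), SECTOR):
            ks = hashlib.sha256(self._key + (i // SECTOR).to_bytes(8, "big")).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + SECTOR], ks))
        return bytes(out)

    def write(self, plaintext):
        self.raw = self._xor(plaintext)

    def read(self):
        return self._xor(self.raw)

def demo():
    note = b"meet at the usual place, 9pm"  # constructed sample data
    disk = ToyEncryptedDisk("4821")          # constructed passcode
    disk.write(note)
    email_body = disk.read()  # an app reads the file to send it: cleartext leaves the disk
    disk.lock()               # phone is now lost or stolen while locked
    disk.unlock("0000")       # finder guesses the wrong passcode
    wrong_guess = disk.read()
    return {
        "at_rest_is_ciphertext": disk.raw != note,
        "email_body_is_plaintext": email_body == note,
        "wrong_passcode_fails": wrong_guess != note,
    }
```

All three results are true: the stored bytes are unreadable without the passcode, while the copy handed to the mail app never had any protection from the disk layer.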