Encryption

Tips For Protecting Your Data When Traveling Internationally

IMG_0376.JPG

This year has been a pretty busy international travel year for me and with all the extra security precautions being taken at international borders these day you can't be too careful when it comes to protecting your data while traveling. So what should you be doing to protect yourself and your data when traveling out of your home country?

It really boils down to two simple things, minimize the data you carry with you on your devices and protect/encrypt the data you transmit. Protecting data transmission is pretty straight forward and so are the reasons for doing so, but minimizing the data on your devices is a little less straight forward. After all, if your device is encrypted then why does it matter? It matters because if the nice man or woman in customs at the border demands that you unlock your device then you have two choices...be detained indefinitely or unlock your device. Whole disk/device encryption doesn't protect you in this case. The only thing that does is to not have the data on your device in the first place.

Protect Your Data Transmissions

The easiest way to get information from someone is to just pluck it out of thin air and with proiliferation of cellular and wireless connectivity the amount of sensitive information floating through the air at any given time is astonishing. If you are on trusted wireless networks like at home or at work its one thing, but when you are in another country you can't trust any of them. So the best way to go is to encrypt everthyhing and this done by using a VPN service. And not just any VPN service, you have to use a service you can trust. If its a free service then its most likely a service you can't trust. There are a ton of VPN services out there but the best one I have found is Cloak.

IMG_0377.PNG

The reason I like Cloak is that it is automatic. You don't have to remember to switch it on, it is activated automatically when ever you are connected to a network you have NOT already identified as a "trusted" network. This is critical because it means you don't have to think about it. Just install the app and you are protected. All of the data you are transmitting and receiving on "untrusted" networks is encrypted between your device and the Cloak VPN server. After that the data is traveling just like it would otherwise (either unsecured or secured via an https connection). So that means you have to trust the folks at Cloak because your data is getting unencrypted on their end. Cloak has some really great options for just buying small amounts of their service that are great for getting just while you are traveling. I had two international trips and for just one single In-App-Purchase of $9.99 I had unlimited data to cover me for 30-days (which covered both of my trips).

Don't Carry Sensitive Data With You

Encrypting your data can only protect you if someone can't force you to unencrypted it. When passing through international borders these days you can't assume that won't happen. So the best approach is to just not carry the data with you or to have the data accessible but not directly on your device. Below are a couple of examples of where I took data off of my devices for international travel.

IMG_0378.PNG

I use 1Password to store all of my passwords and sensitive information. One of the things that security experts like so much about 1Password is that up until recently 1Password focused on local storage for your passwords. But then 1Password came out with a new subscription service. Security experts didn't like it because it was cloud-based and some consumers didn't like it because now you had to pay a monthly or yearly subscription for your service. But what people failed to realize is that now that 1Password was cloud-based you could simply "turn off" the data on your local devices as a way to protect the data (for example when you cross an international border) and then turn it back on once you crossed. That is exactly what 1Password's new "Travel Mode" does. Once you login into your 1Password online account and enable "travel mode" all of the vaults in your account that are not marked as "safe for travel" are removed from all of your local devices (phones, tablets and computers). So what I do is I create a new vault in my account called "travel" and copy only the select few passwords and documents I know I will need for traveling. All my other data is taken off all my devices. Then once I arrive in the country I am traveling too I login to my 1Password online account and disable travel mode. Now I have all of my data back on my devices. Then before I leave I re-enable travel mode and do it all over again. That way if a border agent asks me to unlock my phone it won't have all of my sensitive data and passwords, just a few.

IMG_0380.JPG

Another app I rely on is DEVONthink. I used it to store all of my bills, envoices and receipts. This is great, except I really don't want all of this information turned over to a border agent. I use the Dropbox sync method of syncing my DEVONthink data across all of my devices. So before I travel all I had to do was disable the sync on the DEVONthink databases that I was worried about (my "Bills" database) and then delete the database from my mobile devices. I really don't need access to bills and receipts while I'm on foreign travel so it was best to just temporarily remove it from my devices.

There are probably other app and services out there that are similar to the examples I talk about above (1Password and DEVONthink) where you can remove local data and retain a cloud-based access. If you pair that strategy with the strategy of then removing even the passwords to these services from your device (at least until you are through the border) then you can re-enable your 1Password access and re-connect to the web-based versions of these services while you are abroad.

Hopefully this helped some of you. It may seem like overkill but it really wasn't that hard to do what describe above and it sure made me a lot more comfortable when traveling overseas.

Smartphone Encryption: Leaving Your Front Door Unlocked

image.jpg

There has been a lot of activity these past few weeks concerning data encryption, law enforcement and what smartphone manufacturers should and should not be including in their hardware/software with respect to encryption. The states of New York and California are both proposing laws that would prohibit smartphone manufacturers from selling phones in their states that are incapable of being decrypted by the manufacturer at the request of law enforcement. In other words, these 2 states are requiring that a "back door" be built into smartphones for law enforcement.

Before I get into why these laws are an extremely bad idea for the general public, I want to make sure everyone understands the basics of data encryption. Tom's Guide has a really well written short data encryption explanation that I encourage you to take a few minutes to read. It does a good job of explaining the basics of encryption. At the heart of the matter is both the hardware encryption that is being built into smartphones ,like the iPhone, as well as the data transmission encryption that is part of secure instant messaging services like Apple's iMessage and Apple's iCloud email (which both use encryption to send and receive data). Both of these types of encryption require "keys" to encrypt and decrypt the data, a private and a public key. Wikipedia has a write-up on how these 2 keys work with respect to data encryption. The public key is, well, something that you give out publicly so someone else can send you an encrypted message. Within Apple's Mail and iMessage applications this "public key" is all handled in the background by the iMessage and Mail applications without you having to even know these keys exist. The private key then only exists on your personal device. So that private key is needed by iMessage or Mail to decrypt any incoming message so that you can read it. Again, this is all done by the applications on your device without you even having to worry about it. That is, until lawmakers started trying to introduce legislation to change the way this works.

The private key I just described only exists on your personal device and nowhere else. That means that a company like Apple, whose servers all of these encrypted messages pass through, cannot read any of your encrypted messages. Why not? Because they don't have the key. Without the private key there is no way to get to the information in the message and read it (it just shows up as scrambled garbage). This is the whole premise behind encrypted communications...privacy and data security. Until lawmakers step in that is. The laws being introduced by the states of New York and California, if passed, would make it illegal for a company like Apple to sell smartphones in these states unless Apple had a way to decrypt the data on the device and the messages going through Apple's servers at the request of law enforcement. That would mean Apple would have to store and have access to your private encryption keys (which right now only exist on your personal device).

So this doesn't seem so bad, right? These lawmakers hearts are in the right place after all. They just want to be able to stop terrorists and child pornographers and such and these encryption technologies are closing a loop hole that law enforcement has been using for many years to catch these criminals. I'm all for catching criminals. But what about when these criminals want to come after your data? Shouldn't we be allowed as citizens to protect our personal data? Think about all of the sensitive information you have on your smartphone right now. Most smart cybercriminals only need a few pieces of information from your device to start wreaking all kinds of havoc on your life, like stealing your identity. How many of you have received a new credit card in the mail because your card was "compromised" and required a new card number? This generally happens to us at least 2 or 3 times a year. This is because either your credit card issuer or a vendor you used your card at was unable to protect your credit card information. Your credit card is a single piece of digital information and yet it seems like it is always getting compromised. If these lawmakers get their way, all of the information in your smartphone will soon be just as vulnerable as your credit cards you are having to constantly get replaced. These proposed laws would require Apple to store all of our private keys on their servers so that if law enforcement wanted to gain access to our phones as part of a criminal investigation they could subpoena Apple, get your private key and gain access to all encrypted communications going through Apple"s servers and everything on your phone (if they have it in their possession). If you aren't a criminal and don't plan on breaking any laws anytime soon then why would should this bother you?

Let's just ignore for now the whole side of this argument that says you don't trust law enforcement. To keep it simple we will just assume that law enforcement will always use this "power" for good and never go after someone by mistake. The other problem with forcing Apple to store your private keys is that your private keys are now vulnerable. Apple must protect these keys from criminals. Think about it. Lawmakers have now painted a big sign on Apple for criminals letting them know that the keys to millions of digital lives all reside at Apple. Think of it as the biggest and most important bank on the planet. Apple doesn't want that responsibility. They are first and foremost a hardware company and only get into services to support the hardware they are designing and selling. This law would require Apple and other companies to put a lot of effort and money into protecting everyone's private keys. The other way to look at this is by looking at the deadbolt on your front door. If you went into Home Depot to buy a new deadbolt for your house and printed on the package of every single lock you could buy was the following message:

"Be aware, by law we must build in the capability for law enforcement to be able to open this lock. So this lock is designed to work with a special key that only law enforcement has access to"

Would you feel good about using that lock to secure your house? Everything you own is protected by this lock you are about to purchase and right there on the package it says that someone else already has a key to that lock.

Smartphones have become such a staple of our society. They really do contain our digital lives and as such they should have the ability to protect the data we store on them. These laws would open up a hole in the security that is currently built into these devices, a hole that can and will be used by criminals to gain access to our data. These laws don't make it illegal for you personally to then take an iPhone and add your own encryption software or capability to them, but let's be honest...the average person is not going to bother to do this or even have the technical know-how to do it. What these laws are really doing is telling the average citizen that in order to make the lives of law enforcement a little bit easier we have to give up our data security. This is pretty tough pill to swallow. Rather than punishing criminals, law enforcement is across the board punishing the general population. The people writing these state laws don't understand technology. If they did, they would realize that the criminals and the terrorists they want so badly to catch are already using other methods to encrypt their communciations. These state laws would really only hurt law abiding citizens and do very little to deter criminals or aid in their arrest.

As I was finishing up writing this post, news broke that California Congressman Ted Lieu has drafted a federal law that would prohibit States from making smartphone data encryption illegal on a state by state basis. This bill would essentially protect individuals who want to buy a smartphone with full data encryption capability built-in (and of course, protect the companies that sell these smartphones). This is just the beginning, but it is refreshing to see a bill even in draft form that is backed by common sense and a little bit of IT know-how (Lieu is one of 4 Congressmen with a computer science degree). More to come...

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.