Why is security and encryption important?
Technology has changed the way we access and store information, and the law is one of the industries where iPhones and iPads have become significant tools for day-to-day use. (One recent survey put the rates at 68% and 63% respectively for USA lawyers).
One side effect of the ability to now carry so much computing power and storage with us is that many of us have an awful lot of sensitive and confidential data either in our pocket or in our bags, as well as on our computers, email and cloud-based services.
Thanks to Edward Snowden, we know now that our government and others have been illegally spying on us all for many years, and only now are governments beginning to reign in their security agencies. However, Australia remains one of the most aggressive governments engaging in mass surveillance (although the UK is not far behind), and with the servile acquiescence of the opposition, was able to introduce new laws criminalising disclosure of the existence of certain warrants and authorising bulk metadata collection of all Australians. (Curiously, Malcolm Turnbull, when the Minister for Communications, was the only member of the government to admit the emperor was wearing no clothes when he discussed some ways of easily circumventing this dragnet, including his own admitted use of Wickr, a secure message app.) If you’re interested, the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 is available here.
Of course, some might say that if you’ve done nothing wrong you’ve got nothing to fear. But surely the point is, if you’ve done nothing wrong, the government has no need to know?
Even if you’re not concerned about the government trawling through all your information, there’s still good reason to want to keep it secure.
For law enforcement and government agencies, it’s self-evident why they should want to keep their data — which is often our data — secure. (Even if it seems they haven’t been entirely successful.)
For the law enforcement and government sector, the Commissioner for Privacy and Data Protection provides some guidance, but most of the detailed policies are internal and not published on the web.
For lawyers, it’s a legal and ethical obligation to keep client confidences confidential, and the law recognises that confidential communications are privileged and so exempt from observation by the executive. So lawyers are both entitled and obliged to take reasonable steps to keep the government from snooping through their confidential data.
Some USA jurisdictions have quite extensive and detailed guidelines for lawyers in this regard, and what constitutes acceptable professional conduct standards when it comes to digital security. Australia seems to have very few explicit policies to guide the legal profession in keeping confidential client data confidential.
The Victorian Legal Services commissioner doesn’t really have anything specific about digital and cloud security in its policies and guidelines. There are general obligations of confidentiality in the Victorian Bar Rules 62–66, the Professional Conduct and Practice Rules 1 and 3, and in the new Legal Profession Uniform Conduct (Barristers) Rules 2015 rules 114–118 and Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015 rule 9.
In California a lawyer’s obligation of confidentiality is considered to apply when using WiFi networks. Free public WiFi networks in particular can be a real risk, and if you’re on the same open network as other users — such as at the Supreme Court — your email and cloud-based services could be at risk if you’re not securing your connection with a VPN: see here, here and here.
And only recently, the United Nations’ Special Rapporteur on freedom of expression suggested that encryption is an adjunct of the right to privacy and freedom of opinion and expression. (See here for a good example of the right to privacy applied in 1984 in the UK to stop capricious and gratuitous surveillance.)
Even if you use a password on your computer, anything on your hard drive can be easily accessed by simply removing it from your computer, and either plugging it into an enclosure (just like an external hard drive) or connecting it in another computer. Unless you encrypted your drive, the contents of that disk are then immediately accessible.
The methods of security I’m going to mention do work. (One way of knowing this is just from the hyperbolic response of security agencies that don’t like being prevented from snooping.) For example, the Deputy Attorney-General for the USA declared that a child will die because of Apple’s iOS 8 encryption. And Lavabit and SilentCircle shut down their encrypted email and message services rather than (it seems) hand over their encryption keys to the government. Governments complain about these services because they work.
What about metadata? If you rely on Attorney-General George Brandis or former Prime Minister Tony Abbott for your understanding of metadata, then frankly, you’ll have no idea what it is. So, what is it and why is it so important?
For example, with a digital photograph, the associated metadata can be: camera make and model; time and date the image was captured; orientation (landscape or portrait); copyright; flash; exposure time; ISO rating and shutter speed; and GPS coordinates. Don’t think it’s important? The FBI used metadata to track down one of its most-wanted hackers, Higinio O Ochoa III, when he tweeted a photo of his girlfriend’s breasts, but left the GPS data embedded in the EXIF (exchangeable image file) data.
With an email, the metadata might be: to, from, CC and BCC details; date; subject; source IP; received status; message ID; return path; time and date; encryption status; and in-reply-to information. Don’t think it’s important? Former US General and CIA director David Petraeus was discovered having an extramarital affair with his biographer, and accused of providing classified information to her, before pleading guilty to mishandling classified information. His liaison was uncovered by email metadata.
With mobile phones, the metadata might be: the phone number of every caller; IMEI (international mobile equipment identifier) and IMSI (international mobile subscriber identity) numbers of the handsets and SIM card; call time and duration; and locations of each caller.
Don’t think it’s important? Have a look at:
- the sorts of data retained till very recently by Facebook’s messenger app, which provides similar metadata to mobile phones;
- German politician Malte Spitz metadata records, provided only after he sued his mobile phone company to get the data;
- ABC journalist Will Ockendon’s metadata records.
This is the information that is already provided routinely to law enforcement agencies. Though it’s your data, Australian telcos won’t willingly give all of it to you, though they routinely give it as a matter of course to Australian law enforcement agencies! Journalist Ben Grubb recently won his appeal to the Office of Australian Information Commissioner to gain access to his own metadata, but Telstra is appealing that decision. As a result of that, Telstra has now provided a fee-for-service for limited metadata to its customers.
If you have location data turned on in your mobile phone, then you might be creating a metadata history of your regular schedule, showing where and when you can be found.
Search engines and browsers
If you use Google as your search engine, then your search queries, results and pages you visited from those searches are all being captured by Google (and also stored on your hard drive in your internet cache). If you’d rather not have your search history mined for advertising opportunities, or worse, consider a search engine that doesn’t track you, such as DuckDuckGo, or a secure browser such as Tor (on a computer) or Red Onion (on iOS) or Onion Browser (on Android).
In a Word document, metadata might show who authored the document, when it was created and what software version was used, and — this is the important bit — embedded comments or previous changes. If you send a Word document to your opponent, do you check it for metadata? As a general rule, never send Word documents to others unless you intend they can see the metadata and edit the contents. Instead, you should routinely use PDF.
For the most part, metadata can’t be prevented, and can’t always be removed or avoided. For example, if you use a mobile phone, unless you turn it off, it will track your location to enable the network to identify which tower your handset should use for receiving calls and data. Likewise, emails will always include header information so the internet can route the message from the sender to the correct recipient. And even if you think you’re clever, and can remove metadata from your computer, you probably can’t. You’d be amazed at the amount of information stored on our computers, and attempts to remove stuff look like …
Understanding when metadata is generated, what type and what risks are associated with it will determine the appropriate response. For example, The Guardian offers a service for the truly worried (or paranoid) called Secure Drop, as does Freedom of the Press Foundation.
Keeping your confidential data confidential
Physically secure and track your devices
Your first layer of security is to restrict physical access to your devices, or to keep track of them.
If you have an Apple computer or device, turn on Find My iPhone under settings > iCloud > Find My iPhone. As long as your device has an internet connection, you can locate it, lock it or wipe it.
Passwords and data encryption
Turn on password protection on your devices. This will prevent casual or opportunistic access to computers, and for iOS devices, will completely encrypt them when they are secured. (Computer encryption is a must, and I’ll discuss that next.)
Choose a strong password (see also the EFF guide to password creation). Don’t choose one of the easy to remember passwords that everyone else chooses. And once you do start using strong passwords, consider an app to store and secure your passwords, so you can create multiple strong passwords, without trying to remember them all. I reckon 1Password is the best, but some folks also like LastPass. (You should also use two-factor authentication where possible with your passwords, either using Authy, or the new feature now available in 1Password. Don’t use the free Google Authenticator: it’s okay, but last year suffered a nasty glitch in one update that wiped all users’ authentication codes till a fix came up, and won’t work across multiple devices unlike the other apps I recommended.)
On iOS 9, choose Settings > Touch ID and Passcode (or it may be just Passcode). Turn off simple passcode to chose an alphanumeric password, and turn off erase data to prevent a thief from wiping your device, which wipes your Find my iPhone settings or other tracking software.
An incorrect code will result in progressively longer intervals before the device will unlock for a fresh attempt.
When a password is set, iOS automatically encrypts everything on your phone.
Once you do this, you might like Contact Lockscreen, an app that will allow you to display your contact details on the lock screen. It won’t stop opportunistic thieves, but it does allow an honest finder to find you and return your phone, even though it’s locked.
You could consider something like iFortress, but to be honest, I don’t know what that really adds to the encryption built-in to iOS.
Last, if you backup your iOS device on a computer using iTunes, make sure you encrypt those backups too, otherwise, an easy way for an adversary to get around the encryption on your device is to simply access your unencrypted backups which will contain everything your device does up to the point in time you last backed up.
In Windows, choose Control Panel > User Accounts and Family Safety > User Accounts. If your computer doesn’t have a password set, chose the option create a password for your account.
Make sure your computer is set to automatically lock when unattended, in Control Panel > Appearance and Personalization > Change screen saver.
Next, turn on full disk encryption. I run Windows in a virtualizer — VMWare to be precise — which allows me to encrypt my virtual Windows machine if I want. (But there’s no real need, given the virtual machine is inside my already-encrypted Mac hard disk.) But my version of Windows doesn’t have BitLocker, Microsoft’s native encryption software, so I can’t show you any screenshots of the setup. The Intercept has a detailed guide for using BitLocker. Otherwise, if you don’t want to spend money purchasing or upgrading to a version of Windows with BitLocker, consider installing the open-source DiskCryptor. Electronic Frontiers Foundation has an excellent how-to guide.
The current version of Mac OS X won’t let you create a user account without a password. Once you have set one up, make sure you require it to log-in to your Mac. Choose System Preferences > Users & Groups and then select your user profile. Click on login options and ensure automatic login is turned off.
You should also make sure that your computer will lock at some stage if you leave it unattended. To do this choose System Preferences > Security & Privacy > General and tick the checkbox next to require password after sleep or screen saver begins.
You can alter sleep or screen saver times in System Preferences > Desktop and Screen Saver.
Next, turn on full disk encryption, called FileVault by Apple. (Actually, this is FileVault 2, and in my experience, works unobtrusively and seamlessly. The original FileVault sucked. I lost access to my hard disk with the original File Vault. Fortunately, I had a backup I could restore from, but it was a major PIA.) You set this in System Preferences > Security & Privacy > FileVault. Turn it on, and set a recovery key. (I recommend against using iCloud recovery, so no one has the recovery key but you, and so no one but you can be compelled to compromise your encryption.)
Last, if you have a backup — you do have a backup, right? — make sure that’s also encrypted. Local backups using Apple’s TimeCapsule are easy enough to encrypt, and backup tools like SuperDuper or CarbonCopyCloner will simply make an exact copy, encryption and all, of the source.
Most cloud-based services have various degrees of encryption available, but many of those have the encryption key to unlock the data and can be forced to hand over data to law enforcement or security agencies, or even subject to hacking.
For cloud backups where you alone hold the encryption keys, so even the cloud provider cannot see your data even if it wants to, consider Tresorit, Viivo or SpiderOak. These three services also allow for access to encrypted files on iOS and Android devices, although access requires going through their apps and then decrypting onto your device. Viivo in particular is useful because it provides the ability to encrypt files inside DropBox.
The last step is to protect your communications, especially given our greatest vulnerability to illegal monitoring by various security agencies and also hacking by criminals can occur online.
Virtual private network
The first line of security is to use a virtual private network (VPN). VPNs have a varied reputation, depending on which vested interest you listen to. Like any tool, a VPN can be used for criminal purposes. It can also be used to circumvent geo-blocking (the process music and movie studios use to try to prevent international access to different markets, often in an attempt to artificially inflate local prices.) But for us, it’s use is in securing all our internet communications. Email, web browsing, app traffic, all protected from hacking or interception. Lawyers in particulare should not use public WiFi without using a VPN, unless you’re comfortable putting the security of your device at risk. And anyone who has passwords in their device should want to protect that information from nasties like those I mentioned earlier.
At it’s simplest, a VPN is a secure internet connection between your computer, and another computer, typically a server provided by a VPN provider.
Many commercial VPN providers offer servers in different countries. You can choose which country server to connect to, and all your internet traffic is sent via that server, intermingled with all the other VPN users connected to that server. Here’s an example taken from one VPN provider, tuvpn.com.
Not only does this make your internet connection appear to the wider internet to be coming from a different country, it makes it very difficult to identify your traffic from anyone else who is using the same server. Your host ISP can probably see that you’re connected to a VPN, but because it’s encrypted, can’t see the content of that communication. If the VPN provider keeps logs of your connection, it would be possible for someone to use those logs to identify your connection and the traffic you requested. Some VPNs take the privacy of their clients very seriously, and make a point of not keeping any such logs.
Here’s a brief explanation of VPNs from Google’s privacy team.
For a more detailed discussion of VPNs, check Gizmodo, and for a list of some recommended VPN providers, check out TorrentFreak’s annual review for 2015. I’ve personally used WiTopia, Express VPN and TorGuard and been happy with all. (Yes, TorrentFreak does focus on Bit Torrenting, but BitTorrent can be used to download copyright infringing material, but it can also be used for its original purpose of rapidly downloading large files from multiple peers. The BBC provided an example of this earlier this year when it offered episodes of Dr Who for sale and download via BitTorrent.)
Once you have a VPN, the trick to security is to keep it on when you’re connected to the internet.
There are different tools you can use for this. Both Windows and Mac have built-in software that can connect to a VPN, using two of the three types of VPN connections available: Point to Point Tunnelling Protocol (PPTP) or Layer 2 Tunelling Protocol (L2TP).
On a PC, go to Control Panel and search for VPN.
Choose Setup a virtual private network (VPN) connection.
From this point, the options can change slightly depending on the settings provided by the VPN provider. Most have how-to-guides on their websites.
On the Mac, choose System preferences > Network, select + in the lower-left corner to add a new service and choose VPN from the drop-down menu. Create the new connection, and then fill in the account details from the VPN provider.
In iOS, go to Settings > VPN, then Add VPN configuration, which will take you to second screen below. (If your device has never had a VPN setup before, you’ll need to navigate to Settings > General > VPN for the first time, and then the VPN option will appear in the main settings menu.)
After mucking around with VPNs for a while now, I reckon the best way to use them is to use the OpenVPN app. OpenVPN provides open-source software and so open for the encryption community to ensure there are no backdoors built in to it. (It’s not suitable for all purposes though: I discovered it was useless in China, because China blocks Open VPN ports, and so I had to resort to some other VPN wizadry to circumvent the Great Firewall of China.)
OpenVPN is a bit more complex to install, but is more secure, and (in my experience at least) the only way to reliably keep a persistent active connection. On the Mac, the best software to easily use it (or any VPN for that matter) is Viscosity.
And on an iOS device, the OpenVPN app is the only way to have a persistent VPN connection. All others activated in the setup menu will close when the iPhone or iPad goes into standby or auto-lock. Apple does this deliberately, because a persistent connection will drain your battery more quickly, and will use more data. The average (non-paranoid) user doesn’t require always-on encrypted internet communications, and would probably prefer to use less mobile data and have longer battery life.
Once you download the OpenVPN app, you then have to install the configurations from your VPN provider.
Either you have to (very laboriously) type in the configuration for each server, including the username and password (a bluetooth keyboard helps immensely), or the provider offers downloadable configurations with your username embedded in them, and you copy them across via iTunes. TorGuard used the first way; WiTopia the second. Some VPN providers now also have their own Apps, which do all this for you.
The great thing with the OpenVPN app is that once the connection is turned on, the App will keep it on, even if you move from WiFi to mobile data and back again. The only time I find my VPN drops out is if I lose any internet connection (such as going through an underground rail tunnel) and the authentication times out.
But once you have this installed, all your email, web browsing, and app data is encrypted, and safe from George Brandis’ prying eyes.
Secure web browsing
Where possible, use https — the secure version of hyper text transfer protocol (http) — to view websites. (This is the process most banks use on their sites, which on some browsers will show you a padlock symbol to indicate a secure web connection. EFF has a plug-in for Firefox and Chrome called https everywhere, which automatically turns on https for sites that support it.
And for seriously secure web browsing, use TOR (The Onion Router), or a TOR-compatible iOS browser such as Red Onion (free) or Onion Browser (paid). Tor is slower — much slower — than other web browsers and deliberately won’t run some services such as java and flash. But it is largely impossible to track users on Tor, so when security counts, it’s one of the best options out there. This is probably what Edward Snowden uses when he communicates with the outside world on computer.
You can read about Tor in more detail, but in simple terms it works like this.
There are several options to encrypt email.
The most common is to rely on certificates issued by Certification Authorities like Comodo or Symantec. It is perhaps the easiest to do on Windows, Mac and mobile devices, but typically requires an expensive annual subscription, and relies on the certification authority validating your identity (to be properly effective) and protecting your private keys.
A more complex but open-source option is to rely on PGP (pretty good privacy). Electronic Frontiers Foundation has detailed guides to installing and using PGP, and there’s an iOS app available to provide for PGP emails on iPhones and iPads.
Other alternatives are Enlocked, Virtru and Identillect. They are relatively easy to install and use, and often have plug-ins for Microsoft Outlook if you use that as your email client. Virtue and Identillect allow you to prevent emails from being forwarded. But, they all require you to route your email through their servers, and often require recipients to install the same software in order to receive emails, unlike PGP, which integrates with most mail clients.
Email encryption only works to encrypt the content of the email, but not the header. That means the addressees and subject data remains unencrypted and visible to whoever can gain access to the email.
Voice & messages
Apple’s FaceTime and iMessage provide encrypted communications which (so far) are not known to be subject to real-time interception.
Skype is reputedly capable of interception by the NSA, but is encrypted.
Silent Circle provides strong encrypted voice and message apps, but requires a fairly heft subscription, and offers a USA number only.
Wickr is a good messaging app, and allows the sender to set an auto-destruct on messages. It’s only shortcoming is that it’s not open-source, and so there has been no external verification of its security.
An open-source alternative for both iOS and Android devices is Signal, which offers encrypted voice calling and messaging across both platforms.
Although security and encryption are often described as a trade-off with convenience, with the exception of email encryption, most of the options I suggested are pretty easy to implement, and will go a long way to keeping your confidential information confidential.
They won’t protect you completely from monitoring and observation: that’s impossible, given the way telecommunications networks operate. For example, a VPN on your mobile phone won’t affect the metadata trial generated as your handset moves from one cell tower to another, disclosing its location to the mobile phone network so it’s possible for the phone to make and receive calls and data.
So too, an internet service provider (ISP) can see if we’re using a VPN, and the amount of data we use. It just doesn’t know the content of that data. But the VPN provider might.
And of course, just as all this encryption and security can keep others from your data, if you lose the keys or passwords needed to gain access to it, you will also be permanently locked out of your data! Make sure your keys and passwords are backed up and accessible in the event your devices fail or are lost, stolen or damaged, and that you have a backup of your data in the event of corruption!
For more info, check: