Remember in Dan Brown’s novel Digital Fortress, when NSA agent Susan Fletcher is trying to figure out why their famed supercomputer (‘TRANSLTR’) is taking forever to decrypt a seemingly innocuous code? Turns out the ‘code’ was actually a worm designed to bring down the supercomputer, written by an ex-NSA agent who was unhappy with the NSA being privy to the personal communication of millions of people over the world.
Turns out, the NSA are huge Dan Brown fans
In an eerily similar series of events, the NSA (National Security Agency, USA) was found to have conducted mass electronic surveillance across internet services such as Google, Facebook, Yahoo, Amazon etc. The real-life analogue to Dan Brown’s tragic hero, played by a 29 year old ex-NSA agent, Edward Snowden, stated that the reason behind leaking the documents which made this big reveal was that he didn’t wish to live in a society that indulges in such unethical practices. Snowden fled the US, seeking political asylum in a number of countries, as his home country launched an all-out manhunt to track him down.
A wake up call
In response to these leaks last year, several experts began stressing the importance of securing your personal data and communications from eternal surveillance, chiefly by encrypting it. Encrypted data can only be read by someone who has a ‘key’ to it – a password that unlocks the true contents of the message. While encryption isn’t a one-stop solution, it’s better than nothing. However, as is always the case, increased security comes at the cost performance overheads. Encryption isn’t fool-proof, nor can everything be encrypted. Take WhatsApp, It stores chats in an encrypted database on the phone’s local storage. As a proof of concept, a hacker gained access to the encryption keys and was able to read all the user’s chat messages in cleartext. (http://dgit.in/WhatsAppHack) In theory, this means any app installed on your phone can read/modify/upload these chats to an external server and wreck havoc with your confidential data.
The vaults of the new age
A number of security-conscious companies and individuals expressed concern over the heightened surveillance, and nearly a year later, we’re seeing the fruits of their effort. Secure smartphones such as Silent Circle’s BlackPhone and Boeing’s Black, as well as encryption-focussed hardware are making themselves seen and heard in the market. These devices usually feature secure, encrypted communication channels as well as features that make the device tamper-proof. Koolspan has a product called the TrustedChip, a chip that can be plugged into the microSD card slot of an Android phone, which features an encryption engine that encrypts all data transactions on the device.
The Boeing Black
Boeing, the American aircraft manufacturer, recently unveiled the Boeing Black, an Android based smartphone aimed at industries requiring a high level of secrecy, such as defence establishments and government agencies. Its specs are fairly standard for a mid-range smartphone – a 4.3” qHD display with a resolution of 960×540, a dual-core 1.2GHz ARM v9 CPU, a 1590mAh battery and a dual-SIM supporting both GSM and CDMA networks. What’s special about it, is that it runs a custom version of Android that includes a “Hardware Encryption Engine” that encrypts the local flash storage, as well as any data transmitted from the device. The back panel of the device can be customized to feature a solar-charger, a biometric scanner and even satellite transceivers. A feature called the “Hardware Root of Trust” verifies the authenticity of any software/apps that are installed on the device through a set of digital signatures, while a Secure Boot feature ensures that only secure and approved system images can be booted on the device. If the system image is modified in any manner by an unauthorized source, the device will simply refuse to boot. The real clincher, though, is its self-destruct feature – the phone uses a special casing, that if tampered with, will trigger a series of functions that will erase all data contained on the device.
The alternative: Blackphone
While Boeing’s Black isn’t open to regular customers, a more viable option for privacy conscious customers is the Blackphone. BlackPhone, the product, is an Android-based smartphone that provides secure texts and voice and video calls to its subscribers. (Blackphone, the company that sells and supports the $629 device, has as its co-founder Phil Zimmerman, who invented the PGP encryption algorithm in 1991, which is still the most popular encryption method for securing emails, files and even whole disk drives.) The Blackphone will be manufactured by niche smartphone maker Geeksphone, while Silent Circle, known for its suite of secure communication apps, will provide the software. The Operating System on the phone, is a version of Android stripped of all Google services, called PrivatOS. Baked into the OS itself, are Silent Circle’s flagship apps – Silent Phone, which provides encrypted voice and video calls, Silent Text which has encrypted messaging, and Silent Contacts which guards your contacts from apps trying to illicitly upload your contacts to their servers. While these apps can be used on any Android/iOS phone by purchasing a subscription, the Silent Phone comes bundled with a free, 2 year subscription to Silent Circle’s suite of apps, a subscription to SpiderOak’s encrypted cloud storage service and Disconnect, an app that anonymizes your search queries on Google and Bing by routing the traffic through a VPN
The phone itself features some powerful specs – a 4.7” 720p screen, a 2GHz processor, 16GB of onboard (non-expandable) storage and an 8MP camera. The phone doesn’t use any proprietary hardware, which means most of the platform code will be open sourced, allowing independent engineers to audit and patch the code against any security loopholes. Given that most Android malware ships in the form of innocent looking apps that demand access to an overwhelming list of permissions, Blackphone’s PrivatOS includes a full-fledged Security Center that gives you fine-grained control over the data your apps can access. You can individually allow and deny access to permissions on a per-app basis, unlike stock Android which forces you to either accept or decline a blanket list of permissions. While the founders warn that no device can be considered ‘NSA-proof’, the Blackphone is a firm step in the right direction.
The TrustChip
If you’d rather not give up your existing smartphone, Koolspan’s TrustChip is a $119 hardware-based encrypted communications medium. The TrustChip is basically a chip that fits into any standard SD card slot. Once installed, it can be used to securely communicate with other users who’ve installed the chip. TrustChip also includes TrustGroups that allows Group Administrators to selectively disable or enable features and implement security policies for the group. For phones that don’t have a microSD slot (for e.g. iPhones), a special accessory called a TrustSleeve can be attached to the phone. The TrustSleeve also functions as an extended battery pack. In order to call other users of TrustChip, users will have to use a special app on their smartphone. The TrustCall secure calling feature requires a $25 monthly subscription fee per subscriber.
What can you do?
While most of the anti-snooping devices listed above aren’t available in India, that doesn’t mean one should get complacent and ignore the issue altogether. There are a lot of tools and apps that you can use (many of them free of cost) that can significantly raise the barrier against digital spying. For starters, use HTTPS Everywhere (http://dgit.in/HTTPSeverywhere) a browser add-on for Chrome, Firefox and Opera that enforces the secure HTTPS protocol on all sites that support it. If you frequently store sensitive data on your local hard disk, TrueCrypt (http://dgit.in/Truecrypt) is an open source, cross platform disk encryption utility for Windows, Mac OS X and Linux. It works by creating virtual drive partitions that are completely encrypted using the military-grade AES-256 encryption standard. TrueCrypt can also encrypt external media like pen drives or external hard drives. Alternatively, certain versions of Windows 7 and 8 include the BitLocker disk encryption tool, while Mac users can use the FileVault utility. For sensitive files stored in cloud services like Dropbox and Google Drive, BoxCryptor is a tool that perform on-the-fly encryption on a file-by-file basis, rather than encrypting an entire drive (http://dgit.in/BoxCryptor). SecureGmail is a Chrome extension that encrypts emails sent through Gmail. While sending an email, enter a passphrase to encrypt the email is created. (http://dgit.in/SecureMail). The sender will then have to use the same passphrase to unlock the contents of that email message. Microsoft Outlook has a built-in encryption feature that uses Digital Signatures to verify the authenticity of the mail. The recipient must possess a digital signature similar to the one the sender has to read the contents of the message. Microsoft has instructions to set up this feature on http://dgit.in/OutlookEncryption.
While no device or software is going to be 100% secure from attacks or unauthorized surveillance, it’s the responsibility of every netizen to ensure that one’s private correspondence remains private. Even law-abiding citizens have reason to be concerned about the heightened data collection, both by corporations and government bodies, for this type of confidential data could be lethal in the wrong hands. Encryption is just one of the steps you can take, and like we said earlier, it’s not foolproof. Still, it’s a lot better than the alternative – being a data-spewing firehose every time you go online.