In light of increasing concern that attorney-client data may be at risk of being seen by the NSA, we recently covered how to encrypt your attorney-client communications and how to ensure that your Internet surfing remains anonymous.
However, it is likely much of your digital communication takes place entirely outside of the traditional desktop web browser/email model. We now use our smartphones not only to make phone calls but to email, surf the web, and store data. We use our computers to make phone and video calls with Skype and other voice over internet protocol (VoIP) services. We also chat using Google Talk and Facebook, among other services.
How do we keep our communications secure and encrypted in those arenas? Unfortunately, we only do so using a patchwork hodgepodge of applications and services, and the availability of those is largely dependent, of course, on which type of operating system you are using. Here are some of the most easily available and accessible options.
Securing Your Smartphone
At a bare minimum, keeping the contents of your smartphone encrypted is key. As of the introduction of iOS 8, Apple now automatically encrypts your mail, texts, photos, and call records in a way that even the FBI will have trouble penetrating. Your passcode (and you should really be using a strong alphanumeric passcode, not the simple 4-digit one you’re probably using) is combined with a set of secret numbers to create an encryption key.
Perhaps more importantly, this encryption scheme cannot be unlocked by Apple, even if they are ordered to do so by a court, because the structure of the encryption — your passcode plus secret numbers baked into your phone — isn’t known by Apple. This is a huge step forward for data security and privacy. Finally, it also means that even if someone steals your phone and physically cracks it open, the data on the phone is nothing but garbage without your password. Apple says that if you use a six-digit alphanumeric password, brute force cracking could take upward of five years.
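To make the passcode-plus-device-secret idea concrete, here is an added sketch (not Apple's code and not from the original post) that derives a key from a passcode and a per-device secret and estimates worst-case guessing time for several passcode shapes. PBKDF2, the sample secrets, and the roughly 80 ms cost per on-device guess are assumptions of this example.

```python
import hashlib
import string

# Assumption: each guess costs ~80 ms because the slow key derivation must
# run on the phone itself (the device secret never leaves the hardware).
SECONDS_PER_GUESS = 0.08
SECONDS_PER_YEAR = 365.25 * 24 * 3600
LOWER_ALNUM = string.ascii_lowercase + string.digits


def derive_key(passcode: str, device_secret: bytes, iterations: int = 200_000) -> bytes:
    """Mix a passcode with a per-device secret into a 256-bit key.

    PBKDF2-HMAC-SHA256 is a stand-in for the phone's hardware-bound
    derivation; device_secret plays the role of the "secret numbers".
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_secret, iterations)


def worst_case_seconds(alphabet: str, length: int) -> float:
    """Time to try every passcode of this shape, one on-device guess at a time."""
    return (len(set(alphabet)) ** length) * SECONDS_PER_GUESS


def report() -> dict:
    """Worst-case exhaustive-search time, in seconds, per passcode policy."""
    policies = {
        "4-digit PIN": (string.digits, 4),
        "6-digit PIN": (string.digits, 6),
        "6-char lowercase+digits": (LOWER_ALNUM, 6),
        "8-char lowercase+digits": (LOWER_ALNUM, 8),
    }
    return {name: worst_case_seconds(a, n) for name, (a, n) in policies.items()}


if __name__ == "__main__":
    # Constructed device secrets: the same passcode on two phones gives two keys,
    # so data copied off one phone cannot be unlocked with a key made elsewhere.
    phone_a, phone_b = bytes([0xA5]) * 32, bytes([0x5A]) * 32
    print("keys differ across devices:",
          derive_key("blue42", phone_a) != derive_key("blue42", phone_b))
    for name, secs in report().items():
        print(f"{name:26s} {secs:>18,.0f} s = {secs / SECONDS_PER_YEAR:>10,.2f} years")
```

Under these assumptions a 4-digit PIN is exhausted in minutes, while six lowercase letters and digits takes years, which is why the passcode choice matters more than the encryption itself.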
In September 2014, Google announced that it would provide the same level of encryption found in iOS 8 in all upcoming Android OS releases. If you are running existing Android versions like Jelly Bean and Kit Kat, you can still encrypt your device via Android’s existing menu. Go to Settings –> Security –> Screen Lock and proceed from there to choose a password and encrypt the device. There are two minor downsides:
- Encrypting the entire phone can take a while, so plan on 30 minutes or so and the phone restarting a few times.
- If you later wish you hadn’t encrypted your data, you cannot undo the encryption. You will need to perform a factory reset, which will wipe your device.
If you are sending email using your smartphone, you will want to take steps to encrypt that email as if you were emailing from your desktop. On an iPhone, you can do so via Apple’s Mail client, which has support for encrypted email. However, as with encrypting email from your desktop or laptop, you will need to get a digital certificate from email recipients and install and trust that certificate to allow for message encryption. If you would rather use the widely revered open source encryption scheme PGP (Pretty Good Privacy), you can use the IPGMail app, which integrates with both Dropbox and iOS Mail. Using the app, however, still won’t obviate the need to have your recipient provide certificates and encrypt their own email traffic.
Given that Android’s app market is less locked-down and more developer-friendly than Apple’s, it is not surprising that there are a number of applications that will allow you to encrypt your email traffic. The well-regarded Guardian Project, which specializes in creating secure, private, and open source apps, developed the Gnu Privacy Guard app, which uses the GnuPG encryption standard. The Privacy Guard app will encrypt emails and the files attached to them. You can also, if you are feeling brave, run it from the command line for maximum flexibility, though that is probably a bit much.
Overall, your use of these apps on iPhone or Android shouldn’t change much of your email user experience as they are designed to function in the background. However, that seamlessness will only be achieved if your email correspondents are also using the same encryption standards, which may be a non-starter in terms of your client base.
We’ve already discussed that traffic analysis makes it possible to determine who you are and, roughly, where you are from using your IP header. If that is the sort of thing you want or need obscured, you will either need to refrain from surfing via your phone’s web browser or use a browser that scrambles your header info. One of the leading desktop-based browsers, Tor, also has mobile versions for both iOS and Android.
On iOS, you can use The Onion Browser app, and it will block cookies, hide your IP address, and tunnel your traffic using the Tor network. However, it will also block video streams and other similar multimedia sites, precisely because those things can bypass Tor. As such, it is not likely that you would want to use The Onion Browser as a complete browser solution for your phone, but it is something you may wish to keep handy for secure communication needs.
On Android, you can configure Firefox mobile to browse privately, delete browser history and cookies, disable plugins, and tell sites you do not wish to be tracked. For greater security, you can install Orbot, which uses Tor to encrypt and hide your traffic. Orbot also integrates with Android’s official Twitter client so that you can tweet anonymously.
VoIP Services For Both Desktop And Mobile Calls
Skype is likely the most well-known VoIP provider, in large part because it operates on nearly every desktop and mobile OS. Skype allows you to place video and voice calls across the Internet rather than going through a phone line. Skype has a freemium model, which means that some types of communications are free, while other features require payment.
Skype states it does encrypt voice and video communications, file transfers, and instant messages. If you place a call via Skype to a mobile or landline phone, rather than another Skype user, any part of that communication that takes place via the ordinary phone network will not be encrypted. However, Skype uses closed-source software, so privacy advocates note there is no way of verifying whether Skype actually does encrypt.
Even if you love Skype for video chatting, it is unlikely you want to use it as your primary mode of communication on your smartphone. So, if you would like to be dead certain that your voice calls are encrypted when you use your smartphone to make a call, there are open source options. Open source, in this instance, isn’t just philosophically appealing — it allows a user to actually verify the encryption and security by auditing the code.
iOS users can choose to use the free Signal app, developed by the open source software group Open Whisper Systems. WIRED tested the app a few months ago and said their test calls were “indistinguishable from any other phone call.” Users know they are being encrypted thanks to a pair of words that appear on the phone’s screen. You read those terms to the person on the other end of your call to authenticate. If your words match, you can be certain your call is encrypted.
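Why reading two words aloud works, as an added sketch (not Signal's code and not from the original post): each phone hashes the call key it negotiated and shows two words derived from that hash, so a party sitting in the middle, who ends up with a different key on each side, produces mismatched words. The toy Diffie-Hellman group, the syllable word list, and all key values are constructed for this example.

```python
import hashlib

# Toy Diffie-Hellman group, for illustration only (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

# Constructed syllable tables: 16 x 16 = 256 short "words", one per byte value.
ONSETS = "b d f g h j k l m n p r s t v z".split()
RIMES = "a e i o u an en in on un ar er ir or ur am".split()


def public_key(private: int) -> int:
    return pow(G, private, P)


def shared_secret(my_private: int, their_public: int) -> bytes:
    return pow(their_public, my_private, P).to_bytes(16, "big")


def sas_words(secret: bytes) -> tuple:
    """Turn the first two bytes of a hash of the call key into two words."""
    digest = hashlib.sha256(b"sas-demo" + secret).digest()
    return tuple(ONSETS[b >> 4] + RIMES[b & 0x0F] for b in digest[:2])


def direct_call(a_priv: int, b_priv: int):
    """Both phones exchange public keys directly; returns (Alice's, Bob's) words."""
    a_pub, b_pub = public_key(a_priv), public_key(b_priv)
    return sas_words(shared_secret(a_priv, b_pub)), sas_words(shared_secret(b_priv, a_pub))


def intercepted_call(a_priv: int, b_priv: int, m_priv: int):
    """A middle party substitutes its own public key towards both phones."""
    m_pub = public_key(m_priv)
    return sas_words(shared_secret(a_priv, m_pub)), sas_words(shared_secret(b_priv, m_pub))


if __name__ == "__main__":
    # Constructed private keys; real clients draw these at random per call.
    alice, bob, middle = 0x1F3A9C77D2, 0x2B84E0156F, 0x3C59A2B81D
    print("direct:     ", direct_call(alice, bob))
    print("intercepted:", intercepted_call(alice, bob, middle))
```

The check only protects the call if both people actually read the words to each other and hang up when they differ.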
Android users have a number of VoIP options for encrypted phone calls. One of these, RedPhone, is also developed by Open Whisper Systems and is free. RedPhone uses your phone’s data connection, encrypts calls end-to-end, and lets you use your regular phone number.
Secure Chat Services For Desktop And Mobile
Using Google Talk, Facebook Messenger, and other real-time chat messenger services is a very appealing way to communicate with colleagues and, perhaps, clients. However, by default, those communications are not encrypted. In order to ensure encryption, you need to chat via a third-party chat provider. Mac users can install Adium, while Windows users can use Pidgin. These external chat clients function exactly as chatting in Google or Facebook does, but they offer the added benefit of being able to incorporate the OTR (Off The Record) messaging plugin. (OTR functionality is actually already baked into Adium for Mac.)
OTR generates an encryption key for you that you will store locally. Anyone you chat with must also be using OTR, and that user needs their own encryption key. It is easiest if you use Pidgin or Adium as your chat client, but if you prefer using Facebook or Google’s services directly instead, you will want to disable the web interface while doing so, or you won’t have the benefit of the encryption.
Finally, OTR will only encrypt your chat. It cannot encrypt your metadata, such as the date and time your messages are sent. For maximum security concerning metadata, consider using a chat service like Riseup, which allows access through their own secure VPN, or walks you through how to set up Tor as a hidden service.
All of this concern about security may seem overblown at most or overly complicated at least. However, new tools arrive every day to help simplify and automate the process of encrypting and securing your data, which makes the entire affair less daunting. We have to remember that we are in a profession that places the sanctity and security of client data above all else, and that requires we take affirmative steps to keep up with technology and protect that data.
Apps Mentioned in this Post
- IPGMail – iOS
- Gnu Privacy Guard App – Android
- The Onion Browser App – iOS
- Orbot – Android
- Signal – iOS
- Cellcrypt – Android and iOS
- Ostel – All platforms
- Redphone – Android
- Adium – OS X
- Pidgin – Windows, OS X, and Ubuntu
- Off-the-Record Messaging – Windows, OS X, and Ubuntu
- Riseup Chat
- Gibberbot – Android
- ChatSecure – iOS