Does encryption really shield you from government's prying eyes?
Encrypting data may not guard against surveillance, some experts say, while others argue in favor of taking steps to protect privacy
IDG News Service - If you're thinking about encrypting email in light of revelations about U.S. government spying, you may be wasting your time.
Recent leaks about surveillance efforts by the secretive National Security Agency have sparked a wide range of questions during the last week over online privacy, or lack thereof, as well as possible violations of the Constitution. But at this stage, the exact methods employed by the nation's top intelligence agencies to gather information in the interest of national security are still fuzzy.
At the very least, the NSA has confirmed that it is collecting Verizon phone records to examine their metadata and analyze call patterns between people. The NSA's Prism system apparently goes even further, reportedly accessing servers at Google, Apple, Microsoft, Facebook and other major companies, to collect data that the agency is storing for possible surveillance and investigations.
With such large amounts of personal data at stake, one question is the extent to which encryption -- a process for scrambling digital information so only certain groups of people can decipher it -- can succeed in shielding consumers from government surveillance.
The answer is complicated, and depends on the definition of "government surveillance," which is still not entirely clear. But for some security experts, encryption is a non-issue, period.
For instance, if the government is doing only what it claims to be doing with cellphone calls, which is performing traffic analysis to look at patterns and see where calls are coming from and going to, there are no good avenues for encrypting that, some say.
"The fact that I called you, or you called me, that has nothing to do with encryption," said security expert Bruce Schneier. "This is not communications eavesdropping. This is eavesdropping at the endpoints," he said.
Encrypting those endpoints is a lot harder than encrypting, say, emails or phone calls themselves, if not impossible outright, said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation. "You still have to tell the ISP that we want to talk to each other," he said. "You can't really scramble a phone number, because the company needs to know how to complete the call."
There are services for encrypting phone calls end to end, like Silent Circle, which announced discounts citing "overwhelming demand" for its services following the NSA spying reports. In addition to calls, the company also offers encrypted video, texting and email over its network. End-to-end encryption aims to encrypt information through all phases -- at rest, in transit and in use.
There are also RedPhone and TextSecure, two mobile apps made by open source developer WhisperSystems, for end-to-end encryption of phone calls and text messages, respectively. Cryptocat is another player.