COMPLEX TECH: Are you protecting your (and your client's) data with encryption?
/Well? If you aren't entirely clear on what is meant by "encryption," you need to be. If you understand encryption and aren't using it, are you waiting for a data breach or loss before you actually implement any form of encryption security? Depending upon your level of tech know-how, you should either be learning about encryption or using it.
Consider the recent Ninth Circuit decision in United States v. Arnold. In that opinion, the Ninth Circuit held that border patrol agents can search your laptop or other digital device without limitation when you are entering the country. The Electronic Frontier Foundation suggest encryption as one solution: "If you encrypt your hard drive with strong crypto, it will be prohibitively expensive for CBP to access your confidential information." (Jennifer Granick, Protecting Yourself From Suspicionless Searches While Traveling (May 1, 2008) www.eff.org.)
But you don't travel outside the country with a laptop, so United States v. Arnold doesn't impress. So consider this hypothetical that probably hits close to home for many attorneys. You are at Big Firm's offices for endless days of deposition testimony in a massive toxic chemical spill case. Big Firm graciously provides an open wireless network for you to access while in their offices. You don't know anything about WiFi, other than your Windows laptop is set to look for open WiFi networks and connect automatically. It seems to work every time you go to offices like Big Firm's, so you don't worry about it. You surf the Internet during breaks, you log onto your office e-mail server, you check your bank account balance online, all with not a care in the world. But did you know that all your wireless data is flying through the air in an unencrypted format that any junior high school hacker could capture and analyze. You might luck out if some of the sites you visit use SSL encryption for password submission, but you are basically operating your computer out in the open. Even Big Firm's IT staff could be reading and recording your transmissions...
Subsequent posts in the COMPLEX TECH series (i.e., those posts that follow after this very first post under the COMPLEX TECH moniker) will identify some specific encryption options. But for now, a simplified explanation of what is meant by "encryption." In grade school you likely discovered the substitution cypher. A simple substitution cypher is created by writing down the alphabet and then writing a second copy of the alphabet under the first shifted over by an arbitrary number. For example, if you shift two letters right, your second alphabet's "A" appears under the "C" of the first. Your second alphabet's "B" appears under the "D" of the first, and so on. When you get to the end of the first alphabet, you wrap back around to the beginning. The second alphabet is used to encode a message. First, you write out your message. Next, you find each letter of your message in your first alphabet and record those letters. The result is that the original message is replaced with a set of letters that have been shifted using your "key." The problem with substitution cyphers is that they are incredibly easy to crack, even without computers.
In WWII, the Germans created the Enigma machine, which created encoded messages that were very hard to break. Essentially, the machine used a substitution cypher that changed every time a key was typed on the keyboard. In other words, every letter was encoded with a different substitution cypher. But even that complex encoding system was cracked without the use of the computing power available today.
Encryption techniques used today take data and either divide it into blocks, scrambling and obscuring each block individually, or convert a block of text into a large number and perform mathematical operations on that number with other huge numbers. The important piece of information that you should take from this discussion is that secure encryption methods, like PGP, are believed at present to be secure from all decryption techniques, or so secure that only governments with the highest level of technical know-how could every crack the encryption technique (it is generally believed that if PGP is breakable, perhaps only the NSA is capable of doing so).
Stay tuned for more encryption discussions in the COMPLEX TECH series.