Cryptography is coming out of the woodwork. June saw the release of the Blackphone on the shelves of Dutch telecoms operator KPN. Designed for the general public, this secure smartphone is based on a modified, secure version of the Android operating system. It comes with pre-installed apps that guarantee security for calls (Silent Phone), texts (Silent Text) and contacts (Silent Contacts). But privacy doesn’t come cheap: the phone retails for $629.
Encryption has also made its way into television programs, with the omniscient machine in Person of Interest. And in this year’s blockbuster video game, Watch Dogs, set in a dark version of Chicago, a lone hacker takes on a company that spies on phones, laptops and cameras. Even jargon that was traditionally understood only by geeks – Trojan Horses, viruses and backdoors – is now common parlance. All thanks to Edward Snowdon’s revelations of wholesale U.S. and British
government spying on individuals around the world.
Cryptography for the masses
Stepping in quickly to profit from the trend, companies are offering a variety of user-friendly encryption products to guarantee personal privacy for the masses. Enigmabox, released in Switzerland in 2013, promises to make digital lives anonymous, allowing its users to remain “under the radar”. The plug-and-play device is installed between a router and a computer, where it diverts Internet traffic to one of the company’s VPN servers, which keep no records of their connections. Data is encrypted within the device and protected by a key known only to the user.
Web sites visited and user-entered data are secure, as are Internet calls and email messages – as long as those on the receiving end also have an Enigmabox. ProtonMail, released in May, is a secure online messaging service developed by researchers at Harvard, MIT and CERN. Its developers claim that it is as easy to use as Gmail and works with any browser.
ProtonMail, released in May, is a secure online messaging service developed by researchers at Harvard, MIT and CERN. Its developers claim that it is as easy to use as Gmail and works with any browser. ProtonMail is compatible with other messaging systems, allowing users to send and receive encrypted email even if their contacts are not using the service.
It did not take long, though, for ProtonMail to hit a wall. Two months after its release, the start-up’s PayPal account was frozen; PayPal questioned whether or not it had “obtained government permission” to encrypt email messages.
Blackphone, manufactured by a Spanish company, has installed its headquarters in Switzerland, along with ProtonMail and Enigmabox. This is no coincidence: Switzerland has a reputation for discretion, a favourable legal framework and technical expertise. The country is also making a name for itself in the market for secure data centres; some servers are even buried in a former military bunker deep beneath the Alps.
Tanja Lange, a cryptography expert at the Eindhoven University of Technology (TU/e)
“One of the lessons of the Snowden affair was that even governments were involved in industrial espionage.”
Easy-to-use interfaces
Unlike previous systems understood only by experts, the new projects hope to make encryption widely accessible thanks to user-friendly interfaces that hide the technical details. The best-known email encryption software, PGP, is still usable only by a limited audience because it is austere, complex and lacks such basic functions as searching through
old messages.
“There’s no reason to deny people the possibility of protecting their devices,” says Lars Ramkilde, professor at the Technical University of Denmark (DTU) in Copenhagen. “The systems just have to be efficient enough that users are unaware that their data are constantly being encrypted.” Ramkilde has created Dencrypt, a smartphone app for secure Internet conversations. “The climate has changed, and the demand for privacy is increasing. To a certain extent, Snowden has created a new market.”
Dencrypt is based on a dynamic encryption technique: the app changes its encryption protocol with each new use, instead of always using the same standard method. “By far the most commonly used algorithm is the Advanced Encryption Standard (AES),” says Ramkilde. “It was developed in the U.S. in the 2000s, and hackers have had plenty of time since then to improve their decryption programs. If your encryption method changes every time you use it, it becomes much more difficult to get around.”
Even with the advent of these new products geared for the public, the most lucrative target for specialised companies remains the professional world. “One of the lessons of the Snowden affair was that even governments were involved in industrial espionage,” says Tanja Lange, a cryptography expert at the Eindhoven University of Technology (TU/e) in the Netherlands. “Company executives realised that investing in secure phones would protect their strategies and innovations.” Fabien Jacquier, founder of the Swiss information-security company Kyos, agrees. “We have a few wealthy individuals among our clientèle, but our main market is companies. Developing high-end solutions for the public would entail huge development costs and considerable marketing effort.”
Confidence and concern
For now, “most people still think their exchanges are secure, even though an email is more like a postcard than a letter in an envelope,” says TU/e researcher Lange. École Polytechnique Fédérale de Lausanne (EPFL) cryptography expert Arjen Lenstra believes that caution is a good thing. “As soon as you type any kind of data into a keyboard of an electronic device you instantly lose control of that data. Making the public aware of this is scary but healthy.” And the NSA’s breaches of privacy are only the tip of the iceberg. “The HeartBleed bug discovered in the spring of 2014 compromised the security of one third of the planet’s passwords over a two-year period,” says Kyos’ Jacquier. “It was a massive security breach.”
Encryption protocols are based on mathematics, making them in principle almost impossible to break. But in practice, security is never guaranteed. “Encrypting data can make things more complicated, but it would be naïve to believe that you can keep a secret for a long time from a truly motivated hacker,” says EPFL’s Lenstra. “No one can guarantee absolute security,” adds DTU’s Ramkilde.
Nonetheless, even limited protection is important. “The goal is not to insist on building an inviolable system, that’s illusory,” says Jacquier. “It’s more about sufficiently complicating the hacker’s job so that he moves on to an easier target. Just like you discourage a thief by putting up an armoured door.”