The iPad Lawyer — Can You Really Be Secure? Encryption For The Rest of Us
“We can end government censorship in a decade. The solution to government surveillance is to encrypt everything.”
— Eric Schmidt, Executive Chairman, Google
“Encryption isn’t just a technical feature. It’s a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at every level.”
— James Comey, Director, Federal Bureau of Investigation
To encrypt? Or not to encrypt? That is today’s question.
We are constantly reading about people hacking into major companies and compromising your passwords, user names, and other personal information. Even photographs are no longer safe (remember the Fappening?). And there is a steady stream of reporting on the latest security flaw in our favorite operating systems, programs, and even apps.
Then, there’s the State Bar of California’s Formal Opinion 2010-179 wherein we were all warned that “data transmitted wirelessly can be intercepted and read with increasing ease.” Lawyers were reminded that they have a duty of competence that includes taking suitable steps to ensure confidentiality. That’s good advice for anyone in business. You can read the full opinion here: http://ethics.calbar.ca.gov/LinkClick.aspx?fileticket=wmqECiHp7h4%3D&tabid=837
What’s a tech-savvy, on-the-go, cutting-edge businessperson to do? Most of you don’t want to think about the concept of encrypting data, let alone touch it with a 10-foot pole. But do think about this — how many of you are now receiving what should be confidential communications through iMessage, private messages, social media, etc.?
The good news is that caring for the confidentiality of your data and communications has come a long way. It’s no longer complicated, perplexing, or overpriced.
Here are some simple (digging deeper than this would have resulted in an entire book by itself) security secrets for getting the most out of data protection on your iDevices without making your head explode:
- Enable data protection on your device. This is the simplest thing to do, and most of you aren’t doing it (shame on you). Go to Settings > General > Passcode. Then follow the prompts to create your passcode. I recommend you set your passcode to be required immediately. And I further recommend that you skip the simple passcode configuration (4 digits) and use a longer, alphanumeric passcode. (Yes, I know it’s more time-consuming, but how hard is it to figure out the year you were born or some other supposedly tricky 4-digit number? I’ve even seen people just use 1234 — seriously?!?!?)
- Understand the crypto-keys already built into your iDevice. Part of being technologically competent and meeting your ethical obligations is simply knowing what you already have and use. Apple has recently announced that it’s using stronger encryption in iOS 8 (that means you should have updated your iDevice’s operating system): “On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”
- Understand that there are still security bugs out there. Plan for them. This means starting to use encryption on some of your email transmittals. For those of you using Chrome and Gmail, there is a Chrome extension that encrypts all data leaving your browser. For those of you who still check email through a browser, start using https instead of http when entering the addresses for your online connections. For those of you with your own IT people, talk to them about using a VPN (a Virtual Private Network). Further, for those of you who use Exchange, those servers are likely already encrypting your data.
- Use secure passwords when you sign in. And stop using the same password for everything. Once a password is compromised, how hard do you think it will be for someone to try it out everywhere? I use 1Password Pro (https://agilebits.com/onepassword) as my password management tool. I have it on my iPhone, iPad, iPad Mini, MacBook, and iMac. Everything is synced through Dropbox (https://www.dropbox.com/). (I’ll talk about two-factor authentication in a moment.) When selecting a password manager, also find out if it is web-based (1Password is not).
- Turn on two-factor authentication and use built-in encryption for web-based providers. From Google to Dropbox to Apple ID, providers now offer you the option of turning on two-step/factor verification/authentication. DO IT NOW! You should be able to go to a provider’s website and, through that webpage, find the setting for turning it on (most do not have it ON by default). And don’t forget that some providers — like Evernote (https://evernote.com/) — offer you the ability to encrypt text from within a note (just highlight the text, right-click on that highlighted material, and then select “Encrypt Selected Text”).
- Have a plan of attack if your iDevice is lost or stolen. The last thing you want to do is panic. I’ve talked before about using the Find My iPhone App (https://itunes.apple.com/us/app/find-my-iphone/id376101648?mt=8). You should all have it for your iDevices. Not only will this app allow you to find your missing iPad or iPhone, Lost Mode lets you remotely lock your iDevice and even send a custom message and phone number to the missing iDevice’s screen. Of course, you can remotely wipe your entire iDevice if that seems appropriate.
- Start treating your iDevice like the treasure it is. Stop sitting on it. Stop tossing it. Stop setting it down anywhere and everywhere. Keep it away from water. Shall I go on? This is a highly sophisticated computer. And it’s an investment in you and your business. You might want to start treating your iDevice better.
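To put numbers on the passcode tip above, here is an added example (not part of the original column) that flags the weak 4-digit patterns the tip mentions and compares the size of the guessing space against a longer alphanumeric passcode. The sample passcodes are constructed for illustration, and the 94-character alphabet for non-numeric passcodes is an assumption.

```python
import math
import string
from datetime import date

# Constructed samples; only "1234" is mentioned in the article itself.
SAMPLES = ["1234", "1979", "7777", "8350", "Brief#Case-2014!x"]

def search_space(passcode):
    """Candidates an attacker must cover for this length and alphabet."""
    if passcode.isdigit():
        alphabet = 10
    else:
        # Assumption: drawn from ASCII letters, digits and punctuation (94).
        alphabet = len(string.ascii_letters + string.digits + string.punctuation)
    return alphabet ** len(passcode)

def weaknesses(passcode, this_year=None):
    """Return the guessable patterns found in a passcode."""
    this_year = this_year or date.today().year
    found = []
    if passcode.isdigit() and len(passcode) == 4:
        found.append("simple 4-digit passcode")
        if 1900 <= int(passcode) <= this_year:
            found.append("looks like a birth year or other date")
    if passcode.isdigit() and len(passcode) > 1:
        # Differences between neighbouring digits reveal runs and repeats.
        steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
        if steps in ({1}, {-1}):
            found.append("ascending or descending sequence")
        if steps == {0}:
            found.append("single repeated digit")
    return found

def audit(passcode):
    """Summarise strength as bits of guessing work plus any weak patterns."""
    return {
        "bits": round(math.log2(search_space(passcode)), 1),
        "weaknesses": weaknesses(passcode),
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit(sample)
        flags = "; ".join(result["weaknesses"]) or "no weak pattern found"
        print(f"{sample!r}: ~{result['bits']} bits, {flags}")
```

Every 4-digit passcode sits at roughly 13 bits of guessing work no matter how clever the digits look, while the 17-character sample exceeds 100 bits.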
Complete yet easy data protection is not quite here. By following some simple and secure workflow habits, you can still have peace of mind against the most casual of data attacks. It all really starts with changing the way you think about security. (Hint: The ostrich approach no longer works.)
Let’s take this conversation further . . . I’d love to know your thoughts on what I’ve written.