Here's some good news this holiday season: The new smartphone that's been sitting under your tree is probably more secure out-of-the-box than you might think.
That's because, over the past few months, both Apple Inc. and Google Inc. have announced improvements to the privacy protections on each company's smartphones, tablets and computers, encrypting the data stored on users' devices by default.
Full-device or full-disk encryption does a few very important things. It means that someone who gains physical access to your device without your knowledge – say, an abusive partner or family member or ill-intentioned friend – won't be able to access the files inside without your password or passcode (say, via software floating around the Internet that once made such things possible). It also means that law enforcement or government agencies that seize your device won't be able to gain access to the file's inside either – and neither Apple or Google will be able to help them.
It wasn't always like this. In the past, Android users running version 3.0 and up had to choose to enable encryption. It wasn't enabled by default. That's changed, starting with new Android devices running version 5.0. And while iPhones and iPads have long encrypted data such as e-mail with a user's passcode by default, things such as photos, text messages, contacts and call history were not.
The thing is, full-disk encryption has been around for years. So why is it only now making its way to consumer devices as a built-in feature, enabled by default, and not something the user has to purchase, enable or add-on?
From a technical perspective, mobile processors are powerful enough now to handle the computationally intense task of encryption, and flash storage is fast enough that users won't notice the extra time it takes to read and write encrypted data behind the scenes. But advances in hardware and software alone didn't get us here.
"One thing that several [U.S.] states have done in their data breach bills is include language that essentially says that if a company loses data and the data's encrypted, it's not considered a breach, and therefore they don't have to tell anyone," said Christophe Soghoian, principal technologist for the American Civil Liberties Union. "So those data breach laws have probably done more than anything else to push businesses to encrypting data."
In other words, if you lose your company phone or laptop, as long as it's encrypted, no big deal. And because consumer and company devices are basically one in the same now, their features too have begun to overlap. That means that things such as encryption – once considered enterprise-only – are now included, and often enabled, on consumer devices by default. That's pretty cool.
Of course, the needs of business users aren't the only impetus for consumer technology companies such as Apple and Google to make it harder for attackers, criminals, and even police to gain access to a user's files. There's a great deal of value in which brand of phone consumers perceive as secure and safe. Our phones are basically digital simulacrums of our lives now, which makes them attractive targets for abuse.
"We're seeing a lot more cyberstalking and Internet partner violence using things like StealthGenie," says Morgan Marquis-Boire, a senior researcher at The Citizen Lab in the University of Toronto's Munk School of Global Affairs, and director of security at First Look Media, parent company of The Intercept.
"Full-disk encryption helps protect people from that type of worry, right? Privacy isn't just about nation state threats. It's the ability to keep your data safe from the opportunist attacker, which may be far more of a physically real threat for some people."
But in many parts of the world, threats from law enforcement and government agencies are a concern. According to the Wall Street Journal, which has been reporting on the backlash from law enforcement that Apple and Google have received in response to their encryption plans, two-thirds of Apple's revenue is generated outside of the U.S., "where it says encryption is even more important to customers concerned about snooping by their governments."
The U.S. Supreme Court only ruled in June that police require a warrant to search the contents of phone during arrest. In Canada, the Supreme Court is expected to rule on a similar case soon. In many places around the world, police still do not require a warrant to search a user's phone, making full-disk encryption one form of defence.
Whether consumers are actually demanding this stuff is hard to say – but that shouldn't be taken as an indication such features aren't necessary.
"I think that consumers are expected to be their own CIOs, their CTOs, and they're ill-equipped for the job," Mr. Soghoian says. "And so they don't know about the risks. They don't know that there are these tools or solutions that are out there. And it's again, for that reason, that responsible companies build products that are secure out-of-the-box, because they know that people are never going to invest time into tweaking these obscure, secure settings."