Data Protection Archives - PC Tech Magazine https://pctechmag.com/topics/data-protection/ Uganda Technology News, Analysis & Product Reviews Mon, 18 Nov 2024 07:21:46 +0000 en-US hourly 1 https://i0.wp.com/pctechmag.com/wp-content/uploads/2015/08/pctech-subscribe.png?fit=32%2C32&ssl=1 Data Protection Archives - PC Tech Magazine https://pctechmag.com/topics/data-protection/ 32 32 168022664 Building a Strong Data Protection Framework: Best Practices, Regulations, and Benefits for Businesses https://pctechmag.com/2024/11/how-to-build-a-strong-data-protection-framework/ Mon, 18 Nov 2024 07:21:46 +0000 https://pctechmag.com/?p=80878 Organizations use data protection as one of the vital aspects of performing their business activities.

The post Building a Strong Data Protection Framework: Best Practices, Regulations, and Benefits for Businesses appeared first on PC Tech Magazine.

]]>
One factor that is worth noting is that the amount of data being protected in the world where information flow is maximized has attracted a lot of attention. Given that numerous commercial organizations are using data for decision-making processes, improving the client’s experience, and maintaining business processes efficiently, data protection has become critically important for various organizations and companies. Data protection is about some fundamental principles, best practices, and choosing the right solutions to secure valuable data.

What is data protection?

Data security can be defined as the general practice of safeguarding information against espionage, theft, disclosure, and obliteration. It embraces a wide spectrum of measures as straightforward as the application of specific technical countermeasures and as complex as the establishment of sound policies and procedures. This will help foster continuity of business, help organizations retain their customer base, and avoid embarrassing data leakage or failure to meet regulations.

By restricting data access control and data encryption to carrying out periodical audits and administrative compliance, Privacy Engine allows a business to implement successful strategies and fulfill its goals associated with data safety.

Key principles of data protection

Understanding these principles can help organizations shape policies and procedures that align with regulatory requirements:

  1. Lawfulness, fairness, and transparency:

Data needs to be processed lawfully, fairly and in a transparent way within the organization. This entails the ability to reveal why data is gathered, how it is going to be processed and the abilities of an individual in relation to their data.

  1. Purpose limitation

Personal data should only be processed for the purposes for which the data subject has voluntarily given his consent or which has been communicated to him, specifying the exact scope of the processing operation. In the same sense, organizations have to restrict the use of data within the stated or intended aim and must not process data for any other purpose.

  1. Data minimization

Any data should only be gathered and processed to the extent necessary to realize the intended goal of an organization. It can reduce substantially the frequency of leakage and of unauthorized access to sensitive information.

  1. Accuracy

There is a legal requirement to ensure that data is accurate, supply chain data must be current and retained for only a short duration. The goal of every data check-sheets includes a series of standard data audits and validation.

  1. Storage limitation

An important guideline that has to be followed especially when using large amounts of data is that such data must be kept for only as long as is necessary. One of the problems associated with large amounts of data is that there is a high potential for hacking.

  1. Integrity and confidentiality

Companies need to ensure that their data is guarded from input, processing, output, and storage by unauthorized personnel. This includes encryption, use of access controls, and transfer of data properly.

Importance of data protection for organizations

The companies that pay special attention to the protection of the data can also gain in terms of efficiency of operations and overall competitive advantage within the market. The following are good reasons why data protection is important for organizations:

  • Enhanced customer trust and loyalty

This poses a great risk to most firms and corporations as amassing data breaches and violating the privacy of the customers are likely to cause the customers to shift loyalty to new business entities. Thus, the focus on data protection is important to establish and strengthen the relationships with the customers.

  • Regulatory compliance

Violate data protection laws and regulations and you are exposing yourself to massive fines, legal consequences and reputational losses. Such impacts from organizations are prevented from influencing organizations by enforcing acceptable measures of data protection.

  • Mitigation of security risks

On the other hand, data protection restricts the business from encountering such events as data leakage and intrusion. Proper protection of information can lessen the above events or prevent the potential effects thereof.

Data protection best practices

These practices encompass various aspects of data management, from employee training to advanced technological safeguards:

  • Conduct regular data audits

Data audits are carried out to check weaknesses and compliance and to review the success of data controls.

  • Implement data encryption

One of the main security checks to secure data in practice is encryption. When encryption involves taking data from one location and sending it to another point of transmission, encryption prevents anyone from glimpsing a bit of the data as it passes by.

  • Control data access

Accurate control of access to data minimizes or reduces cases of privacy infringement. This involves the use of good authentication methods, using role based and necessity based access controls as well as a robust monitoring system to alert when there is strange access being made.

  • Train employees on data privacy and security

Inadequate input from personnel is one of the biggest causes of data leakage and other security breaches. If people are trained in how to handle in terms of data privacy and security then such risks in mitigated.

  • Establish data retention policies

Data retention policy sanctions how long data should be retained and when it has to be destroyed. If Organizations follow these policies, the organization will be safe from leakage of data and unauthorized access and also from legal action.

  • Use Privacy-Enhancing Technologies (PETs)

Privacy policies like data obscuring, data elimination, and data substitution enable organizations to ensure that specific information is only used in specific ways without reducing the usefulness of the data.

  • Regularly update software and security measures

It is truly unfortunate that many organizations still recognize the need to act on outdated software as well as security measures to protect their databases from breaches and practices of cybercriminals. It is sufficient to say that software and security should be updated frequently to increase the strength of data protection.

Benefits of investing in data protection solutions

These solutions help streamline compliance, enhance data security, and optimize data management, ultimately contributing to the success and resilience of the organization:

  1. Improved operational efficiency

There are always potential ways how to make processes related to data protection run without needing lots of manual intervention and time. This makes it possible for organizations to worry less on areas of social responsibility and more on their main major goals and objectives.

  1. Cost savings

To avoid this unfavorable outcomes as well as avoid the tangible costs of data breaches, fines, and legal consequences, data protection has to happen before time. They can thus minimize such risks and impacts on overall costs if with right protective measures are taken up.

  1. Better decision-making with quality data

Data protection means that data is accurate, comprehensive, and relevant to help the organization make good decisions. The quality of information is critical for its application in decision-making and ensuring business performance.

  1. Enhanced customer relationships

Through proper protection of data and ensuring customer loyalty, many organizations will get to improve their rapport with customers and thus improve on their competitiveness.

In conclusion, all organizations use data protection as one of the vital aspects of performing their business activities. It means that by realising the key types, using the optimization and following the minor details, the organizations will be able to ensure the data’s protection, gain customers’ trust and become compliant with the regulations.

The post Building a Strong Data Protection Framework: Best Practices, Regulations, and Benefits for Businesses appeared first on PC Tech Magazine.

]]>
80878
5 Key Benefits of Using CipherTrust Manager For Data Protection https://pctechmag.com/2024/08/5-key-benefits-of-using-ciphertrust-manager-for-data-protection/ Wed, 28 Aug 2024 07:52:01 +0000 https://pctechmag.com/?p=78415 For encryption to work well across a company, the key management system must have central control, strict access rules, automatic policies, expansion options, and complete record-keeping.

The post 5 Key Benefits of Using CipherTrust Manager For Data Protection appeared first on PC Tech Magazine.

]]>
Nowadays, organizations collect and store a constant amount of sensitive data. As data grows, keeping this valuable information secure becomes more important. Encryption locks down confidential files, communications, and databases so they can’t be read without the right keys. However, managing these keys presents its challenge. Someone must oversee key generation, distribution, and protection. This important job falls to an enterprise key management system. As one of the top solutions, CipherTrust Manager ensures this role is filled.

CipherTrust Manager is the central command center for all encryption keys within an organization’s IT systems. It handles the full key lifecycle from creation through rotation and replacement based on set rules.

Keys are securely held in specially protected hardware devices. These secure machines, called hardware security modules (or HSMs for short), solely contain the electronic copies of keys. Even if servers or storage units are attacked, the keys stay safeguarded from theft or improper use since they never leave the hardened HSM environments.

The five key benefits of the CipherTrust Manager encryption key management platform.

Centralized key management

The main benefit of CipherTrust Manager is that it provides a central place to create, store, and manage encryption keys for the whole company. Everything in one place makes it organized instead of becoming a messy tangle of different keys used in many spots.

Also, a CipherTrust Manager safely keeps all the keys inside secure hardware devices called hardware security modules (HSMs). HSMs are machines that protect keys by ensuring they are never shown without protection outside of the HSM. The HSM cannot be taken apart or tampered with.

Centralization means keys no longer need to be put into programs or stored on individual computers. This eliminates weaknesses like keys being saved in files or databases that could get stolen or shared by accident. With CipherTrust Manager, you must strongly verify your identity through a website or app to access a key.

Following rules and managing everything makes critical generation, distribution, replacement, cancellation, and destruction easy. It gives complete visibility and control over the keys used across apps, databases, user information, API connections, etc. Auditing and reporting ensure oversight of all critical activities.

Granular access controls

A key management system must have strict rules about who can access or use keys. CipherTrust Manager supports role-based access control (RBAC) with detailed permissions that can be given based on work groups, teams, or specific users. Different user roles determine whether people can view, generate, import, or activate keys. The system also sets whether users can only read or change keys. Controls may allow access to some apps’ keys but block access to others.

Administrator roles separate jobs, so one person cannot handle key activation and auditing, for example. If an employee with key access leaves their job, their login and permissions can quickly be removed using the central dashboard.

CipherTrust Manager’s access management helps follow regulations and protects key material from unauthorized use. Its records and reports provide accountability for all management activities on encryption items, ensuring the right people do the right things with keys.

Encryption policy automation

For encryption to provide security for large groups, the rules for managing keys must follow best practices without needing someone to do tasks by hand. CipherTrust Manager supports automatic policies that take the hard work out of managing encryption daily.

Automated policies regularly perform repeated jobs, like rotating keys on a set schedule. They can also automatically reject weak keys, change keys for passwords at set times, and expire keys after a standard amount of time.

Templates help apply the usual rules to everyone. For example, a template ensures new database fields use strong 256-bit AES encryption with a 90-day key rotation. If encryption needs to change, changes are applied to everything from the template.

Other automatic policies make adding new apps or cloud services easier. Automatic policies also guide the backup/restore process for keys, keeping sure practices without human effort. CipherTrust Manager decreases security risks and provides less work for administrators by automatically following encryption lifecycles according to set rules.

See also: The different types of data encryption explained

Scalable, high-performance architecture

As companies collect more data and use encryption in more places, the need to manage keys grows, too. CipherTrust Manager provides ways to expand and stay reliable to support ongoing growth.

Its flexible design allows adding more appliance nodes to make it larger. Nodes stay together through an active-active group setup, ensuring no single point of failure. If a node has problems, others can instantly take over to keep services running well. Doing tasks in parallel also boosts speed – tests show CipherTrust Manager handles over 250,000 encryption jobs per second.

The solution works with popular remote HSM systems like Luna CloudHSM to expand on demand. Virtual versions offer options to set up on-site, hybrid, or in multiple clouds. CipherTrust Manager’s quick design, immediate copying, and complete disaster backup keep up as encryption use increases across more areas within companies.

Comprehensive audit trail

Sometimes, investigating incidents requires a full record of encryption activities to meet rules. CipherTrust Manager keeps a detailed history of every key management step through its centralized logging and reporting dashboard. All stages of a key’s life — from creation and sharing to rotating, limiting, and deleting — get documented with metadata like date, time, user, and app or system requesting it. This audit log provides clear proof.

CipherTrust Manager’s records provide undeniable evidence and help comply with rules. Its reporting catches policy breaks or suspicious behavior early. Configurable reports let teams or auditors analyze encryption management carefully.

Therefore, for encryption to work well across a company, the key management system must have central control, strict access rules, automatic policies, expansion options, and complete record-keeping. CipherTrust Manager brings all these things together into one strong system. It securely manages encryption keys everywhere and allows them to increase over time and cloud spaces.

The post 5 Key Benefits of Using CipherTrust Manager For Data Protection appeared first on PC Tech Magazine.

]]>
78415
Continuous Data Protection — Definition and Advantages https://pctechmag.com/2024/04/continuous-data-protection-definition-and-advantages/ Mon, 15 Apr 2024 09:15:38 +0000 https://pctechmag.com/?p=75236 If you’re working hard to preserve and save your data, you should make sure you’re using the correct…

The post Continuous Data Protection — Definition and Advantages appeared first on PC Tech Magazine.

]]>
If you’re working hard to preserve and save your data, you should make sure you’re using the correct way.

When you back up your personal or professional data, you’re taking the first step in protecting yourself from hackers, viruses, and natural catastrophes.

Major corporations accumulate data exponentially, necessitating the expansion of their backup processes year after year to accommodate the increasing volume. With all the data that must be backed up yearly, it might be difficult to locate a system that functions smoothly regardless of the amount of data stored.

To make matters worse, daily, weekly, or monthly backups will gradually become slower until the present process fails and someone must reassess everything.

Nobody should have to worry about data backup continually. If you go long enough without modifying your method, you may encounter an avoidable problem.

What exactly is continuous data protection?

Continuous data protection (CDP) is a popular backup strategy because it is inexpensive, has no impact on disk or server performance, and provides robust protection against data loss. Similar to data exporting, it provides additional data security and ensures data availability and access during the information conversion process.

Continuous data protection (sometimes known as continuous backup) has some similarities to traditional backup. Both methods take a complete computer snapshot, capturing all of the data contained within. But here’s where the similarities end.

Continuous data protection automatically backs up all data on a computer every time a change is performed. This means that by using this method, you will be able to retain a continuous record of changes made to any file, document, folder, or spreadsheet, as well as restore a machine to any point in time with extraordinary granularity. All backups are copied multiple times and recorded to a journal file, along with any modifications made.

Many customers looking for a backup solution choose continuous data protection since it eliminates the unpleasant “backup window” problem. Running a typical backup exposes you to the risk of losing data between scheduled backups. This is where continuous data protection excels. By using this strategy, you will never lose your data because it is constantly backed up.

Because backups occur every few minutes rather than nightly, CDP reduces the amount of data that needs to be backed up each time, effectively eliminating the ‘backup window’.

CDP also provides robust security against malware, viruses, and ransomware, as well as unintentional data erasure or sabotage.

How does CDP work?

Continuous Data Protection operates in tandem with full backups of a system or storage, recording and logging every change to the original data after the backup in question. These changes make it much easier to restore the system after some sort of failure with as little data loss as possible.

CDP offers a lot of granularity in terms of data recovery when compared with most backup measures, which might be its most significant advantage. It is also rather challenging to implement from both the software and the hardware standpoint, so there is a rather limited selection of solutions offering full CDP support.

At the same time, the term “near-continuous data protection” also exists in this industry and is adopted by plenty of massive companies such as Microsoft. It is nowhere near as effective and granular as true CDP, but its upkeep and overall cost are also much lower in comparison.

The advantages of CDP

Continuous data protection is an effective backup strategy that works hard to protect your data from danger. There are numerous reasons why individual users and huge enterprises adopt this backup solution.

  1. Constant data syncing

You have a steady stream of data synchronizing. Therefore, no data will be lost (even if the system fails). If your system crashes, you won’t have to spend hours repairing it yourself. You will be able to retrieve your data promptly and without skipping a beat.

  1. Records multiple versions of data

CDP keeps numerous versions of each file, all the way back to the earliest changes. Users can restore data to any point in time. This is especially significant when teamwork is involved. You will not delete or damage a file that another user is currently working on.

  1. Doesn’t affect server performance

With CDP, the system will only need to read the altered bits of your data rather than going through all of it each time you perform a backup. As a result, your server’s performance will be unaffected, and you will not be required to run nightly backups. CDP will back up every few minutes for you.

  1. Short backup intervals

Furthermore, continuous data protection provides shorter intervals between backups. If a calamity strikes, you’ll only have to go back a few minutes to an hour, rather than several days, to restore your data.

  1. Saves you disk space

Utilizing continuous data protection will save disk space. CDP can provide a snapshot of how your server has looked every hour for the last two days, every Wednesday for the previous week, and every week for the last month.

How can you save disk space? CDP will only maintain the minimum amount of data required to represent distinct points in time. Approximately 15% of the storage space is being used. While a full backup is only conducted once, a continuous data protection backup can theoretically recycle your data multiple times without taking up disk storage space.

  1. You can restore data from any point in time

CDP employs journal-based recovery, which continually logs all changes made to data and applications. This is useful for recovering data. Continuous data protection enables you to access data anytime because changes are constantly being made to the data store.

  1. Protection from attacks and data loss

Because you can access data at any time, CDP safeguards you if you are the victim of a malicious attack. You can roll back your data immediately before the attack and find it intact.

  1. Can aid in disaster recovery

Disaster recovery relies heavily on continuous data preservation. This is because the CDP backup store may be repeatedly replicated to an offsite data storage facility, safeguarding the data from physical damage.

Disaster recovery (DR) solutions enable businesses to rapidly and efficiently restore software, settings, and data to their previous condition in the event of a computer, server, or other infrastructure failure. Check out the top-rated disaster recovery software to see which one works best for you.


ALSO READ: RAISING AWARENESS AND PROMOTING PRIVACY AND DATA PROTECTION


Conclusion
Continuous data protection is a very popular feature for large and scaling organizations. Some professionals even consider it a must-have when it comes to protecting their company’s sensitive data.

The more data a business accumulates over the years, the more a continuous data protection backup makes sense. With low storage space and the ability to recover data from minutes, hours, days, and weeks ago, CDP is a great option for anyone looking for airtight security that doesn’t eat up disk space.

Data security should be an integral part of any business. Security software comes in all shapes and sizes, all designed to secure all types of data.

The post Continuous Data Protection — Definition and Advantages appeared first on PC Tech Magazine.

]]>
75236
Data Privacy Day — Raise Awareness and Promote Privacy & Data Protection https://pctechmag.com/2024/01/data-privacy-day-promoting-privacy-and-data-protection/ Sun, 28 Jan 2024 07:42:41 +0000 https://pctechmag.com/?p=74337 On a public holiday, the allure of sleeping in a bit is undeniable, especially with the office closed.…

The post Data Privacy Day — Raise Awareness and Promote Privacy & Data Protection appeared first on PC Tech Magazine.

]]>
On a public holiday, the allure of sleeping in a bit is undeniable, especially with the office closed. But even if you run a business that still has to open or have work commitments, you probably don’t have to leave home as early as a typical work day.

I didn’t have such luxury presented to me this Friday morning, as I was up early to go through the usual early morning routine which doesn’t care about public holidays, ahead of a Digital Marketing and Social Media training facilitated by Patricia Kahill and Joy Akatukunda. These ladies know what they are doing and talking about; whenever you can, give them your money and let them teach you about Digital Marketing!

A few days prior, while passing by Arena Mall, my attention was drawn to a billboard proclaiming “Black Drip.” I wondered whether it was a new brand or I’d just been living under a rock or something. On Friday afternoon I discovered on Twitter that the Black Drip social media pages were abuzz earlier that day, showcasing extravagant purchases made by their clients.

It was all going well, the netizens were captivated; at least some of them. My friend Mark Ruhindi, a Tax and Corporate Lawyer wasn’t too impressed, he instead offered them free advice: DELETE, which they followed, but apparently, not fast enough as plenty of screenshots had already been taken. Uganda Revenue Authority (URA) also picked interest.

By the way, kudos to URA for adopting a tone that combines business acumen with a touch of humor on social media. It’s a refreshing approach that underscores the seriousness of their work while maintaining a connection with the public.

Black Drip is probably going to have extra scrutiny of their books from the Taxman, thanks to their viral post.

This incident serves as a stark reminder of the ramifications of oversharing, perfectly aligning with the ethos of #DataPrivacyDay, observed annually on January 28 to raise awareness and promote privacy and data protection best practices.

Our interconnected world provides a platform to share experiences, but it also demands a cautious approach, both for personal or business use.

As we commemorate Data Privacy Day, it’s crucial to reflect on our online habits. One fundamental step is to exercise caution in oversharing. In the era of constant connectivity, a momentary pause before posting personal details or locations can prevent unintended consequences. Additionally, take time to review and secure privacy settings on your online platforms. Limiting the visibility of personal details ensures that your online presence is shared only with your intended audience.

When many think of #Cybersecurity, images of hacking and technical intricacies come to mind. However, you go a long way toward safeguarding your data and privacy by simply being mindful of what you share online. Remember, the internet never forgets, as evidenced by URA’s timely reminder to Black Drip.

Happy Data Privacy Day!

The post Data Privacy Day — Raise Awareness and Promote Privacy & Data Protection appeared first on PC Tech Magazine.

]]>
74337
Assessing the Limitations of Secure Data Rooms and Online Document-Sharing Platforms https://pctechmag.com/2023/10/assessing-the-limitations-of-secure-data-rooms-and-online-document-sharing-platforms/ Mon, 02 Oct 2023 22:06:32 +0000 https://pctechmag.com/?p=72499 In an increasingly digital world, the need for secure document sharing and data protection has become paramount. To address this,…

The post Assessing the Limitations of Secure Data Rooms and Online Document-Sharing Platforms appeared first on PC Tech Magazine.

]]>
In an increasingly digital world, the need for secure document sharing and data protection has become paramount. To address this, various online platforms, including Secure Data Rooms (SDRs) or Virtual Data Rooms (VDRs), have emerged, promising robust document protection and secure information exchange. However, it is important to critically evaluate the limitations of such platforms to ensure adequate safeguards for sensitive data.

Here we examine the weaknesses and vulnerabilities inherent in secure data rooms and other online document-sharing platforms, shedding light on the potential risks and challenges they pose in maintaining document security.

Flawed Encryption and Data Breach Risks 

A fundamental aspect of secure data rooms and online document-sharing platforms is encryption. Encryption algorithms are used to encode documents and protect them from unauthorized access. However, the effectiveness of encryption methods can vary significantly across platforms. Weak encryption algorithms or improper key management can render sensitive documents susceptible to decryption by malicious actors. Additionally, vulnerabilities in the platform’s infrastructure or security protocols may expose data to breaches or unauthorized access, leading to potential data leaks and compromises.

Human Error and Insider Threats

Despite the advanced security measures implemented by secure data rooms and online document-sharing platforms, human error remains a significant weak point. Users may inadvertently share sensitive documents with the wrong recipients, misconfigure access permissions, or fall victim to social engineering attacks, compromising document security. Similarly, insider threats pose a considerable risk, as authorized individuals with malicious intent or inadequate security awareness can intentionally exploit vulnerabilities within the platform, potentially leading to data breaches or unauthorized document access.

Lack of End-to-End Encryption 

While encryption is a critical component of document protection, many online document-sharing platforms do not offer true end-to-end encryption. End-to-end encryption ensures that data is encrypted from the point of origin to the intended recipient, with only the authorized parties possessing the decryption keys. In contrast, some platforms employ client-side encryption or server-side encryption, leaving the data vulnerable to interception or unauthorized access during transmission or storage. This lack of end-to-end encryption introduces a potential weak point in the overall security of the documents shared through these platforms.

Dependence on Third-Party Infrastructure

Secure data rooms and online document-sharing platforms often rely on third-party infrastructure and service providers for storage, processing, and data transmission. While these partnerships enable seamless functionality, they also introduce additional vulnerabilities. The security practices and protocols of these third parties may not align with the stringent standards required to safeguard sensitive documents, thereby compromising the overall security of the platform. Furthermore, any breaches or vulnerabilities within the third-party infrastructure can directly impact the security and confidentiality of the shared documents.

Limited Control over Data

When utilizing online document-sharing platforms, users often relinquish a certain degree of control over their data. Platform administrators may have access to encryption keys, granting them the ability to view or manipulate the shared documents. While administrators are typically trusted entities, the potential for abuse or unauthorized access cannot be eliminated. This lack of complete control over data poses a risk, especially when sharing highly sensitive information or operating in regulated industries where strict control and confidentiality are crucial.

Weak Browser Security

Apart from users being able to share login info with others, one of the main security issues with secure data rooms is that they rely on JavaScript to enforce security controls such as preventing printing of documents.  However, users can manipulate JavaScript in a browser’s development mode and run scripts that bypass the security controls. Many systems also allow document downloads if printing is enabled since users can print directly to PDF files and again bypass any protection measures.

The reason why a browser environment provides weak security is because the user has control over it since code is executed locally on their device.  It therefore can never provide the same security as an installed app.

While secure data rooms and online document-sharing platforms offer convenience and some level of document protection, it is important to recognize their limitations. Flawed encryption, data breach risks, human error, lack of end-to-end encryption, reliance on third-party infrastructure, poor environment security, and limited control over data are among the weaknesses and vulnerabilities that demand attention.

Understanding these limitations empowers individuals and organizations to make informed decisions about document-sharing practices and consider additional security measures.

The post Assessing the Limitations of Secure Data Rooms and Online Document-Sharing Platforms appeared first on PC Tech Magazine.

]]>
72499
Why government and technology companies can’t agree on encryption of user data https://pctechmag.com/2015/11/why-government-and-technology-companies-cant-agree-on-encryption-of-user-data/ Wed, 25 Nov 2015 06:14:31 +0000 http://pctechmag.com/?p=28399 Your phone is getting better and better at protecting your privacy. But Uncle Sam isn’t totally comfortable with…

The post Why government and technology companies can’t agree on encryption of user data appeared first on PC Tech Magazine.

]]>
Your phone is getting better and better at protecting your privacy. But Uncle Sam isn’t totally comfortable with that, because it’s also complicating the work of tracking criminals and potential national-security threats.

For decades, tech companies have steadily expanded the use of encryption — a data-scrambling technology that shields information from prying eyes, whether it’s sent over the Internet or stored on phones and computers. For almost as long, police and intelligence agencies have sought to poke holes in the security technology, which can thwart investigators even when they have a legal warrant for, say, possibly incriminating text messages stored on a phone.

The authorities haven’t fared well; strong encryption now keeps strangers out of everything from your iMessages to app data stored on the latest Android phones. But in the wake of the Paris attacks, US officials are again pushing for limits on encryption, even though there’s still no evidence the extremists used it to safeguard their communications.

While various experts are exploring ways of resolving the impasse, none are making much headway. For now, the status quo favors civil libertarians and the tech industry, although that could change quickly — for instance, should another attack lead to mass US casualties. Such a scenario could stampede Congress into passing hasty and potentially counterproductive restrictions on encryption.

“There are completely reasonable concerns on both sides,” said Yeshiva University law professor Deborah Pearlstein. The aftermath of an attack, however, “is the least practical time to have a rational discussion about these issues.”

Encryption plays a little-heralded, yet crucial role in the modern economy and daily life. It protects everything from corporate secrets to the credit-card numbers of online shoppers to the communications of democracy advocates fighting totalitarian regimes providing enhanced data protection for individuals and businesses alike.

At the same time, recent decisions by Apple and Google to encrypt smartphone data by default have rankled law enforcement officials, who complain of growing difficulty in getting access to the data they feel they need to build criminal cases and prevent attacks. For months, the Obama administration — which has steered away from legislative restrictions on encryption — has been in talks with technology companies to brainstorm ways of giving investigators legal access to encrypted information.

But technology experts and their allies say there’s no way to grant law enforcement such access without making everyone more vulnerable to cybercriminals and identity thieves. “It would put American bank accounts and their health records, and their phones, at a huge risk to hackers and foreign criminals and spies, while at the same time doing little or nothing to stop terrorists,” Sen. Ron Wyden, D-Ore., said in an interview Monday.

Lawmakers on the US Senate Select Committee on Intelligence remain on what they call an “exploratory” search for options that might expand access for law enforcement, although they’re not necessarily looking at new legislation.[related-posts]

The FBI and police have other options even if they can’t read encrypted files and messages. So-called metadata — basically, a record of everyone an individual contacts via phone, email, or text message — isn’t encrypted, and service providers can make it available when served with subpoenas. Data stored on remote computers in the cloud — for instance, on Apple’s iCloud service or Google’s Drive — is also often available to investigators with search warrants. (Apple and Google encrypt that data, but also hold the keys.)

Some security experts suggest that should be enough. Michael Moore, chief technology officer and co-founder of the Baltimore, Maryland-based data security firm Terbium Labs, noted that police have managed to take down online criminals even without bypassing encryption. He pointed to the 2013 takedown of Silk Road, a massive online drug bazaar that operated on the “dark Web,” essentially the underworld of the Internet.

“The way they figured that out was through good old-fashioned police work, not by breaking cryptography,” Moore said. “I don’t think there’s a shortcut to good police work in that regard.”

Others argue that the very notion of “compromise” makes no sense where encryption is concerned. “Encryption fundamentally is about math,” said Mike McNerney, a fellow on the Truman National Security Project and a former cyber policy adviser to the Secretary of Defense. “How do you compromise on math?” He called the idea of backdoors “silly.”

Some in law enforcement have compromised ideas of their own. The Manhattan District Attorney’s office, for instance, recently called for a federal law that would require smartphone companies to sell phones they could unlock for government searches — in essence, forcing them to hold the keys to user data.

In a report on the subject, the office called its suggestion a “limited proposal” that would only apply to data stored on smartphones and restrict searches to devices that authorities had already seized. Privacy advocates and tech companies aren’t sold, saying it would weaken security for phones that are already too vulnerable to attack.

Marcus Thomas, the chief technology officer at Subsentio and former assistant director of the FBI’s operational technology division, argued that it’s too late to turn back the clock on strong encryption, putting law enforcement in a “race against time” to obtain investigatory data whenever and wherever it can. But he urged security experts to find ways to help out investigators as they design next-generation encryption systems.

The idea of allowing law enforcement secure access to encrypted information doesn’t faze Nate Cardozo, a staff attorney for the San Francisco-based Electronic Frontier Foundation — provided a warrant is involved. Unfortunately, he says, cryptographers agree that the prospect is a “pure fantasy.”

[IBN Live]

The post Why government and technology companies can’t agree on encryption of user data appeared first on PC Tech Magazine.

]]>
28399