US privacy and computer security advocate Micah Lee describes himself, amongst other things, as “a staff technologist for EFF and the project maintainer of HTTPS Everywhere.”
In other words, he has a healthily holistic view of the use of encryption on the internet.
So it wasn’t surprising, earlier this week, to see him post a suggestion to the Android Open Source Project about security.
His suggestion was entitled “‘Backup and restore’ should offer encrypted backups”:
The "Back up my data" option in Android is very convenient. However, it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.
If you’re an Android user, the option he’s talking about is the Backup & reset page in Settings:
In the screenshot above, the feature is turned off.
Most users, however, probably have it enabled because it is, as Micah points out, very convenient.
The idea is that if you lose your device, or merely feel the need to reflash it, you can much more quickly get back to where you were.
Instead of just reinstalling your favourite apps and starting afresh, your new device will know how to get online straight away, how to get into your Twitter account, and how many Angry Birds levels you haven’t conquered yet.
Clearly, Google keeps a raft of configuration data on your behalf, because if you have the option enabled and then decide to turn it off you get this dialog:
So how risky is this option?
It’s not risky in the sense, for example, of the recent flaw in the Tumblr app on iOS.
There, Tumblr forgot to secure the actual transmission of personally identifiable information (PII), such as your password.
That meant that crooks at a coffee shop, for example, might easily be able to sniff out and extract your Tumblr password.
The Android issue is more subtle: the data is encrypted in transit, and Google (for all we know) probably stores it encrypted at the other end.
But it’s not encrypted in the sense of being inaccessible to anyone except you.
That’s obvious because, as a comment on Micah’s abovementioned posting pointed out, you can recover your data from Google even after you’ve wiped (or lost) your device, or changed your Google account password.
In other words, Google can unilaterally recover the plaintext of your Wi-Fi passwords, precisely so it can return those passwords to you quickly and conveniently even if you forget your device password and have to start over.
That’s just the sort of convenience which many users will trade against security.
So, let’s say some Three Letter Agency were to use some prismatic technique to acquire those Wi-Fi passwords from Google.
Is that likely? If so, would it be bad?
I have to say that it probably would be, if only because the list of Wi-Fi networks and passwords on your device is most likely much more extensive than just your own network in your own home.
You’d effectively be helping to build a list of passwords to go with the already-existing and extensive maps of Wi-Fi access points built up over years, both by Google and others.
You probably don’t want to help anyone, friend or foe, to do that.
The solution is to encrypt everything “for your eyes only” before you back it up anywhere, especially into the cloud.
The problem with that is that it’s not quite as convenient, not least because there is no password-free way to recover the backed-up data: if you forget your password, the backup is gone for good.
That’s the dilemma we all face.
Are you prepared to accept a digital equivalent of locking your keys in the car forever (for example if you forget your full-disk encryption password and didn’t save the recovery key)?
Or would you prefer to have what amounts to a backdoor to your own, or worse still, to other people’s, personal information?
What do you think? Let us know in the comments below…