How to Be Safe Online

Encryption 101

If you don’t totally understand what encryption is, this guide is for you.

Browsers using encryption display lock icons to let you know your data is safe and sound.

Photo illustration by Mal Langsdon/Reuters

Encryption has become a major buzzword in the digital world in the past few months. You’ve probably heard that Apple and Google have made it a default setting for their latest smartphones, while FBI Director James Comey and U.K. Prime Minister David Cameron think encryption should be banned unless governments have ways to get around it. Even President Obama commented on the subject recently, saying that he supports “strong encryption” (albeit with some caveats). But for all this talk about encryption, less than 20 percent of Internet users actively use it, according to Pew. So what is it, exactly, and how does it affect the security of your online communications?

In simple terms, encryption relies on mathematical algorithms to protect the security and integrity of data as it is transmitted or stored on devices. Encryption is the process of combining the contents of a message (“plaintext”) with a secret password (the encryption “key”) in such a way that scrambles the content into a totally new form (“ciphertext”) that is unintelligible to unauthorized users. Only someone with the correct key can decrypt the information and convert it back into plaintext. Encrypting data doesn’t stop someone who is not the intended recipient of a message from intercepting it—but it helps ensure that he won’t be able to decipher it if he does. Herewith is a basic explanation of where encryption stands today—and how you can use it to protect yourself and your communications.

For much of the 20th century, sophisticated encryption was available only to members of the military and intelligence communities. They used it to protect their most sensitive communications and kept the technology secret to prevent their adversaries from adopting it. But in 1976, two researchers named Whitfield Diffie and Martin Hellman discovered and published a paper on “split-key encryption,” which demonstrated how individuals and ordinary users could communicate securely by creating a pair of related private and public keys that would be used to encrypt and decrypt plaintext conversations. Diffie and Hellman’s discovery laid the foundation for a number of innovations in secure communications over the past 40 years—many of which were necessary for the growth of the Internet as a public platform for sharing personal information, shopping, banking, and much more.

Today, encryption is an integral part of many of the tools and protocols we rely on to protect the security of our everyday transactions and online communications. Encryption can be used on the physical layer of the Internet to scramble data that’s being transmitted via cable or radio communications. It adds support for secure communications to plaintext protocols like the Hypertext Transfer Protocol (HTTP), which enables Web browsing, and can protect the integrity of data exchanged through applications like email and mobile messengers. You can also encrypt data that is stored on devices like cellphones or computers, shielding the local copies of emails, text messages, documents, and photos from unauthorized snooping.

How and at what layer your data is encrypted makes a huge difference. Just because a product or service uses encryption doesn’t necessarily mean that everything that’s stored on or sent over that platform is completely private. For example, Google now makes the HTTPS protocol (HTTP over an encrypted connection) the default for all Gmail traffic, which prevents unauthorized users from reading emails while they travel between Google’s email servers and end users’ computers—but it does nothing to stop Google itself from accessing plaintext copies of those conversations. If you don’t want your email provider to be able to read your messages, you have to take additional steps to implement end-to-end encryption, which refers to a system in which “messages are encrypted in a way that allows only the unique recipient of a message to decrypt it, and not anyone in between.” With end-to-end encryption, you encrypt the contents of a message on your local machine or device. That data is then transmitted as ciphertext by the email provider to the intended recipient, who is the only person who can decrypt and read it.
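The difference between the two models can be shown in a few lines of Python. This is an added example, not part of the original article: the names `alice`, `bob` and `provider` and every function here are illustrative, and the small Diffie-Hellman group and SHA-256 keystream are stand-ins chosen so the code runs on the standard library alone; a real system would use a vetted cryptographic library.

```python
import hashlib, hmac, secrets

# Stand-ins so this runs on the standard library alone (assumptions, not real
# parameters): a tiny Diffie-Hellman group and a SHA-256 keystream with HMAC.
P, G = 2**127 - 1, 3

def keypair():
    """Return (private, public), a related key pair."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    """Each end mixes its private key with the other's public key."""
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def _xor_stream(key, nonce, data):
    blocks = (len(data) + 31) // 32
    pad = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = _xor_stream(key[:16], nonce, plaintext)
    return nonce + body + hmac.new(key[16:], nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key[16:], nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(key[:16], nonce, body)

def demo(msg=b"meet at noon"):  # constructed sample message
    alice, bob, provider = keypair(), keypair(), keypair()
    # Transport encryption (HTTPS case): provider decrypts, then re-encrypts per hop.
    hop1 = seal(shared_key(alice[0], provider[1]), msg)
    provider_copy = unseal(shared_key(provider[0], alice[1]), hop1)
    hop2 = seal(shared_key(provider[0], bob[1]), provider_copy)
    via_transport = unseal(shared_key(bob[0], provider[1]), hop2)
    # End-to-end: Alice keys the message to Bob; the provider relays ciphertext.
    e2e = seal(shared_key(alice[0], bob[1]), msg)
    try:
        unseal(shared_key(provider[0], alice[1]), e2e)
        provider_reads_e2e = True
    except ValueError:
        provider_reads_e2e = False
    via_e2e = unseal(shared_key(bob[0], alice[1]), e2e)
    return provider_copy, via_transport, via_e2e, provider_reads_e2e
```

In both cases Bob receives the message, but only in the transport case does the provider end up holding a plaintext copy.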

Even if you’ve never done anything proactive about encryption, you almost certainly use tools and services that rely on it every single day. The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are used by many popular websites and embedded in a large number of physical products—including smartphones, home routers, and media streaming devices—to protect the security of data as it’s sent back and forth between clients and servers. Your bank uses strong encryption to keep hackers away from your sensitive financial information when you log on to the bank’s website to check your account balance. In fact, there is an entire industry dedicated to supporting the secure digital communications ecosystem. Companies like Verisign and Comodo exist primarily to verify the authenticity of digital certificates and assure customers that the secure sites they are visiting have implemented encryption properly and are not being impersonated by malicious actors. That’s how you can reasonably trust that when you make a purchase from an online retailer, you’re not handing your credit card information over to a stranger who will use it to commit identity fraud.

But there is also a lot that you can do as an individual to add an extra layer of security to your communications. The simplest step is to make sure you’re taking advantage of the option to encrypt whenever it’s offered by the products and services that you use. If you have an iPhone, for example, you should upgrade to the latest iOS, which comes with encryption by default—meaning that a third party that manages to get around your pass code and get access to the device will find all of the stored information is unreadable. (The same is true for the newest Android OS.)

You should also pay attention to whether the websites you visit use HTTPS, which is an increasingly standard security practice. You can figure this out by looking at the URL of a website: If there is an “s” after the “http,” that means HTTPS is turned on, and any data sent from your browser to the site’s servers is encrypted. Some browsers, like Chrome, have features that make it even more obvious—you’ll notice that “https” is displayed in green with a lock icon to the left of it. The Electronic Frontier Foundation and the Tor Project have created a handy tool you can download as a browser extension for Chrome and Firefox known as “HTTPS Everywhere,” which creates a workaround for websites that still default to unencrypted connections or have otherwise implemented HTTPS in ways that make it difficult to use.

Do your homework to find out which companies and services use strong encryption. There are a number of digital security–focused organizations that have made guides and tools to help ordinary users better understand how this technology works and where it exists online. After the Snowden leaks, EFF began publishing a report called “Encrypt the Web,” which compares how the major Internet companies measure up against five best-practice encryption criteria (including support for HTTPS). The “Encrypt All the Things” campaign, from the advocacy group Access, similarly encourages Internet platforms to improve their data security to prevent unauthorized access to user information. Don’t forget that as a consumer, you have the power to decide to give your business to the companies that you trust—and to help pressure those companies to continually improve their security practices.

If you’re willing to invest the time to go a step further, there are a variety of free and open-source tools that you can use for end-to-end encryption. The first widely available tool that facilitated end-to-end encryption was called PGP, which stands for Pretty Good Privacy and can be used to encrypt text, emails, files, and even parts of your hard drive. Although PGP has been around since the early 1990s, many users still find it difficult and time-consuming to use.* That’s one of the reasons why Google announced last June that it was releasing the source code for the Chrome browser’s new End-to-End extension, which it hopes will be an easier option that allows users to encrypt their data before it leaves the browser. The source code for End-to-End is currently being audited by the computer security community to ensure that the product is robust before Google adds it to the Chrome store. You can also install plugins like Off the Record and TextSecure, which similarly enable end-to-end encryption on instant messages and text messages.

At the end of the day, there’s no such thing as perfect security online. But encryption provides one of the best ways to defend yourself against unauthorized access to your sensitive communications, and it’s worth taking the time to get to know what tools and services are available to you.

*Correction, Feb. 25, 2015: This article originally misstated that PGP has been around since the early 1980s. It was invented in 1991.