TLDR: We do have perfect encryption. We just don’t use it everywhere.

The ongoing discussion about cybersecurity, encryption and data leaks, recently fueled by the Apple Cloud Hack or Panama Papers leak, often gives a distorted image of the status quo. When talks about security of – lets say the iCloud – come to the actual tech level, even the technically savvy compare the security infrastructure of the iCloud with the security infrastructure of physical objects: Locks on doors and cars, vaults, etc. This does not help.

An accurate comparison should be different: To start, in the physical world, locks are by far not as good as commonly believed. The average door lock keeps up seconds or minutes as a maximum and the major aim of bike locks is not to actually prevent the lock from being picked (which is impossible) but making it as lengthy and complicated as possible to raise the risk of being caught in the act to a level that potential bike thieves pick other alternatives. It is like the (unofficial) asics commercial: you don’t have to outrun the lion, you just have to outrun someone else. Also: each thieve can only attack one lock at a time which already forces him to choose the least ‘secure looking’ lock. In other words: All locks fail with time, but thieves are constrained by the physical world, which makes locks secure that look secure.

In the online world, these constraints do not apply: first, there is not just one thieve but an uncountable multitude. Second, this multitude very often acts fully automatically, overcoming physical limits of distance, time and human capacity. Automated scripts work on locks everywhere, all the time and (mostly) without any risk of being caught. And ironically, some constraints from the physical world even – although not applying in the act per se – work to the advantage of the online world since limitations of geographic distance or extradition will already hinder most hackers ever being brought to justice. The determinants of all participating factors are different in the online world: Everything must be encrypted, and not just “a bit” or “to some extend”, but fully and always.

Consequently, there is encryption to make the lockpicking close to impossible. At least with available technology, available encryption can be seen as perfect security. Common 256bit key-encryptions (e.g. AES) cannot be hacked through brute force attacks. Yes, they cannot. To be entirely honest and very clear, there have been some breaks of the Rijndael algorithm (the basis algorithm of the current AES encryption), that were published and many of them required a reduced number of cracking-rounds from those specified in AES description. However, all of these attacs were scientific experiments using theoretical calculations. In the corresponding papers, the “non practicability” of the attacks was emphasized. In other words: Available combinations of existing highest computing power devices (see the list of the current worlds largest “supercomputers” here) would still take trillions of years to recover an AES key with 256 bit encryption (another example here). So it is still safe to say that AES is safe (pun intended).

Of course the abstraction of the digital world still leads the less tech savvy that all digital encryption “can be hacked somehow” which is understandable. If hacks appear, they are the result of circumstantial factors to obtain information to than decrypt the actual target. In the physical world this is the corresponding act of not cracking the vault but stealing the key. However this is a risk imminent to every lock – both digital and physical and both strong and weak. In the digital world, there is black and white (or 1s and 0s if you want): Either data is encrypted (fully) or it is not. And it mostly is.

Coming back to the comparison of digital and physical locks (by the way, well explained by another great feature of CGP Grey here, although in a different context) this means two things:

First: The factors defining real world encryption are different than the ones for digital encryption. Second: There is perfect digital encryption, there is no perfect physical lock. The technology for perfect digital locks is available (for free) and in practical use. And last: The factors defining security of applications like iCloud are not in the tech, but in the law: Companies often do not apply real end-to-end encryption. Terms and Conditions often stipulate possible insights and use of the data, leaving access rights, mirroring, and analytics. The tech for encryption is there, but we often do not use it.