Skip to content
Naked Security Naked Security

New York tries to force phone makers to put in crypto backdoors

If it passes, Apple, Google, et al., would have to either hobble encryption or pay $2,500 fines per phone sold in the state.

The sport of holding Apple, Google and other tech companies over a barrel to demand backdoors now has a new player: New York.

The state assembly has come up with a proposed bill that would ban encrypted mobile phones and slap manufacturers with a $2,500 fine per phone sold in the state of New York without a backdoor.

In a nutshell, backdoors are security holes – for example, an undocumented master decryption key – knowingly added to software.

The bill, introduced earlier this month, (PDF) demands that smartphones come with means of being decrypted, starting as of two weeks ago:

Any smartphone that is manufactured on or after January 1, 2016, and sold or leased in New York, shall be capable of being decrypted and unlocked by its manufacturer or its operating system provider.

The state assembly would impose a $2500 fine for each infringing phone sold in the state.

That’s a lot of phones and a lot of potential fines. New York’s a big state with a big appetite for mobile gadgets.

The rationale, from notes on the bill:

The fact is that, although the new software may enhance privacy for some users, it severely hampers law enforcement’s ability to aid victims.

All of the evidence contained in smartphones and similar devices will be lost to law enforcement, so long as the criminals take the precaution of protecting their devices with passcodes. Of course they will do so. Simply stated, passcode-protected devices render lawful court orders meaningless and encourage criminals to act with impunity.

The proposed bill is similar to the Investigatory Powers Bill in the UK, which has the support of Prime Minister David Cameron.

If it passes – the next step would be for the bill to move to the floor calendar, followed by votes in the assembly and senate – it would mean that manufacturers or operating system providers would have to decrypt and unlock phones for law enforcement and other authorities, creating a backdoor to surpass the encryption.

We’re hearing plenty of similar calls to poke holes in encryption, coming from countries including the UK with its Investigatory Powers Act or in China, which was poised to require internet companies and other technology suppliers to hand over encryption codes and other sensitive data for official vetting before they went into use.

Those demands were dropped in the law’s final draft, but China’s new law still requires that companies help with decryption when the law deems it necessary for investigating or preventing terrorist cases.

The Netherlands, on the other hand, has come out against backdoors last week, but the assault against the technology is still raging, as the New York bill clearly shows.

Apple CEO Tim Cook has been strenuously arguing that backdoors weaken security.

Here’s how he explained it to 60 Minutes last month:

Here’s the situation… on your smartphone today, on your iPhone. There’s likely health information, there’s financial information. There are intimate conversations with your family, or your co-workers. There’s probably business secrets and you should have the ability to protect it. And the only way we know how to do that, is to encrypt it.

Why is that? It’s because if there’s a way to get in, then somebody will find the way in. There have been people that suggest that we should have a backdoor. But the reality is if you put a backdoor in, that backdoor’s for everybody, for good guys and bad guys.

Cook and other Silicon Valley execs last week met with White House officials to discuss the use of social media and technology in the fight against terrorism, radicalization, and propaganda.

Apple has stated that it’s “impossible” to unlock most iPhones, given an iOS 8 feature that prevents anyone without the device’s passcode from accessing the device’s encrypted data – including Apple itself.

Cook has said that a backdoor wouldn’t be such an issue if it were to be used only for catching “bad people,” but he doubts that crooks couldn’t manage to figure out how to exploit a backdoor even if it were only meant to help law enforcement.

Naked Security’s take?

Paul Ducklin put it pretty bluntly: “Tim Cook is right: if you put in cryptographic backdoors, the good guys lose for sure, while the bad guys only lose if they are careless.”

And, as Paul recently reminded us, the US has gone down this road before, and it didn’t turn out well.

In the 1990s, the US required American software companies to use deliberately weakened encryption algorithms in software for export, in an attempt to make it safe to sell cryptographic software even to potential enemies because their traffic would always be crackable.

The results:

  • International customers simply bought non-US products instead, hurting US encryption vendors.
  • EXPORT_GRADE ciphers lived on long after they were no longer legally required, leaving behind backdoors such as FREAK and LOGJAM that potentially put all of us at risk.

Doubleplusungood.

Backdoors have a way of being forgotten about, soon end up widely known, often live much longer than anyone imagined, and can be widely misused: all good reasons to avoid them.

💡 LEARN MORE – To encrypt or not to encrypt? We explore the issues ►

💡 LEARN MORE – The FREAK bug, a side-effect of weakened encryption ►

💡 LEARN MORE – The LOGJAM bug, another side-effect of weakened encryption ►

SOPHOS STATEMENT ON ENCRYPTION

Our ethos and development practices prohibit “backdoors” or any other means of compromising the strength of our products for any purpose, and we vigorously oppose any law that would compel Sophos (or any other technology supplier) to weaken the security of our products.

Full statement ►

Image of encrypted binary code with encrypt word inside courtesy of Shutterstock.com

19 Comments

Great article Lisa. I’ve never been a fan of Apple’s products – too expensive and closed source for my liking. However, Tim Cook is correct – bad guys always find backdoors and good guys are always victims from this. The ratio of good guys being hacked by bad guys because of backdoors to catching criminals by implementing a backdoor to access their phones is magnitudes higher. The greater good would therefore favour no backdoor access.

Similarly as Microsoft favours more and more privacy invasive practices with Windows 10, I am drawn more and more closely to Linux and (heavens above) iOS, and that is something I never thought I would ever end up doing! Sorry Nadella, you’re not listening to your user base again, which is why Windows 7 isn’t going away any time soon (despite all the deceptive tricks).

I propose they follow Volkswagen’s example by having the firmware act differently under certain conditions, e.g. Test or Position, if phone in NY disable or backdoor the encryption, else it is ON :-D

You are assuming that the phone isn’t spoofed by GPS type transmitters to make it think it’s not in NY. If you have your hands on the hardware, this type of spoofing is easy… This is always a loser for the masses.

Everyone’s just going to stop selling phones in New York. All the cell phone stores will shut down. Everyone will have to go to another state to buy their new phone. Otherwise, there will be no difference to the current situation.

What would the state law say if you had a shop but when a customer “bought” a phone you actually got them to approve an order from, say, New Jersey?

Duck asked “What would the state law say if you had a shop but when a customer “bought” a phone you actually got them to approve an order from, say, New Jersey?”

Easy. New York cannot dictate what New Jersey sells. Drive to New Jersey and buy a phone (or maybe mail-order one), and carry it back. You might be in violation, but the vendor wouldn’t be. And NY would have a tough time finding you unless they insisted the carrier somehow detect and report what model you have.

New York would have to modify its state motto–note the added clause below.
New York: State of silly gun laws AND CELLPHONE LAWS.

I meant, if you tried to sell “New Jersey phones” by proxy, so the person didn’t have to go there. Thus the NY phone stores would not implode but the bill (if enacted) would not work. Sort of like online in person.

That’s exactly what will happen, or people will order there phone’s online. This is one of those laws that’s on the books as a feels good law but will make no real difference. point blank; you can’t remove encryption. whats next making it so if i “jailbreak” my phone its illegal? this hole argument is from a place of fear and I’m completely done with it.

NY mafia; Give us access to everything or else.

And, in NYC, heaven forbid that an obese person could buy a Big Gulp (had that made it into law). The Big Apple and its dictatorial, overreaching overlords are a big joke and have been for more years than I can remember, and that’s a lot of years.

What a great opportunity to teach people how to look after their own private data – my phone has no pass-code and no private data – everything is uploaded to the cloud where it is double encrypted without a back-door for criminals to exploit. Only the mentally retarded will keep evidence on their smart phone for use by law enforcement. A good law that will only catch the people who are stupid enough to want to be caught.

These days, half your personal/private/incriminating data is in the hand (and on the devices) of your friends and family. What if one of them is “mentally retarded” by your standards? Are you sure your 90-years-old grandmother or your 5-years-old nephew can protect your data as perfectly as you yourself (allege to) do?

“United States of America” is fast becoming “Ruined States of America”.
Apple, Google et al, could stand up against this, by stop selling their devices in New York for a while. A month would probably be good enough to make the bill to fall dead on the ground.

Why don’t these ignorant idiots simply pass a law stating that it is illegal for criminals to use encryption. Surely everyone engaged in criminal activity would first remove the pass code and encryption of all their devices. That way the good guys & gals still keep all the security benefits.

The bill, also known as the “Pennsylvania, New Jersey, Connecticut, Massachusetts, and Vermont cell phone vendor massive sale assistance act of 2016….”

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?