The battle against default encryption on phones has erupted in the phone makers’ back yard.
California, home to both Google and Apple, has joined the fray of state and federal governments ganging up on encryption that can’t be cracked by even the phones’ manufacturers.
California Assembly member Jim Cooper has introduced a bill that would outlaw encryption on phones that can’t be cracked by law enforcement and manufacturers.
An excerpt:
This bill would require a smartphone that is manufactured on or after January 1, 2017, and sold in California, to be capable of being decrypted and unlocked by its manufacturer or its operating system provider.
The bill would, except as provided, subject a seller or lessor that knowingly failed to comply with that requirement to a civil penalty of $2,500 for each smartphone sold or leased.
The bill is similar to one introduced in New York earlier this month.
In fact, California’s proposed bill even matches the $2,500 fine per noncompliant phone that was proposed in New York’s bill.
The main difference between the bills, in fact, is that Cooper has swapped out the rationale for weakening encryption that’s been used by governments including England and China – i.e., fighting terrorism.
Instead, Cooper’s justified his proposed ban on unbreakable encryption as a way to fight human trafficking.
Cooper, a former police officer who spent 30 years on the force, is from a city in Sacramento County, which is considered to be Northern California’s gateway for human trafficking.
He says that full-disk encryption introduced to mobile device operating systems in 2014 has foiled the law’s attempts to prosecute human traffickers:
Human traffickers are using encrypted cell phones to run and conceal their criminal activities.
Full-disk encrypted operating systems provide criminals an invaluable tool to prey on women, children, and threaten our freedoms while making the legal process of judicial court orders useless.
When he introduced the bill on Wednesday, Cooper was flanked by various law enforcement officials and anti-human trafficking advocates, presenting the bill not as an attack on strong encryption but rather as legislation concerned with “evidentiary access.”
One of those advocates, Jenny Williamson, Founder and CEO of Courage Worldwide, said that “every single girl” that’s come to her organization has been trafficked via mobile phone:
The crimes are placed in the girl’s hand via that phone.
[The pimp] makes her take her own pictures, he makes her post her own photos. So if he gets caught, the act will be on her. The crime will be on her.
He uses that threat to keep her in line, that she’s going to be put in jail. The phone holds the evidence to her abuse, [evidence of her] being sold as a commodity.
Law enforcement agents have been making a similar argument for years.
When Apple came out with its “even we can’t break it” encryption, the chief of detectives for Chicago’s police department said that it would lead to pedophiles flocking to phones running iOS:
Apple will become the phone of choice for the pedophile. The average pedophile at this point is probably thinking, I’ve got to get an Apple phone.
In October 2014, FBI Director James Comey took both Google and Apple to task over their use of encryption by default in Android and iOS phones, saying that law enforcement’s inability to crack passwords could lead to justice being thwarted:
If this becomes the norm, I would suggest to you that homicide cases could be stalled, suspects could walk free, and child exploitation might not be discovered or prosecuted.
Justice may be denied, because of a locked phone or an encrypted hard drive.
Comey said that what concerns him the most was the idea of companies “marketing something expressly to allow people to place themselves beyond the law.”
Cooper said at Wednesday’s press conference about the California bill that the proposed anti-encryption bill isn’t a case of surveillance run amok:
It’s not the boogie man. It’s not NSA [National Security Agency]. It’s not Edward Snowden. 99% of the public will never have their phone searched with a court order.
Rather, he told Ars Technica, it’s about catching bad guys doing bad things:
For the industry to say it’s privacy, it really doesn’t hold any water. We’re going after human traffickers and people who are doing bad and evil things. Human trafficking trumps privacy, no ifs, ands, or buts about it.
But, as we have pointed out before, implementing backdoors for law enforcement also creates vulnerabilities that the bad guys could exploit.
Andrew Crocker, an attorney with the Electronic Frontier Foundation (EFF), told Ars that the bill had “glaring problems” and that it was “entirely infeasible from a technical perspective.”
There is no way to ensure that phones can be decrypted by the police and not the bad guys. Just as in New York, this California lawmaker misses the point that it’s not about privacy but security – the security of innocent people’s devices against hackers, thieves and others. It could well be unconstitutional under the First Amendment as well.
Crocker says he’s sympathetic about the need to protect children: a point Cooper stressed multiple times.
But that doesn’t make it permissible to allow police to disregard privacy and security, he said.
This is a law that would make us all less secure. Meanwhile the police have access to lots of other tools to get at this evidence, from hacking or brute forcing the device to getting cloud backups to forcing the owner to unlock the phone.
Image of Padlock on smart phone courtesy of Shutterstock.com