The battle against default encryption on phones has erupted in the phone makers’ back yard.
California, home to both Google and Apple, has joined the fray of state and federal governments ganging up on encryption that can’t be cracked by even the phones’ manufacturers.
California Assembly member Jim Cooper has introduced a bill that would outlaw encryption on phones that can’t be cracked by law enforcement and manufacturers.
An excerpt:
This bill would require a smartphone that is manufactured on or after January 1, 2017, and sold in California, to be capable of being decrypted and unlocked by its manufacturer or its operating system provider.
The bill would, except as provided, subject a seller or lessor that knowingly failed to comply with that requirement to a civil penalty of $2,500 for each smartphone sold or leased.
The bill is similar to one introduced in New York earlier this month.
In fact, California’s proposed bill even matches the $2,500 fine per noncompliant phone that was proposed in New York’s bill.
The main difference between the bills, in fact, is that Cooper has swapped out the rationale for weakening encryption that’s been used by governments including England and China – i.e., fighting terrorism.
Instead, Cooper’s justified his proposed ban on unbreakable encryption as a way to fight human trafficking.
Cooper, a former police officer who spent 30 years on the force, is from a city in Sacramento County, which is considered to be Northern California’s gateway for human trafficking.
He says that full-disk encryption introduced to mobile device operating systems in 2014 has foiled the law’s attempts to prosecute human traffickers:
Human traffickers are using encrypted cell phones to run and conceal their criminal activities.
Full-disk encrypted operating systems provide criminals an invaluable tool to prey on women, children, and threaten our freedoms while making the legal process of judicial court orders useless.
When he introduced the bill on Wednesday, Cooper was flanked by various law enforcement officials and anti-human trafficking advocates, presenting the bill not as an attack on strong encryption but rather as legislation concerned with “evidentiary access.”
One of those advocates, Jenny Williamson, Founder and CEO of Courage Worldwide, said that “every single girl” that’s come to her organization has been trafficked via mobile phone:
The crimes are placed in the girl’s hand via that phone.
[The pimp] makes her take her own pictures, he makes her post her own photos. So if he gets caught, the act will be on her. The crime will be on her.
He uses that threat to keep her in line, that she’s going to be put in jail. The phone holds the evidence to her abuse, [evidence of her] being sold as a commodity.
Law enforcement agents have been making a similar argument for years.
When Apple came out with its “even we can’t break it” encryption, the chief of detectives for Chicago’s police department said that it would lead to pedophiles flocking to phones running iOS:
Apple will become the phone of choice for the pedophile. The average pedophile at this point is probably thinking, I’ve got to get an Apple phone.
In October 2014, FBI Director James Comey took both Google and Apple to task over their use of encryption by default in Android and iOS phones, saying that law enforcement’s inability to crack passwords could lead to justice being thwarted:
If this becomes the norm, I would suggest to you that homicide cases could be stalled, suspects could walk free, and child exploitation might not be discovered or prosecuted.
Justice may be denied, because of a locked phone or an encrypted hard drive.
Comey said that what concerns him the most was the idea of companies “marketing something expressly to allow people to place themselves beyond the law.”
Cooper said at Wednesday’s press conference about the California bill that the proposed anti-encryption bill isn’t a case of surveillance run amok:
It’s not the boogie man. It’s not NSA [National Security Agency]. It’s not Edward Snowden. 99% of the public will never have their phone searched with a court order.
Rather, he told Ars Technica, it’s about catching bad guys doing bad things:
For the industry to say it’s privacy, it really doesn’t hold any water. We’re going after human traffickers and people who are doing bad and evil things. Human trafficking trumps privacy, no ifs, ands, or buts about it.
But, as we have pointed out before, implementing backdoors for law enforcement also creates vulnerabilities that the bad guys could exploit.
Andrew Crocker, an attorney with the Electronic Frontier Foundation (EFF), told Ars that the bill had “glaring problems” and that it was “entirely infeasible from a technical perspective.”
There is no way to ensure that phones can be decrypted by the police and not the bad guys. Just as in New York, this California lawmaker misses the point that it’s not about privacy but security – the security of innocent people’s devices against hackers, thieves and others. It could well be unconstitutional under the First Amendment as well.
Crocker says he’s sympathetic about the need to protect children: a point Cooper stressed multiple times.
But that doesn’t make it permissible to allow police to disregard privacy and security, he said.
This is a law that would make us all less secure. Meanwhile the police have access to lots of other tools to get at this evidence, from hacking or brute forcing the device to getting cloud backups to forcing the owner to unlock the phone.
Image of Padlock on smart phone courtesy of Shutterstock.com
Billy Reuben
It’s not “human trafficking”. It’s slavery. Anyone who can’t acknowledge this is being disingenuous, and in it for something other than the safety and liberty of human beings. These are elitists, who, by the way will never live in the world they prescribe for others. They will retain their encrypted phones because – well, they’re just better than you are.
Anonymous
They will retain their own encrypted phones, but they will justify it in terms of “National Security”…
Mahhn
People that won’t unlock their phones for LE that are suspect of this, I have no problem if someone cuts off a finger of theirs every 1 min until the phone is unlocked. I suspect it will only take 1 min to get the password. Should be done in public, maybe even on TV. No mercy for these kinds of people.
David Pottage
@Mahhn
Wow, I did not expect to see a commentator on naked security advocating torture and dismemberment for criminal suspects!
In this case we are talking about people suspected of Human trafficing (AKA slavery), but in other countries, the secret police will be torturing people suspected of having the wrong religion or sedition.
In any discussion about back doors for law enforcement it is worth remembering that many countries, including large ones we do a lot of trade with have very different and repressive laws, that we probably don’t want to assist in any way.
Mahhn
I have 0 mercy for people who commit crimes against children. No excuses. If you are accused of trafficking people and won’t unlock your phone for the court, it would be your decision. It’s not the same as torturing people just to hurt them. It’s 100% preventable by the phone owner. I’ve met people like this, I have no mercy for them and they have none for anyone, especially your children if they can cash in on them
Kyle Saia
this is really getting out of hand now. don’t they understand that making laws like this doesn’t help catch the bad guys, it only makes them find different solutions. this only leaves the rest of us in a bad place.
I wish i could live in this world that the politicians live in where everyone obeys the laws.
Fed up
Google and Apple are both sitting on piles of cash, so they should take the temporary hit to profit and simply stop the sales of cellphones in California and New York; the consumers will take care of the rest. When New Yorkers and Californians can not purchase cell phones due to the actions of lawmakers in their state, it won’t be long before the state has a new set of lawmakers sitting in those seats that understand the rules and are reminded they are their to represent the interests of the pubic and not themselves.
David Pottage
@Fed up
That might work, but only if Google & Apple have public opinion on their side. Unfortunately I think that a lot of people would be swayed by the “Think of the children” argument the the lawmakers would use, so Apple etc would just be seen as obstructive for their own ends. The lawmakers would probably stay in office and would enact stronger laws to force the phone makers to do what they want. (Threatening to put the execs in jail would do the trick).
I am not sure if it is technically feasible, but perhaps a middle way might work, where the phone makers have the ability to unlock a phone for law enforcement only if they physically dis-assemble it in their lab in California, but never remotely.
If Apple could unlock and read any phone, but only if it was sent to them with a valid warrant and a $1000 handling fee, then it would satisfy most of the law enforcement officers complaints about not being able to decrypt phones seized from those suspected of serious crimes, but also calm fears about bulk interception, remote hacking, and un-justified fishing expeditions by law enforcement officers.
No doubt the Russians, Chinese, etc would figure out how to decrypt iPhones themselves, so the warrant requirement would not protect dissidents in those countries, but if Apple designed things right they could still make it a tricky process that would destroy the phone, so that even the secret police in repressive regimes would be reluctant to read too many phones that way, and an evil maid attack would be impossible.