Disappointing: Google Not Yet Requiring Phone Makers To Encrypt By Default

from the get-things-up-to-speed dept

Tue, Mar 3rd 2015 3:38pm — Mike Masnick

Well, this is disappointing. Back in September, we were happy to see both Apple and Google announced that their mobile platforms would be encrypted by default (for local storage, not for data transmissions), which has kicked off something of a new round of Crypto Wars, as law enforcement types have shoved each other aside to spread as much possible FUD about the "dangers" of mobile encryption (ignoring that they also recommend mobile encryption to keep your data safe).

However, as Ars Technica reported earlier this week, it appears that while Google is encrypting by default on its own Nexus phones that have the latest Android (Lollipop), it slightly eased back the requirements for its OEM partners such as Motorola and Samsung who make their own devices. Default encryption is now "very strongly RECOMMENDED" rather than required. And even with that "very strong RECOMMENDATION," it appears that neither Samsung or Motorola are enabling default encryption on its latest devices.

While some will likely jump to the conclusion that law enforcement pressure is at work here, a much more likely explanation is just the performance drag created by encryption. Last fall, Anandtech did some benchmarking of the Nexus 6 both with encryption on and off, and as the site itself says, the results are "not pretty." Given the competitive market, there's a decent chance that the big phone manufacturers didn't want to get bad benchmark ratings when phones are compared, and those made the decision to go against the "very strong recommendation."

Hopefully this gets sorted out quickly, as phonemakers can optimize new phones for encryption. And, honestly, as the Anandtech report itself notes, these benchmarks are basically meaningless for real world performance:

The real question we have to ask is whether or not any of these storage benchmarks really matter on a mobile device. After all, the number of intensive storage I/O operations being done on smartphones and tablets is still relatively low, and some of the situations where NAND slowdowns are really going to have an effect can be offset by holding things in memory.

But, it appears, while mobile phone makers don't want to take the chance of bad benchmarks hurting their reputation, they're less concerned about leaving consumers' data exposed.

It's disappointing that this is where things are today, after so much focus on default encryption just a few months ago, but hopefully it's just a temporary situation and we'll get to default encryption very, very soon.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: android, benchmarks, encryption, mobile encryption, oems, privacy
Companies: google, motorola, samsung

17 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 3 Mar 2015 @ 3:55pm

Simple solution
Don't purchase from vendors that refuse to encrypt by default.
[ link to this | view in chronology ]
Kal Zekdor (profile), 3 Mar 2015 @ 4:13pm

Disappointing is the word.
The main performance bottleneck on encrypting these devices is caused be the lack of a dedicated hardware encryption chip. That costs money, and necessitates a major hardware redesign. So they tried software FDE, which has performance costs. The performance drag was too great, so they complained to Google.

Google quietly backpedaled their encryption requirement. Not permanently (at least according to them), but just an extension to give the manufacturers more time to meet the requirement.

So... disappointing is the word. Especially how Google loudly boasted about always on encryption, but was nearly silent about pushing back the requirement.
[ link to this | view in chronology ]
Anonymous Coward, 3 Mar 2015 @ 10:06pm

What they should have done is spent resources in creating/improving the encryption to reduce the "cons", ios manages it by doing it at the hardware level, and if thats what it takes for default encryption, then quite frankly, thats what i expect from anyone whose SERIOUS about advancing the right to privacy.........or, you know, ......dont
[ link to this | view in chronology ]
lfroen (profile), 3 Mar 2015 @ 10:25pm

Nothing "disappointing" here
Google do a right thing here - leave a choice in hands of those who care.
Did you ever saw a door manufacturer that _require_ to use a lock? Did you ever saw such a car?

So why the hell my phone should be different? Can I please choose by myself whether to use encryption, what kind of encryption and what to actually encrypt?

People don't expect that car/house/suitcase will somehow lock itself. And people know how to turn protection on a phone too. My 9yo daughter somehow knows.

So let the Google write software and let those who care make decisions.
[ link to this | view in chronology ]
- Kal Zekdor (profile), 4 Mar 2015 @ 12:38am
  
  Re: Nothing "disappointing" here
  I don't know where you've been living, but cars that lock themselves automatically are most certainly a thing.
  [ link to this | view in chronology ]
- Bamboo Harvester (profile), 4 Mar 2015 @ 5:57am
  
  Re: Nothing "disappointing" here
  "Did you ever saw a door manufacturer that _require_ to use a lock?"
  
  Yes, just about all of them. Exterior doors are pre-drilled at the factory for both a knob and a deadbolt.
  
  If you do NOT want either or both, you have to special order the door. Which usually adds about 50% to the cost, especially on steel-sheathed doors.
  [ link to this | view in chronology ]
Anonymous Coward, 3 Mar 2015 @ 10:47pm

Walmart
Some big companies these days are all too eager to subvert their customers safety and security.

Walmart sells some Android tablet models specially tailored for them and marketed under the RCA brand from which they have completely removed the encryption option from the operating system. Kind of lets you know where Walmart stands on the issue, doesn't it?
[ link to this | view in chronology ]
- Anonymous Coward, 4 Mar 2015 @ 6:32pm
  
  Re: Walmart
  Some big companies these days are all too eager to subvert their customers safety and security.
  
  You mean "allow customers to decide their own saftey and security". Hell, some, though a vanishing few now, governements allow their citizens to do the same.
  
  Walmart sells some Android tablet models specially tailored for them...
  
  And some Walmart customers CHOOSE to buy them. Or should those customers not be allow to CHOOSE to buy something they can control? Should Walmart be FORCED to only sell the phones that you think are "safe" to their customers?
  [ link to this | view in chronology ]
Mr. Oizo, 3 Mar 2015 @ 11:27pm

Nothing unexpected
I believe I mentioned something about Google's show all being theater. Sad that I was right apparently. Mind you, this would not be the first time that Google in a blitz-PR effort tries to convince everyone that they are the 'good' guys. Maybe you should just consider that they might be an obvious part of the NSA program.
[ link to this | view in chronology ]
- R.H. (profile), 4 Mar 2015 @ 6:34am
  
  Re: Nothing unexpected
  You say this but, the Nexus branded Android devices (you know, the ones Google designs themselves) do have encryption enabled by default. Google just isn't forcing encryption on their OEM's. I think they should but, that's my own opinion.
  [ link to this | view in chronology ]
  - Mr. Oizo, 4 Mar 2015 @ 3:03pm
    
    Re: Re: Nothing unexpected
    Fox watching the hen-house much ?
    
    The maker of the OS that promises not to look at the data. Next year I will believe Barack O'Bummer as well.
    [ link to this | view in chronology ]
Anonymous Coward, 4 Mar 2015 @ 12:08am

You should have began this article with your other oft used opener: "As expected,.."
[ link to this | view in chronology ]
Anonymous Coward, 4 Mar 2015 @ 1:27am

Its just a setting - its not like you can't have an encrypted phone if you want it and having it encrypted means having to put in a password every time you turn it on which is a pain in the ass!
[ link to this | view in chronology ]
toyotabedzrock (profile), 4 Mar 2015 @ 2:28am

The reason why is that most android phones have no encryption acceleration extensions in their 32bit arm SOCs. That will change as armv8 is rolled out.
[ link to this | view in chronology ]
Ed (profile), 4 Mar 2015 @ 6:55am

It is easy enough to tell if your Android device has hardware or software based encryption available. Go to the Settings > Security and see if the encryption is listed as "hardware" or "software". My HTC One M8 says "Hardware-backed", so the system does have dedicated encryption hardware. My old MyTouch 4G Slide, however, says "software", so that phone did not have the hardware to do it and relied upon the OS for encryption.
I don't have the encryption activated on my M8 because I choose to not have a locked phone. I live alone and it is simply unlikely that my phone is ever out of my site or possession, so I'm not worried about it. The convenience of not having to enter an unlock code every time I open the case overrules any benefit I might get from encrypting the phone. But, that's just me. I can understand others might want and need that added security, and it is available to them should they choose it.
[ link to this | view in chronology ]
No, 4 Mar 2015 @ 8:59am

Go Figure
Maybe there are those who are disappointed that encryption on phones is not offered by default from such companies, but doubtful there can be anyone surprised given these companies' track records for willingness to invade privacy.
[ link to this | view in chronology ]
- John Fenderson (profile), 4 Mar 2015 @ 9:07am
  
  Re: Go Figure
  That doesn't follow. Enabling encryption by default in no way stops the types of spying that those companies engage in.
  [ link to this | view in chronology ]