California Lawmakers Manage To Turn Encrypted Phone Ban Legislation Into Encryption Backdoor Legislation

from the your-tax-dollars-malfunctioning dept

Post sponsored by

Golden Frog

As part of our funding campaign for our coverage of encryption, we reached out to some companies that care about these issues to ask them to show their support. This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.


The California Assembly has been tinkering with Assemblyman Jim Cooper's smartphone encryption ban… and for the worse. First noticed by EFF Staff Attorney Andrew Crocker, legislators have turned the proposed ban into something that accomplishes the same goals without actually "banning" anything.

Rather than forbid the sale of smartphones that can't be decrypted by their manufacturers, the new wording will direct fines at manufacturers who can't decrypt phones upon receipt of a warrant or other court order. (added/altered wording in bold)

(b) A smartphone manufactured on or after January 1, 2017, that is not capable of being decrypted and unlocked by its manufacturer or its operating system provider shall subject the manufacturer or operating system provider of a smartphone sold or leased in California on or after January 1, 2017, shall be subject to a civil penalty of two thousand five hundred dollars ($2,500) for each smartphone sold or leased in California if instance in which the manufacturer or operating system provider of the smartphone knew at the time of the sale or lease that the smartphone was not capable of being decrypted and unlocked by the manufacturer or its operating system provider. is unable to decrypt the contents of the smartphone pursuant to a state court order. A manufacturer or operating system provider who pays a civil penalty imposed pursuant to this subdivision shall not pass on any portion of that penalty to purchasers of smartphones. This civil penalty shall not preclude the imposition of any other penalty pursuant to law.
So, rather than an encrypted smartphone ban, it's an encryption backdoor mandate. In order to sell phones in California, manufacturers will have to make less secure versions specifically for that market -- ones where they hold the keys and are subject to law enforcement demands for a spare set.

This is bad for Californians looking for more secure phone options and bad for cellphone manufacturers, who have zero interest in acting as encryption key repositories. And the altered wording would allow the state to pursue manufacturers that have never sold a phone directly to Californians. Third-party retailers can still offer encrypted phones to customers without fear of reprisal as doing so would not run afoul of the proposed law. Instead, it would be the manufacturers' fault if phones without encryption backdoors were sold in the state.

The only way for phone manufacturers to ensure they comply with this law would be to stop offering encryption they can't crack, as it's inevitable that California-based retailers will still be able to find customers interested in devices without manufacturer/operating system backdoors.

This is stupid, reactionary lawmaking somehow managing to become even more stupid and reactionary after receiving input from other legislators. If this level of stupidity remains in full force, the end result could be Californians buying their cell phones directly from the state -- much in the way some states handle alcohol sales.


VyprVPN from Golden Frog is the world's fastest highly-secure VPN.
Learn more about VyprVPN »

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoor, california, encryption, sponsored post


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    hoare (profile), 7 Apr 2016 @ 10:17am

    Golden Frog Sucks

    About a year ago I was looking for a VPN so I tried Golden frog VyprVPN. They said they didn't log. I used bit torrent to download an episode of Justified that I had missed. They locked my account when they got an "infringment" notice. Even though I pay for FX and was simply time shifting. Golden Frog lies ... don't trust a thing they say. IMHO

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 7 Apr 2016 @ 10:18am

    LOLS

    That would be like charging a gun manufacturer for a murder that was committed by a felon who bought the gun from a third party reseller. Even if this were to pass into law, I doubt that it would survive a court challenge.

    link to this | view in thread ]

  3. icon
    AricTheRed (profile), 7 Apr 2016 @ 10:20am

    Looks like the legislators want Encryption for Me not for Thee

    The way I read this is Encryption for Me not for Thee.

    Simple.

    Don't want to, or can't, pay $3,200 outright for an actually encrypted iPhone ($2,500 encryption fee plus phone purchase)?

    Fine! Your device, the one for the unwashed masses, will be running FBiOS.

    All the lawmakers, rich folk, and LEO's will have encrypted phones.

    Everyone wins!

    link to this | view in thread ]

  4. icon
    steell (profile), 7 Apr 2016 @ 10:26am

    Way to drive more businesses out of the State of California and overseas.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 7 Apr 2016 @ 10:43am

    Smartphones are known to the state of Kalifornia

    Warning, this smartphone contains encryption, a software known to the state of Kalifornia to cause terrorist attacks.

    link to this | view in thread ]

  6. icon
    Trin (profile), 7 Apr 2016 @ 10:47am

    >This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.


    Golden Frog & VyprVPN is none of these. It is one of the worst choices for a VPN if you do value your privacy and security.

    There are scores of examples that show they log & monitor your traffic. This is completely antithetical to the entire point of using a VPN.

    I hope the people reading this who are looking for a decent VPN do their research & due diligence on which VPN providers actually respect your privacy.

    Techdirt: Really? An encryption specific post that is sponsored by a company that in no way values your privacy? Next time just have the DoJ sponsor the post...they care too.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 7 Apr 2016 @ 10:49am

    Re: Golden Frog Sucks

    They....


    ALL LIE!

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 7 Apr 2016 @ 10:49am

    Re:

    You must have not been paying much attention to the courts lately.

    link to this | view in thread ]

  9. icon
    Machin Shin (profile), 7 Apr 2016 @ 10:49am

    This really makes me wonder about how companies would handle android phones, because someone could easily buy the phone and install a different ROM and lock the phone so the manufacture is not able to get in.

    How would this be handled under this law? Would they be ok so long as they could bypass their official ROM? Or would they have to promise to be able to get into others too?

    link to this | view in thread ]

  10. icon
    DB (profile), 7 Apr 2016 @ 11:08am

    This is so far from being effective legislation that we can only analyze it as we would with cartoon physics.

    First, what is a smartphone? Sure, we know one when we see it. Like my phone-shaped Android device.. that has only WiFi. But acts just like a phone with a VOIP application working over WiFi. But not my tablet with a cellular modem. Despite having the same chips, OS and applications as a smartphone, its slightly larger screen makes it a Completely Different Thing.

    Even if you think you can draw a line, next year's smartwatch equivalent will make it laughably irrelevant.

    Next, who is really responsible? Samsung, Apple and Google are clearly in the cross-hairs of this legislation. But can any of those parties ensure that Amazon's cached content be decrypted? Or any of the other almost-million applications?

    Can a phone ship with latent encryption disabled by default? Hidden? Barely hidden? Enabled only when you set a password? Not shipped by default, but automatically downloaded and installed when you set a password?

    I could spend hours poking holes into this proposal..

    link to this | view in thread ]

  11. identicon
    kallethen, 7 Apr 2016 @ 11:17am

    Re: Looks like the legislators want Encryption for Me not for Thee

    Actually, the masses will still pay only for the only phone, not the $2500 fee. The proposed legislation states that the manufacturers cannot pass the fee on to customers.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 7 Apr 2016 @ 11:24am

    Re:

    Democrats have no problem with that either.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 7 Apr 2016 @ 11:24am

    Just when you think politicians can't get any more stupid...once pops up to prove you wrong.

    link to this | view in thread ]

  14. identicon
    AJ, 7 Apr 2016 @ 11:26am

    Re: Re: Looks like the legislators want Encryption for Me not for Thee

    LOL! Companies don't pay fee's, nor taxes, hell they don't even buy material or labor. The consumer that purchases their products pay for all that. There is no way not to pass it down to consumers. One way or another, we will pay for all of it.

    link to this | view in thread ]

  15. identicon
    Vic, 7 Apr 2016 @ 11:27am

    These days you can, you know, buy directly from a manufacturer in China (lots of choices, actually) and let California law enforcement send angry letters to ... Where exactly? Many of those companies are not represented in the US!

    link to this | view in thread ]

  16. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 7 Apr 2016 @ 11:35am

    Techdirt sells out

    Thanks for letting us know.

    link to this | view in thread ]

  17. icon
    DannyB (profile), 7 Apr 2016 @ 12:38pm

    Re: Techdirt sells out

    So proudly announcing the sponsorship of a newsworthy article, in the public interest, is selling out?

    How would you react if a company approached TechDirt, says, write this specific content favorable to me, in exchange for money, and keep it a secret. Would you call that 'selling out' or would you call it good honest 'lobbying'?

    Similarly, what would your reaction be if TechDirt has an ad disguised as if it were an article? Not 'selling out' but good ol' dishonest 'advertising'?

    Selling Out is what happens when an artist signs with an RIAA label. Not what happens with an article is sponsored.

    link to this | view in thread ]

  18. icon
    DannyB (profile), 7 Apr 2016 @ 12:43pm

    Re:

    Foreign phone manufacturers will simply have:
    1. a backdoored version for the US and other repressive regimes.
    2. a secure phone for free countries.

    US manufacturers will have either one phone version for everyone, or will as in the previous paragraph have two versions for free and non-free countries. Either way, nobody will trust US made phones. The other 96% of the world's population will not want US made phones. (Even if they are physically manufactured in China.)

    Good job California! Great way to destroy American business.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 7 Apr 2016 @ 12:44pm

    whack a mole:
    1) store encrypted docs in cloud - not on phone. then, you need a password to get to the encrypted docs. And there are too many of those

    2) start selling phones in NV or AZ or OR. charter a party bus to go to those states and buy phones over there, and then bring them back into CA

    3) sell a phone, in the open....with a tethered tablet to keep my selfies. cortana or icloud can forward my texts to the tablets, and tablets don't have the communications equipment, so they are exempt from the law.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 7 Apr 2016 @ 12:50pm

    what happens when a smart phone is without encryption...except for an app like WhatsApp?

    link to this | view in thread ]

  21. icon
    DannyB (profile), 7 Apr 2016 @ 12:51pm

    The War On Terror

    Here is an idea.

    A bit of googling tells me that the number of people have been killed in terrorist attacks since 9/11/2001 are far, far fewer than the number of people who die in automobile accidents every single year as a result of cars driven by inferior, annoying, distracted, sleepy humans.

    What if we took away all of the resources wasted on the War On Terror and spent it on a new 'moon shot' or 'manhattan project'? Let's call it: The War On Human Driven Cars.

    The number of lives saved would be enormously larger.

    The FBI's top attorney says:
    http://www.usnews.com/news/articles/2016-04-05/top-fbi-attorney-james-baker-worried-about-whats app-encryption
    "If the public does nothing, encryption like that will continue to roll out," he said. "It has public safety costs. Folks have to understand that, and figure out how they are going to deal with that. Do they want the public to bear those costs? Do they want the victims of terrorism to bear those costs?"
    Maybe bearing those costs would be far better than bearing the costs of human driven vehicles?

    link to this | view in thread ]

  22. identicon
    Anonmylous, 7 Apr 2016 @ 12:52pm

    That's so cute!

    "A manufacturer or operating system provider who pays a civil penalty imposed pursuant to this subdivision shall not pass on any portion of that penalty to purchasers of smartphones."

    Hahah. Hah. HAHAHAHAHAHAHAHAHAHAHAHAH!

    Cause we all know cell phone prices are based on hard numbers and regulated profit margins allowed by law, and not just whatever the manufacturer and retailers decide upon.

    Pretty sure if this passes we'll ALL suddenly be paying even higher retail costs for cell phones. Thank you California!

    link to this | view in thread ]

  23. icon
    DannyB (profile), 7 Apr 2016 @ 12:53pm

    What if a THIRD PARTY APP has the encryption?

    Suppose the phone is backdoored as per the US Government.

    Suppose the user is using an app like WhatsApp that is end to end encrypted?

    What if the user is using an obscure app not on the phone's app store, but was installed manually onto the phone? (Not that hard to do on Android.)

    link to this | view in thread ]

  24. icon
    Aaron Walkhouse (profile), 7 Apr 2016 @ 1:36pm

    At only $2500 per court case this effectively guts the bill.

    These cases don't come up often enough to cause more than a
    few cents cost per year for each phone sold that year.

    Any phone manufacturer could absorb it as a minor cost.
    That makes it no more than a token gesture for publicity.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 7 Apr 2016 @ 2:11pm

    Soooo....

    So will phones used in California be like their cars which have to have extra, super-duper smog eliminating gadgets in them? Does that mean that when the phone is no longer in California (or is sold and then shipped out of California) the back door can be removed/eliminated with a patch of some sort? Since this is California specific, I suppose people traveling to the Worst Coast will just have to leave their own phones at home and get a burner to use when out there...

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 7 Apr 2016 @ 2:14pm

    Had it not been for the government wanting in everyone's underware, encryption would not have sprouted and blossomed as much as it has.

    Corporations have had to go to encryption and will be pushed to continue to go to it as long as the government wants in everyone's personal lives. They have to do that in order to maintain creditability on the global market place.

    Once you seal off the possibility of keeping a good reputation through encryption to prevent spying, you also kill the market for the product globally. No wonder so many of these communications corporations are moving out of the US and using the tax problem as the reason. After they've received an NSL they can't say that was the reason.

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 7 Apr 2016 @ 2:57pm

    just wait for Hollywood celeb nudes

    Just wait for it.

    As soon as mandatory backdoors are installed and people figure out how to access them (which they will in... I'm guessing about 30 minutes after release) celebrity phone hacks will skyrocket since they'll be so easy.

    Once every famous idiot in Hollywood starts screaming, their studio exec handlers will start screaming, and that will cause their lobbyists to start screaming. At which point this legislation will mysteriously "disappear".

    link to this | view in thread ]

  28. icon
    nasch (profile), 7 Apr 2016 @ 3:02pm

    Re:

    what happens when a smart phone is without encryption...except for an app like WhatsApp?

    It could be argued that according to this bill the manufacturer of the phone or developer of the operating system can be fined for not being able to decrypt messages that they have no control over and had nothing to do with.

    link to this | view in thread ]

  29. icon
    nasch (profile), 7 Apr 2016 @ 3:04pm

    Re: The War On Terror

    A bit of googling tells me that the number of people have been killed in terrorist attacks since 9/11/2001 are far, far fewer than the number of people who die in automobile accidents every single year as a result of cars driven by inferior, annoying, distracted, sleepy humans.

    In fact, the number of people killed in the US by terrorism and car accidents in September 2001 was similar.

    link to this | view in thread ]

  30. icon
    nasch (profile), 7 Apr 2016 @ 3:11pm

    Re: Soooo....

    Since this is California specific, I suppose people traveling to the Worst Coast will just have to leave their own phones at home and get a burner to use when out there...

    It's not the user's problem, put whatever encryption you want on your phone whether you live in CA or not.

    link to this | view in thread ]

  31. identicon
    Mr Big Content, 7 Apr 2016 @ 4:30pm

    Makes You Proud To Be A American

    We dont use end-to-end encryption in Muskogee
    We dont take no trips on VPN
    We dont run no TOR relays down on Main Street
    We like livin right, and bein free.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 7 Apr 2016 @ 6:41pm

    Too many steps backwards

    Man.. these guys are practically moon walking, by attempting to ban encryption on mobile phones. I expect them to encounter all sorts of problems, you know, because they aren't looking forward.

    link to this | view in thread ]

  33. identicon
    Seth, 7 Apr 2016 @ 8:58pm

    Maybe Apple and Google should just not sell smartphones in CA any more. When the people start to revolt, just let them know it was their idiot politicians who did it.

    link to this | view in thread ]

  34. icon
    Kal Zekdor (profile), 7 Apr 2016 @ 9:26pm

    Re: Re: The War On Terror

    Maybe I'm falling victim to Poe's Law here, but you do realize that's not even close to the same thing, right?

    Terrorism related deaths spiked in 2001, but have severely dropped since then. Automobile related deaths have been more or less stable since then.

    As such, it is possible that terrorism deaths equaled automobile deaths in September 2001, and that automobile related deaths far outpaced terrorism related deaths since 9/11/2001.

    Terrorism has actually been less of an issue in recent years, the IRA just isn't that active these days. Yet it's still the go-to boogeyman, even though it's a minor threat in the grand scheme of things. Not to mention that reacting to terrorism like it was an existential threat is exactly what said terrorists want people to do, it gives them validation.

    link to this | view in thread ]

  35. identicon
    Anonymous Coward, 8 Apr 2016 @ 2:15am

    Yuck.. Paid lies.. Why does techdirt sink so low?

    link to this | view in thread ]

  36. identicon
    Anonymous Coward, 8 Apr 2016 @ 2:18am

    Lying site. Cannot trust goldfrog at all. They log and they will hand you over in a second

    link to this | view in thread ]

  37. identicon
    Anonymous Coward, 8 Apr 2016 @ 2:22am

    Good bye techdirt. Endorsing a site like goldfrog is insane, i cannt fanthom what is going through your mind not vetting who you are doing paid stories for.

    I am out, between gretchens daily spam and your constant book pushing. Its just not worth the value anymore

    link to this | view in thread ]

  38. identicon
    Dingledore the Flabberghaster, 8 Apr 2016 @ 2:42am

    Doesn't look like they defined "smartphone"

    at least in the segment shown above.

    Could just use a tablet or PC instead. If this legislation is really put into effect, which I suspect it won't, what would stop manufacturers going down the LG G5 module route and building a "phone" module to add on to small tablet type device? Even as a concept build it could go towards the argument that most smartphones these days are less phone, more mobile device.

    link to this | view in thread ]

  39. icon
    nasch (profile), 8 Apr 2016 @ 7:01am

    Re: Re: Re: The War On Terror

    Maybe I'm falling victim to Poe's Law here, but you do realize that's not even close to the same thing, right?

    I'm not sure what you mean. Obviously terrorism and car accidents are not the same thing. My point is that the worst terrorist attacks in the history of the country were only as bad as a typical month of car accidents, yet we decided to freak out about one and we're mostly OK with the other. I say mostly because we continue to improve car safety, but hardly anyone seems very concerned about the issue, certainly not to the extent of terrorism. This despite the fact that car accidents are far more dangerous.

    link to this | view in thread ]

  40. icon
    John Fenderson (profile), 9 Apr 2016 @ 1:29pm

    Re: Looks like the legislators want Encryption for Me not for Thee

    Not a problem, really, since you don't need a device manufacturer to provide the encryption built in. You can add it yourself after purchase, and (if done properly) there is nothing the government or manufacturer can do about it.

    All of this just underscores an important point: built in encryption is a good thing, but you have to be able to trust whoever it is that put the crypto system in. Legislation like this just means that you can trust manufacturers even less than you could before. And trusting manufacturers or service providers has always been a pretty bad security practice.

    link to this | view in thread ]

  41. icon
    John Fenderson (profile), 9 Apr 2016 @ 1:32pm

    Re:

    "someone could easily buy the phone and install a different ROM and lock the phone so the manufacture is not able to get in. "

    This is precisely what I do, and have done since my very first smartphone.

    link to this | view in thread ]

  42. icon
    John Fenderson (profile), 9 Apr 2016 @ 1:33pm

    Re: Techdirt sells out

    Do you work for a paycheck? What a sellout.

    link to this | view in thread ]

  43. icon
    nasch (profile), 10 Apr 2016 @ 8:06am

    Re: Re: Looks like the legislators want Encryption for Me not for Thee

    You can add it yourself after purchase, and (if done properly) there is nothing the government or manufacturer can do about it.

    It seems like the manufacturer or OS provider (which one, if they're not the same entity?) would be liable even for third party encryption.

    "A manufacturer or operating system provider of a smartphone sold or leased in California on or after January 1, 2017, shall be subject to a civil penalty of two thousand five hundred dollars ($2,500) for each instance in which the manufacturer or operating system provider of the smartphone is unable to decrypt the contents of the smartphone pursuant to a state court order."

    No specification of built-in encryption, and no exceptions for third-party encryption.

    link to this | view in thread ]

  44. icon
    John Fenderson (profile), 11 Apr 2016 @ 6:53am

    Re: Re: Re: Looks like the legislators want Encryption for Me not for Thee

    Perhaps, but I'm guessing that since there's nothing that manufacturers can do to prevent it, if such a case went to court then the manufacturer would prevail.

    I'm giving the courts enough credit to recognize that the law cannot compel action which is impossible to perform. I'm not entirely certain about whether or not that's too much credit.

    link to this | view in thread ]

  45. icon
    nasch (profile), 11 Apr 2016 @ 7:04am

    Re: Re: Re: Re: Looks like the legislators want Encryption for Me not for Thee

    The question is whether the judge or jury could be convinced that it actually is impossible.

    link to this | view in thread ]

  46. identicon
    Neelam Sumitra, 11 Apr 2016 @ 8:29am

    Re: Re: Techdirt sells out

    Just when you think politicians can't get any more stupid...once pops up to prove you wrong.

    link to this | view in thread ]

  47. identicon
    Anonymous Coward, 13 Apr 2016 @ 12:43pm

    California AB 1681 defeated

    California phone decryption bill defeated”, By Jeremy B. White, The Sacramento Bee, Apr 12, 2016
    The bill did not receive a vote . . .

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.