California Lawmakers Manage To Turn Encrypted Phone Ban Legislation Into Encryption Backdoor Legislation
from the your-tax-dollars-malfunctioning dept
As part of our funding campaign for our coverage of encryption, we reached out to some companies that care about these issues to ask them to show their support. This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.
The California Assembly has been tinkering with Assemblyman Jim Cooper's smartphone encryption ban… and for the worse. As first noticed by EFF Staff Attorney Andrew Crocker, legislators have turned the proposed ban into something that accomplishes the same goals without actually "banning" anything.
Rather than forbid the sale of smartphones that can't be decrypted by their manufacturers, the new wording will direct fines at manufacturers who can't decrypt phones upon receipt of a warrant or other court order. (Deleted wording is shown as [deleted: ...]; the unmarked text is the amended wording.)
(b) A [deleted: smartphone manufactured on or after January 1, 2017, that is not capable of being decrypted and unlocked by its manufacturer or its operating system provider shall subject the] manufacturer or operating system provider of a smartphone sold or leased in California on or after January 1, 2017, shall be subject to a civil penalty of two thousand five hundred dollars ($2,500) for each [deleted: smartphone sold or leased in California if] instance in which the manufacturer or operating system provider of the smartphone [deleted: knew at the time of the sale or lease that the smartphone was not capable of being decrypted and unlocked by the manufacturer or its operating system provider.] is unable to decrypt the contents of the smartphone pursuant to a state court order. A manufacturer or operating system provider who pays a civil penalty imposed pursuant to this subdivision shall not pass on any portion of that penalty to purchasers of smartphones. This civil penalty shall not preclude the imposition of any other penalty pursuant to law.
So, rather than an encrypted smartphone ban, it's an encryption backdoor mandate. In order to sell phones in California, manufacturers will have to make less secure versions specifically for that market -- ones where they hold the keys and are subject to law enforcement demands for a spare set.
This is bad for Californians looking for more secure phone options and bad for cellphone manufacturers, who have zero interest in acting as encryption key repositories. And the altered wording would allow the state to pursue manufacturers that have never sold a phone directly to Californians. Third-party retailers can still offer encrypted phones to customers without fear of reprisal as doing so would not run afoul of the proposed law. Instead, it would be the manufacturers' fault if phones without encryption backdoors were sold in the state.
The only way for phone manufacturers to ensure they comply with this law would be to stop offering encryption they can't crack, as it's inevitable that California-based retailers will still be able to find customers interested in devices without manufacturer/operating system backdoors.
This is stupid, reactionary lawmaking somehow managing to become even more stupid and reactionary after receiving input from other legislators. If this level of stupidity remains in full force, the end result could be Californians buying their cell phones directly from the state -- much in the way some states handle alcohol sales.
VyprVPN from Golden Frog is the world's fastest highly-secure VPN.
Filed Under: backdoor, california, encryption, sponsored post
Reader Comments
Golden Frog Sucks
[ link to this | view in chronology ]
Re: Golden Frog Sucks
ALL LIE!
[ link to this | view in chronology ]
That would be like charging a gun manufacturer for a murder that was committed by a felon who bought the gun from a third party reseller. Even if this were to pass into law, I doubt that it would survive a court challenge.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Looks like the legislators want Encryption for Me not for Thee
Simple.
Don't want to, or can't, pay $3,200 outright for an actually encrypted iPhone ($2,500 encryption fee plus phone purchase)?
Fine! Your device, the one for the unwashed masses, will be running FBiOS.
All the lawmakers, rich folk, and LEO's will have encrypted phones.
Everyone wins!
[ link to this | view in chronology ]
Re: Looks like the legislators want Encryption for Me not for Thee
[ link to this | view in chronology ]
Re: Re: Looks like the legislators want Encryption for Me not for Thee
[ link to this | view in chronology ]
These cases don't come up often enough to cause more than a
few cents cost per year for each phone sold that year.
Any phone manufacturer could absorb it as a minor cost.
That makes it no more than a token gesture for publicity.
[ link to this | view in chronology ]
Re: Looks like the legislators want Encryption for Me not for Thee
All of this just underscores an important point: built in encryption is a good thing, but you have to be able to trust whoever it is that put the crypto system in. Legislation like this just means that you can trust manufacturers even less than you could before. And trusting manufacturers or service providers has always been a pretty bad security practice.
[ link to this | view in chronology ]
Re: Re: Looks like the legislators want Encryption for Me not for Thee
It seems like the manufacturer or OS provider (which one, if they're not the same entity?) would be liable even for third party encryption.
"A manufacturer or operating system provider of a smartphone sold or leased in California on or after January 1, 2017, shall be subject to a civil penalty of two thousand five hundred dollars ($2,500) for each instance in which the manufacturer or operating system provider of the smartphone is unable to decrypt the contents of the smartphone pursuant to a state court order."
No specification of built-in encryption, and no exceptions for third-party encryption.
[ link to this | view in chronology ]
Re: Re: Re: Looks like the legislators want Encryption for Me not for Thee
I'm giving the courts enough credit to recognize that the law cannot compel action which is impossible to perform. I'm not entirely certain about whether or not that's too much credit.
[ link to this | view in chronology ]
Re: Re: Re: Re: Looks like the legislators want Encryption for Me not for Thee
[ link to this | view in chronology ]
Re:
1. a backdoored version for the US and other repressive regimes.
2. a secure phone for free countries.
US manufacturers will have either one phone version for everyone, or will as in the previous paragraph have two versions for free and non-free countries. Either way, nobody will trust US made phones. The other 96% of the world's population will not want US made phones. (Even if they are physically manufactured in China.)
Good job California! Great way to destroy American business.
[ link to this | view in chronology ]
Smartphones are known to the state of Kalifornia
[ link to this | view in chronology ]
Golden Frog & VyprVPN is none of these. It is one of the worst choices for a VPN if you do value your privacy and security.
There are scores of examples that show they log & monitor your traffic. This is completely antithetical to the entire point of using a VPN.
I hope the people reading this who are looking for a decent VPN do their research & due diligence on which VPN providers actually respect your privacy.
Techdirt: Really? An encryption specific post that is sponsored by a company that in no way values your privacy? Next time just have the DoJ sponsor the post...they care too.
[ link to this | view in chronology ]
How would this be handled under this law? Would they be ok so long as they could bypass their official ROM? Or would they have to promise to be able to get into others too?
[ link to this | view in chronology ]
Re:
This is precisely what I do, and have done since my very first smartphone.
[ link to this | view in chronology ]
First, what is a smartphone? Sure, we know one when we see it. Like my phone-shaped Android device.. that has only WiFi. But acts just like a phone with a VOIP application working over WiFi. But not my tablet with a cellular modem. Despite having the same chips, OS and applications as a smartphone, its slightly larger screen makes it a Completely Different Thing.
Even if you think you can draw a line, next year's smartwatch equivalent will make it laughably irrelevant.
Next, who is really responsible? Samsung, Apple and Google are clearly in the cross-hairs of this legislation. But can any of those parties ensure that Amazon's cached content be decrypted? Or any of the other almost-million applications?
Can a phone ship with latent encryption disabled by default? Hidden? Barely hidden? Enabled only when you set a password? Not shipped by default, but automatically downloaded and installed when you set a password?
I could spend hours poking holes into this proposal..
[ link to this | view in chronology ]
Techdirt sells out
[ link to this | view in chronology ]
Re: Techdirt sells out
How would you react if a company approached TechDirt, says, write this specific content favorable to me, in exchange for money, and keep it a secret. Would you call that 'selling out' or would you call it good honest 'lobbying'?
Similarly, what would your reaction be if TechDirt has an ad disguised as if it were an article? Not 'selling out' but good ol' dishonest 'advertising'?
Selling Out is what happens when an artist signs with an RIAA label. Not what happens when an article is sponsored.
[ link to this | view in chronology ]
Re: Re: Techdirt sells out
[ link to this | view in chronology ]
Re: Techdirt sells out
[ link to this | view in chronology ]
1) store encrypted docs in cloud - not on phone. then, you need a password to get to the encrypted docs. And there are too many of those
2) start selling phones in NV or AZ or OR. charter a party bus to go to those states and buy phones over there, and then bring them back into CA
3) sell a phone, in the open....with a tethered tablet to keep my selfies. cortana or icloud can forward my texts to the tablets, and tablets don't have the communications equipment, so they are exempt from the law.
[ link to this | view in chronology ]
Re:
It could be argued that according to this bill the manufacturer of the phone or developer of the operating system can be fined for not being able to decrypt messages that they have no control over and had nothing to do with.
[ link to this | view in chronology ]
The War On Terror
A bit of googling tells me that the number of people who have been killed in terrorist attacks since 9/11/2001 is far, far fewer than the number of people who die in automobile accidents every single year as a result of cars driven by inferior, annoying, distracted, sleepy humans.
What if we took away all of the resources wasted on the War On Terror and spent it on a new 'moon shot' or 'manhattan project'? Let's call it: The War On Human Driven Cars.
The number of lives saved would be enormously larger.
The FBI's top attorney says:
http://www.usnews.com/news/articles/2016-04-05/top-fbi-attorney-james-baker-worried-about-whatsapp-encryption
Maybe bearing those costs would be far better than bearing the costs of human driven vehicles?
[ link to this | view in chronology ]
Re: The War On Terror
In fact, the number of people killed in the US by terrorism and car accidents in September 2001 was similar.
[ link to this | view in chronology ]
Re: Re: The War On Terror
Terrorism related deaths spiked in 2001, but have severely dropped since then. Automobile related deaths have been more or less stable since then.
As such, it is possible that terrorism deaths equaled automobile deaths in September 2001, and that automobile related deaths far outpaced terrorism related deaths since 9/11/2001.
Terrorism has actually been less of an issue in recent years, the IRA just isn't that active these days. Yet it's still the go-to boogeyman, even though it's a minor threat in the grand scheme of things. Not to mention that reacting to terrorism like it was an existential threat is exactly what said terrorists want people to do, it gives them validation.
[ link to this | view in chronology ]
Re: Re: Re: The War On Terror
I'm not sure what you mean. Obviously terrorism and car accidents are not the same thing. My point is that the worst terrorist attacks in the history of the country were only as bad as a typical month of car accidents, yet we decided to freak out about one and we're mostly OK with the other. I say mostly because we continue to improve car safety, but hardly anyone seems very concerned about the issue, certainly not to the extent of terrorism. This despite the fact that car accidents are far more dangerous.
[ link to this | view in chronology ]
That's so cute!
Hahah. Hah. HAHAHAHAHAHAHAHAHAHAHAHAH!
Cause we all know cell phone prices are based on hard numbers and regulated profit margins allowed by law, and not just whatever the manufacturer and retailers decide upon.
Pretty sure if this passes we'll ALL suddenly be paying even higher retail costs for cell phones. Thank you California!
[ link to this | view in chronology ]
What if a THIRD PARTY APP has the encryption?
Suppose the user is using an app like WhatsApp that is end to end encrypted?
What if the user is using an obscure app not on the phone's app store, but was installed manually onto the phone? (Not that hard to do on Android.)
[ link to this | view in chronology ]
Soooo....
[ link to this | view in chronology ]
Re: Soooo....
It's not the user's problem, put whatever encryption you want on your phone whether you live in CA or not.
[ link to this | view in chronology ]
Corporations have had to go to encryption and will be pushed to continue to go to it as long as the government wants in everyone's personal lives. They have to do that in order to maintain credibility on the global marketplace.
Once you seal off the possibility of keeping a good reputation through encryption to prevent spying, you also kill the market for the product globally. No wonder so many of these communications corporations are moving out of the US and using the tax problem as the reason. After they've received an NSL they can't say that was the reason.
[ link to this | view in chronology ]
just wait for Hollywood celeb nudes
As soon as mandatory backdoors are installed and people figure out how to access them (which they will in... I'm guessing about 30 minutes after release) celebrity phone hacks will skyrocket since they'll be so easy.
Once every famous idiot in Hollywood starts screaming, their studio exec handlers will start screaming, and that will cause their lobbyists to start screaming. At which point this legislation will mysteriously "disappear".
[ link to this | view in chronology ]
Makes You Proud To Be A American
We dont take no trips on VPN
We dont run no TOR relays down on Main Street
We like livin right, and bein free.
[ link to this | view in chronology ]
Too many steps backwards
[ link to this | view in chronology ]
I am out, between Gretchen's daily spam and your constant book pushing. It's just not worth the value anymore.
[ link to this | view in chronology ]
Doesn't look like they defined "smartphone"
Could just use a tablet or PC instead. If this legislation is really put into effect, which I suspect it won't, what would stop manufacturers going down the LG G5 module route and building a "phone" module to add on to a small tablet-type device? Even as a concept build it could go towards the argument that most smartphones these days are less phone, more mobile device.
[ link to this | view in chronology ]
California AB 1681 defeated
[ link to this | view in chronology ]