California Lawmakers Manage To Turn Encrypted Phone Ban Legislation Into Encryption Backdoor Legislation

from the your-tax-dollars-malfunctioning dept


As part of our funding campaign for our coverage of encryption, we reached out to some companies that care about these issues to ask them to show their support. This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.


The California Assembly has been tinkering with Assemblyman Jim Cooper’s smartphone encryption ban… and for the worse. First noticed by EFF Staff Attorney Andrew Crocker, legislators have turned the proposed ban into something that accomplishes the same goals without actually “banning” anything.

Rather than forbid the sale of smartphones that can’t be decrypted by their manufacturers, the new wording will direct fines at manufacturers who can’t decrypt phones upon receipt of a warrant or other court order. (added/altered wording in bold)

(b) A ~~smartphone manufactured on or after January 1, 2017, that is not capable of being decrypted and unlocked by its manufacturer or its operating system provider shall subject the~~ manufacturer or operating system provider **of a smartphone sold or leased in California on or after January 1, 2017, shall be subject** to a civil penalty of two thousand five hundred dollars ($2,500) for each ~~smartphone sold or leased in California if~~ **instance in which** the manufacturer or operating system provider of the smartphone ~~knew at the time of the sale or lease that the smartphone was not capable of being decrypted and unlocked by the manufacturer or its operating system provider.~~ **is unable to decrypt the contents of the smartphone pursuant to a state court order.** A manufacturer or operating system provider who pays a civil penalty imposed pursuant to this subdivision shall not pass on any portion of that penalty to purchasers of smartphones. This civil penalty shall not preclude the imposition of any other penalty pursuant to law.

So, rather than an encrypted smartphone ban, it’s an encryption backdoor mandate. In order to sell phones in California, manufacturers will have to make less secure versions specifically for that market — ones where they hold the keys and are subject to law enforcement demands for a spare set.

This is bad for Californians looking for more secure phone options and bad for cellphone manufacturers, who have zero interest in acting as encryption key repositories. And the altered wording would allow the state to pursue manufacturers that have never sold a phone directly to Californians. Third-party retailers can still offer encrypted phones to customers without fear of reprisal as doing so would not run afoul of the proposed law. Instead, it would be the manufacturers’ fault if phones without encryption backdoors were sold in the state.

The only way for phone manufacturers to ensure they comply with this law would be to stop offering encryption they can’t crack, as it’s inevitable that California-based retailers will still be able to find customers interested in devices without manufacturer/operating system backdoors.

This is stupid, reactionary lawmaking somehow managing to become even more stupid and reactionary after receiving input from other legislators. If this level of stupidity remains in full force, the end result could be Californians buying their cell phones directly from the state — much in the way some states handle alcohol sales.



Comments on “California Lawmakers Manage To Turn Encrypted Phone Ban Legislation Into Encryption Backdoor Legislation”

47 Comments
hoare (profile) says:

Golden Frog Sucks

About a year ago I was looking for a VPN so I tried Golden Frog VyprVPN. They said they didn’t log. I used BitTorrent to download an episode of Justified that I had missed. They locked my account when they got an “infringement” notice. Even though I pay for FX and was simply time shifting. Golden Frog lies … don’t trust a thing they say. IMHO

AricTheRed says:

Looks like the legislators want Encryption for Me not for Thee

The way I read this is Encryption for Me not for Thee.

Simple.

Don’t want to, or can’t, pay $3,200 outright for an actually encrypted iPhone ($2,500 encryption fee plus phone purchase)?

Fine! Your device, the one for the unwashed masses, will be running FBiOS.

All the lawmakers, rich folk, and LEOs will have encrypted phones.

Everyone wins!

John Fenderson (profile) says:

Re: Looks like the legislators want Encryption for Me not for Thee

Not a problem, really, since you don’t need a device manufacturer to provide the encryption built in. You can add it yourself after purchase, and (if done properly) there is nothing the government or manufacturer can do about it.

All of this just underscores an important point: built in encryption is a good thing, but you have to be able to trust whoever it is that put the crypto system in. Legislation like this just means that you can trust manufacturers even less than you could before. And trusting manufacturers or service providers has always been a pretty bad security practice.

nasch (profile) says:

Re: Re: Looks like the legislators want Encryption for Me not for Thee

>You can add it yourself after purchase, and (if done properly) there is nothing the government or manufacturer can do about it.

It seems like the manufacturer or OS provider (which one, if they’re not the same entity?) would be liable even for third party encryption.

“A manufacturer or operating system provider of a smartphone sold or leased in California on or after January 1, 2017, shall be subject to a civil penalty of two thousand five hundred dollars ($2,500) for each instance in which the manufacturer or operating system provider of the smartphone is unable to decrypt the contents of the smartphone pursuant to a state court order.”

No specification of built-in encryption, and no exceptions for third-party encryption.

John Fenderson (profile) says:

Re: Re: Re: Looks like the legislators want Encryption for Me not for Thee

Perhaps, but I’m guessing that since there’s nothing that manufacturers can do to prevent it, if such a case went to court then the manufacturer would prevail.

I’m giving the courts enough credit to recognize that the law cannot compel action which is impossible to perform. I’m not entirely certain about whether or not that’s too much credit.

DannyB (profile) says:

Re: Re:

Foreign phone manufacturers will simply have:
1. a backdoored version for the US and other repressive regimes.
2. a secure phone for free countries.

US manufacturers will have either one phone version for everyone, or will as in the previous paragraph have two versions for free and non-free countries. Either way, nobody will trust US made phones. The other 96% of the world’s population will not want US made phones. (Even if they are physically manufactured in China.)

Good job California! Great way to destroy American business.

Trin (profile) says:

>This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.

Golden Frog & VyprVPN is none of these. It is one of the worst choices for a VPN if you do value your privacy and security.

There are scores of examples that show they log & monitor your traffic. This is completely antithetical to the entire point of using a VPN.

I hope the people reading this who are looking for a decent VPN do their research & due diligence on which VPN providers actually respect your privacy.

Techdirt: Really? An encryption specific post that is sponsored by a company that in no way values your privacy? Next time just have the DoJ sponsor the post…they care too.

Machin Shin (profile) says:

This really makes me wonder about how companies would handle Android phones, because someone could easily buy the phone and install a different ROM and lock the phone so the manufacturer is not able to get in.

How would this be handled under this law? Would they be ok so long as they could bypass their official ROM? Or would they have to promise to be able to get into others too?

DB (profile) says:

This is so far from being effective legislation that we can only analyze it as we would with cartoon physics.

First, what is a smartphone? Sure, we know one when we see it. Like my phone-shaped Android device.. that has only WiFi. But acts just like a phone with a VOIP application working over WiFi. But not my tablet with a cellular modem. Despite having the same chips, OS and applications as a smartphone, its slightly larger screen makes it a Completely Different Thing.

Even if you think you can draw a line, next year’s smartwatch equivalent will make it laughably irrelevant.

Next, who is really responsible? Samsung, Apple and Google are clearly in the cross-hairs of this legislation. But can any of those parties ensure that Amazon’s cached content be decrypted? Or any of the other almost-million applications?

Can a phone ship with latent encryption disabled by default? Hidden? Barely hidden? Enabled only when you set a password? Not shipped by default, but automatically downloaded and installed when you set a password?

I could spend hours poking holes into this proposal..

DannyB (profile) says:

Re: Techdirt sells out

So proudly announcing the sponsorship of a newsworthy article, in the public interest, is selling out?

How would you react if a company approached TechDirt, says, write this specific content favorable to me, in exchange for money, and keep it a secret. Would you call that ‘selling out’ or would you call it good honest ‘lobbying’?

Similarly, what would your reaction be if TechDirt has an ad disguised as if it were an article? Not ‘selling out’ but good ol’ dishonest ‘advertising’?

Selling Out is what happens when an artist signs with an RIAA label. Not what happens when an article is sponsored.

Anonymous Coward says:

whack a mole:
1) store encrypted docs in cloud – not on phone. then, you need a password to get to the encrypted docs. And there are too many of those

2) start selling phones in NV or AZ or OR. charter a party bus to go to those states and buy phones over there, and then bring them back into CA

3) sell a phone, in the open….with a tethered tablet to keep my selfies. cortana or icloud can forward my texts to the tablets, and tablets don’t have the communications equipment, so they are exempt from the law.

DannyB (profile) says:

The War On Terror

Here is an idea.

A bit of googling tells me that the number of people who have been killed in terrorist attacks since 9/11/2001 is far, far fewer than the number of people who die in automobile accidents every single year as a result of cars driven by inferior, annoying, distracted, sleepy humans.

What if we took away all of the resources wasted on the War On Terror and spent it on a new ‘moon shot’ or ‘manhattan project’? Let’s call it: The War On Human Driven Cars.

The number of lives saved would be enormously larger.

The FBI’s top attorney says:
http://www.usnews.com/news/articles/2016-04-05/top-fbi-attorney-james-baker-worried-about-whatsapp-encryption

“If the public does nothing, encryption like that will continue to roll out,” he said. “It has public safety costs. Folks have to understand that, and figure out how they are going to deal with that. Do they want the public to bear those costs? Do they want the victims of terrorism to bear those costs?”

Maybe bearing those costs would be far better than bearing the costs of human driven vehicles?

nasch (profile) says:

Re: The War On Terror

>A bit of googling tells me that the number of people who have been killed in terrorist attacks since 9/11/2001 is far, far fewer than the number of people who die in automobile accidents every single year as a result of cars driven by inferior, annoying, distracted, sleepy humans.

In fact, the number of people killed in the US by terrorism and car accidents in September 2001 was similar.

Kal Zekdor (profile) says:

Re: Re: The War On Terror

Maybe I’m falling victim to Poe’s Law here, but you do realize that’s not even close to the same thing, right?

Terrorism related deaths spiked in 2001, but have severely dropped since then. Automobile related deaths have been more or less stable since then.

As such, it is possible that terrorism deaths equaled automobile deaths in September 2001, and that automobile related deaths far outpaced terrorism related deaths since 9/11/2001.

Terrorism has actually been less of an issue in recent years, the IRA just isn’t that active these days. Yet it’s still the go-to boogeyman, even though it’s a minor threat in the grand scheme of things. Not to mention that reacting to terrorism like it was an existential threat is exactly what said terrorists want people to do, it gives them validation.

nasch (profile) says:

Re: Re: Re: The War On Terror

>Maybe I’m falling victim to Poe’s Law here, but you do realize that’s not even close to the same thing, right?

I’m not sure what you mean. Obviously terrorism and car accidents are not the same thing. My point is that the worst terrorist attacks in the history of the country were only as bad as a typical month of car accidents, yet we decided to freak out about one and we’re mostly OK with the other. I say mostly because we continue to improve car safety, but hardly anyone seems very concerned about the issue, certainly not to the extent of terrorism. This despite the fact that car accidents are far more dangerous.

Anonmylous says:

That's so cute!

“A manufacturer or operating system provider who pays a civil penalty imposed pursuant to this subdivision shall not pass on any portion of that penalty to purchasers of smartphones.”

Hahah. Hah. HAHAHAHAHAHAHAHAHAHAHAHAH!

Cause we all know cell phone prices are based on hard numbers and regulated profit margins allowed by law, and not just whatever the manufacturer and retailers decide upon.

Pretty sure if this passes we’ll ALL suddenly be paying even higher retail costs for cell phones. Thank you California!

Anonymous Coward says:

Soooo....

So will phones used in California be like their cars which have to have extra, super-duper smog eliminating gadgets in them? Does that mean that when the phone is no longer in California (or is sold and then shipped out of California) the back door can be removed/eliminated with a patch of some sort? Since this is California specific, I suppose people traveling to the Worst Coast will just have to leave their own phones at home and get a burner to use when out there…

Anonymous Coward says:

Had it not been for the government wanting in everyone’s underwear, encryption would not have sprouted and blossomed as much as it has.

Corporations have had to go to encryption and will be pushed to continue to go to it as long as the government wants in everyone’s personal lives. They have to do that in order to maintain credibility on the global marketplace.

Once you seal off the possibility of keeping a good reputation through encryption to prevent spying, you also kill the market for the product globally. No wonder so many of these communications corporations are moving out of the US and using the tax problem as the reason. After they’ve received an NSL they can’t say that was the reason.

Anonymous Coward says:

just wait for Hollywood celeb nudes

Just wait for it.

As soon as mandatory backdoors are installed and people figure out how to access them (which they will in… I’m guessing about 30 minutes after release) celebrity phone hacks will skyrocket since they’ll be so easy.

Once every famous idiot in Hollywood starts screaming, their studio exec handlers will start screaming, and that will cause their lobbyists to start screaming. At which point this legislation will mysteriously “disappear”.

Dingledore the Flabberghaster says:

Doesn't look like they defined "smartphone"

at least in the segment shown above.

Could just use a tablet or PC instead. If this legislation is really put into effect, which I suspect it won’t, what would stop manufacturers going down the LG G5 module route and building a “phone” module to add on to a small tablet-type device? Even as a concept build it could go towards the argument that most smartphones these days are less phone, more mobile device.
