California Lawmakers Manage To Turn Encrypted Phone Ban Legislation Into Encryption Backdoor Legislation
from the your-tax-dollars-malfunctioning dept
As part of our funding campaign for our coverage of encryption, we reached out to some companies that care about these issues to ask them to show their support. This post is sponsored by Golden Frog, a company dedicated to online privacy, security and freedom.
The California Assembly has been tinkering with Assemblyman Jim Cooper’s smartphone encryption ban… and for the worse. First noticed by EFF Staff Attorney Andrew Crocker, legislators have turned the proposed ban into something that accomplishes the same goals without actually “banning” anything.
Rather than forbid the sale of smartphones that can’t be decrypted by their manufacturers, the new wording will direct fines at manufacturers who can’t decrypt phones upon receipt of a warrant or other court order. (added/altered wording in bold)
(b) A ~~smartphone manufactured on or after January 1, 2017, that is not capable of being decrypted and unlocked by its manufacturer or its operating system provider shall subject the~~ **manufacturer or operating system provider of a smartphone sold or leased in California on or after January 1, 2017, shall be subject to** a civil penalty of two thousand five hundred dollars ($2,500) for each ~~smartphone sold or leased in California if~~ **instance in which** the manufacturer or operating system provider of the smartphone ~~knew at the time of the sale or lease that the smartphone was not capable of being decrypted and unlocked by the manufacturer or its operating system provider.~~ **is unable to decrypt the contents of the smartphone pursuant to a state court order.** A manufacturer or operating system provider who pays a civil penalty imposed pursuant to this subdivision shall not pass on any portion of that penalty to purchasers of smartphones. This civil penalty shall not preclude the imposition of any other penalty pursuant to law.
So, rather than an encrypted smartphone ban, it’s an encryption backdoor mandate. In order to sell phones in California, manufacturers will have to make less secure versions specifically for that market — ones where they hold the keys and are subject to law enforcement demands for a spare set.
This is bad for Californians looking for more secure phone options and bad for cellphone manufacturers, who have zero interest in acting as encryption key repositories. And the altered wording would allow the state to pursue manufacturers that have never sold a phone directly to Californians. Third-party retailers can still offer encrypted phones to customers without fear of reprisal as doing so would not run afoul of the proposed law. Instead, it would be the manufacturers’ fault if phones without encryption backdoors were sold in the state.
The only way for phone manufacturers to ensure they comply with this law would be to stop offering encryption they can’t crack, as it’s inevitable that California-based retailers will still be able to find customers interested in devices without manufacturer/operating system backdoors.
This is stupid, reactionary lawmaking somehow managing to become even more stupid and reactionary after receiving input from other legislators. If this level of stupidity remains in full force, the end result could be Californians buying their cell phones directly from the state — much in the way some states handle alcohol sales.
Filed Under: backdoor, california, encryption, sponsored post
Comments on “California Lawmakers Manage To Turn Encrypted Phone Ban Legislation Into Encryption Backdoor Legislation”
Golden Frog Sucks
About a year ago I was looking for a VPN so I tried Golden Frog VyprVPN. They said they didn’t log. I used BitTorrent to download an episode of Justified that I had missed. They locked my account when they got an “infringement” notice. Even though I pay for FX and was simply time shifting. Golden Frog lies … don’t trust a thing they say. IMHO
Re: Golden Frog Sucks
They….
ALL LIE!
LOLS
That would be like charging a gun manufacturer for a murder that was committed by a felon who bought the gun from a third party reseller. Even if this were to pass into law, I doubt that it would survive a court challenge.
Re: Re:
You must have not been paying much attention to the courts lately.
Re: Re:
Democrats have no problem with that either.
Looks like the legislators want Encryption for Me not for Thee
The way I read this is Encryption for Me not for Thee.
Simple.
Don’t want to, or can’t, pay $3,200 outright for an actually encrypted iPhone ($2,500 encryption fee plus phone purchase)?
Fine! Your device, the one for the unwashed masses, will be running FBiOS.
All the lawmakers, rich folk, and LEO’s will have encrypted phones.
Everyone wins!
Re: Looks like the legislators want Encryption for Me not for Thee
Actually, the masses will still pay only for the phone, not the $2500 fee. The proposed legislation states that the manufacturers cannot pass the fee on to customers.
Re: Re: Looks like the legislators want Encryption for Me not for Thee
LOL! Companies don’t pay fees, nor taxes, hell they don’t even buy material or labor. The consumer that purchases their products pays for all that. There is no way not to pass it down to consumers. One way or another, we will pay for all of it.
Re:
At only $2500 per court case this effectively guts the bill.
These cases don’t come up often enough to cause more than a
few cents cost per year for each phone sold that year.
Any phone manufacturer could absorb it as a minor cost.
That makes it no more than a token gesture for publicity.
Re: Looks like the legislators want Encryption for Me not for Thee
Not a problem, really, since you don’t need a device manufacturer to provide the encryption built in. You can add it yourself after purchase, and (if done properly) there is nothing the government or manufacturer can do about it.
All of this just underscores an important point: built in encryption is a good thing, but you have to be able to trust whoever it is that put the crypto system in. Legislation like this just means that you can trust manufacturers even less than you could before. And trusting manufacturers or service providers has always been a pretty bad security practice.
Re: Re: Looks like the legislators want Encryption for Me not for Thee
“You can add it yourself after purchase, and (if done properly) there is nothing the government or manufacturer can do about it.”
It seems like the manufacturer or OS provider (which one, if they’re not the same entity?) would be liable even for third party encryption.
“A manufacturer or operating system provider of a smartphone sold or leased in California on or after January 1, 2017, shall be subject to a civil penalty of two thousand five hundred dollars ($2,500) for each instance in which the manufacturer or operating system provider of the smartphone is unable to decrypt the contents of the smartphone pursuant to a state court order.”
No specification of built-in encryption, and no exceptions for third-party encryption.
Re: Re: Re: Looks like the legislators want Encryption for Me not for Thee
Perhaps, but I’m guessing that since there’s nothing that manufacturers can do to prevent it, if such a case went to court then the manufacturer would prevail.
I’m giving the courts enough credit to recognize that the law cannot compel action which is impossible to perform. I’m not entirely certain about whether or not that’s too much credit.
Re: Re: Re:2 Looks like the legislators want Encryption for Me not for Thee
The question is whether the judge or jury could be convinced that it actually is impossible.
Way to drive more businesses out of the State of California and overseas.
Re: Re:
Foreign phone manufacturers will simply have:
1. a backdoored version for the US and other repressive regimes.
2. a secure phone for free countries.
US manufacturers will have either one phone version for everyone, or will as in the previous paragraph have two versions for free and non-free countries. Either way, nobody will trust US made phones. The other 96% of the world’s population will not want US made phones. (Even if they are physically manufactured in China.)
Good job California! Great way to destroy American business.
Smartphones are known to the state of Kalifornia
Warning, this smartphone contains encryption, a software known to the state of Kalifornia to cause terrorist attacks.
Golden Frog & VyprVPN is none of these. It is one of the worst choices for a VPN if you do value your privacy and security.
There are scores of examples that show they log & monitor your traffic. This is completely antithetical to the entire point of using a VPN.
I hope the people reading this who are looking for a decent VPN do their research & due diligence on which VPN providers actually respect your privacy.
Techdirt: Really? An encryption specific post that is sponsored by a company that in no way values your privacy? Next time just have the DoJ sponsor the post…they care too.
This really makes me wonder about how companies would handle Android phones, because someone could easily buy the phone and install a different ROM and lock the phone so the manufacturer is not able to get in.
How would this be handled under this law? Would they be ok so long as they could bypass their official ROM? Or would they have to promise to be able to get into others too?
Re: Re:
“someone could easily buy the phone and install a different ROM and lock the phone so the manufacturer is not able to get in.”
This is precisely what I do, and have done since my very first smartphone.
This is so far from being effective legislation that we can only analyze it as we would with cartoon physics.
First, what is a smartphone? Sure, we know one when we see it. Like my phone-shaped Android device.. that has only WiFi. But acts just like a phone with a VOIP application working over WiFi. But not my tablet with a cellular modem. Despite having the same chips, OS and applications as a smartphone, its slightly larger screen makes it a Completely Different Thing.
Even if you think you can draw a line, next year’s smartwatch equivalent will make it laughably irrelevant.
Next, who is really responsible? Samsung, Apple and Google are clearly in the cross-hairs of this legislation. But can any of those parties ensure that Amazon’s cached content be decrypted? Or any of the other almost-million applications?
Can a phone ship with latent encryption disabled by default? Hidden? Barely hidden? Enabled only when you set a password? Not shipped by default, but automatically downloaded and installed when you set a password?
I could spend hours poking holes into this proposal..
Just when you think politicians can’t get any more stupid…one pops up to prove you wrong.
These days you can, you know, buy directly from a manufacturer in China (lots of choices, actually) and let California law enforcement send angry letters to … Where exactly? Many of those companies are not represented in the US!
Techdirt sells out
Thanks for letting us know.
Re: Techdirt sells out
So proudly announcing the sponsorship of a newsworthy article, in the public interest, is selling out?
How would you react if a company approached TechDirt, says, write this specific content favorable to me, in exchange for money, and keep it a secret. Would you call that ‘selling out’ or would you call it good honest ‘lobbying’?
Similarly, what would your reaction be if TechDirt has an ad disguised as if it were an article? Not ‘selling out’ but good ol’ dishonest ‘advertising’?
Selling Out is what happens when an artist signs with an RIAA label. Not what happens when an article is sponsored.
Re: Re: Techdirt sells out
Just when you think politicians can’t get any more stupid…one pops up to prove you wrong.
Re: Techdirt sells out
Do you work for a paycheck? What a sellout.
whack a mole:
1) store encrypted docs in cloud – not on phone. then, you need a password to get to the encrypted docs. And there are too many of those
2) start selling phones in NV or AZ or OR. charter a party bus to go to those states and buy phones over there, and then bring them back into CA
3) sell a phone, in the open….with a tethered tablet to keep my selfies. cortana or icloud can forward my texts to the tablets, and tablets don’t have the communications equipment, so they are exempt from the law.
what happens when a smart phone is without encryption…except for an app like WhatsApp?
Re: Re:
“what happens when a smart phone is without encryption…except for an app like WhatsApp?”
It could be argued that according to this bill the manufacturer of the phone or developer of the operating system can be fined for not being able to decrypt messages that they have no control over and had nothing to do with.
The War On Terror
Here is an idea.
A bit of googling tells me that the number of people who have been killed in terrorist attacks since 9/11/2001 is far, far fewer than the number of people who die in automobile accidents every single year as a result of cars driven by inferior, annoying, distracted, sleepy humans.
What if we took away all of the resources wasted on the War On Terror and spent it on a new ‘moon shot’ or ‘manhattan project’? Let’s call it: The War On Human Driven Cars.
The number of lives saved would be enormously larger.
The FBI’s top attorney says:
http://www.usnews.com/news/articles/2016-04-05/top-fbi-attorney-james-baker-worried-about-whatsapp-encryption
Maybe bearing those costs would be far better than bearing the costs of human driven vehicles?
Re: The War On Terror
“A bit of googling tells me that the number of people who have been killed in terrorist attacks since 9/11/2001 is far, far fewer than the number of people who die in automobile accidents every single year as a result of cars driven by inferior, annoying, distracted, sleepy humans.”
In fact, the number of people killed in the US by terrorism and car accidents in September 2001 was similar.
Re: Re: The War On Terror
Maybe I’m falling victim to Poe’s Law here, but you do realize that’s not even close to the same thing, right?
Terrorism related deaths spiked in 2001, but have severely dropped since then. Automobile related deaths have been more or less stable since then.
As such, it is possible that terrorism deaths equaled automobile deaths in September 2001, and that automobile related deaths far outpaced terrorism related deaths since 9/11/2001.
Terrorism has actually been less of an issue in recent years, the IRA just isn’t that active these days. Yet it’s still the go-to boogeyman, even though it’s a minor threat in the grand scheme of things. Not to mention that reacting to terrorism like it was an existential threat is exactly what said terrorists want people to do, it gives them validation.
Re: Re: Re: The War On Terror
“Maybe I’m falling victim to Poe’s Law here, but you do realize that’s not even close to the same thing, right?”
I’m not sure what you mean. Obviously terrorism and car accidents are not the same thing. My point is that the worst terrorist attacks in the history of the country were only as bad as a typical month of car accidents, yet we decided to freak out about one and we’re mostly OK with the other. I say mostly because we continue to improve car safety, but hardly anyone seems very concerned about the issue, certainly not to the extent of terrorism. This despite the fact that car accidents are far more dangerous.
That's so cute!
“A manufacturer or operating system provider who pays a civil penalty imposed pursuant to this subdivision shall not pass on any portion of that penalty to purchasers of smartphones.”
Hahah. Hah. HAHAHAHAHAHAHAHAHAHAHAHAH!
Cause we all know cell phone prices are based on hard numbers and regulated profit margins allowed by law, and not just whatever the manufacturer and retailers decide upon.
Pretty sure if this passes we’ll ALL suddenly be paying even higher retail costs for cell phones. Thank you California!
What if a THIRD PARTY APP has the encryption?
Suppose the phone is backdoored as per the US Government.
Suppose the user is using an app like WhatsApp that is end to end encrypted?
What if the user is using an obscure app not on the phone’s app store, but was installed manually onto the phone? (Not that hard to do on Android.)
Soooo....
So will phones used in California be like their cars which have to have extra, super-duper smog eliminating gadgets in them? Does that mean that when the phone is no longer in California (or is sold and then shipped out of California) the back door can be removed/eliminated with a patch of some sort? Since this is California specific, I suppose people traveling to the Worst Coast will just have to leave their own phones at home and get a burner to use when out there…
Re: Soooo....
“Since this is California specific, I suppose people traveling to the Worst Coast will just have to leave their own phones at home and get a burner to use when out there…”
It’s not the user’s problem, put whatever encryption you want on your phone whether you live in CA or not.
Had it not been for the government wanting in everyone’s underwear, encryption would not have sprouted and blossomed as much as it has.
Corporations have had to go to encryption and will be pushed to continue to go to it as long as the government wants in everyone’s personal lives. They have to do that in order to maintain credibility on the global market place.
Once you seal off the possibility of keeping a good reputation through encryption to prevent spying, you also kill the market for the product globally. No wonder so many of these communications corporations are moving out of the US and using the tax problem as the reason. After they’ve received an NSL they can’t say that was the reason.
just wait for Hollywood celeb nudes
Just wait for it.
As soon as mandatory backdoors are installed and people figure out how to access them (which they will in… I’m guessing about 30 minutes after release) celebrity phone hacks will skyrocket since they’ll be so easy.
Once every famous idiot in Hollywood starts screaming, their studio exec handlers will start screaming, and that will cause their lobbyists to start screaming. At which point this legislation will mysteriously “disappear”.
Makes You Proud To Be A American
We dont use end-to-end encryption in Muskogee
We dont take no trips on VPN
We dont run no TOR relays down on Main Street
We like livin right, and bein free.
Too many steps backwards
Man.. these guys are practically moon walking, by attempting to ban encryption on mobile phones. I expect them to encounter all sorts of problems, you know, because they aren’t looking forward.
Maybe Apple and Google should just not sell smartphones in CA any more. When the people start to revolt, just let them know it was their idiot politicians who did it.
Yuck.. Paid lies.. Why does techdirt sink so low?
Lying site. Cannot trust Golden Frog at all. They log and they will hand you over in a second.
Good bye Techdirt. Endorsing a site like Golden Frog is insane, I can’t fathom what is going through your mind not vetting who you are doing paid stories for.
I am out, between Gretchen’s daily spam and your constant book pushing. It’s just not worth the value anymore.
Doesn't look like they defined "smartphone"
at least in the segment shown above.
Could just use a tablet or PC instead. If this legislation is really put into effect, which I suspect it won’t, what would stop manufacturers going down the LG G5 module route and building a “phone” module to add on to small tablet type device? Even as a concept build it could go towards the argument that most smartphones these days are less phone, more mobile device.
California AB 1681 defeated
“California phone decryption bill defeated”, By Jeremy B. White, The Sacramento Bee, Apr 12, 2016