In the past couple of weeks, the media reported that New York, and more recently California, have each floated a bill aimed at crippling smartphone encryption. The criticism is not far off the mark, despite protests to the contrary.
What the bills forbid is the sale of smartphones and tablets that cannot be decrypted by their manufacturers (like Apple and Samsung) or operating system providers (like Google). Also entangled are those who sell or lease smartphones to customers (the lessors).
Indeed, given how smartphones are purchased in the US, one could say that the lessors are the ones bearing the brunt of the laws. I assume the plan is for the lessors (which include carriers like Verizon, T-Mobile, etc.) to pressure manufacturers and OS providers into building “decryptable phones.” Tech companies may have come to question and fight the legality of certain government requests, but they may hesitate when the request comes from their biggest commercial partners, and perhaps accede, however unwillingly.
Where It All Started
The New York bill preceded California’s, and the two are almost identical. The impetus for the New York bill, according to zdnet.com, was the 2015 New York District Attorney’s whitepaper on encryption and law enforcement (California denies any connection to the DA’s whitepaper, despite its bill’s similarity to New York’s).
What the New York DA Has to Say
The New York DA noted that Apple was able to help law enforcement gain access to encrypted iPhones running iOS 7 and older; the same goes for Google with earlier versions of Android. The DA argues for a return to those good old days, when serving a warrant produced results and yet no one accused the iPhone’s full disk encryption of having backdoors.
(Which is true. No one accused Apple of having introduced backdoors to their encryption. Apple was just panned in certain circles for doing a terrible job security-wise.)
Divergence Between Bills and Whitepaper
While the DA may not have been calling for backdoors, these two bills certainly are. Note that the bills ask for the smartphones to be “decryptable.” Apple’s iPhones were never decryptable while running iOS 7 or older. From arstechnica.com:
Apple can bypass security passcodes on our iOS devices to extract “certain categories of active data,” though it apparently cannot bypass that protection entirely. If provided with a valid search warrant, Apple can hand over SMS messages, pictures and videos, contacts, audio recordings, and your phone’s call history, but it can’t access e-mails, calendar entries, or information from third-party applications. Devices must be running iOS 4 or newer, must be “in good working order,” and must be provided directly to Apple’s headquarters along with an external storage drive twice the size of the iOS device’s internal storage.
Apple was able to access some data but not all. In other words, Apple was technically unable to decrypt phones even back then, even though it was extracting information from them. A Johns Hopkins professor theorizes towards the end of this blog post how Apple was able to glean information from smartphones. (Long story short: the data Apple could pull out lived in files whose encryption keys depended only on a device key, not on the user’s passcode, so Apple, with the phone in hand, could read them without touching anything the passcode protected.)
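To make that distinction concrete, here is a simplified model, written for this post and not Apple’s code or anything from the whitepaper, of per-file encryption with two protection classes: a “device_only” class whose file keys are wrapped with a device key alone, and a “passcode” class whose file keys are wrapped with a key derived from both the passcode and the device key. The class names, the toy wrap and stream cipher, the sample file names and contents, and the device key are all constructed for illustration; real iOS uses AES key wrapping and a hardware key that never leaves the device. The point it demonstrates is that someone holding the device but not the passcode recovers exactly the device-only files and nothing else, which matches the “some categories of active data” Apple could produce.

```python
import hashlib
import hmac
import secrets

# Stand-in for the per-device hardware key (constructed value; on a real
# device this key is fused into the crypto engine and never exported).
DEVICE_KEY = hashlib.sha256(b"example-device-uid").digest()


def passcode_key(passcode: str, device_key: bytes) -> bytes:
    """Key entangled with both the user's passcode and the device key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_key, 50_000)


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """HMAC-based counter keystream for the toy ciphers below."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(file_key: bytes, wrapping_key: bytes) -> bytes:
    """Toy authenticated key wrap: XOR with a keystream plus an HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(file_key, _keystream(wrapping_key, b"wrap", len(file_key))))
    tag = hmac.new(wrapping_key, ct, hashlib.sha256).digest()
    return ct + tag


def unwrap_key(wrapped: bytes, wrapping_key: bytes):
    """Return the file key, or None if this wrapping key cannot open the wrap."""
    ct, tag = wrapped[:-32], wrapped[-32:]
    expected = hmac.new(wrapping_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(wrapping_key, b"wrap", len(ct))))


def encrypt(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (not for real use); decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, b"data", len(data))))


decrypt = encrypt


def store_file(plaintext: bytes, protection_class: str, passcode: str = None) -> dict:
    """Encrypt under a fresh per-file key, then wrap that key according to its class."""
    file_key = secrets.token_bytes(32)
    if protection_class == "device_only":
        wrapping_key = DEVICE_KEY
    elif protection_class == "passcode":
        wrapping_key = passcode_key(passcode, DEVICE_KEY)
    else:
        raise ValueError(f"unknown protection class: {protection_class}")
    return {
        "class": protection_class,
        "wrapped_key": wrap_key(file_key, wrapping_key),
        "ciphertext": encrypt(plaintext, file_key),
    }


def extract_with_device_only(files: dict) -> dict:
    """What a party holding the device, but not the passcode, can read."""
    readable = {}
    for name, f in files.items():
        key = unwrap_key(f["wrapped_key"], DEVICE_KEY)
        if key is not None:
            readable[name] = decrypt(f["ciphertext"], key)
    return readable


def extract_with_passcode(files: dict, passcode: str) -> dict:
    """Device-only files plus whatever the supplied passcode unlocks."""
    readable = dict(extract_with_device_only(files))
    pk = passcode_key(passcode, DEVICE_KEY)
    for name, f in files.items():
        key = unwrap_key(f["wrapped_key"], pk)
        if key is not None:
            readable[name] = decrypt(f["ciphertext"], key)
    return readable


def demo():
    """Constructed sample: SMS stored device-only, mail stored under the passcode."""
    files = {
        "sms.db": store_file(b"hello from sms", "device_only"),
        "mail.db": store_file(b"private email", "passcode", passcode="1234"),
    }
    return (
        extract_with_device_only(files),        # only sms.db
        extract_with_passcode(files, "1234"),   # both files
        extract_with_passcode(files, "0000"),   # wrong passcode: only sms.db
    )


if __name__ == "__main__":
    for label, result in zip(("device only", "right passcode", "wrong passcode"), demo()):
        print(label, sorted(result))
```

Nothing in the device-only path breaks the encryption on mail.db; that file simply never becomes readable without the passcode-derived key. That is the gap between “extracting certain categories of data” and the “decryptable” devices the bills demand.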
However Apple was getting that data, these two bills go far beyond it.
Personally, I wonder if the bills are the product of a game of telephone. The DA didn’t quite understand what Apple was doing but concluded that some form of decryption must have been going on. The bill drafters then ran with the word “decryptable” without realizing that it isn’t what they are actually looking for.
But then again, maybe not.
HIPAA, State Data Breach Laws
The California bill could very well put the state at odds with its own laws as well as federal ones.
Many state and federal data privacy and breach notification laws, California’s included, provide safe harbor from breach notification if the affected information is encrypted. California’s in particular contains this definition of encryption:
“encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.
Guess what? No one in the field of information security generally accepts that a technology with a confirmed backdoor (one its own manufacturer is obligated to use) renders information “unusable…to an unauthorized person.” The moment this bill becomes law, smartphones that contain personal information will be legally unprotected, and in practice less protected as well. That is to say, vulnerable.
This extends to the federal level. For example, the HIPAA Privacy and Security Rules also provide safe harbor from breach notification if smartphones containing patient data are lost or stolen, provided the data is encrypted. However, HIPAA defers to the National Institute of Standards and Technology (NIST) to decide what counts as suitably encrypted and what doesn’t. Federal agency or not, I cannot believe that the scientists at NIST would, for political expediency, deem iPhones and other smartphones cryptographically secure when they feature a backdoor that the manufacturers themselves confirm. They wouldn’t even have to test anything to reach that conclusion.