
Yet another bill seeks to weaken encryption-by-default on smartphones

Asm. Jim Cooper: "Human trafficking trumps privacy, no ifs, ands, or buts about it."


A second state lawmaker has now introduced a bill that would prohibit the sale of smartphones with unbreakable encryption. Except this time, despite very similar language to a pending New York bill, the stated rationale is to fight human trafficking, rather than terrorism.

Specifically, California Assemblymember Jim Cooper’s (D-Elk Grove) new bill, which was introduced Wednesday, would "require a smartphone that is manufactured on or after January 1, 2017, and sold in California, to be capable of being decrypted and unlocked by its manufacturer or its operating system provider."

If the bill passes both the Assembly and State Senate and is signed into law by Gov. Jerry Brown (D), it would affect modern iOS and Android devices, which enable full-disk encryption that neither Apple nor Google can access. AB 1681’s language is nearly identical to another bill re-introduced in New York state earlier this month, but Cooper denied that it was based on any model legislation, saying simply that it was researched by his staff. He also noted that the sale of his own iPhone would be made illegal in California under this bill.

Cooper himself, a 30-year veteran of the Sacramento County Sheriff’s Department, told Ars that allowing local law enforcement to access unencrypted phones through the warrant process was not the same thing as allowing the National Security Agency or the CIA free rein. He also noted that "99 percent" of Californians would never have their phones implicated in a law enforcement operation, implying that they should not have to worry.

The lawmaker also reiterated many of the talking points that he made at a press conference earlier in the day, with various law enforcement officials and anti-human trafficking advocates at his side. The press conference, which Ars did not find out about until after it had concluded, portrayed the issue as a question of "human trafficking evidentiary access"—scarcely even using the word encryption.

"If you're a bad guy [we] can get a search record for your bank, for your house, you can get a search warrant for just about anything," Cooper told Ars in a brief phone call on Wednesday afternoon. "For the industry to say it's privacy, it really doesn't hold any water. We're going after human traffickers and people who are doing bad and evil things. Human trafficking trumps privacy, no ifs, ands, or buts about it."

Impractical and possibly illegal

Two privacy lawyers that Ars spoke to said the bill has two major problems as currently written.

"Human trafficking is obviously a major social issue that we need to address," Gautam Hans, an attorney with the Center for Democracy and Technology, told Ars by e-mail.

"However, I don't think this is the best way to solve that issue. Weakening encryption will do a great deal of harm to the security of the Internet, and it's not clear that it helps with the law enforcement goals. Encryption proposals that include backdoors are fundamentally insecure and would create vulnerabilities that unauthorized actors could exploit."

Similarly, Andrew Crocker, an attorney with the Electronic Frontier Foundation, told Ars that the bill had "glaring problems" and that it was "entirely infeasible from a technical perspective."

"There is no way to ensure that phones can be decrypted by the police and not the ‘bad guys,’" he e-mailed Ars. "Just as in New York, this California lawmaker misses the point that it's not about privacy but security—the security of innocent people's devices against hackers, thieves and others. It could well be unconstitutional under the First Amendment as well."

"As for the protect the children argument, I am sympathetic, but there are always limits on law enforcement's power to investigate crime," he added. "No matter how terrible the crime, we don't allow the police to disregard other important values like privacy and security, and this is a law that would make us all less secure. Meanwhile the police have access to lots of other tools to get at this evidence, from hacking or brute forcing the device to getting cloud backups to forcing the owner to unlock the phone. Moreover the sophisticated bad guys will resort to third-party tools to cover their tracks."

Both lawyers speculated that the bill would also likely be illegal under the Dormant Commerce Clause, the federal legal doctrine that forbids states from imposing undue burdens on interstate commerce.

“Technologically stupid”

As of press time, neither Cooper nor his staff had provided any evidence that there has been a large number of cases, much less any cases in his district or statewide, that were unable to be prosecuted due to an encrypted smartphone.

In July 2015, Wired reported that in Manhattan, District Attorney Cyrus Vance, Jr. said that there were just 74 out of a total of 10,000 cases local prosecutors handle annually that involved unlockable phones. Vance did not say whether such cases were not prosecuted at all.

Neither Google nor Apple immediately responded to Ars’ request for comment, but Apple’s position has been made very clear by its CEO, Tim Cook. In September 2014, Apple took a new strong pro-encryption stance, saying that under iOS 8 (and later) devices it was unable to access customer data. Currently, Apple is also fighting a federal government demand to help unlock a criminal suspect’s iPhone in federal court in New York.

At a congressional hearing in April 2015, Rep. Ted Lieu (D-Calif.) wholly dismissed law enforcement’s arguments that they needed new expansive powers to weaken cryptography. Rep. Lieu, a computer science major and a Lieutenant Colonel in the United States Air Force Reserves, said giving the government a backdoor was ludicrous.

"It is clear to me that creating a pathway for decryption only for good guys is technologically stupid. You just can't do that," he said at the time.

More recently, in July 2015, 15 of the nation’s top cryptographers lambasted attempts to diminish security.

As they concluded:

Policy-makers need to be clear-eyed in evaluating the likely costs and benefits. It is no surprise that this report has ended with more questions than answers, as the requirements for exceptional access are still vague. If law enforcement wishes to prioritize exceptional access, we suggest that they need to provide evidence to document their requirements and then develop genuine, detailed specifications for what they expect exceptional access mechanisms to do. As computer scientists and security experts, we are committed to remaining engaged in the dialogue with all parts of our governments, to help discern the best path through these complex questions.

 
