{"id":128,"date":"2016-02-01T12:29:03","date_gmt":"2016-02-01T20:29:03","guid":{"rendered":"http:\/\/www.founditdata.com\/blog\/?p=128"},"modified":"2016-02-01T12:29:03","modified_gmt":"2016-02-01T20:29:03","slug":"proposed-state-bans-on-phone-encryption-make-zero-sense","status":"publish","type":"post","link":"https:\/\/www.fidcyber.com\/blog\/security\/proposed-state-bans-on-phone-encryption-make-zero-sense\/","title":{"rendered":"PROPOSED STATE BANS ON PHONE ENCRYPTION MAKE ZERO SENSE"},"content":{"rendered":"<p>&nbsp;<\/p>\n<p><span class=\"lede\" tabindex=\"-1\"><a href=\"http:\/\/www.founditdata.com\/blog\/wp-content\/uploads\/2016\/02\/Lock_Case.jpg\" rel=\"attachment wp-att-129\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-129\" src=\"http:\/\/www.founditdata.com\/blog\/wp-content\/uploads\/2016\/02\/Lock_Case-300x203.jpg\" alt=\"Lock_Case\" width=\"300\" height=\"203\" srcset=\"https:\/\/www.fidcyber.com\/blog\/wp-content\/uploads\/2016\/02\/Lock_Case-300x203.jpg 300w, https:\/\/www.fidcyber.com\/blog\/wp-content\/uploads\/2016\/02\/Lock_Case-768x521.jpg 768w, https:\/\/www.fidcyber.com\/blog\/wp-content\/uploads\/2016\/02\/Lock_Case.jpg 1024w, https:\/\/www.fidcyber.com\/blog\/wp-content\/uploads\/2016\/02\/Lock_Case-800x542.jpg 800w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><br \/>\nAmerican politics has <\/span>long accepted the strange notion that just a pair of states\u2014namely Iowa and New Hampshire\u2014get an outsize vote in choosing America\u2019s next president. The idea of letting just two states choose whether we all get to have secure encryption on our smartphones, on the other hand, has no such track record. 
And it\u2019s not a plan that seems to make much sense for anyone: phone manufacturers, consumers, or even the law enforcement officials it\u2019s meant to empower.<\/p>\n<p>Last week, a California state legislator\u00a0introduced a bill that would ban the retail sale of smartphones with a full-disk encryption feature\u2014a security measure designed to ensure that no one can decrypt and read your phone\u2019s contents except you. The bill is the second piece of state-level legislation to propose that sort of smartphone crypto ban, following a similar New York state assembly proposal that was first floated last year and re-introduced earlier this month. Both bills are intended to ensure that law enforcement can access the phones of criminals or victims when their devices are seized as evidence.<\/p>\n<p class=\"pullquote carve fader fade-in-up\" style=\"text-align: left;\" data-js=\"fader\"><strong>If consumers will cross borders to fill a booze cabinet, what&#8217;s to prevent New York criminals from foiling surveillance with New Jersey iPhones?<\/strong><\/p>\n<p>Those two proposed crypto bans have put another twist in an already tangled debate: The privacy and cryptography community has long opposed any such \u201cbackdoor\u201d scenario that gives cops access to encrypted smartphones at the risk of weakening every device\u2019s data protections. But legal and technical experts argue that even if a <em>national<\/em> ban on fully encrypted smartphones were a reasonable privacy sacrifice for the sake of law enforcement, a <em>state<\/em>-level ban wouldn\u2019t be. 
They say the most likely result of any state banning the sale of encrypted smartphones would be to make the devices of law-abiding residents more vulnerable, while still letting criminals obtain an encrypted phone with a quick trip across the state border or even a trivial software update.<\/p>\n<h3>Crypto Has No Borders<\/h3>\n<p>If the New York and California smartphone encryption bans passed, a company like Apple that sells encrypted-by-default iPhones would have three options, argues Neema Singh Guliani, an attorney with the American Civil Liberties Union: It could cease to fully encrypt any of its phones, contradicting a year of outspoken statements on privacy by its CEO Tim Cook. It could stop selling phones in two of America\u2019s richest states. Or finally, it could create special versions of its phones for those states to abide by their anti-encryption laws.<\/p>\n<p>The last of those scenarios is Apple\u2019s most likely move, says Singh Guliani, and yet would result in a \u201clogistical nightmare\u201d that still wouldn\u2019t keep criminals from encrypting their phones\u2019 secrets. She compares the laws to state-wide liquor regulations: \u201cPeople will travel over the border to buy alcohol in states with the standards that suit them,\u201d she says. If consumers will cross borders to fill a booze cabinet, what\u2019s to prevent New York criminals from foiling surveillance with New Jersey iPhones? \u201cNothing would stop those who wanted a more privacy protective phone to get one from out of state.\u201d<\/p>\n<p>In the hypothetical future where the state bills have passed, fully encrypting an iPhone might not even require buying an out-of-state device, but merely downloading out-of-state firmware. 
After all, it\u2019s unlikely Apple would go to the expense of manufacturing different hardware for its phones to disable encryption in some of them, argues Jonathan Zdziarski, an iOS forensics expert who has worked with police to decrypt phones. \u201cThat would be a massive technical change to support this kind of device,\u201d Zdziarski argues. \u201cIt would be literally cheaper for Apple to stop selling phones in California altogether.\u201d Instead, he says, it would likely sell the same hardware for all of its devices and merely disable full-disk encryption through a different version of its firmware activated at the time of the phone\u2019s purchase. And nothing in the current bills would prevent Apple from making the fully encryption-enabled version of its firmware available to anyone who restores their device from factory settings.<\/p>\n<p class=\"pullquote carve fader fade-in-up\" data-js=\"fader\"><strong>The technologically savvy will find ways to get encryption, while the average smartphone user\u2019s data will be left more vulnerable.<\/strong><\/p>\n<p>In other words, that would make the New York and California crypto bans <em>statewide bans on software<\/em>, an idea\u00a0roughly\u00a0as practical as policing undocumented birds crossing the Mexican border. And if\u00a0Apple were to try to accommodate the spirit of the law by preventing customers from restoring their phone with full-disk encryption inside California or New York, Zdziarski is confident iPhone owners could circumvent\u00a0any\u00a0location tracking, proxying their IP address or putting the phone in a Faraday bag to block its GPS. \u201cThis legislation is going to be technologically useless,\u201d says Zdziarski. 
\u201cAnyone who wants a device that doesn\u2019t have law-enforcement-reversible encryption will be able to get one.\u201d<\/p>\n<h3>Pressuring Congress<\/h3>\n<p>Neither Apple nor Google, which followed Apple\u2019s lead last year by declaring that all devices running the latest version of Android will have default full-disk encryption, responded to WIRED\u2019s request for comment on the California or New York bills. The office of New York Assemblyman Matthew Titone, who introduced the New York bill, tells\u00a0WIRED that the state-level bill is meant to pressure Congress\u00a0to follow with its own legislation. \u201cWhen there\u2019s no national legislation, states take efforts on\u00a0their\u00a0own to solve an issue,\u201d says Titone\u2019s chief of staff Chris Bauer. \u201cThat can speed the process along to make the federal government take steps.\u201d<\/p>\n<p>Skyler Wonnacott, the director of communications for the California bill\u2019s sponsor Assemblyman Jim Cooper, offered a similar argument. \u201cCalifornia is leading the fight\u2026It\u2019s got to start somewhere,\u201d Wonnacott says. \u201cJust because you can drive into Nevada and buy a phone or download software doesn\u2019t mean there isn\u2019t an issue and these phones aren\u2019t used in crimes.\u201d<\/p>\n<div class=\"rad mid-banner-wrap relative bg-gray-1 flex-box align-m justify-c marg-t-50 marg-b-50\" tabindex=\"-1\" data-js=\"inCopyRad\" data-skip=\"\"><\/div>\n<p>Congress\u00a0has yet to introduce legislation to limit full-disk encryption in smartphones, despite several congressional hearings over the last year in which officials, including FBI Director James Comey and New York District Attorney Cyrus Vance, warned of the dangers of allowing criminals access to devices with data they couldn\u2019t decrypt. 
(Vance said at the time that New York police had been stymied by smartphone encryption 74 times in the nine months before the hearing, out of roughly 100,000 cases it deals with in a year.) A spokesperson in Vance\u2019s office writes to WIRED that the DA\u2019s office pushed for state legislation, and still hopes to find a compromise with\u00a0device makers. \u201cWhen Apple and Google announced the switch to full-disk encryption\u2026with no regard for the effect it would have on local law enforcement and domestic crime victims, they left us with no choice but to seek legislative solutions at all levels, state and federal,\u201d writes the district attorney\u2019s director of communications Joan Vollero. \u201cIf the companies have a solution, we encourage them to engage in a productive dialogue.\u201d<\/p>\n<h3>Constitutional Questions<\/h3>\n<p>But even if state laws do put pressure on Apple and Google to cave on encryption, they may do so unconstitutionally, says Andrew Crocker, an attorney with the Electronic Frontier Foundation. He says statewide smartphone encryption bans may fall under the \u201cdormant Commerce Clause,\u201d which gives the exclusive right to regulate commerce between states to the federal government. \u201cStates don\u2019t have unlimited power to enact regulations to burden interstate commerce,\u201d says Crocker. \u201cIf I\u2019m Apple, this seems like a huge burden on my business.\u201d<\/p>\n<p>Congress, on the other hand, would have the power to ban default full-disk encryption in smartphones\u2014though they\u2019d do so against the advice of nearly every technical expert in the field of cryptography. In July of last year, for instance, 15 renowned cryptographers published a paper cautioning against any deliberate weakening of encryption for the sake of law enforcement. \u201cNew law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,\u201d the paper reads. 
\u201cThe prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.\u201d<\/p>\n<p>And Crocker reiterates that state-level bills wouldn\u2019t be just problematic or risky, but \u201cwildly ineffective,\u201d as those who want encryption will easily get it from out of state\u2014in either software or hardware form. The technologically savvy will use it to defeat police surveillance or to protect their phone from hackers and thieves, while the average smartphone user\u2019s data will be left more vulnerable. \u201cThe ones who will actually be impacted are the less sophisticated people who don\u2019t know how to get this protection,\u201d says Crocker. \u201cYou\u2019re looking at a cost that falls on innocent people, not criminals or terrorists.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; American politics has long accepted the strange notion that just a pair of states\u2014namely Iowa and New Hampshire\u2014get an outsize vote in choosing America\u2019s next president. 
The idea of letting just two states choose whether we all get to &hellip; <a href=\"https:\/\/www.fidcyber.com\/blog\/security\/proposed-state-bans-on-phone-encryption-make-zero-sense\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,10,7,9],"tags":[],"class_list":["post-128","post","type-post","status-publish","format-standard","hentry","category-ediscovery","category-forensic","category-security","category-technology"],"_links":{"self":[{"href":"https:\/\/www.fidcyber.com\/blog\/wp-json\/wp\/v2\/posts\/128"}],"collection":[{"href":"https:\/\/www.fidcyber.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fidcyber.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fidcyber.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fidcyber.com\/blog\/wp-json\/wp\/v2\/comments?post=128"}],"version-history":[{"count":1,"href":"https:\/\/www.fidcyber.com\/blog\/wp-json\/wp\/v2\/posts\/128\/revisions"}],"predecessor-version":[{"id":130,"href":"https:\/\/www.fidcyber.com\/blog\/wp-json\/wp\/v2\/posts\/128\/revisions\/130"}],"wp:attachment":[{"href":"https:\/\/www.fidcyber.com\/blog\/wp-json\/wp\/v2\/media?parent=128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fidcyber.com\/blog\/wp-json\/wp\/v2\/categories?post=128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fidcyber.com\/blog\/wp-json\/wp\/v2\/tags?post=128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}