The California Assembly Bill 1681 was quietly dropped this week without a vote. The bill would have authorized $2,500 penalties for phone manufacturers and operating system providers if they do not comply with court orders to decrypt phones. In effect, it would force phone providers to include a backdoor or face repeated fines.
Assemblyman Jim Cooper had claimed it was simply wrong that a search warrant could allow law enforcement agencies to search homes, but not necessarily phones. “I’m not concerned about terrorism. The federal investigators deal with that,” he said, but “local law enforcement deals with cases every day and they cannot access this information.”
The bill had faced opposition from civil liberties organizations such as the EFF, the tech industry including Apple and Google, and business representation including the California Chamber of Commerce and the California Bankers Association.
The original bill introduced in January had specifically required that all phones sold in California should, at the point of sale, have the technical ability to be unlocked and decrypted. This was later amended to a requirement to obey court orders.
“The bill, both before and after it was amended, posed a serious threat to smartphone security,” wrote the EFF in a blog post Wednesday. “It would have forced companies to dedicate resources to finding ways to defeat their own encryption or insert backdoors to facilitate decryption. As a result, the bill would have essentially prohibited companies from offering full disk encryption for their phones.”
This echoed the industry view. “Fundamentally weakening the security of smartphones in the way AB 1681 envisions not only doesn’t make us safer, it actually makes us less safe,” warned Internet Association lobbyist Robert Callahan (reported in the Sacramento Bee), who called encryption “an incredibly important tool in today’s interconnected, Internet-enabled world to keep data secure.”
The practicality of such a bill also needs to be questioned. Manufacturing two versions of a phone, one for California and one for the rest of the world, is neither feasible nor effective, so manufacturers would in practice have to abandon the security of encryption altogether. Customers would simply purchase phones across state lines or via the internet – leaving the manufacturer still open to legal sanctions in California.
For such a requirement to work, it would need to be not merely nationwide, but ultimately worldwide. It is worth remembering that compulsory breach disclosure laws in America started in California and were then copied by other states.
However, this defeat in California can be seen as a win for encryption and the tech companies that provide encryption throughout the country.
“The tech industry was very helpful in killing this bill. It would be bad for business and bad for their customers – which is all of us,” EFF’s Rebecca Jeschke told SecurityWeek. “We certainly hope that this will make it easier to protect encryption from misguided efforts to break it.”