Proposed Cell Phone Security Legislation Might Put You at Risk

February 9, 2016

Cell phone security raises various issues in the tech and legal world. On one hand, police officers and other law enforcement organizations would like to be able to access the data on cell phones belonging to criminals or victims if the cell phone has been seized as evidence of a crime. However, enabling police officers to decrypt phones, also called “exceptional access,” can create security risks for ordinary citizens if their phones have decreased encryption options. Normally, smartphones are made with a full-disk encryption feature that is designed to make sure that only the owner of the phone can access the contents of the cellphone and no one else can decrypt the data. However, two states are working to change that citing law enforcement concerns.
In light of the prevalence of this security feature and to provide greater options for law enforcement, New York State proposed a bill last year that would require all smartphones sold in the state to be capable of being decrypted and unlocked by the manufacturer or its operating system provider. California also introduced a bill this year with a nearly identical aim; requiring all smartphones sold in California “to be capable of being decrypted and unlocked by its manufacturer or its operating system provider.” This bill aims to assist in the apprehension of human traffickers, and the New York bill aims to fight terrorism.
These bills might seem to provide numerous crime fighting opportunities for police. But these benefits come with a huge cost. Privacy experts are very opposed to this legislation as it creates a “backdoor” for the police to access the content on an encrypted phone and decreased security measures for all phones by doing so. Additionally, legal experts assert that a state-level ban of encrypted smartphones is possibly unconstitutional. Andrew Crocker, an attorney with the Electronic Frontier Foundation, noted that a ban of smartphone encryption services could fall under the dormant Commerce Clause, and therefore only the federal government would have the power to create legislation that would burden interstate commerce in this way.
Additionally, legal experts argue that legislation like this would make law-abiding citizens’ cellphones at risk for cyber attacks, and criminals could simply obtain encrypted phones by travelling across the state border and purchasing one, further hurting law-abiding citizens and providing an evasive measure for criminals. The ease of traveling over state lines to obtain an encrypted phone also creates enforceability concerns.
The two proposed bills also create difficulties for smartphone producers like Apple. Apple iPhones are encrypted by default and significant changes would have to be made to ensure that the phones they are selling in New York and California comply with the proposed legislation. Neema Singh Guliani, at attorney with the American Civil Liberties Union, sees three options for phone companies. First, Apple could sell only phones without the encryption technology, it could stop selling phones in New York and California, or it could create unique phones to sell in those states that comply with the proposed laws. Singh Guliani postulates that the third option is most likely yet this legislation would pose a “logistical nightmare” for Apple and other smartphone companies.
As these bills wait to move forward in the legislative process, Matthew Titone, the New York Assemblyman who introduced the New York Bill told Wired that the he hopes his state’s bill will pressure Congress to “follow with its own legislation.” It is interesting to note that Congress has not moved to create any legislation like this. Congress actually seems inclined to do the opposite and has been informed by security experts that “[exceptional access] proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”
The report notes three key problems: “First, providing exceptional access to communications would force a U-turn from the best practices now being deployed to make the Internet more secure.” In this way, allowing exceptional access would eliminate the ability to use “forward secrecy,” a system where “decryption keys are deleted immediately after use, so that stealing the encryption key used by a communications server would not compromise earlier or later communications.” Second, “building in exceptional access would substantially increase system complexity.” To implement this system of exceptional access, new features would have to be tested with developers all over the globe and each new feature create vulnerabilities when it interacts with others. Finally, “exceptional access would create concentrated targets that could attract bad actors.” The proposed legislation states that the ability to unlock a phone would have to be stored with the provider and law enforcement agencies making them vulnerable to an inside attack.

While these bills seek to assist law enforcement and protect citizens, at this point is seems that exceptional access is not the most useful or efficient method of achieving this goal.