State

California bill mandating cell phone encryption backdoors fails

The controversial legislation died in committee following stiff resistance from privacy advocates and even federal lawmakers.

By Alex Koma

April 15, 2016

A California bill to force cell phone manufacturers to build encryption backdoors into their products won’t be moving forward, after outcry from privacy advocates and tech companies prompted lawmakers to hold the legislation in committee.

Lawmakers in the state Assembly’s Committee on Privacy and Consumer Protection declined to advance Assembly Member Jim Cooper’s A.B. 1681 on Tuesday. The bill was aimed at giving law enforcement agencies a way to access encrypted cell phones sold in the state, and it would have fined manufacturers or operating system providers $2,500 every time prosecutors obtained a court order to search a phone but couldn’t break its encryption.

In a statement, the digital privacy advocates at the Electronic Frontier Foundation hailed the bill’s failure as a “major win for our community,” as it “posed a serious threat to smartphone security.”

Though Cooper named human traffickers and drug dealers as the main targets of the legislation, the bill quickly attracted attention for its potential effect on domestic terrorism cases in light of the massive debate over whether Apple bore any responsibility to help federal investigators unlock the iPhone used by one of the shooters in the attack in San Bernardino, California.

Indeed, Cooper’s bill even prompted a pair of congressmen to introduce federal legislation in February aimed at blocking states from passing laws mandating encryption backdoors in phones, though it’s currently awaiting a hearing in a House subcommittee.

“We can’t have individual states decide how to encrypt products just in their own state,” Rep. Ted Lieu, a California Democrat and one of the bill’s sponsors, previously told StateScoop.

However, the bill was not without its supporters. Rod Norgaard, assistant chief deputy district attorney in the Sacramento County, California, prosecutor’s office, previously told StateScoop that the bill would be a huge boon in a variety of his investigations, and several other law enforcement groups registered their support for the legislation with the Assembly committee, including the California Peace Officers’ Association and the California Police Chiefs Association.

“Regrettably, a warrant to search a smartphone engineered with full-disk encryption is as useful as a search warrant for a brick,” the California Police Chiefs Association wrote to the committee.

Yet opposition to the bill was staunch — registered dissenters included Apple, Google, the American Civil Liberties Union of California and even the California Chamber of Commerce — and concerns emerged about how exactly the legislation might work in practice.

“The bill would theoretically punish a company for being unable to decrypt ‘the contents of the smartphone,’ but it may be that the contents of the phone are encrypted at multiple levels, with some data protected by software that was not designed by the manufacturer or operating system provider,” Hank Dempsey, a legislative consultant to the committee, wrote in an April 8 analysis. “In such cases, a company could be penalized for failing to immediately unlock information encrypted by software it didn’t design and has never seen before.”

Similarly, Dempsey worried that criminals could “circumvent” these strictures by using encrypted messaging applications, and he found arguments that any weakening of encryption makes all encrypted products less secure persuasive.

“This new vulnerability would only be compounded as more electronic devices become connected via one’s smartphone (the Internet of Things) and more financial transactions become mobile-enabled,” Dempsey wrote.

But even though Cooper’s bill failed, similar legislation is still pending in New York and Louisiana. However, those bills may very well meet the same fate as the effort in California — the legislative analytics company FiscalNote gives the New York legislation just a 4.2 percent chance of ever making it out of committee, while the Louisiana bill fares only slightly better with a 4.5 percent chance.

Contact the reporter at alex.koma@statescoop.com, and follow him on Twitter @AlexKomaSNG.