BILL ANALYSIS
AB 1681
Page 1
Date of Hearing: April 12, 2016
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair
AB 1681
(Cooper) - As Amended March 28, 2016
SUBJECT: Smartphones
SUMMARY: Authorizes the imposition of a $2,500 civil penalty
against the manufacturers and operating system providers of
smartphones for the failure to decrypt, pursuant to a state
court order, the contents of a smartphone sold or leased in
California. Specifically, this bill:
1)Authorizes a civil penalty of $2,500 against a manufacturer or
operating system provider of a smartphone sold or leased in
California on or after January 1, 2017, in each instance where
the manufacturer or operating system provider is unable to
decrypt the contents of the smartphone pursuant to a state
court order.
2)Prohibits a manufacturer or operating system provider who pays
a civil penalty for the sale or lease of a smartphone not
compliant with these provisions from passing on any portion of
that penalty to purchasers of smartphones.
3)Clarifies that the imposition of the civil penalty on a
manufacturer or operating system provider does not preclude
the imposition of any other legal penalty.
4)Expressly exempts from liability under these provisions the
seller or lessor of a smartphone in instances where the
manufacturer or operating system provider is unable to decrypt
the contents of the smartphone.
5)Provides that a civil enforcement action may only be brought
by the Attorney General or a district attorney for the failure
of a manufacturer or operating system provider to decrypt a
smartphone pursuant to a state court order, although no more
than one civil penalty per smartphone may be applied pursuant
to these provisions.
6)Defines the terms "smartphone," "sold in California" and
"leased in California."
7)Makes findings and declarations relative to human trafficking
and encryption of data at rest in smartphones.
EXISTING LAW:
1)Requires, pursuant to the federal Communications Assistance
for Law Enforcement Act, telecommunications companies (common
carriers, broadband Internet access providers, and providers
of interconnected Voice over Internet Protocol service) to
enable law enforcement agencies to tap phone conversations
carried over their networks and provide call detail records.
(47 United States Code 1001-1010)
2)Requires that a smartphone that is manufactured on or after
July 1, 2015, and sold in California after that date, include
a technological solution at the time of sale, which may
consist of software, hardware, or both software and hardware,
that, once initiated and successfully communicated to the
smartphone, can render inoperable the essential features of
the smartphone to an unauthorized user when the smartphone is
not in the possession of an authorized user, subject to civil
penalties ranging from $500 to $2,500 per violation. (Business
and Professions Code Section 22761)
FISCAL EFFECT: Unknown
COMMENTS:
1)Purpose of this bill. This bill is intended to increase law
enforcement access to criminal evidence held on smartphones by
punishing manufacturers and operating system providers for
failing to decrypt the contents of a smartphone sold or leased
in the state, pursuant to a state court order. This bill is
author-sponsored.
2)Author's statement. According to the author, "In 2014, cell
phone manufacturers began providing new operating systems for
smartphones and tablets, which employ, by default, 'full-disk
encryption' (FDE). The only way to access data stored on a
smartphone using an FDE operating system which is password
protected is by the user, or with permission from the user,
using a passcode. This includes when law enforcement
establishes probable cause, secures a judicial search warrant,
and serves that warrant on the operating systems manufacturer,
seller, or [lessor]."
"Prior to 2014, there were no operating systems with FDE
capabilities. Law enforcement, with a court order could serve
a search warrant on an operating system manufacturer without
putting other consumers at risk from hackers and maintaining
individual privacy. Human traffickers are using encrypted
cell phones to run and conceal their criminal activities.
Full-disk encrypted operating systems provide criminals an
invaluable tool to prey on women, children, and threaten our
freedoms while making the legal process of judicial court
orders, useless. Without AB 1681, law enforcement risks
losing crucial evidence in human trafficking cases if the
contents of passcode-protected smartphones remain immune to a
court order."
3)Encryption and smartphones. Encryption is a method for
encoding messages or information so that only authorized
parties can read it. Encryption does not necessarily prevent
interception, but it does render the content incomprehensible.
Though it has historically been used for military or
governmental purposes, encryption has been increasingly
utilized in civilian communications systems over the last few
decades.
Communications encryption works by taking the intended message,
called plaintext, and using an encryption "key" that applies
an algorithm to the message to generate a new, scrambled
version called ciphertext, which can then be turned back into
plaintext by use of a decryption key.
Encryption schemes can differ depending on whether or not the
data is moving. Encryption of data "in transit" means that
information, like a phone call or a text, is protected from
interception while moving between the sender and the receiver
through a network. Similarly, encryption of data "at rest"
describes efforts to protect from unauthorized access data
that is being stored (perhaps on a flash drive, a hard drive,
or even a remote server). Passwords are a common form of key
for encrypted at-rest data.
The scope of encryption for data at-rest can vary widely,
although the scheme most relevant to this bill is called "full
disk encryption" (or FDE). FDE means the encryption of nearly
everything on an entire drive, making the whole thing
inaccessible to an unauthorized user. Once a drive is
unlocked with the passcode, the data is automatically
decrypted and readable. FDE evolved in response to
perceived shortcomings in traditional file/folder encryption,
and it is notable because it encrypts nearly all files
(including metadata) on the drive, takes the default decision
over which files to encrypt out of the hands of the user,
requires authorization even prior to boot up, and provides
that destruction of the key also destroys the underlying data.
According to the author, Apple announced in 2014 that its new
operating system for smartphones and tablets (iOS 8.0) would
include FDE by default. Shortly thereafter, Google's latest
Android platform operating system offered FDE, and its Android
6.0 operating system ostensibly will make FDE the default
setting. Multiple levels of encryption may also exist: FDE
may protect access to an entire phone, while other forms of
encryption (whether standard with the phone or downloaded
after purchase) could protect data in transit on an individual
application (such as end-to-end encrypted messaging apps) or
particular data files at-rest on the smartphone.
The two major platforms discussed above (iOS and Android)
currently dominate the U.S. smartphone market. According to
Comscore's July 2015 survey, Google's Android platform
commands 51.4% of U.S. cellphone subscribers and Apple's iOS
holds 44.2%. It is worth noting that while Apple
manufactures its own phones, Android-compliant phones are
made by a wide variety of manufacturers with differing market
shares: Samsung (27.3%), LG (8.7%), Motorola (4.9%) and HTC
(3.5%). Because Android is open source (meaning that its
source code is available for licensure and even modification
by third parties), a company that sells or leases a smartphone
with an Android-compliant operating system that has been
modified could theoretically become the operating system
provider - not Google.
4)Law enforcement concerns about "Going Dark." According to a
November 2015 report from the Manhattan District Attorney's
Office entitled "On Smartphone Encryption and Public Safety,"
law enforcement officials believe that FDE is to blame for law
enforcement's increasing inability to access smartphones
during a criminal investigation. Specifically, the Manhattan
DA's Office states that between September 2014 and October
2015, it was unable to execute 111 search warrants for
smartphones because those devices were running Apple's iOS 8.
Historically, a law enforcement agency with a warrant could seek
an "unlock order" to compel a company like Apple to assist
with the extraction of data from the device, which would then
use a proprietary method to put the phone's data on a hard
drive and send it all back to the investigator. However, for
devices with FDE (like Apple smartphones with iOS 8 and above),
the company can no longer unlock the phone because, by design,
the company no longer has a key to unlock the fully encrypted
drive - only the user has the passcode. The same report notes
that, as of October 2015, approximately 91% of all Apple
devices use iOS 8 or higher, and 23% of Android users have
Lollipop 5.0 or higher. The report also contends that FDE on
Android phones will cause a similar problem once default FDE
is in widespread use on that platform.
A 2015 report by the International Association of Chiefs of
Police (IACP) describes the encrypted smartphone problem this
way: "Due to nearly universal support for efforts to use
strong encryption and other technologies to secure cell
phones, email text messages, and other online communications
and transactions, recent initiatives by industry to develop
and deploy encryption and sophisticated tools to protect the
privacy of their customers have created impenetrable barriers
to comply with lawful court orders to provide access to
digital evidence. As FBI Director James Comey has noted,
'Unfortunately, the law hasn't kept pace with technology, and
this disconnect has created a significant public safety
problem. We call it 'Going Dark', and what it means is this:
Those charged with protecting our people aren't always able to
access the evidence we need to prosecute crime and access
communications and information pursuant to court order, but we
lack the technical ability to do so.'"
According to the IACP report, a wide variety of electronic
information does remain available to law enforcement, but
certain data protected by FDE exists only on the phone itself.
Generally speaking, phone companies can still provide voice,
text and some geolocation data for calls made over their
networks. Even Apple and Google can provide "meta data" (data
about communications but not the communication itself) about
calls and texts made over their network, as well as anything
uploaded to the companies' "cloud" servers. However, other
information such as text message content, contacts, photos,
and Internet search history, may only exist on the device
itself if it hasn't been backed up to the cloud. It is this
information only on the phone itself that law enforcement is
most concerned about losing access to.
There is also a countervailing view: because of the rapid
growth in social media and communications technologies, law
enforcement actually has unparalleled access to a wide range
of information about suspects, with some calling the current
era a "golden age of surveillance."
Harvard University's Berkman Center for Internet and Society
published a February 2016 report entitled "Don't Panic.
Making Progress on the 'Going Dark' Debate" that states:
"[s]hort of a form of government intervention in technology
that appears contemplated by no one outside of the most
despotic regimes, communication channels resistant to
surveillance will always exist. This is especially true given
the generative nature of the modern Internet, in which new
services and software can be made available without
centralized vetting...We argue that communications in the future
will neither be eclipsed into darkness nor illuminated without
shadow. Market forces and commercial interests will likely
limit the circumstances in which companies will offer
encryption that obscures user data from the companies
themselves, and the trajectory of technological development
points to a future abundant in unencrypted data, some of which
can fill gaps left by the very communication channels law
enforcement fears will 'go dark' and beyond reach."
The Berkman report suggests that "Going Dark" is the wrong
metaphor, and that instead "[t]here are and will always be
pockets of dimness and some dark spots - communications
channels resistant to surveillance - but this does not mean we
are completely 'going dark.' Some areas are more illuminated
now than in the past and others are brightening. Three trends
in particular facilitate government access. First, many
companies' business models rely on access to user data.
Second, products are increasingly being offered as services,
and architectures have become more centralized through cloud
computing and data centers. A service, which entails an
ongoing relationship between vendor and user, lends itself
much more to monitoring and control than a product, where a
technology is purchased once and then used without further
vendor interaction. Finally, the Internet of Things promises
a new frontier for networking objects, machines, and
environments in ways that we are just beginning to understand.
When, say, a television has a microphone and a network
connection, and is reprogrammable by its vendor, it could be
used to listen in to one side of a telephone conversation
taking place in its room - no matter how encrypted the
telephone service itself might be. These forces are on a
trajectory towards a future with more opportunities for
surveillance."
5)Of "Crypto Wars" and Clipper Chips? Surprisingly, the debate
over the use of encryption technology in personal
communications is not new. A report from the Open Technology
Institute entitled "Doomed to Repeat History? Lessons from the
Crypto Wars of the 1990s" describes how the advent of public
key cryptography enabled businesses and individuals (rather
than just the government) to begin encrypting their own
communications at the dawn of the computer age. The report
states "[b]y the late 1970s, individuals within the US
government were already discussing how to solve the 'problem'
of the growing individual and commercial use of strong
encryption."
According to the report:
"The act that truly launched the Crypto Wars was the White
House's introduction of the 'Clipper Chip' in 1993. The
Clipper Chip was a state-of-the-art microchip developed by
government engineers which could be inserted into consumer
hardware telephones, providing the public with strong
cryptographic tools without sacrificing the ability of law
enforcement and intelligence agencies to access unencrypted
versions of those communications. ...Although White House
officials mobilized both political and technical allies in
support of the proposal, it faced immediate backlash from
technical experts, privacy advocates, and industry leaders,
who were concerned about the security and economic impact
of the technology in addition to obvious civil liberties
concerns. As the battle wore on throughout 1993 and into
1994, leaders from across the political spectrum joined the
fray, supported by a broad coalition that opposed the
Clipper Chip. When computer scientist Matt Blaze discovered
a flaw in the system in May 1994, it proved to be the final
death blow: the Clipper Chip was dead."
"Nonetheless, the idea that the government could find a
palatable way to access the keys to encrypted
communications lived on throughout the 1990s. Many
policymakers held onto hopes that it was possible to
securely implement what they called 'software key escrow'
to preserve access to phone calls, emails, and other
communications and storage applications. Under key escrow
schemes, a government-certified third party would keep a
'key' to every device. But the government's shift in
tactics ultimately proved unsuccessful; the privacy,
security, and economic concerns continued to outweigh any
potential benefits. By 1997, there was an overwhelming
amount of evidence against moving ahead with any key escrow
schemes."
Subsequent attempts were made to restrict the spread of strong
encryption via export controls, leading technology companies
to sell weaker versions of encrypted products overseas (and be
shut out of some foreign markets altogether). According to
the report, by the mid-1990s, "experts projected billions of
dollars in potential losses as a result of these policies."
By 1999, the White House removed virtually all restrictions on
the export of retail encryption products. The report observes
that "[i]n the decades since the resolution of the Crypto
Wars, many of the predictions about how strong encryption
would benefit the economy, strengthen Internet security, and
protect civil liberties have been borne out. In particular,
the widespread availability of robust encryption laid the
groundwork for the emergence of a vibrant marketplace of new
Internet services based on secure digital communications and
the widespread migration of sensitive communications online."
In a 2015 report from the Computer Science and Artificial
Intelligence Laboratory at the Massachusetts Institute of
Technology entitled "Keys Under Doormats", an eminent group of
computer scientists and security experts that previously
condemned the Clipper Chip proposal (including Matt Blaze)
considered the current debate over encryption in light of the
history of the debate over public encryption, writing:
"We have found that the damage that could be caused by law
enforcement exceptional access requirements would be even
greater today than it would have been 20 years ago. In the
wake of the growing economic and social cost of the
fundamental insecurity of today's Internet environment, any
proposals that alter the security dynamics online should be
approached with caution. Exceptional access would force
Internet system developers to reverse 'forward secrecy'
design practices that seek to minimize the impact on user
privacy when systems are breached. The complexity of
today's Internet environment, with millions of apps and
globally connected services, means that new law enforcement
requirements are likely to introduce unanticipated, hard to
detect security flaws. Beyond these and other technical
vulnerabilities, the prospect of globally deployed
exceptional access systems raises difficult problems about
how such an environment would be governed and how to ensure
that such systems would respect human rights and the rule
of law."
"...[I]f all information applications had had to be designed
and certified for exceptional access, it is doubtful that
companies like Facebook and Twitter would even exist.
Another important lesson from the 1990's is that the
decline in surveillance capacity predicted by the law
enforcement 20 years ago did not happen. Indeed, in 1992,
the FBI's Advanced Telephony Unit warned that within three
years Title III wiretaps would be useless: no more than 40%
would be intelligible and that in the worst case all be
rendered useless. The world did not 'go dark'. On the
contrary, law enforcement has much better and more
effective surveillance capabilities now than it did then."
1)The "San Bernardino Cellphone" case. A focal point for the
recent encryption debate has been the well-publicized dispute
between Apple and the Federal Bureau of Investigation (FBI)
regarding the decryption of a cellphone used by terrorists who
perpetrated a mass shooting in San Bernardino in December
2015.
According to the New York Times, investigators recovered an
Apple iPhone used by one of the shooters, but were unable to
open it because of its advanced security features (password
protected FDE combined with a self-destruct feature that wiped
the memory after a set number of failed password entries).
Seeking to unlock the phone in the search for further evidence
and potential co-conspirators, the FBI announced that it was
unable to crack the phone and asked Apple for help -
requesting that it create a new version of the phone's
operating system that would allow the FBI to bypass certain
security features. ("Explaining Apple's Fight With the
F.B.I."; Feb 17, 2016)
Apple, concerned about creating a new operating system that
would bypass the security of the original version, refused to
do so, calling the request a "chilling" breach of privacy and
a dangerous precedent. The FBI sued in federal court to
compel Apple to write the requested software. The suit was
dropped in March after the FBI identified a third party that
was able to unlock the phone.
That case is relevant to this bill in that it illustrates the
challenges that law enforcement run into because of smartphone
encryption. However, it should also be noted that this
particular case dealt with a Federal issue concerning a 200+
year old federal statute (the All Writs Act), and whether or
not that Act vests a court with sufficient power to compel a
company like Apple to design a new operating system in
furtherance of a law enforcement objective. As the case was
dropped, the question regarding the power and extent of the
All Writs Act remains unanswered.
6)Federal legislative efforts around smartphone decryption. As
a matter that has garnered nationwide attention over the last
few months, no fewer than three separate pieces of
Congressional legislation dealing with smartphone encryption
have been publicly discussed.
The first, HR 4528 (Lieu/Farenthold), dubbed the "Ensuring
National Constitutional Rights for Your Private
Telecommunications Act of 2016" (ENCRYPT Act), would prohibit
a state or local government from requiring smartphones sold in
the state to be able to be decrypted at the request of a
government entity. That bill would effectively nullify the
provisions of AB 1681 if enacted. HR 4528 has been referred
to the House Energy and Commerce Committee and the Judiciary
Committee, although a hearing date has not yet been set.
A second bill proposed by Senators Burr and Feinstein (Chair
and Vice Chair of the Senate Intelligence Committee) is
currently being drafted but has not yet been introduced, and
would allow law enforcement and intelligence agencies access
to encrypted information once a warrant is obtained.
Finally, a joint effort by Rep McCaul (HR 4651) and Senator
Warner (S. 2604) would create the Digital Security Commission
Act of 2016. The act would create a National Commission on
Security and Technology Challenges that would bring together
leading experts and practitioners from the technology sector,
cryptography, law enforcement, intelligence, the privacy and
civil liberties community, global commerce and economics, and
the national security community to discuss issues such as the
"going dark" problem and make recommendations to Congress for
action. Both bills have been referred to committee in their
respective houses, but have not yet been heard.
7)Questions for the Committee. In its current form, the
language of this bill presents a number of questions and
ambiguities that, if unaddressed, may lead to problems with
implementation that could undercut its effectiveness or lead
to unintended negative consequences. The Committee may wish
to inquire of the author as to how these questions might best
be addressed.
One set of issues involves drafting ambiguities in the language
of the bill itself. The most important question involves
time: How long does a manufacturer or operating system
provider have to decrypt a phone before the civil penalty can
be imposed? According to the author, the standard response
time for a warrant is ten days, although that may not be
enough time in cases where a company may have to engineer a
new decryption solution, respond to hundreds or thousands of
requests, or is based overseas. Furthermore, the bill would
theoretically punish a company for being unable to decrypt
"the contents of the smartphone," but it may be that the
contents of the phone are encrypted at multiple levels, with
some data protected by software that was not designed by the
manufacturer or operating system provider. In such cases, a
company could be penalized for failing to immediately unlock
information encrypted by software it didn't design and has
never seen before. Finally, in cases where the manufacturer
and the operating system provider are not the same company, it
is unclear whether or not both would be liable for decrypting
a phone's contents, whether or not either or both have the
technological capacity to do so. Nor is it clear how a
manufacturer could be expected to decrypt an operating system
that it didn't develop. However, according to the author's
office, the intent was to focus only on operating system
providers - and not on a manufacturer that didn't develop the
operating system as well.
Another set of concerns involves circumvention. If the intent
of the bill is to ensure that those who commit crimes in
California only have access to phones that can be decrypted
with a court order, a criminal would be able to defeat that
requirement by downloading aftermarket software (or even a new
operating system) that provides encryption for data files at
rest that the original manufacturer or operating system
provider may not be able to unlock (and could be punished for
not doing so). Criminals could also use ephemeral messaging
apps that automatically destroy messages after a short period
of time. Finally, someone using an Android-compliant phone
might be able to download an aftermarket Android-compliant
open source operating system with FDE that was developed by a
private party or a company overseas - parties that may well be
beyond the influence of a warrant or civil penalty.
There is also the broader technological problem of how to
increase law enforcement access without weakening security.
As discussed elsewhere in this analysis, one of the most
consistently voiced concerns about requiring smartphones to be
engineered to facilitate government access is that it would
weaken the overall security of the products against outside
attacks. To the extent that a decryption mandate would
require smartphone makers to introduce new potential
weaknesses into the security architecture of future phones, it
would increase the likelihood of those phones being hacked and
their personal information being compromised. This new
vulnerability would only be compounded as more electronic
devices become connected via one's smartphone (the Internet of
Things) and more financial transactions become mobile-enabled.
Finally, there are practical questions as well. A
state-specific mandate for law enforcement decryption on
demand could undercut discussions currently going on in
Congress that aim to find a nationwide solution. This bill's
approach would also seem to run counter to the smartphone
security statute passed in 2014 by Senator Mark Leno (SB 962),
which intended to curb the market in stolen smartphones by
requiring the installation of a "killswitch" to prevent the
phones from being cracked. Lastly, there is a humanitarian
concern that repressive foreign governments may use the
existence of the mandated decryption capability to demand
access to the personal communications of their own citizens
without adequate respect for the individual's human rights.
8)Arguments in support. According to the California Peace
Officers' Association (CPOA), "CPOA's nearly 3,000 peace
officer members across California encounter encrypted
smartphones and devices frequently during the course of their
duties. Under appropriate warrants, these devices often when
searched provide necessary information that aids in the
solving of crimes as they occur. Provisions in the bill that
also provide for civil penalties for sellers or lessors who
violate decryption requirements also holds accountable those
who impede on crucial investigations. Purchasers of the
devices are also protected by AB 1681's prohibition of passing
any civil penalty fines incurred by sellers or lessors onto
purchasers."
The California Police Chiefs Association writes, "Pursuant to
[existing law], a government entity may compel the production
of, or access to, electronic communication information from a
service provider or compel the production of, or access to,
electronic device information from any person or entity other
than the authorized possessor of the device pursuant to a
warrant, wiretap order, order for electronic reader records or
subpoena issued pursuant to state law. The aforementioned
warrant requirements strike a balance between the privacy
rights of the public and the needs of law enforcement.
Regrettably, a warrant to search a smartphone engineered with
full-disk encryption is as useful as a search warrant for a
brick."
9)Arguments in opposition. A broad coalition of opponents from
the technology industry writes, "While we support the author's
goal of combating human trafficking and other heinous crimes,
AB 1681 is the wrong approach."
The coalition expressed a number of major concerns with the
operation of the bill. The first is that the bill would
undermine the security of smartphones: "There is no way to
build a 'back door' into a smartphone that can only be used by
one person. Once a vulnerability exists, any party that
discovers it - including criminals - can exploit it to bypass
device security and access sensitive data. Foreign
governments, including repressive regimes, can assert the same
right to use that vulnerability as U.S. law enforcement
agents. AB 1681 undermines efforts to make sure this data is
as safe as possible by continuing to improve encryption and
data security."
AB 1681 may also harm innovation: "Under the language of AB
1681, smartphone manufacturers and operating service providers
are liable if they cannot decrypt a smartphone upon demand -
even if the device has been encrypted through software
installed by the user. This means companies would have to lock
down devices so that users cannot install third party software
that might prevent decryption. This would cripple innovation
in smartphone operating systems and applications."
Moreover, this bill would reverse recent gains made against
smartphone theft by the introduction of "killswitch"
technology: "According to Consumer Reports, there were nearly
3.1 million victims of smartphone theft in 2013, nearly
doubling the number of victims in 2012. That number fell to
2.1 million in 2014 after many smartphone manufacturers and
software companies - at the request of law enforcement
authorities - deployed kill switch technology. Strong
encryption is intrinsic to these protections, as without it,
they are more easily compromised." The coalition goes on to
say that this bill would directly undo the work of SB 962
(Leno) passed in 2014 with law enforcement support to mandate
killswitches in smartphones.
Similarly, the coalition argues more broadly that the growth in
mobile computing means that the technology needs to become
more secure, not less: "As more of our lives move to mobile
phones - via email, photo sharing, social networks, maps and
geolocation - the need to protect these devices grows.
Identity theft continues to be a significant problem. To help
combat these issues, the Federal Trade Commission (FTC) has
long called for encryption and continues to do so...The
payment and user authentication credentials that enable
services that banks, online stores and app creators rely on
will only be available if devices are secure."
The coalition also argues that the bill will fail in practice
because other new technologies will allow criminals to
circumvent mandated decryption: "Even if all smartphones in
California had their security fundamentally weakened as this
bill envisions, criminals could still... bypass any prohibitions
on third-party software and layer on some of the strongest
open-source encryption technology available to anyone on the
Internet. Weakening the security of the mobile phone
ecosystem would not stop bad actors seeking to hide their
actions."
Finally, the coalition argues that this bill sets "a dangerous
precedent": "The enactment of AB 1681 would represent a
first-of-its-kind mandate essentially making it easier and
more defensible for governments to weaken important consumer
protections across other types of devices, technologies, and
data. This would increase cyber risk to consumers and make it
easier for hackers and criminals to exploit online."
According to the Institute of Electrical and Electronics
Engineers in the United States, "we are concerned about the
potential risk to consumers created by AB 1681. While the
goal of this legislation is improving public safety, we
believe that by banning fully encrypted smartphones, the bill
in fact compromises public safety...Helping law enforcement is
an admirable goal. Unfortunately, AB 1681 would make it
illegal to create a secure cell phone...We are concerned that
intentionally building vulnerabilities into cell phones, which
is what AB 1681 requires, would significantly increase risks
to California's cell phone users as well as damage the
cell-phone marketplace."
The Firearms Policy Coalition states, "As a civil rights
organization that represents the interests of some of the most
regulated, tracked and legislated classes of people, it is
imperative that our constituency have access to their
constitutionally guaranteed rights to assembly, speech and
privacy without compromise...Unfortunately, AB 1681 chills these
rights and we must respectfully ask your 'NO' vote."
Apple writes, "We support the government's mission to protect
innocent people from violent criminals, and we work closely
with law enforcement agencies to prevent and solve crime. But
we cannot afford to fall behind those who would exploit
technology to cause chaos...The encryption technology built into
today's iPhone represents the best data security available to
consumers. The cryptographic protections on the device don't
just help prevent unauthorized access to our customers'
personal data; they're also a critical line of defense against
criminals who seek to gain access to a business, public
utility, or government agency....By mandating companies to
weaken their security systems, the bill would leave millions
of unsuspecting Californians dangerously exposed to
cyber-attacks."
10)Previous legislation. SB 962 (Leno), Chapter 275, Statutes
of 2014, requires smartphones manufactured after July 1, 2015,
and sold in California to contain a technological solution at
the time of sale that will render the essential features of
the smartphone inoperable when not in the possession of the
authorized user, and also provides a civil penalty for
violations and limits retail liability if the solution is
circumvented.
11)Double-referral. This bill is double-referred to the
Assembly Judiciary Committee, where it will be heard if passed
by this Committee.
REGISTERED SUPPORT / OPPOSITION:
Support
California Peace Officers' Association (CPOA)
California Police Chiefs Association
Peace Officers Research Association of California (PORAC)
Opposition
ACLU of California
Apple
Application Developers Alliance
CalChamber
California Bankers Association
California Right To Carry
Center for Democracy & Technology
CompTIA
CTIA - The Wireless Association
Electronic Frontier Foundation
Firearms Policy Coalition
Google
Internet Association
NetChoice
Oakland Privacy Working Group
Silicon Valley Leadership Group
State Privacy & Security Coalition
TechNet
The Institute of Electrical and Electronics Engineers (IEEE)
Two individuals
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200