BILL ANALYSIS
AB 1681 Page 1

Date of Hearing: April 12, 2016

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair

AB 1681 (Cooper) - As Amended March 28, 2016

SUBJECT: Smartphones

SUMMARY: Authorizes the imposition of a $2,500 civil penalty against the manufacturers and operating system providers of smartphones for the failure to decrypt, pursuant to a state court order, the contents of a smartphone sold or leased in California. Specifically, this bill:

1) Authorizes a civil penalty of $2,500 against a manufacturer or operating system provider of a smartphone sold or leased in California on or after January 1, 2017, in each instance where the manufacturer or operating system provider is unable to decrypt the contents of the smartphone pursuant to a state court order.

2) Prohibits a manufacturer or operating system provider who pays a civil penalty for the sale or lease of a smartphone not compliant with these provisions from passing on any portion of that penalty to purchasers of smartphones.

3) Clarifies that the imposition of the civil penalty on a manufacturer or operating system provider does not preclude the imposition of any other legal penalty.

4) Expressly exempts from liability under these provisions the seller or lessor of a smartphone in instances where the manufacturer or operating system provider is unable to decrypt the contents of the smartphone.

5) Provides that a civil enforcement action may only be brought by the Attorney General or a district attorney for the failure of a manufacturer or operating system provider to decrypt a smartphone pursuant to a state court order, although no more than one civil penalty per smartphone may be applied pursuant to these provisions.

6) Defines the terms "smartphone," "sold in California" and "leased in California."

7) Makes findings and declarations relative to human trafficking and encryption of data at rest in smartphones.

EXISTING LAW:

1) Requires, pursuant to the federal Communications Assistance for Law Enforcement Act, telecommunications companies (common carriers, broadband Internet access providers, and providers of interconnected Voice over Internet Protocol service) to enable law enforcement agencies to tap phone conversations carried over their networks and provide call detail records. (47 United States Code 1001-1010)

2) Requires that a smartphone that is manufactured on or after July 1, 2015, and sold in California after that date, include a technological solution at the time of sale, which may consist of software, hardware, or both software and hardware, that, once initiated and successfully communicated to the smartphone, can render inoperable the essential features of the smartphone to an unauthorized user when the smartphone is not in the possession of an authorized user, subject to civil penalties ranging from $500 to $2,500 per violation. (Business and Professions Code Section 22761)

FISCAL EFFECT: Unknown

COMMENTS:

1) Purpose of this bill. This bill is intended to increase law enforcement access to criminal evidence held on smartphones by punishing manufacturers and operating system providers for failing to decrypt the contents of a smartphone sold or leased in the state, pursuant to a state court order. This bill is author-sponsored.

2) Author's statement. According to the author, "In 2014, cell phone manufacturers began providing new operating systems for smartphones and tablets, which employ, by default, 'full-disk encryption' (FDE). The only way to access data stored on a smartphone using an FDE operating system which is password protected is by the user, or with permission from the user, using a passcode. This includes when law enforcement establishes probable cause, secures a judicial search warrant, and serves that warrant on the operating systems manufacturer, seller, or [lessor]."

"Prior to 2014, there were no operating systems with FDE capabilities. Law enforcement, with a court order could serve a search warrant on an operating system manufacturer without putting other consumers at risk from hackers and maintaining individual privacy. Human traffickers are using encrypted cell phones to run and conceal their criminal activities. Full-disk encrypted operating systems provide criminals an invaluable tool to prey on women, children, and threaten our freedoms while making the legal process of judicial court orders, useless. Without AB 1681, law enforcement risks losing crucial evidence in human trafficking cases if the contents of passcode-protected smartphones remain immune to a court order."

3) Encryption and smartphones. Encryption is a method for encoding messages or information so that only authorized parties can read it. Encryption does not necessarily prevent interception, but it does render the content incomprehensible. Though it has historically been used for military or governmental purposes, encryption has been increasingly utilized in civilian communications systems over the last few decades. Communications encryption works by taking the intended message, called plaintext, and using an encryption "key" that applies an algorithm to the message to generate a new, scrambled version called ciphertext, which can then be turned back into plaintext by use of a decryption key.

Encryption schemes can differ depending on whether or not the data is moving. Encryption of data "in transit" means that information, like a phone call or a text, is protected from interception while moving between the sender and the receiver through a network. Similarly, encryption of data "at rest" describes efforts to protect from unauthorized access data that is being stored (perhaps on a flash drive, a hard drive, or even a remote server). Passwords are a common form of key for encrypted at-rest data.

The scope of encryption for data at-rest can vary widely, although the scheme most relevant to this bill is called "full disk encryption" (or FDE). FDE means the encryption of nearly everything on an entire drive, making the whole thing inaccessible to an unauthorized user. Once a drive is unlocked with the passcode, the data is automatically decrypted and readable. FDE evolved in response to perceived shortcomings in traditional file/folder encryption, and it is notable because it encrypts nearly all files (including metadata) on the drive, takes the default decision over which files to encrypt out of the hands of the user, requires authorization even prior to boot up, and provides that destruction of the key also destroys the underlying data.

According to the author, Apple announced in 2014 that its new operating system for smartphones and tablets (iOS 8.0) would include FDE by default. Shortly thereafter, Google's latest Android platform operating system offered FDE, and its Android 6.0 operating system ostensibly will make FDE the default setting. Multiple levels of encryption may also exist: FDE may protect access to an entire phone, while other forms of encryption (whether standard with the phone or downloaded after purchase) could protect data in transit on an individual application (such as end-to-end encrypted messaging apps) or particular data files at-rest on the smartphone.

The two major platforms discussed above (iOS and Android) currently dominate the U.S. smartphone market. According to Comscore's July 2015 survey, Google's Android platform commands 51.4% of U.S. cellphone subscribers and Apple's iOS holds 44.2%. It is worth noting that while Apple manufactures its own phones, Android-compliant phones are made by a wide variety of manufacturers with differing market shares: Samsung (27.3%), LG (8.7%), Motorola (4.9%) and HTC (3.5%).
Because Android is open source (meaning that its source code is available for licensure and even modification by third parties), a company that sells or leases a smartphone with an Android-compliant operating system that has been modified could theoretically become the operating system provider - not Google.

4) Law enforcement concerns about "Going Dark." According to a November 2015 report from the Manhattan District Attorney's Office entitled "On Smartphone Encryption and Public Safety," law enforcement officials believe that FDE is to blame for law enforcement's increasing inability to access smartphones during a criminal investigation. Specifically, the Manhattan DA's Office states that between September 2014 and October 2015, it was unable to execute 111 search warrants for smartphones because those devices were running Apple's iOS 8.

Historically, a law enforcement agency with a warrant could seek an "unlock order" to compel a company like Apple to assist with the extraction of data from the device; the company would then use a proprietary method to put the phone's data on a hard drive and send it all back to the investigator. However, for devices with FDE (like Apple smartphones with iOS 8 and above), the company can no longer unlock the phone because, by design, the company no longer has a key to unlock the fully encrypted drive - only the user has the passcode.

The same report notes that, as of October 2015, approximately 91% of all Apple devices use iOS 8 or higher, and 23% of Android users have Lollipop 5.0 or higher. The report also contends that FDE on Android phones will cause a similar problem once default FDE is in widespread use on that platform.

A 2015 report by the International Association of Chiefs of Police (IACP) describes the encrypted smartphone problem this way: "Due to nearly universal support for efforts to use strong encryption and other technologies to secure cell phones, email text messages, and other online communications and transactions, recent initiatives by industry to develop and deploy encryption and sophisticated tools to protect the privacy of their customers have created impenetrable barriers to comply with lawful court orders to provide access to digital evidence. As FBI Director James Comey has noted, 'Unfortunately, the law hasn't kept pace with technology, and this disconnect has created a significant public safety problem. We call it 'Going Dark', and what it means is this: Those charged with protecting our people aren't always able to access the evidence we need to prosecute crime and access communications and information pursuant to court order, but we lack the technical ability to do so.'"

According to the IACP report, a wide variety of electronic information does remain available to law enforcement, but certain data protected by FDE exists only on the phone itself. Generally speaking, phone companies can still provide voice, text and some geolocation data for calls made over their networks. Even Apple and Google can provide "meta data" (data about communications but not the communication itself) about calls and texts made over their network, as well as anything uploaded to the companies' "cloud" servers. However, other information such as text message content, contacts, photos, and Internet search history, may only exist on the device itself if it hasn't been backed up to the cloud. It is this information only on the phone itself that law enforcement is most concerned about losing access to.

There is also a countervailing view: because of the rapid growth in social media and communications technologies, law enforcement actually has unparalleled access to a wide range of information about suspects, with some calling the current era a "golden age of surveillance." Harvard University's Berkman Center for Internet and Society published a February 2016 report entitled "Don't Panic. Making Progress on the 'Going Dark' Debate" that states: "[s]hort of a form of government intervention in technology that appears contemplated by no one outside of the most despotic regimes, communication channels resistant to surveillance will always exist. This is especially true given the generative nature of the modern Internet, in which new services and software can be made available without centralized vetting...We argue that communications in the future will neither be eclipsed into darkness nor illuminated without shadow. Market forces and commercial interests will likely limit the circumstances in which companies will offer encryption that obscures user data from the companies themselves, and the trajectory of technological development points to a future abundant in unencrypted data, some of which can fill gaps left by the very communication channels law enforcement fears will 'go dark' and beyond reach."

The Berkman report suggests that "Going Dark" is the wrong metaphor, and that instead "[t]here are and will always be pockets of dimness and some dark spots - communications channels resistant to surveillance - but this does not mean we are completely 'going dark.' Some areas are more illuminated now than in the past and others are brightening. Three trends in particular facilitate government access. First, many companies' business models rely on access to user data. Second, products are increasingly being offered as services, and architectures have become more centralized through cloud computing and data centers.
A service, which entails an ongoing relationship between vendor and user, lends itself much more to monitoring and control than a product, where a technology is purchased once and then used without further vendor interaction. Finally, the Internet of Things promises a new frontier for networking objects, machines, and environments in ways that we are just beginning to understand. When, say, a television has a microphone and a network connection, and is reprogrammable by its vendor, it could be used to listen in to one side of a telephone conversation taking place in its room - no matter how encrypted the telephone service itself might be. These forces are on a trajectory towards a future with more opportunities for surveillance."

5) Of "Crypto Wars" and Clipper Chips? Surprisingly, the debate over the use of encryption technology in personal communications is not new. A report from the Open Technology Institute entitled "Doomed to Repeat History? Lessons from the Crypto Wars of the 1990s" describes how the advent of public key cryptography enabled businesses and individuals (rather than just the government) to begin encrypting their own communications at the dawn of the computer age. The report states "[b]y the late 1970s, individuals within the US government were already discussing how to solve the 'problem' of the growing individual and commercial use of strong encryption."

According to the report: "The act that truly launched the Crypto Wars was the White House's introduction of the 'Clipper Chip' in 1993. The Clipper Chip was a state-of-the-art microchip developed by government engineers which could be inserted into consumer hardware telephones, providing the public with strong cryptographic tools without sacrificing the ability of law enforcement and intelligence agencies to access unencrypted versions of those communications.
...Although White House officials mobilized both political and technical allies in support of the proposal, it faced immediate backlash from technical experts, privacy advocates, and industry leaders, who were concerned about the security and economic impact of the technology in addition to obvious civil liberties concerns. As the battle wore on throughout 1993 and into 1994, leaders from across the political spectrum joined the fray, supported by a broad coalition that opposed the Clipper Chip. When computer scientist Matt Blaze discovered a flaw in the system in May 1994, it proved to be the final death blow: the Clipper Chip was dead."

"Nonetheless, the idea that the government could find a palatable way to access the keys to encrypted communications lived on throughout the 1990s. Many policymakers held onto hopes that it was possible to securely implement what they called 'software key escrow' to preserve access to phone calls, emails, and other communications and storage applications. Under key escrow schemes, a government-certified third party would keep a 'key' to every device. But the government's shift in tactics ultimately proved unsuccessful; the privacy, security, and economic concerns continued to outweigh any potential benefits. By 1997, there was an overwhelming amount of evidence against moving ahead with any key escrow schemes."

Subsequent attempts were made to restrict the spread of strong encryption via export controls, leading technology companies to sell weaker versions of encrypted products overseas (and be shut out of some foreign markets altogether). According to the report, by the mid-1990s, "experts projected billions of dollars in potential losses as a result of these policies." By 1999, the White House removed virtually all restrictions on the export of retail encryption products.

The report observes that "[i]n the decades since the resolution of the Crypto Wars, many of the predictions about how strong encryption would benefit the economy, strengthen Internet security, and protect civil liberties have been borne out. In particular, the widespread availability of robust encryption laid the groundwork for the emergence of a vibrant marketplace of new Internet services based on secure digital communications and the widespread migration of sensitive communications online."

In a 2015 report from the Computer Science and Artificial Intelligence Laboratory at the Massachusetts Institute of Technology entitled "Keys Under Doormats", an eminent group of computer scientists and security experts that previously condemned the Clipper Chip proposal (including Matt Blaze) considered the current debate over encryption in light of the history of the debate over public encryption, writing:

"We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today's Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse 'forward secrecy' design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today's Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law."

"...[I]f all information applications had had to be designed and certified for exceptional access, it is doubtful that companies like Facebook and Twitter would even exist. Another important lesson from the 1990's is that the decline in surveillance capacity predicted by the law enforcement 20 years ago did not happen. Indeed, in 1992, the FBI's Advanced Telephony Unit warned that within three years Title III wiretaps would be useless: no more than 40% would be intelligible and that in the worst case all be rendered useless. The world did not 'go dark'. On the contrary, law enforcement has much better and more effective surveillance capabilities now than it did then."

1) The "San Bernardino Cellphone" case. A focal point for the recent encryption debate has been the well-publicized dispute between Apple and the Federal Bureau of Investigation (FBI) regarding the decryption of a cellphone used by terrorists who perpetrated a mass shooting in San Bernardino in December 2015. According to the New York Times, investigators recovered an Apple iPhone used by one of the shooters, but were unable to open it because of its advanced security features (password protected FDE combined with a self-destruct feature that wiped the memory after a set number of failed password entries). Seeking to unlock the phone in the search for further evidence and potential co-conspirators, the FBI announced that it was unable to crack the phone and asked Apple for help - requesting that it create a new version of the phone's operating system that would allow the FBI to bypass certain security features. ("Explaining Apple's Fight With the F.B.I."; Feb 17, 2016)

Apple, concerned about creating a new operating system that would bypass the security of the original version, refused to do so, calling the request a "chilling" breach of privacy and a dangerous precedent. The FBI sued in federal court to compel Apple to write the requested software.
The suit was dropped in March after the FBI identified a third party that was able to unlock the phone.

That case is relevant to this bill in that it illustrates the challenges that law enforcement run into because of smartphone encryption. However, it should also be noted that this particular case dealt with a Federal issue concerning a 200+ year old federal statute (the All Writs Act), and whether or not that Act vests a court with sufficient power to compel a company like Apple to design a new operating system in furtherance of a law enforcement objective. As the case was dropped, the question regarding the power and extent of the All Writs Act remains unanswered.

6) Federal legislative efforts around smartphone decryption. As a matter that has garnered nationwide attention over the last few months, no fewer than three separate pieces of Congressional legislation dealing with smartphone encryption have been publicly discussed.

The first, HR 4528 (Lieu/Farenthold), dubbed the "Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016" (ENCRYPT Act), would prohibit a state or local government from requiring smartphones sold in the state to be able to be decrypted at the request of a government entity. That bill would effectively nullify the provisions of AB 1681 if enacted. HR 4528 has been referred to the House Energy and Commerce Committee and the Judiciary Committee, although a hearing date has not yet been set.

A second bill proposed by Senators Burr and Feinstein (Chair and Vice Chair of the Senate Intelligence Committee) is currently being drafted but has not yet been introduced, and would allow law enforcement and intelligence agencies access to encrypted information once a warrant is obtained.

Finally, a joint effort by Rep McCaul (HR 4651) and Senator Warner (S. 2604) would create the Digital Security Commission Act of 2016.
The act would create a National Commission on Security and Technology Challenges that would bring together leading experts and practitioners from the technology sector, cryptography, law enforcement, intelligence, the privacy and civil liberties community, global commerce and economics, and the national security community to discuss issues such as the "going dark" problem and make recommendations to Congress for action. Both bills have been referred to committee in their respective houses, but have not yet been heard.

7) Questions for the Committee. In its current form, the language of this bill presents a number of questions and ambiguities that, if unaddressed, may lead to problems with implementation that could undercut its effectiveness or lead to unintended negative consequences. The Committee may wish to inquire of the author as to how these questions might best be addressed.

One set of issues involves drafting ambiguities in the language of the bill itself. The most important question involves time: How long does a manufacturer or operating system provider have to decrypt a phone before the civil penalty can be imposed? According to the author, the standard response time for a warrant is ten days, although that may not be enough time in cases where a company may have to engineer a new decryption solution, respond to hundreds or thousands of requests, or is based overseas.

Furthermore, the bill would theoretically punish a company for being unable to decrypt "the contents of the smartphone," but it may be that the contents of the phone are encrypted at multiple levels, with some data protected by software that was not designed by the manufacturer or operating system provider. In such cases, a company could be penalized for failing to immediately unlock information encrypted by software it didn't design and has never seen before.

Finally, in cases where the manufacturer and the operating system provider are not the same company, it is unclear whether or not both would be liable for decrypting a phone's contents, whether or not either or both have the technological capacity to do so. Nor is it clear how a manufacturer could be expected to decrypt an operating system that it didn't develop. However, according to the author's office, the intent was to focus only on operating system providers - and not on a manufacturer that didn't develop the operating system as well.

Another set of concerns involves circumvention. If the intent of the bill is to ensure that those who commit crimes in California only have access to phones that can be decrypted with a court order, a criminal would be able to defeat that requirement by downloading aftermarket software (or even a new operating system) that provides encryption for data files at rest that the original manufacturer or operating system provider may not be able to unlock (and could be punished for not doing so). Criminals could also use ephemeral messaging apps that automatically destroy messages after a short period of time. Finally, someone using an Android-compliant phone might be able to download an aftermarket Android-compliant open source operating system with FDE that was developed by a private party or a company overseas - parties that may well be beyond the influence of a warrant or civil penalty.

There is also the broader technological problem of how to increase law enforcement access without weakening security. As discussed elsewhere in this analysis, one of the most consistently voiced concerns about requiring smartphones to be engineered to facilitate government access is that it would weaken the overall security of the products against outside attacks.
To the extent that a decryption mandate would require smartphone makers to introduce new potential weaknesses into the security architecture of future phones, it would increase the likelihood of those phones being hacked and their personal information being compromised. This new vulnerability would only be compounded as more electronic devices become connected via one's smartphone (the Internet of Things) and more financial transactions become mobile-enabled.

Finally, there are practical questions as well. A state-specific mandate for law enforcement decryption on demand could undercut discussions currently going on in Congress that aim to find a nationwide solution. This bill's approach would also seem to run counter to the smartphone security statute passed in 2014 by Senator Mark Leno (SB 962), which intended to curb the market in stolen smartphones by requiring the installation of a "killswitch" to prevent the phones from being cracked. Lastly, there is a humanitarian concern that repressive foreign governments may use the existence of the mandated decryption capability to demand access to the personal communications of their own citizens without adequate respect for the individual's human rights.

8) Arguments in support. According to the California Peace Officers' Association (CPOA), "CPOA's nearly 3,000 peace officer members across California encounter encrypted smartphones and devices frequently during the course of their duties. Under appropriate warrants, these devices often when searched provide necessary information that aids in the solving of crimes as they occur. Provisions in the bill that also provide for civil penalties for sellers or lessors who violate decryption requirements also holds accountable those who impede on crucial investigations. Purchasers of the devices are also protected by AB 1681's prohibition of passing any civil penalty fines incurred by sellers or lessors onto purchasers."

The California Police Chiefs Association writes, "Pursuant to [existing law], a government entity may compel the production of, or access to, electronic communication information from a service provider or compel the production of, or access to, electronic device information from any person or entity other than the authorized possessor of the device pursuant to a warrant, wiretap order, order for electronic reader records or subpoena issued pursuant to state law. The aforementioned warrant requirements strike a balance between the privacy rights of the public and the needs of law enforcement. Regrettably, a warrant to search a smartphone engineered with full-disk encryption is as useful as a search warrant for a brick."

9) Arguments in opposition. A broad coalition of opponents from the technology industry writes, "While we support the author's goal of combating human trafficking and other heinous crimes, AB 1681 is the wrong approach."

The coalition expressed a number of major concerns with the operation of the bill. The first is that the bill would undermine the security of smartphones: "There is no way to build a 'back door' into a smartphone that can only be used by one person. Once a vulnerability exists, any party that discovers it - including criminals - can exploit it to bypass device security and access sensitive data. Foreign governments, including repressive regimes, can assert the same right to use that vulnerability as U.S. law enforcement agents. AB 1681 undermines efforts to make sure this data is as safe as possible by continuing to improve encryption and data security. AB 1681 may also harm innovation: "Under the language of AB 1681, smartphone manufacturers and operating service providers are liable if they cannot decrypt a smartphone upon demand - even if the device has been encrypted through software installed by the user.
This means companies would have to lock down devices so that users cannot install third party software that might prevent decryption. This would cripple innovation in smartphone operating systems and applications."

Moreover, this bill would reverse recent gains made against smartphone theft by the introduction of "killswitch" technology: "According to Consumer Reports, there were nearly 3.1 million victims of smartphone theft in 2013, nearly doubling the number of victims in 2012. That number fell to 2.1 million in 2014 after many smartphone manufacturers and software companies - at the request of law enforcement authorities - deployed kill switch technology. Strong encryption is intrinsic to these protections, as without it, they are more easily compromised." The coalition goes on to say that this bill would directly undo the work of SB 962 (Leno) passed in 2014 with law enforcement support to mandate killswitches in smartphones.

Similarly, the coalition argues more broadly that the growth in mobile computing means that the technology needs to become more secure, not less: "As more of our lives move to mobile phones - via email, photo sharing, social networks, maps and geolocation - the need to protect these devices grows. Identity theft continues to be a significant problem. To help combat these issues, the Federal Trade Commission (FTC) has long called for encryption and continues to do so...The payment and user authentication credentials that enable services that banks, online stores and app creators rely on will only be available if devices are secure."

The coalition also argues that the bill will fail in practice because other new technologies will allow criminals to circumvent mandated decryption: "Even if all smartphones in California had their security fundamentally weakened as this bill envisions, criminals could still...
bypass any prohibitions on third-party software and layer on some of the strongest open-source encryption technology available to anyone on the Internet. Weakening the security of the mobile phone ecosystem would not stop bad actors seeking to hide their actions."

Finally, the coalition argues that this bill sets "a dangerous precedent": "The enactment of AB 1681 would represent a first-of-its-kind mandate essentially making it easier and more defensible for governments to weaken important consumer protections across other types of devices, technologies, and data. This would increase cyber risk to consumers and make it easier for hackers and criminals to exploit online."

According to the Institute of Electrical and Electronics Engineers in the United States, "we are concerned about the potential risk to consumers created by AB 1681. While the goal of this legislation is improving public safety, we believe that by banning fully encrypted smartphones, the bill in fact compromises public safety...Helping law enforcement is an admirable goal. Unfortunately, AB 1681 would make it illegal to create a secure cell phone...We are concerned that intentionally building vulnerabilities into cell phones, which is what AB 1681 requires, would significantly increase risks to California's cell phone users as well as damage the cell-phone marketplace."

The Firearms Policy Coalition states, "As a civil rights organization that represents the interests of some of the most regulated, tracked and legislated classes of people, it is imperative that our constituency have access to their constitutionally guaranteed rights to assembly, speech and privacy without compromise...Unfortunately, AB 1681 chills these rights and we must respectfully ask your 'NO' vote."

Apple writes, "We support the government's mission to protect innocent people from violent criminals, and we work closely with law enforcement agencies to prevent and solve crime.
But we cannot afford to fall behind those who would exploit technology to cause chaos...The encryption technology built into today's iPhone represents the best data security available to consumers. The cryptographic protections on the device don't just help prevent unauthorized access to our customers' personal data; they're also a critical line of defense against criminals who seek to gain access to a business, public utility, or government agency....By mandating companies to weaken their security systems, the bill would leave millions of unsuspecting Californians dangerously exposed to cyber-attacks."

10)Previous legislation. SB 962 (Leno), Chapter 275, Statutes of 2014, requires smartphones manufactured after July 1, 2015, and sold in California to contain a technological solution at the time of sale that will render the essential features of the smartphone inoperable when not in the possession of the authorized user, and also provides a civil penalty for violations and limits retail liability if the solution is circumvented.

11)Double-referral. This bill is double-referred to the Assembly Judiciary Committee, where it will be heard if passed by this Committee.

REGISTERED SUPPORT / OPPOSITION:

Support

California Peace Officers' Association (CPOA)
California Police Chiefs Association
Peace Officers Research Association of California (PORAC)

Opposition

ACLU of California
Apple
Application Developers Alliance
CalChamber
California Bankers Association
California Right To Carry
Center for Democracy & Technology
CompTIA
CTIA - The Wireless Association
Electronic Frontier Foundation
Firearms Policy Coalition
Google
Internet Association
NetChoice
Oakland Privacy Working Group
Silicon Valley Leadership Group
State Privacy & Security Coalition
TechNet
The Institute of Electrical and Electronics Engineers (IEEE)
Two individuals

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200