At least two states, New York and California, have introduced legislation that would ban smartphones sold in those states if those smartphones could not be searched upon request from law enforcement. This would likely mean no phones would be sold with unbreakable encryption, although I suppose Apple or Samsung could manufacture two types of phones and then just sell all the encrypted ones from New Hampshire or something. These bills are still somewhat controversial, and as they have gotten press coverage, a House bill has been introduced that would prevent state legislation like the bills introduced in New York and California.

I found out about this through the Security Now podcast (linked in the web directory in the sidebar) where Steve Gibson, a security (and privacy) expert, discussed these bills. Shockingly, he had come out in favor of them, one of the only people in the security field to do so. In the past, Steve has discussed on his show (and agreed with) the excellent paper written by many of the world’s leading security experts on the inherent problems with key escrow. He saw this new round of legislation as different, since it would simply return to a state of affairs that existed prior to Apple (and then Google) encrypting their phones in a way that could not be broken. However, after considering the implication that other companies besides Apple would be forced to hold keys that could break users’ encryption (other companies which are not as good at encryption systems), Steve agreed it probably wasn’t worth the risk.

Steve Gibson did make a good point that if we don’t compromise here, it is possible we will be forced by political pressure to give up something much worse, like unbreakable encryption being made completely illegal. Even if Steve has decided against this position, it seems likely many others still hold it. Assuming the legislation would meet certain standards, creating this system where only Apple could decrypt the phone sounds like a reasonable position to hold, but it is nevertheless incorrect. Passing these bills would be a mistake, and here are several reasons why.

This write-up covers the specific argument that we should return to the situation that existed prior to Apple embedding unbreakable encryption directly into their commercial hardware and software because it would be simple, effective, and desirable; in reality, it would provide fewer checks on government power, provide little to no benefit to fighting terrorism and other claimed social ills, and would fundamentally harm American cybersecurity.

This flawed and weak argument is not the only case made against encryption, and it’s important to check out other discussions: John Oliver had an in-depth analysis of the Apple and FBI case, Matt Blaze had a nice interview last year in Politico, and Bruce Schneier, who literally wrote the book on encryption, has a very concise and simple post from 2013.