
New York Wants to Force Vendors to Decrypt Users’ Phones - uptown
https://www.onthewire.io/new-york-wants-to-force-vendors-to-decrypt-users-phones/
======
cm2187
What is frustrating as always is that they invoke criminals and terrorists
(and for once no reference to paedophiles!) but these laws will be used 99% of
the time in civil cases (divorce cases, etc) and against petty crime. I
remember when the UK used the terrorism act to freeze the assets of Icelandic
banks. Terrorism has just become the keyword law enforcement officials add to
the title of any law they want to see passed, no question ask.

[http://news.bbc.co.uk/1/hi/uk_politics/7688560.stm](http://news.bbc.co.uk/1/hi/uk_politics/7688560.stm)

~~~
matthewmacleod
This isn't really related to your main point, but it's disingenuous to
describe the freezing of Landbanki's assets as a use of the "terrorism act"
just because the legislation had "anti-terrorism" in the title. The Anti-
Terrorism, Crime and Security Act is pretty wide-ranging, and as well as
whatever anti-terror legislation it contains, also contains some legislation
around economic security - which is what was used in the case of Icesave.

~~~
cm2187
That's actually precisely my point. Voted immediately after 9/11, it's a prime
example of a law titled "anti-terrorism" which actually has a much broader
range and provides powers in domains that have nothing to do whatsoever with
terrorism.

------
the8472
> The justification for the decryption requirement in the bill, as has become
> the norm, is the threat of criminals or terrorists using encrypted devices
> for nefarious deeds.

meanwhile terrorists just roll their own encryption software, making regular
citizens less secure than them.

[http://www.defenseone.com/technology/2016/01/isis-now-has-
ne...](http://www.defenseone.com/technology/2016/01/isis-now-has-new-secure-
messaging-app/125062/)

~~~
ivanca
All the eavesdropping is completely dumb, even the less technical of all
terrorists can just change a word for another and all your billion dollar
security goes to the dump. Example: when they talked personally they agreed
girl=bomb

Their texts will look like:

\- my girl is not with me, I left her at discowild

\- nothing happened mate, no idea why?

\- relax fam, ask mike to present you another girl, he is partyng next to
dominoes. We getting wasted today tho, no bs

And now is completely impossible to differentiate that conversation from all
the other 10 billions texts that happen at any Saturday night.

~~~
eru
Of course, statistics and metadata analysis still help to crack these.

~~~
SN76477
Most recent reposts that I saw showed that metadata had not lead to stopping
terrorism.

------
tracker1
Won't happen, vendors just won't be able to sell in NY, so residents will have
to buy elsewhere. And when the NY 1% can't buy their iPhone because Apple
protects their privacy, I think any such law wouldn't last long.

~~~
vinceguidry
I want the bill to pass for this reason. I want to see how the courts
interpret it. Just how much pull should local jurisdictions be able to exert
on a corporation's business practices? Say the major vendors just decide to
pull out of the NY market, yanking devices off of shelves. How exactly does NY
think they can enforce the law?

~~~
sbuttgereit
I'm not a lawyer or an expert on the commerce clause, etc.

But is seems like these issues have passed muster before. Consider that
California has stricter environmental regulations concerning the cars that are
sold there than many other states. The manufacturers simply make cars that
meet the California standard and sell them pretty much everywhere (at least
I'm pretty sure that use the be the case, haven't kept up with it though).

If that local regulation has passed any and all legal tests, then I would be
surprised if New York couldn't act independently in this case. And I think the
manufacturers would simply do something similar: you'd end up with compromised
security on all devices that come under the law even in states where that law
didn't exist.

~~~
sathackr
I buy equipment all the time that is not legal for sale in California.

But I don't go out of my way to do such. With the emissions argument, lower
emissions is generally accepted as a positive feature, though some may dislike
the reduced performance or increased cost associated with it in some
instances.

Backdoored encryption is not something generally accepted as a positive
feature, and I suspect many people will specifically seek out non-backdoored
devices if the law is passed and manufacturers start making devices for the
lowest common denominator.

But since this is a software feature, I see no reason why a single device
couldn't serve both markets, with a fused bit somewhere permanently enabling
the backdoor.

But, as said previously ad nauseam, the law would stop criminals about as
effectively as the anti-radar detector laws keeps radar detectors out of
Virginia.

The widespread use of instant-on radar and LIDAR has done far more to curb the
widespread use of them, in all states, by simply making them ineffective.

~~~
sbuttgereit
Many people would seek out such devices... but many people can still be a
small minority of your target market. If the economics makes sense to have two
different builds they'll do it, if it doesn't then you'll get one size fits
all. Also, consider how many people that buy these devices also use cloud
services available for these devices where even fourth amendment protections
are likely null/void. In some ways/shapes/forms it makes the device encryption
backdoor already moot for many.

~~~
sathackr
Yes...I'm curious to see how 'things stored in the cloud' will eventually work
out with the 4th/5th amendment protections.

Seems most of the current law applies to them as electronic communications,
but I think they are becoming more and more like a safe deposit box, which I
think has fared a bit better. It's unfortunate that it will likely take a few
guinea pigs with a lot of money and the right type of case to force the
judicial system to work this out.

Of course, the prudent criminal would encrypt anything, using non-backdoored
encryption, before it left his/her control thus making LEO/Government access
to their cloud storage ineffective.

------
downandout
This just shows the ignorance of the bill's author, Assemblyman Matthew
Titone. If you live in New York and have the ability to vote for this person's
opponent next time he is up for election, you should probably do so.
Apple/Google et al are not going to make an insecure "New York Edition" of
their operating systems and phones.

Cell dealers in the state would simply not have any phones to sell that comply
with the law, and New Yorkers would either go without phones or would buy them
from out of state on eBay. I'll let you guess which of those outcomes is most
likely. Apple Stores in New York would have to stop carrying the iPhone. Of
course none of this will ever happen, because this bill is idiotic and would
cause enormous economic damage to the state. But dangerous, ignorant
politicians like this should be voted out of office at the earliest
opportunity.

------
Spooky23
The good news is that in New York, this kind of thing needs to be linked to
the budget to go anywhere, and this isn't.

The endemic corruption and routine prosecution of NY legislators gives me hope
that this thing will go nowhere, because they have something to hide.

The bill is more of a trial balloon.

------
JustSomeNobody
When are we finally going to get fed up with the government's terrorism crap?

------
imamoron
Simple solution don’t sell your products in New York anymore … They can go
back to the stone age for all I care … honestly I’m tired of this … They
understand by doing something like this they put more people in danger of
fraud … Politicians need to get over themselves, they are not gods and just
because they can’t as easily snoop on people as they have been since phones
were invented they try to one up with this crap. The real Criminals will have
strong encryption no matter what. It’s public knowledge and easy to implement
and now it’s even easier to build your own phone with working sim …
Beaglebone, raspberry phi, mino, etc… This stuff is cheap and you can
customize a version of android that would omit this back door very easily …
It’s open source. Anyone who is for this and thinks it will actually work on
criminals is a complete moron.

------
jensen123
I'm wondering - are big cities becoming obsolete? I suppose there is no
coincidence that some of the worst anti-privacy stuff is coming from big
cities like New York or countries that are totally centered around a big city
such as the UK or France. A big city of 10 million seems far more vulnerable
to terrorism than 10 cities of 1 million each.

In the past, if you wanted a decent life, you kinda had to live in a big city.
Now, however, thanks to the Internet, that is perhaps becoming less the case?
The Internet now has a fantastic selection of shops. You'll also find lots of
radio stations, music and video streaming online. There are more and more
opportunities for remote work.

On the other hand, a city of 10 million has far more restaurants, clubs and
social opportunities than a city of 1 million. So I'm not really sure whether
big cities are becoming obsolete. Still, I'll be reluctant to move to a big
city if it means that I have to give up my privacy. Not saying I'll never make
such a move, but the balance of pros and cons seems to be changing.

~~~
JshWright
What does a city have to do with it? I live in semi-rural area and I would be
impacted by this law if it were to pass (it's not going to).

~~~
jensen123
Rural areas in jurisdictions that have big cities, such as the UK or the state
of New York, will of course be impacted by such laws (if they pass). However,
rural areas in other countries/states that don't have big cities are less
likely to ever get such laws.

------
MrQuincle
There doesn't seem any comment that considers the pro, so I'll try to raise
two points:

* It is possible to ensure that encryption will physically destroy the phone. Preferably it destroys the antenna, the screen, the battery, etc. In that case the law must be pretty sure, you're the bad guy and the use of it as a backdoor becomes limited to people that value your data above the value of your phone.

* If manufacturers have to open up parts of the phone to certain parties, there is a possibility that they have to open up these parts to the consumer as well. It might have on the long term a positive effect on the ability to root your own phone. If the government might own my phone, perhaps I might myself own my phone as well.

Just my two cents!

~~~
Coding_Cat
>becomes limited to people that value your data above the value of your phone.

Pretty sure me and some random mugger are the only people who even care about
the value of my phone.

>there is a possibility that they have to open up these parts to the consumer
as well.

There is a whole lot of precedent that says this isn't going to happen. Even
if manufacturers wanted to do this, I'd expect we'd see laws in turn which gag
them so that " the terrorists can't break our backdoors".

------
sandworm101
These statehouse bills come up regularly. Ignore them. NY has seen a half
dozen "must decrypt", "must register" and "must identify" bills come and go.
Some lawmaker has dinner with a low-ranking officer at some agency and come
away thinking the sky is falling because of some new technology.

The reality is that these statehouse bills are normally trumped (I hate that
word now) by federal legislation. Even if not, there are enough people in
places like NY that understand that the courts will shred these things. So
they never pass. Once the news is over, once the bill proponents have made
their peaches, they are quietly disappeared.

------
derekp7
I think the most realistic anti-encryption legislation would be to ban a
vendor from shipping a device with encryption enabled by default. If they were
to provide an api to plug in a third party encryption module, then most people
would probably leave the phone in the default settings. Which would return
things to the previous status quo -- most devices would be searchable, and
only people who new what they were doing (including a subset of "bad" people)
would have encrypted devices.

Note: I'm not endorsing this, but I do believe it would satisfy the
governments.

~~~
cmurf
I doubt it would satisfy them, if the language of the bill, and the arguments
being used thus far, is a valid indication. What they want is the ability to
decrypt, and to get that means compelling companies to enduring cryptographic
key escrow service, which law enforcement can use a subpoena to have Apple,
Google, Microsoft, etc use to turn over plain text.

So far this is "data at rest" request. It's for data on the phone. It's not
for data in motion which is another technology that PFS makes rather difficult
to impractical to setup key escrowing for, that's sorta the point. But then,
the basebands are all proprietary and probably compromised by state (nations)
actors.

------
bobby_9x
I feel like the reasons against such laws parallels the gun debates in the US:
harsher laws won't effect the crimininal or terrorist, but the avetage
citizen.

------
Bud
Another story also previously posted:

[https://news.ycombinator.com/item?id=10906636](https://news.ycombinator.com/item?id=10906636)

------
macspoofing
I think it's only a matter of time until back-doors are (re)added. At some
point, Russia, or India, or China, or Europe, or America will come up with
some legislation that says "backdoor or GTFO" and a few vendors will decide to
adhere, and others will be forced to follow so they don't miss out and that'll
be that.

------
such_a_casual
We're gonna finally catch all the bad guys.

------
cmdrfred
So NY going to ban books?
[https://en.wikipedia.org/wiki/Book_cipher](https://en.wikipedia.org/wiki/Book_cipher)

------
javajosh
"New York" doesn't want anything - it's a state, not a person. This bill was
introduced by Assemblyman Matthew Titone - mentioned in the 7th paragraph of
the article. Gee whiz I wonder who's paying his election bills?

"The fact is that, although the new software may enhance privacy for some
users, it severely hampers law enforcement’s ability to aid victims."

 _This is actually an argument against privacy itself_. Astounding.

------
joshka
Also discussed at:
[https://news.ycombinator.com/item?id=10903084](https://news.ycombinator.com/item?id=10903084)

------
spdustin
Government keeps wanting this sort of thing to help them find "the needle in
the haystack" when all it does is make a bigger haystack.

------
known
"Never do anything against conscience even if the state demands it."
\--Einstein

------
Findeton
I'm in the UK, with Virgin Media as ISP, and for some reason onthewire.io is
blocked. WTF

~~~
justincormack
Is that the "porn blocker", or general censorship?

Andrews & Arnold is pretty much the only uncensored ISP in the uk.

------
DyslexicAtheist
this is how I picture the discussion between politicians and their technical
advisers:
[https://www.youtube.com/watch?v=vh3tuL_DVsE](https://www.youtube.com/watch?v=vh3tuL_DVsE)

------
forrestthewoods
#NewYorkValues

------
horsecaptin
Great time for Apple to close it's stores in NY and open a few extra in the
neighboring states.

------
CamperBob2
This is the outcome Apple must have expected when they announced their
encryption policy. They can now claim that they _tried_ to do the right thing
-- they _would_ have taken the steps needed to guarantee their users' safety
from illegal spying, warrantless surveillance, and unconstitutional gag orders
-- but the evil government won't let them.

Pretty smart in retrospect to force the government to play Bad Cop.

~~~
Bud
Completely disagree. Apple sincerely wants to maintain its current encryption
policy. It has substantial business value and improves the quality of their
products. There is no evidence whatsoever that Tim Cook goes out and tells
lies, as you allege, about major pieces of Apple's technology.

See also:

[https://theintercept.com/2016/01/12/apples-tim-cook-
lashes-o...](https://theintercept.com/2016/01/12/apples-tim-cook-lashes-out-
at-white-house-officials-for-being-wishy-washy-on-encryption/)

~~~
newman314
Agreed. No consumer is going to say I want to buy a less secure phone because
that is better

~~~
CamperBob2
No one is going to ask the question that way. "Do you want to buy a less
secure phone?" is exactly the same question as, "Do you agree that law
enforcement should be able to access a suspected terrorist or pedophile's cell
phone conversations and data with an appropriate court order?"

You will get vastly different answers depending on which phrasing you use.
That's what the politicians count on.

