
CA assembly member introduces encryption ban disguised as human trafficking bill - asimpletune
http://asmdc.org/members/a09/news-room/video-gallery/cooper-introduces-human-trafficking-investigation-legislation
======
AJ007
Here is the bottom line -- if smartphones can not be securely encrypted there
are a lot of things we can't use them for:

- Phones aren't going to replace credit cards
- You will need to type in all your passwords each time you use them
- Two Factor authentication will need to be done with a different device
- Healthkit and other medical records will need to be moved elsewhere
- Any profession where there are very serious consequences for leaked
  communication will no longer be able to do it through their smartphone
  (lawyers, doctors, executives.)

Basically losing or having your mobile phone stolen will be equal to a burglar
pulling up to your house or office and driving away with every sensitive
document and record in the back of a van.

No tech company wants to see the end of the mobile revolution. Forget the
national interest side to this, anyone supporting broken encryption basically
looks like a total moron.

~~~
vacri
Put a space (or is it two?) in front of each line item if you want to make a
list on HN. HN interprets this as 'code block' and doesn't reflow the text.

~~~
PhasmaFelis
Does anyone know why HN doesn't handle linebreaks correctly? I mean, I can't
imagine that it's by accident, but I also can't imagine why anyone would do it
on purpose.

If it did like HTML and completely ignored linebreaks as extraneous
whitespace, that would at least be consistent; if it expanded single
linebreaks to doubles, that would be enforcing a layout preference for inter-
paragraph blank lines; but "ignore one linebreak, print two linebreaks
normally" is just weird.

~~~
kiiski
I guess ignoring single linebreaks prevents people from wrapping lines
manually (happens surprisingly often on some forums), resulting in an annoying
reading experience.

------
Steko
Assemblyman Jim Cooper represents Elk Grove, a city of ~160K just south of
Sacramento. Apple is the second largest employer in Elk Grove [1] and
currently expanding their footprint there by several thousand jobs [2].

Hopefully there's a primary challenger or soon will be, I'll donate.

[1] https://en.wikipedia.org/wiki/Elk_Grove,_California#Top_employers

[2] http://www.bizjournals.com/sacramento/news/2015/12/07/something-huge-is-brewing-apples-elk-grove-campus.html

{note: [2] gives a significantly larger current headcount than [1]}

~~~
dopamean
Am I crazy or is it kinda weird that someone like that is already in office in
that area?

~~~
Bud
Not weird at all. Sacramento overall is very conservative.

~~~
diyorgasms
I don't really think this is a liberal/conservative issue. I'm what most
Americans would call extremely liberal, and yet one of the very few
legislators whose views consistently align with my own on matters of
encryption and privacy is a tea-party libertarian Republican.

I think the proper political theory axis on which to hang this debate is
libertarian-authoritarian, both of which exist in liberal and conservative
thought.

~~~
mhkeller
If you're interested more in these issues, I wrote an article last month about
California politics and Silicon Valley looking in particular around privacy
legislation:
http://america.aljazeera.com/articles/2015/12/30/losing-fight-big-data.html

~~~
diyorgasms
I most certainly am interested. Thank you for the link.

And for what it's worth, I hope the Al Jazeera America cutbacks don't affect
the excellent written journalism you all do.

------
joshka
Same problem pretty much with the NY bill. Buy a phone that is unlocked /
decrypted at the time of sale. The next step is for the user to login and
encrypt. I don't see how this bill actually fixes that. I guess this hinges on
the definition of authorized when it comes to encrypting something I own. I
hope I don't require authorization to do this.

A few questions I posed to the NY senator earlier this week:

1. Would you use such a phone knowing that the government / Apple / seller of
   the phone could easily get into it?
2. Would it be legal for someone in the legal profession to use such a phone
   without being disbarred for negligence of the right to private
   communication?
3. If sold unlocked, and then later locked (i.e. every phone right now),
   where's the change?
4. Where's the 4th amendment fit in with this?
5. What should we do with old phones that don't support this? Dump them in the
   bay I guess?
6. Where are the technical experts that are telling you that this is actually
   feasible to do securely and safely? I'm looking hard, but only seeing
   negative responses from those that know what they're talking about.
7. Who's responsible for fixing the broken device once the master key gets
   leaked? The manufacturer? The state of {CA/NY}?
8. the list goes on.

~~~
duskwuff
Not just the same problems as the New York bill; the wording of the two bills
appears to be nearly identical!

Here's the CA bill:
http://www.leginfo.ca.gov/pub/15-16/bill/asm/ab_1651-1700/ab_1681_bill_20160120_introduced.html

Here's the NY bill:
http://legislation.nysenate.gov/pdf/bills/2015/A8093

~~~
5ilv3r
Dude the last paragraph is almost word for word. Who wrote these??

~~~
kabdib
NSA? FBI? I'm sure they're pretty happy with them.

I'm going to make it clear to Jim that I'm going to give money to his
political opponents in his next election.

~~~
5ilv3r
Nah this will only benefit local cops. Those big guys have network sniffing.

------
fiatmoney
For a long time gun owners have had the singular pleasure of having massively
intrusive, incoherent regulations written by people with no technical
understanding of the subject matter. It's nice to finally have some company.

~~~
apsec112
Please don't hijack the discussion with flamewar-prone tangents. HN
guidelines:

"Please avoid introducing classic flamewar topics unless you have something
genuinely new to say about them."

~~~
cgriswald
It's not strictly a tangent. The GP pointed out that the tactic being tried
here is "tried and true" and well understood by many. Although the GP should
have gone further and said that we should all be against such tactics
regardless of which side of any issue we should find ourselves on. It's a very
underhanded, anti-democratic scheme.

I've also seen guns and gun control discussed many times on HN without flames.
So I'm not quite sure it qualifies as a "classic flamewar topic" on HN even if
it qualifies as such among the general population. I would also argue that the
GP did, in a sense, have something new to say about it.

~~~
protomyth
It also gives us an answer, the National Encryption Association should be
formed with the exact same tactics.

------
Dowwie
"Full-disk encrypted operating systems provide criminals an invaluable tool to
prey on women, children, and threaten our freedoms while making the legal
process of judicial court orders useless."

~~~
quanticle
I saw that and I couldn't help rolling my eyes. By that logic, _door locks_
also provide human traffickers the tools to involuntarily imprison innocent
women and children. So _clearly_ we need to outlaw locks on doors, everywhere.

~~~
csydas
I understand the point you're making, but the quote in full context is that it
provides the tool _while making the legal process of judicial court orders
useless_. The emphasis on the latter part is kind of where legally they have a
point that there is a difference. You can order someone to just open a lock,
bash down a door, or break in through a side window/thin wall. With even
decently implemented encryption on a device, no such alternatives exist for
law enforcement.

To be clear, I'm against the inclusion of backdoors/side-channels/key escrows
for anyone on the basis that it threatens the security of everyone for the
chance that law enforcement might glean something off a phone. But I do think
it's important to be realistic and acknowledge that there are situations in
which encryption impedes the usual investigative process for law enforcement,
and that many time sensitive cases may result in serious harm to individuals
as a result.

I do believe that most people calling for backdoors do so in bad faith, but
it's not difficult to imagine actual scenarios in which such complaints do
impede an investigation. Coy reductio ad absurdum statements really don't help
the discussion at large along in either direction.

~~~
hamburglar
Burying your secrets in a hole in the desert and never revealing the location
makes the legal process of a judicial court order useless too. Should it be
illegal to hide things really well?

------
jonathaneunice
This is the game. There will never be a "Prohibiting Encryption and Preventing
Privacy Act." It will always be an ostensible act of patriotism and protection.
Combatting terrorists, child molesters, sex traffickers, drug cartels, money
launderers, and other easy-to-demonize scary folk.

------
MichaelBurge
Here's the actual bill:
http://www.leginfo.ca.gov/pub/15-16/bill/asm/ab_1651-1700/ab_1681_bill_20160120_introduced.html

~~~
cmurf
Includes leased phones, and any phone shipped to a California address. So any
legit purchased phone basically would need to have a key escrow system in
place by either the manufacturer or OS vendor, it wouldn't just be Apple and
Google (as California companies) it includes Microsoft Windows Phones also.
That sounds like it affects interstate commerce.

Also interesting, the language only says "smartphones" so this doesn't include
devices that aren't smartphones. OK tablets and laptops aren't included then.
But what is a smartphone? What about an iPod Touch? Only if the device has a
GSM/LTE/CDMA radio in it is a smartphone?

~~~
tlrobinson

        "Smartphone" has the same meaning as in Section 22761.
    

http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22760-22761

    
    
        22761.  (a) For purposes of this section, the following terms have
        the following meanings:
           (1) (A) "Smartphone" means a cellular radio telephone or other
        mobile voice communications handset device that includes all of the
        following features:
           (i) Utilizes a mobile operating system.
           (ii) Possesses the capability to utilize mobile software
        applications, access and browse the Internet, utilize text messaging,
        utilize digital voice service, and send and receive email.
           (iii) Has wireless network connectivity.
           (iv) Is capable of operating on a long-term evolution network or
        successor wireless data network communication standards.
           (B) A "smartphone" does not include a radio cellular telephone
        commonly referred to as a "feature" or "messaging" telephone, a
        laptop, a tablet device, or a device that only has electronic reading
        capability.
    
    

It seems like a tablet with a cellular radio could arguably fit that
definition as well.

~~~
cmurf
(iv) means LTE or newer. That suggests NOT tablets, including iPod Touch like
devices, because it must have all of the listed features.

It also, weirdly, suggests not anything 3.5G or lower. What? Why?

And in any case, Apple's end-to-end encrypted iMessage does not depend at all
on such a cell network of any version. It does work on WiFi only just fine. So
why are these devices exempt from terrorists and kiddie porn sickos and human
traffickers?

If you're going to be serious about catching that, it seems like everything
that does full disk encryption would be broadly included. Desktop and laptop
computers, and tablets. Why does Layer 1 matter to this?

~~~
tlrobinson
iPad does have LTE.

~~~
marshray
Not mine. I specifically got the model without cellular.

~~~
tlrobinson
Sure, I was talking about iPads with cellular.

------
cmurf
Cryptography yields two components: encryption/decryption, and authentication.
Break one of those, and they're both broken. And that's what really bothers me
about all of these politicians who only fixate on the encryption part. They're
oblivious to extreme risk introduced by breaking authentication.

~~~
rietta
While you raise a point, I am not sure that the law in a heavy regulation
environment will be that specific. For example, in the area of ham radio
encryption is strictly forbidden and has been for years and yet
cryptographically secure authentication is still arguably acceptable as long
as it does not "obscure the meaning of the communication". I wrote about this
in 2004 while I was a student and posted on my blog in 2009 at
https://rietta.com/blog/2009/08/17/authentication-without-encryption-for/.

To my knowledge the idea has not taken hold as the ham radio hobby moves
slowly and the need for strong authentication is not typically a felt need of
most operators who want to chat broadly and make new friends. It's part of the
ham radio culture as a hobby.
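
The idea in the comment above, authentication that leaves the message readable, sketched as an added example that is not part of the thread or of the linked blog post. The frame layout, the pre-shared key, the replay window and the callsign are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: both stations hold this key, exchanged out of band (constructed).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
MAX_SKEW = 300  # seconds a frame stays acceptable; bounds the replay window


def _tag(key, callsign, counter, timestamp, text):
    # Length-prefix every field so field boundaries cannot be shifted
    # without changing the tag.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (callsign, str(counter), str(timestamp), text):
        raw = field.encode()
        mac.update(len(raw).to_bytes(4, "big") + raw)
    return mac.hexdigest()


def sign_frame(key, callsign, counter, timestamp, text):
    """Build a frame: the message travels in the clear, the tag is appended."""
    tag = _tag(key, callsign, counter, timestamp, text)
    return f"{callsign}|{counter}|{timestamp}|{text}|{tag}"


def verify_frame(key, frame, now, last_counter):
    """Return (accepted, reason). Nothing is decrypted at any point."""
    try:
        head, tag = frame.rsplit("|", 1)
        callsign, counter, timestamp, text = head.split("|", 3)
        counter, timestamp = int(counter), int(timestamp)
    except ValueError:
        return False, "malformed"
    expected = _tag(key, callsign, counter, timestamp, text)
    # Constant-time comparison of the received and recomputed tags.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad tag"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale"
    if counter <= last_counter:
        return False, "replayed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic; N0CALL is a placeholder callsign.
    frame = sign_frame(SHARED_KEY, "N0CALL", 7, 1_000_000,
                       "Net control moves to 146.520 at 1900")
    print(frame)  # the text is readable by anyone listening
    print(verify_frame(SHARED_KEY, frame, 1_000_010, 6))
    print(verify_frame(SHARED_KEY, frame.replace("1900", "0900"), 1_000_010, 6))
```

Any listener can read the message text, so its meaning is not obscured; only a holder of the key can produce a frame that verifies.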

------
trhway
>Full-disk encrypted operating systems provide criminals an invaluable tool to
prey on women, children, and threaten our freedoms

"If You’re Typing the Letters A-E-S Into Your Code You’re Doing Wrong"

~~~
tiddlydum
Sorry, I don't follow. How is the quote you highlighted related to not rolling
your own crypto?

~~~
koenigdavidmj
He changed the quote from "doing it wrong" to "doing wrong".

------
mdip
It's a political tactic that's been used _forever_.

When the legislature wants to do something unpopular (or even _stupid_ which
is what this is), associate it with the "Evil Of The Era" and propose the bad
legislation as the solution to said evil. These days, popular "Evils" are
Human Trafficking, Child Porn, and "Terrorism". The first two evoke extreme
emotion of crimes committed against the most innocent of victims, so they're
the _best_ choice in this scenario. In the 80s-90s it was anything to reduce
"Crack Babies" or win "The War on Drugs".

It's an old trick -- when people talk about logical limits placed on the first
amendment, you'll hear the phrase "Shouting Fire in a Crowded Theater". Most
of those who utter it don't realize that this phrase originated as part of a
ruling that had nothing to do with "fire" or a "crowded theater" but was made
to curtail the _dangerous speech of opposing the draft during World War I_
[1].

[1]
https://en.wikipedia.org/wiki/Shouting_fire_in_a_crowded_theater

------
kabdib
The bill says "...shall be capable of being decrypted and unlocked by its
manufacturer or its operating system provider."

It doesn't say _how_ , and it doesn't give a time frame.

So: Provide an API to accept a key. Allow two key attempts per second. Start
with key 0x0000..000, next try 0x000..0001. This is guaranteed to complete,
you just have to be prepared to wait a while.

(Yes, I know that courts are unhappy with this kind of thing. But the bill is
a crappy bill, in many regards).

~~~
rietta
Yeah, that's not going to work. Just like Mr. Levison giving the FBI the key
printed in tiny font did not fly from the court's point of view.

Lavabit found in contempt for trolling the FBI with 4-point font
http://www.dailydot.com/crime/ladar-levison-lavabit-founder-denied-appeal/

~~~
cgriswald
That was contempt of court, though; in which he was ordered to do something,
and by delivering the 4-point font basically failed to do as the court
ordered.

The tactic suggested by the GP is similar, but distinct, and has a better
chance of working because it isn't an attempt to circumvent the court itself.
It's an attempt to have the law seen as vague and therefore void. Still, IMO,
not likely to work, but it's not exactly like the Lavabit case.

~~~
kabdib
Yeah, a better written bill would include "Within 48 hours" or "Within three
seconds of a request from someone whose third cousin is a dog-catcher who can
spell 'Lawful request'" (too much to hope for "Within heat-death of the known
universe").

These two bills are actually clever probes, IMHO.

What are the chances they run afoul of interstate commerce provisions?

But hey, C compilers are tiny. It's no problem to put one on a phone.

I would:

- Comply. Rip encryption out of the OS. [keep reading!]

- Make a plug-in for the crypto. That probably already exists in the form of
a library, but in any event it doesn't seem hard.

- Have a system update -- one that is fetched very, very early in system
setup -- download and install that plugin. To avoid the possibility that
downloads can be blocked, you release the source code and give existing
phones, already in many hands, the ability to compile that code on the device
(some handwaving here, but you can probably make that secure, for specifically
that plugin, and maybe exactly that version of the source). You need a way to
distribute bug fixes, but again you're dealing with source that's not part of
the OS.

That source-level plugin isn't an operating system, and we're back in
territory where the government has to ban specific software components, and
maybe ban source code (which is going to be a really difficult 1st Amendment
argument).

------
mmanfrin
What a severe irony for this idiot to be on the _Privacy and Consumer
Protection Committee_.

------
pdkl95
So the 2nd crypto war has moved beyond mere fighting words. The long term
battlefield is usually the court of public opinion, so I hope Silicon Valley
recognizes this challenge to their power. Tech firms should have been
attacking this rhetoric hard when it started, but accusing politicians of not
understanding math/crypto has been a common response.

Do you want crypto to work? Or do you want to be forced to replace crypto with
security theater? Is your business actually willing to _actively_ protect a
free internet? Or is it easier to assume this is "someone else's problem"?

I guess we will see which companies defend themselves, and which companies
think being a collaborator is more profitable?

------
trhway
so basically there should be 2 components sold separately - "dumb GSM
connectivity module" and "smart OS module" (iPod basically). The latter not
having cell phone connectivity wouldn't be subject to that law and thus can
have FDE/whatever. The GSM module can just attach to the "iPod" back like
external battery.

~~~
vidarh
I have a "mifi" device sitting in my coat pocket right now. Even better than
attaching to the back, and readily available - it takes a sim card and creates
a wifi hotspot for all your devices, and can optionally export a media library
or network drive to all connected devices.

------
ianamartin
The "shall" wording is going to keep this in courts for years, even if it does
pass.

Shall is the source of more litigation than any other single word in the
English language. It can always be debated because no one knows if it reliably
means "can", "must", "may", "might", "will", "should", "ought to", or "is
allowed to".

All the above uses can be supported with evidence. Because language evolves.

It's a killer word for any law or contract and guaranteed to be disputed.

I am not a lawyer, btw.

But if this somehow passes, it will get tossed because of the wording.

~~~
tempestn
I haven't done any research or anything, but I can't imagine any reasonable
person interpreting "shall" to mean "can", "might", "may", or "is allowed to".

Shall means "will" or "must". Like any uncommon word I'm sure it's frequently
used incorrectly, and I recognize that language evolves, but I have difficulty
believing those other uses have become prevalent enough to be considered
valid.

~~~
ianamartin
I have done the research. It can mean all of the things that I mentioned.

------
ams6110
Would Apple have the balls to stop selling phones in California?

~~~
5ilv3r
They have the balls to lie.

------
passwordreset
Where the hell is Anonymous in all this? Shouldn't they be out there doxxing
and haxxoring and whatever it is that they do to these kinds of people? I'd
figure if someone stands up and says "Encryption should be illegal", they
probably don't encrypt jack shit themselves, and they're probably easy
targets. They might even take the hint and say "shit, I should have encrypted
my internetz" and change their stance. Eh, doubtful.

------
LinuxBender
What impact might this have on tax revenue from said controlled devices no
longer being purchased in California?

Do we start referring to encrypted devices without back doors as contraband?

~~~
tlrobinson
Unfortunately, the vast majority of consumers don't understand what this means
and will continue to purchase their phones from the local
Apple/AT&T/Verizon/Sprint/TMobile Store.

~~~
5ilv3r
Most people also buy the "nothing to hide" argument, in the interest of not
making trouble.

~~~
colejohnson66
Whenever someone brings up that argument, I ask them to let me see their
phone, PC, etc. and all the data on it. The majority will ask why, to which I
respond, "you have nothing to hide, right? So what's the deal with me seeing
it?"

------
peteretep
Someone needs to make a big deal about how this is bad for business because it
allows the Chinese/Russians/French/Welsh/whoever to steal American
Innovations(TM) and then write to whomever this person will be challenged by
in upcoming elections with "x is anti American Business" talking points. Both
sides can play "Won't someone think of the children?"

~~~
vidarh
If you want to play that dirty, rather than make statements about it, ask
rhetorical questions about _why_ the people proposing this want to give the
Chinese and Russian an easier way of stealing silicon your secrets, and ask
what they've got to hide.

------
jegutman
Might as well try to ban speaking pig latin in public.

------
tdkl
I'm waiting on the day something like this gets proposed in all of the EU
states, for the same BS reasons.

As a matter of fact, I'm certain that current leaders of the EU countries who
publicly invited immigrants to their state (we all know the most prominent
one), were considering this as an easy way to change the privacy laws - and be
applauded for it.

------
rdudek
Fair question, if I wanted to buy a phone now, which manufacturer/OS comes
with ability to do FDE and said party does not have a copy of the key?

