New York Considers Mandating Back Doors Into Phones

With a bill reintroduced last week, a New York Assemblyman wants to make it easy for the government to get inside smartphones. It’s a proposal that would mandate smartphone manufacturers be able to unlock the phones they make. The bill comes from Assemblyman Matthew Titone, of Staten Island’s North Shore, and was first introduced last summer. It’s sat in the Consumer Affairs and Protection committee since, so it’s still a long way from becoming law. A cryptographic back door would be bad for cryptography, privacy, and consumers.

The “back door” metaphor isn’t too far from the truth, so let’s flesh it out for a minute. In a memo sent out in support of the bill this week, the bill’s author does that for us. He describes a phone that cannot be unlocked except by the owner like this:

It is as if the police get a search warrant for a safe deposit box at a bank because they have reason to believe that the safe deposit box has evidence of a crime – but they cannot open the box because the bank has thrown away its own key. Indeed, this situation is even worse because whereas a safe deposit box can, ultimately, be opened by force, a passcode-protected smartphone is virtually impregnable, unless the companies maintain the ability to open the phones that it manufactures.

Except, and I think this is the crucial point, if there’s a mandated back door, then it’s not a safe that the government can access, it’s a safe anyone can access. As security researcher Bruce Schneier wrote when Apple introduced its strong encryption:

You can’t build a backdoor that only the good guys can walk through. Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You’re either vulnerable to eavesdropping by any of them, or you’re secure from eavesdropping from all of them.

Under the New York bill, companies that don’t provide or build in these back doors could face huge legal penalties. The Independent describes it:

The proposed law would also make phone manufacturers pay a fine of $2,500 (£1,736) for every phone they sell that cannot be unlocked.

This would result in fines reaching into the tens of millions for companies like Apple, whose devices are designed to have no back door, and are only unlockable by their owner.