41 comments

[ 2.7 ms ] story [ 69.0 ms ] thread
Wat?
Seconded. That said, this is laughably doomed for failure. It's still shocking, but this is NY. Their police force is the most militarized in the country and most of the world. Over-stepping their authority and bounds is a daily activity.
Yeah, they often propose legislation that just seems like "How far can we really go?" test. Even if this did pass, it would be virtually impossible to enforce an anti-encryption policy at a large scale. It would only end up effecting the people who are already in custody, further compounding the existing problems with prosecution of the poor here.
NY is familiar with push-the-limit prohibitions.

In comparison: NY passed the "SAFE Act" which, among other things, banned sale of "assault weapons" and required current owners register. The compliance rate with the registration requirement is about 4% ... out of a half-million owners.

NY is willing to go far, and sweep up violators as they're found.

It's really going to come back to bite them - creating essentially unenforceable laws is a bad idea if you want to maintain the rule of law.
It would allow them to add a criminal charge of possessing an illegal cell phone to people who have encrypted cell phones, then possibly force them to decrypt it through intimidation.
No, it would not. The law only criminalizes the "sale or lease" of such a device, not possession.
Although it wouldn't explicitly allow that, it's a short leap to make. That would be even more difficult to enforce though, and would mostly only impact those who are frequently arrested (pretty much the same downsides as the current issue, but on a more exaggerated scale).
This is the same state that banned selling sodas over a certain size, IIRC.
No, that was NYC's municipal government, not the state.
The Soda Ban is NYC-only, in response to the city's childhood obesity epidemic. Albany is a long way from the NYC mayor's office, both geographically and politically ;)
So that's why NYC kids are so skinny now.
The ban got overturned for exceeding the authority of the health department.
Has an underground black market for large sodas been established?
Yeah, it's called "buy two smaller ones or take advantage of the free refills".
Which isn't an entirely unreasonable response to obesity.
(comment deleted)
Something seems wrong about the dates in this article. The article has a byline for today, but the bill was proposed in June 2015, and would have an effective-of date of the first of this year.

nysenate.gov indicates that it's still in committee: http://www.nysenate.gov/legislation/bills/2015/a8093 ... hopefully dead there.

edit: from the Ars Technica article, it's been reintroduced -- see: http://assembly.state.ny.us/leg/?default_fld=&bn=A08093&term... . The EFF thinks it'll not get anywhere, though.

Even if you fully sympathize with their desire to enable law enforcement, the bill would effectively ban iPhones and no one who voted for it would ever hold office again.
Wow. Not even https and it even lets you associate your yay/nay with facebook.
Wow, $2500 USD fine.
That's "per device". For an $800 iphone, that's equivalent to banning their sale in NY.
Or Apple could offer to pay the fine for an iPhone owner and/or sell fine insurance. Great PR, uses a little of their cash. How are the phone owners going to be caught anyway?
The fine would be on the sellers, not the buyers.
They'll just alter the contracts on phones sold in NY: "You agree to not encrypt any data on this phone and will indemnify COMPANY in court"
They'll probably still be liable. I'm not sure it is something the consumer can indemnify them of.
As long as only a few locations pass laws like this, it only kills their local phone shops. Nanning sale locally really is stupid. All it does is remove protection for those that can't afford to get something from outside the state, and everyone really interested in encryption (including bad guys) is only "a bit" inconvenienced.

But it sets a worrying precedent, should it pass...

Also, something passing state-wide in a populous state like New York or California can be regarded as an end-run around the difficulty of passing such a law nationally. Vendors won't be willing to lose sales in large markets, so everyone else will get New York-compliant phones. Compare how Texas controls the market for primary/secondary school textbooks in the US.
Sooo couple of attacks on that - not sure if encryption is considered speech by the Supreme Court - but if you are able to write in code a paper letter or journal without mandatory decryption, you should be able to do it with a device.

Second - unlocked bootloader and cyanogen/AOSP. Or just ship device without the OS and make user install it later - bonus - no carrier crapware.

The reason this bill is stupid/wrong is that it's based on the government being able to secretly look in your phone. A judge could always compel you to open up your iPhone with a warrant; what they want is the ability to do it without your knowledge. It's the equivalent to the government having a literal back door into the safe in your house, with their own key.

Fuck. That.

That's not really true. For one, there is surprisingly little legal precedent for forcing someone to give up a password. It's a gray area on the edge of a 5th amendment violation. Secondly, consider the case of finding a dead body with a locked iPhone in the pocket. That phone is a brick for all eternity. Thirdly, snooping without someone's knowledge is very frequently supported by court orders. It's not a violation of due process or privacy.
If compelling someone to give up a password is illegal, but secretly breaking into the thing you needed a password for is not illegal, something is wrong.
It's perfectly reasonable. Acquiring things is covered by the 4th amendment. Forcing information out of someone's head is not.
Let the law go through and watch it have no effect whatsoever.

Perhaps if Apple wanted to make a statement, they could cease selling iPhones in NY and let the populous let them fix it by protesting to their elected officials.

If push comes to shove, the bill is pretty poorly written. At the time of selling the smartphone, the seller sold an unlocked and unencrypted device. It's only after the user logs into the device that any encryption / locking is carried out. Every seller can demonstrate that they can turn on and access any unused phone that they happen to carry. "Here's the default code 0000, go nuts officer!"

Assuming the above doesn't hold water, we can do another little thought experiment. I note that Matthew Titon (the bill's sponsor) is a former Lawyer. My simplistic understanding of the rules of the bar (IANAL) suggest that a lawyer that used such an unlockable / decryptable phone would be potentially breaking the rules of the bar when it comes to confidentiality. Hence no-one in that profession would be advised to buy a new phone in NY State that was used for work purposes if this bill went through.

Another counterpoint to consider, let's say that China decided to legislate that no phone could be manufactured in China without an ability for the Chinese government to unlock / decrypt the device. How willing would US officials be to use such a phone?

This bill really highlights that people that don't understand technology shouldn't attempt legislating against it without consultation with actual professionals.

It's not even requisite to understand the technology, but to understand how people live their lives. People expect a certain amount of privacy. Hell, as you mention even the law already acknowledges the need for confidentiality.
There are a couple of things very obviously wrong with the text of this bill. It's not clear that it'd pass a legal review.

The text: http://legislation.nysenate.gov/pdf/bills/2015/A8093

The most obvious one is that the bill fails to provide any definition of the key phrase "decrypt and unlock". I'm pretty certain that the bill wants "unlock" to mean "get past the lockscreen", but an equally common usage of "unlock" is in reference to phones which a carrier has prevented from being used with another carrier. It's not clear what the word "decrypt" refers to, either.

There isn't a technical solution in the world that can prevent end users from writing encrypted text files to their phones using a one time pad. Would all devices that let you store text become illegal under this law?