FYI.

This story is over 5 years old.

Tech

Google's Great Encryption Backtrack

"Google has made statements that are no longer true" about requiring encryption on phones that run Android.
​Image: ​FloodG/Flickr

​In late October, Google announ​ced that Lollipop, its newest version of Android, would have "encryption by default." Monday, it was a curious reporter, not Google, reporting that would no longer be the case.

Instead of requiring every file on an Android system to be encrypted by default, the choice will be left up to manufacturers such as Samsung, LG, and Motorola as to whether to turn that feature on out of the box, Ars Tec​hnica discovered.

Advertisement

"Google has made statements that are no longer true, and it's Google's obligation to publicly correct that statement," Amie Stepanovich, US policy manager for the digital rights group Access, told me.

Google confirmed to me that encryption would not be required as a default in Lollipop and said it's "up to the [smartphone] manufacturer to determine how to implement [encryption]." The company would not give me any more information about why it's backtracking.

"If I were Apple, I would do my best to eat Google's lunch here"

It's a departure from the tune th​e company was singing back in October, when the company said Lollipop comes "with a kevlar wrapping."

"From the moment you turn on a device running Android 5.0, you'll have a wealth of new security features protecting you, like encryption by default and a lock screen that's easier and more powerful than ever," the company wrote.

That proclamation led to an incredibl​e amount of media attention, especially when combined with Apple's parallel decision to make encryption default.

The change is a big deal, and Google could be endangering its customers unless it makes it very clear that encryption will not be turned on automatically.

"We have found that users are more at risk when they believe that they have more security than they actually do. Google has been a leader on device encryption, they've allowed it for a long time," Stepanovich said. "But now, people need to be educated that they need to turn it on themselves and taught how, exactly, to do that."

Advertisement

Following the Apple and Google announcements in October, default encryption has become an ongoing controversy in the intelligence world, with th​e ​FBIJu​stice Department​NSA, and even President Obama saying that encryption makes it harder for law enforcement to do their jobs.

"We know that there's been significant government pressure, the Department of Justice has been bringing all the formal and informal pressure it can bear on Google to do exactly what they did today," Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, told me.

"Whether that pressure had any impact, I have no idea. But if the next major revision of Android comes down and doesn't include default encryption, I think all of us need to start worrying."

Google reiterated in its Android Compatibility Definition, a manual of requirements for cell phone manufacturers, that default encryption is coming, someday.

"While this [encryption] requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android," the manual said.

So, what happened here? Google appears to remain committed to encryption, eventually (the company's Nexus 6 smartphone and Nexus 9 tablet have encryption enabled by default, Google told me in an email). So, rather than looking at this as a cave to government pressure, it seems more likely that cell phone manufacturers, and maybe Google, have been slow in adopting encryption.

Preliminary tests suggest that, on many handsets, encryption impacts performance. But if handsets are built from the ground up to have what's known as "crypto hardware acceleration," that stops being an issue.

Android, unlike Apple's iOS, has to work on hundreds of handsets with hundreds of different specs. That gives consumers more choice and freedom, but it also makes implementing sweeping changes like this somewhat difficult.

"It's an amazing advantage for Apple, and it's not necessarily just optics," Cardozo said. "Apple actually has a more secure system, and if I were Apple, I would do my best to eat Google's lunch here. This is a backtrack for Google."

Stepanovich agreed: "Samsung and Motorola are not giving these issues the time they deserve so they could be enabled. It's as much up to them as it is to Google to be protecting their users here."