A University Hack Exposed 63,000 Social Security Numbers. Face, Meet Palm.
University of Central Florida president John Hitt announced Thursday that the school has been, well, hacked. Discovered at the beginning of January, the breach exposed the social security numbers and other identifying personal information of 63,000 students, former students, and faculty/staff.
The announcement, spotted by Gizmodo, notes that credit card numbers, financial records, medical records, and grades were not affected. UCF is a big community—the school enrolled 60,810 students in 2014—but it seems that the breach centered on certain groups (perhaps based on which information was easiest for the hackers to access). UCF's investigation showed that current and former student athletes, students who work for the university, and certain categories of staff are at high risk.
UCF is sending letters to everyone whose information was compromised and will offer a year of free credit and identity monitoring to them. The university is offering a website and hotline that community members can use to get information.
Hitt wrote, "Safeguarding your personal information is of the utmost importance at UCF. To ensure our vigilance, I have called for a thorough review of our online systems, policies and training to determine what improvements we can make in light of this recent incident."
The university has taken solid steps to address the hack and disclosed it fairly quickly. But it wouldn't be a public hack disclosure without a few out-of-touch comments. In answering the question, "What should I do to help protect myself from identity theft?" the University’s Q&A says, "Out of an abundance of caution, we recommend that you carefully check credit reports for accounts or inquiries you do not recognize." But it's not really an "abundance of caution" when your school has been hacked, right?
Europe’s Brand-New Data Transfer Agreement With the U.S. Is Already Drawing Criticism
The European Union’s highest court struck down the 15-year-old “Safe Harbor” data-transfer pact in October. But on Tuesday the European Commission announced that it had brokered a new data-flow agreement with the United States. Known as the “Privacy Shield,” the revision is meant to address the court’s problems with the old arrangement. But critics are already beginning to emerge.
The broad goal of this type of agreement is to shuttle data from EU to U.S. data centers in a way that complies with EU privacy laws and protects data from all sorts of government surveillance. The Privacy Shield promises to impose stricter standards on how companies communicate with customers and handle their data and calls for increased enforcement from the U.S. Department of Commerce and Federal Trade Commission. These agencies will also be involved in conflict resolution if Europeans feel that their data is being mishandled.
At this point the Privacy Shield needs to be turned into a full draft proposal so it can be submitted for approval by the 28 nation states in the EU. U.S. agencies and businesses also need to figure out how they will comply with the changes.
The plan is already generating skepticism and criticism, though. On Wednesday a group of European privacy agencies asked for a number of clarifications about the new agreement, fearing that it doesn’t do enough to protect European citizens from surveillance by U.S. government agencies. Isabelle Falque-Pierrotin, chief of privacy in France and chair of an EU body of data protection authorities, told the New York Times, “We want to receive the documents to assess whether the E.U.-U.S. Privacy Shield can answer our concerns. ... We have to review the consequences of this arrangement.”
Others worry about whether the new agreement will be viable. Austrian privacy campaigner Max Schrems told Ars Technica, “If this case goes back to the ECJ [European Court of Justice]—which it very likely will do, if there is a new safe harbour that does not meet the test of the court—then it will fail again, and nobody wants that.”
For businesses, especially small businesses, the cost burden of reforming to meet the new agreement could be significant, costing hundreds of millions of dollars across various industries. And the European Commission didn’t attempt to downplay this fact. In its announcement the commission said that U.S. companies would have “robust obligations” if they want to serve EU customers. Allison Grande wrote on Law360 on Tuesday, “The increase in compliance obligations and legal exposure compared with the previous regime should make companies think twice about blindly signing on to the revamped deal.”
When a full Privacy Shield draft emerges in the next few weeks, there will be more for interest groups to pick apart. But privacy regulations are so contentious right now that even without a draft it only took a few hours for the controversy to heat up.
The Dutch Have Devised the Best Drone Defense System: Trained Eagles
There are many ways to stop an errant or hostile drone from venturing over forbidden territory—more and more methods every month, it seems. “Shooting it down with a shotgun” is a popular method, but also unimaginative, and generally illegal. In October, I wrote about the DroneDefender, a futuristic rifle-shaped device that uses directed radio waves to force wandering drones to the ground. In January, a professor at Michigan Technological University announced a drone taker-downer that was basically just another drone equipped with a big net. Now, there’s a new method for repelling unwanted drones, and that method is a trained eagle.
Jamie Condliffe at Gizmodo reports that the Netherlands National Police have hit on the honestly brilliant idea of training eagles to identify errant drones and pluck them out of the air as if they were prey. That’s the long and short of it. You should basically just watch the video here to get a sense of how this would work under ideal circumstances:
The apparent ease with which eagles can be trained to swoop up and snatch consumer electronics out of midair is mildly alarming. If I were a mugger, I would acquire one of these eagles and send that sucker out to grab as many iPhones as possible. The point is, there’s a fighting-fire-with-fire mentality that seems to demand that we meet technological problems with technological solutions, but sometimes the simplest solutions can be just as good. (Not that training an eagle to attack a drone is simple, per se, but it’s simpler than building a futuristic radio-rifle or having to constantly stuff and restuff a damn net inside a second drone.)
Obviously there’s a huge difference between training an eagle to successfully grab a drone in controlled circumstances in a giant warehouse and having it do so out in the real world. But regardless of whether the eagle program is effective as a drone repellent, I suspect that it might pay unexpected benefits as a drone deterrent. I, for one, would think twice about operating my own drone recklessly if I knew there was a chance that it might be snatched from the skies by a bird of prey and carried back to some remote aerie, never to be seen again. So maybe the publicity around a campaign like this is just as important—or more so—than the actual efficacy of the program itself. And maybe American officials should be considering similar attention-grabbing methods. We’ve got the eagles!
This article is part of a Future Tense series on the future of drones and is part of a larger project, supported by a grant from Omidyar Network and Humanity United, that includes a drone primer from New America.
Future Tense Newsletter: A Hypothetical Climate
Greetings, Future Tensers,
January has come to an end, and with it our first Futurography course. By way of conclusion, we published a second excerpt from Oliver Morton’s The Planet Remade in which Morton imagines how geoengineering projects might begin with a small group of rogue nations trying to make a difference. Hypothetical as such endeavors remain, they seem a little more urgent when you consider that climate change may contribute to the spread of Zika mosquitoes in the decades ahead.
Fortunately, we’re not quite there yet, just as we’re not on the brink of some “Fourth Industrial Revolution,” despite the overeager claims of some at the World Economic Forum. Real change may be incremental, as when General Electric announced this week that it would stop producing compact fluorescent light bulbs in favor of more energy-efficient LED options. Still, there’s something to be said for imagining extreme scenarios, like the one in Occupied, a Norwegian political thriller that features Russia invading after Norway cuts off oil and gas production.
Even with our geoengineering course behind us, we’ll continue to report on and discuss such issues. For now, Futurography has moved on to its next topic: the question of whether we’ve given algorithms too much power. As we did last month, we’re starting off with a conversational introduction to the topic and a cheat sheet that will introduce you to key terms, players, debates, and other essential information. We’ll have much more in the days and weeks ahead. And we’re curious to hear what you learned from our previous unit. Consider testing your knowledge with our quiz and letting us know what you think about geoengineering. We’ll be reporting on the results soon.
In the meantime, here are the other stories we read while we were losing to a computer at Go:
- Virtual reality: Companies are getting serious about VR, partly because consumers are finally getting on board—as is the open source community.
- Assistive technology: At Carnegie Mellon University, Bluetooth-emitting beacons are changing how the blind move through—and interact with—the world around them.
- Flat-earthers: Lawrence Krauss argues that the resurgence of ludicrous theories about our planet presents an opportunity to engage in some basic scientific observations.
- Oregon Trail: A co-creator of one of the best-selling video games of all time showed up on Reddit to dish about its origins. We have the details.
- Why do some regions become hubs for artistic, business, and technological innovation? Join Future Tense at Civic Hall in New York on Thursday, Feb. 11, for a conversation with Eric Weiner about his book The Geography of Genius: A Search for the World's Most Creative Places, From Ancient Athens to Silicon Valley. For more information and to RSVP, visit the New America website.
Looking for the bug spray,
for Future Tense
This Company Waited More Than a Decade for People to Get Serious About Virtual Reality
Virtual reality feels cutting-edge. It’s been around in some form since the ’90s (and even before, sort of), but the technology has really started to come into its own in the past few years. There are VR films at Sundance, VR news apps, and, of course, VR video games. So for VR company Sensics, patience has been crucial.
“Virtual reality trade shows used to be half a dozen exhibitors. It was like a club,” says CEO Yuval Boger. Founded in the late ’90s, Sensics is based on technology developed at Johns Hopkins for Honda. When developing a new model, the car company wanted to sit in it and get a feel for its design long before investing in physical prototypes. This led to a 6-million-pixel-per-eye head-mounted display. (Currently, the optimal Oculus Rift resolution is 2,160-by-1,200, or 2.6 million pixels per eye, but computers powering the Rift process about 233 million pixels per second.)
In the early 2000s Sensics didn’t have access to cheap components and processing power like it does now, but for a cost it could deliver much of what consumers are experiencing today. Most clients were big corporations, research organizations, or defense agencies. “I remember standing in front of a mirror practicing saying, ‘These goggles cost $200,000’ without bursting into laughter,” Boger says.
For the past year, Sensics has been working with gaming company Razer on an industry standard for VR called Open-Source Virtual Reality. For $300 (compared to Oculus’ $600), consumers can buy an OSVR Hacker Dev Kit—a headset that connects to “a mid-tier gaming PC and upwards” to deliver VR experiences. OSVR is often compared with Android because it is an open-source standard accepted by 300 partners and growing. The idea is to enable manufacturers to provide VR equipment at a variety of price points and qualities while allowing Internet-connected peripherals, like smart clothing or biometric trackers, to integrate into the VR experience.
“There are going to be more and more sensors connected to the VR experience in 2016,” Boger says. “As a result, people are going to run into, ‘Oh my god, there are no standards for how devices are going to talk to each other.’ But we can say that we are the de-facto standard. Today we support hundreds of devices.”
For example, last year Oculus announced that it would stop supporting Mac development. So when Mozilla WebVR (browser-powered virtual reality) approached OSVR about a partnership, it asked about potential Mac compatibility. OSVR couldn't offer it on the spot but said it would put the challenge out to its open-source community. Within three weeks, developers around the world had volunteered their time to add the functionality Mozilla wanted.
Consumer virtual reality has certainly come a long way since products like Nintendo's Virtual Boy debuted in 1995. But the technology behind what we see today isn't just the result of a sudden boom—it’s been evolving steadily for the past two decades. Boger is enjoying it. “One of the fun things about Sensics is that for 10 years people have come in and said, ‘Here's what I want to do with VR.’ And now with a $300 device it's becoming accessible.”
Now Streaming on Netflix: A Fantastic Political Thriller on Climate Change
There is a telling moment at the end of the first episode of Occupied, the highly entertaining new Norwegian TV political thriller, now available in the United States on Netflix (with subtitles!). One of the main characters, sitting in a cafe with his family, looks bleakly through the glass at the shoppers in the mall outside, knowing they are oblivious to how fragile their world has just become.
This terrific bit of acting by Eldar Skar, who plays a secret service agent thrust into a role “above his pay grade,” is in some ways the crux of the series. As the show’s creator, best-selling crime writer Jo Nesbo, told the Guardian last year, “the feeling we are secure and things can't really change is an illusion. That is the scary bit, because things can change very fast.”
In Occupied, everything changes for Norway very fast, indeed. As the first episode opens, a new Green Party government announces its plan to live up to its rhetoric on climate change: It will cut off all oil and gas production in Norway. Unfortunately, at the same time, the Middle East is suffused in conflict and no longer exporting energy, plunging Europe into a severe energy crisis and a deep recession. Meanwhile, the United States is self-sufficient in energy and content to stay on the sidelines. With the EU’s support, Russia mounts a silk-wrapped invasion, quietly seizing Norway’s oil platforms and gas plants and resuming production. And that’s all in the first half of the first episode.
Critics of Occupied, notably the Russian government, have challenged the plausibility of the show. While there’s certainly some poetic license involved, the plot is not all that far-fetched. And if you disagree, consider suspending your disbelief: Nesbo, after all, came up with the concept before Russia annexed Crimea.
Could Norway really afford to cease oil and gas production? It’s difficult to see that happening, given how inextricably linked the Norwegian economy is with fossil fuels. On the other hand, most domestic electricity there is from hydropower, and the prime minister’s original plan in the show is to export “clean” energy from a thorium nuclear plant. That would be very costly, but then again, Norway is sitting on the world’s largest sovereign wealth fund and always looking for investments.
It is certainly true that Europe could ill afford to lose access to Norway’s fossil fuels—or Russia’s. And while Europeans do not suborn Putin’s adventurism, they don’t exactly stand up to him, either. Who knows where that will lead if Putin keeps making the choices harder?
It’s tough to imagine the United States declining to come to Norway’s aid in such a crisis, but it’s not completely impossible in a situation short of war, either, particularly with a nuclear-armed state involved (see: Ukraine). Neo-isolationist leanings aside, America has often stood on the side of stability in our foreign policy, including at the expense of our democratic values. In the show, U.S. indifference also has to do with our departure from NATO, and while that’s unlikely to actually happen, the alliance’s long-term health is by no means assured.
A global energy crisis may seem unlikely right now, given that the world is awash in cheap oil, but it remains a possibility. With tensions rising between Iran and Saudi Arabia, including proxy fights around the region, it is not unreasonable to predict a rise in regional conflict. And while North American self-sufficiency is not impossible, it cannot replace the 20 percent of global supply that flows through the Strait of Hormuz. Indeed, that self-sufficiency would be challenged in such circumstances, given that U.S. producers would just want to sell at higher prices abroad, raising the price at home, too. The world’s energy crisis would still be America’s energy crisis, no matter how much oil and gas we produce at home.
It is the core dilemma of the series that rings most true, however: There is a strong generational tension when it comes to climate change. Making a transition away from the world’s overwhelming dependence on fossil fuels too quickly would be economically and geopolitically disruptive today, but making it too slowly will be equally devastating for the future. It’s a defining conundrum of the 21st century, and in real life, it will be no easier to resolve than it is in Jo Nesbo’s fictional Norway.
Ultimately, though, the series is not really about geopolitical brinksmanship, energy security, or climate change. It’s about the small moral compromises individuals make, and how that aggregates into collective choices and ultimately, national character. Yes, that means the series is a social critique of Norway, albeit a loving one. But it is also a more general observation of human nature under pressure, and particularly the pressure of terrorism. In that respect, things could change very fast in the United States, too.
You can watch the first season of Occupied, with subtitles, on Netflix.
It’s the Beginning of the End for CFL Bulbs
In 2008, Brendan Koerner wrote on Slate, "I'm constantly being told that the simplest way to improve my green cred is to start using compact fluorescent lights." Back then it was true. CFLs were the first mainstream, energy efficient alternative to incandescent light bulbs, but they were known for giving off harsh, unattractive light.
Today CFLs have peaked and begun to decline because of competition from light-emitting diode alternatives. LED bulbs give off a warmer light, have fallen in price to rival CFLs, and are even more energy efficient. And now the decline of CFLs in the United States is receiving a full-blown nail in the coffin: On Monday, GE announced that it will cease to manufacture CFLs by the end of 2016.
The company noted that in 2015 nationwide LED bulb sales were at 15 percent; the New York Times adds that at the same time in 2014 LEDs made up less than 5 percent of bulb sales. “The time for LED is now,” said GE lighting chief operating officer John Strainic in the statement. “LED is a platform that can replace every other light source that we have developed over 130 years.”
GE also noted that come 2017, it will be more difficult for CFLs to receive Energy Star ratings from the Environmental Protection Agency. Instead of letting the technology die slowly, the company is taking a hard line.
In 2014, Seth Stevenson tested out and reviewed LED bulbs for Slate. At the time he wrote, “Yes, they’re pricier, but LEDs are vastly superior to CFLs in every other way.” Now that GE says a 60-watt-equivalent LED bulb is $3.33 at Sam’s Club, you can see why the company is ready to go all-in.
Oregon Trail’s Co-Creator Didn’t Make Much Money. He Should Have Chosen to Be a Banker.
If you grew up with Oregon Trail, the mere mention of the video game summons up the memory of huddling around dingy early Apple computers in libraries and classrooms. If we learned anything from those early experiences, it likely had more to do with what we discovered about the potential of computing than it did about the eponymous journey.
As it happens, bringing that game to market was a journey in its own right, much of which has now been told in a substantial Ask Me Anything on Reddit with Don Rawitsch, one of the game’s three co-inventors. Rawitsch explains that he and his fellow pioneers created the game in 1971, well before the invention of the modern personal computer. They programmed its earliest versions on a mainframe “that did all its communicating via printed text.” Years later, Rawitsch went to work for the Minnesota Educational Computing Corp., where a team converted it in 1985 to make it playable on newer machines, adding in graphics, music, and “some memorable quotes” in the process.
Though Oregon Trail would go on to sell tens of millions of copies, Rawitsch and his collaborators never got rich off the proceeds. Asked by a Reddit user whether he had ever profited from the game, Rawitsch responds that it had only ever led him “to great jobs in the ed[ucational] tech industry.” When he first arrived at MECC, “we were still 5 years away from the notion that there would be a consumer software market.” Though he doesn’t seem especially bent out of shape over his lack of good fortune, Rawitsch does observe in passing that things could have been different, quipping, “In another era, I might have owned an island by now!”
Rawitsch seems to have privileged educational innovation above all else, but the game’s current owners appear to have other goals in mind. In response to a question about mobile versions of the game, Rawitsch suggests that he’s not especially involved, allowing only that they “play more like an arcade game” and that he suspects “a historical model is not involved.” Here, another Reddit user steps in, claiming to have worked on an early version of the eventual iOS release. Though the mobile version was originally intended as a more faithful update, the user claims, it eventually turned into “a basic resource management sim that served as a platform for arcade mini-games.”
Still, those who are still nostalgic for the older versions will find plenty to intrigue and amuse in Rawitsch’s public Q&A. He offers real-life tips about surviving dysentery (“it’s all about eating well”), as well as practical advice about thriving in the game (waste too much time hunting and you’ll hit the Rockies during winter). And though he declines to comment substantially on Oregon Trail’s place in gaming history, he has a great deal to say about the game’s handling of the historical record. “[I]t would have been interesting to add a Native American viewpoint, perhaps a character who watches the wagons come into that territory,” he adds.
Rawitsch also goes into detail about choices that were made during the game’s development. In one thread, he claims that the developers introduced the three roles you can choose from at the start of the game—banker, carpenter, and farmer—as a sort of primitive difficulty system: The banker was basically a beginner’s level, the carpenter medium-difficulty, while being the farmer allowed “a seasoned pioneer [to] give him/herself a tougher challenge as a farmer” without breaking immersion. Elsewhere in the AMA, he refuses to accept that “being the farmer sucks,” even if it does make things a little harder. “Come on now, farmers can get to Oregon too,” he writes. “But, you have to have a little more skill to solve problems without throwing money at them.”
To be fair, that’s exactly what I’d say if I’d never made a profit from a game like Oregon Trail.
Deploying Technology to Rescue the Past: A Future Tense Event Recap
For centuries, museums have been the primary means through which we’ve preserved and exhibited our collective pasts. In general, we experience them as primarily physical spaces that contain mostly physical things, but technological developments are rapidly changing our understanding of what we preserve in them and how we do it. To better understand some of the ongoing changes, Future Tense convened a panel of experts on Jan. 28, 2016, at New America in Washington, D.C., to discuss the ways technology can be used to protect the past.
Event moderator Sarah R. Graff, a senior faculty fellow at Arizona State University, kicked off the event by asking the panelists how technology had changed their work. Scott Branting, assistant professor of anthropology at the University of Central Florida, said that the availability of satellite data had made a significant impact on preservation projects, allowing scholars to monitor damage to sites and helping them zero in on especially imperiled regions. While they can’t always prevent crises, Salam Al Kuntar, assistant professor of anthropology at the University of Pennsylvania, said that scanning and digitization technologies have revolutionized archaeology, allowing researchers to produce digital copies of imperiled locales and artifacts.
Significantly, making digital copies isn’t just about preventing thefts by looters or damage from extremist groups; it also helps to protect against the damages sometimes wrought by archaeology itself. As Branting put it, “archaeology is a fundamentally destructive science,” often tearing things apart to get a glimpse of whatever’s inside them. New technologies are making it easier to avoid even such well-meaning depredations. Al Kuntar explained that imaging systems now allow researchers to look inside objects or below the ground, helping them delve with far more accuracy than they’ve ever managed before and doing less harm to the surrounding materials in the process.
Digitization and 3-D printing technologies have also contributed to preservation efforts by allowing anthropologists to produce multiple copies of objects. As Kirk Johnson, Sant director of the Smithsonian National Museum of Natural History, pointed out, museums have always dealt in copies and imitations: Look at an exhibition of dinosaur skeletons, and inevitably only some of the fossils will be originals, while others will be skillful imitations, replacing components that have already been lost to the ravages of time. In archaeology, digitization massively improves the survival rate of imperiled artifacts—and on a larger scale it can give a clearer sense of how those objects fit into their respective life worlds. But as Branting acknowledged, “It’s excellent to have that copy, but it’s still a copy. You wouldn’t mistake a mannequin for a human being.”
With this observation, the potential dark side of archaeological preservation technologies began to reveal itself. Just as satellites and social media facilitate the discovery and protection of historically significant locations, they may also make it easier to take advantage of those sites. Indeed, the panelists noted, even calling attention to the destruction of a site can sometimes accelerate that process of ruination. Looters, for example, can monitor social media much as researchers do, looking for news of previously unnoticed locations that might contain valuable finds. In this sense, the very technologies empowering archaeology may be its undoing.
For all that, the panelists agreed the benefits of new innovations largely outweigh the risks. Observing that everything “comes back to access of information,” Al Kuntar affirmed a point that Branting and Johnson also made: The real responsibility of archaeology is to educate us about humanity’s story. Building on this, Branting suggested that researchers have to trust that ordinary people will recognize the value of such work. “And hopefully that faith in humanity outweighs the risk of bad stuff,” he said.
Why Proposed State Bans on Phone Encryption Are Moronic
American politics has long accepted the strange notion that just a pair of states—namely Iowa and New Hampshire—get an outsize vote in choosing America’s next president. The idea of letting just two states choose whether we all get to have secure encryption on our smartphones, on the other hand, has no such track record. And it’s not a plan that seems to make much sense for anyone: phone manufacturers, consumers, or even the law enforcement officials it’s meant to empower.
Last week, a California state legislator introduced a bill that would ban the retail sale of smartphones with a full-disk encryption feature—a security measure designed to ensure that no one can decrypt and read your phone’s contents except you. The bill is the second piece of state-level legislation to propose that sort of smartphone crypto ban, following a similar New York state assembly proposal that was first floated last year and re-introduced earlier this month. Both bills are intended to ensure that law enforcement can access the phones of criminals or victims when their devices are seized as evidence.
Those two proposed crypto bans have put another twist in an already tangled debate: The privacy and cryptography community has long opposed any such “backdoor” scenario that gives cops access to encrypted smartphones at the risk of weakening every device’s data protections. But legal and technical experts argue that even if a national ban on fully encrypted smartphones were a reasonable privacy sacrifice for the sake of law enforcement, a state-level ban wouldn’t be. They say the most likely result of any state banning the sale of encrypted smartphones would be to make the devices of law-abiding residents more vulnerable, while still letting criminals obtain an encrypted phone with a quick trip across the state border or even a trivial software update.
If the New York and California smartphone encryption bans passed, a company like Apple that sells encrypted-by-default iPhones would have three options, argues Neema Singh Guliani, an attorney with the American Civil Liberties Union: It could cease to fully encrypt any of its phones, contradicting a year of outspoken statements on privacy by its CEO Tim Cook. It could stop selling phones in two of America’s richest states. Or finally, it could create special versions of its phones for those states to abide by their anti-encryption laws.
The last of those scenarios is Apple’s most likely move, says Singh Guliani, and yet would result in a “logistical nightmare” that still wouldn’t keep criminals from encrypting their phones’ secrets. She compares the laws to state-wide liquor regulations: “People will travel over the border to buy alcohol in states with the standards that suit them,” she says. If consumers will cross borders to fill a booze cabinet, what’s to prevent New York criminals from foiling surveillance with New Jersey iPhones? “Nothing would stop those who wanted a more privacy protective phone to get one from out of state.”
In the hypothetical future where the state bills have passed, fully encrypting an iPhone might not even require buying an out-of-state device, but merely downloading out-of-state firmware. After all, it’s unlikely Apple would go to the expense of manufacturing different hardware for its phones to disable encryption in some of them, argues Jonathan Zdziarski, an iOS forensics expert who has worked with police to decrypt phones. “That would be a massive technical change to support this kind of device,” Zdziarski argues. “It would be literally cheaper for Apple to stop selling phones in California altogether.” Instead, he says, it would likely sell the same hardware for all of its devices and merely disable full-disk encryption through a different version of its firmware activated at the time of the phone’s purchase. And nothing in the current bills would prevent Apple from making the fully encryption-enabled version of its firmware available to anyone who restores their device from factory settings.
In other words, that would make the New York and California crypto bans statewide bans on software, an idea roughly as practical as policing undocumented birds crossing the Mexican border. And if Apple were to try to accommodate the spirit of the law by preventing customers from restoring their phone with full-disk encryption inside California or New York, Zdziarski is confident iPhone owners could circumvent any location tracking, proxying their IP address or putting the phone in a Faraday bag to block its GPS. “This legislation is going to be technologically useless,” says Zdziarski. “Anyone who wants a device that doesn’t have law-enforcement-reversible encryption will be able to get one.”
Neither Apple nor Google, which followed Apple’s lead last year by declaring that all devices running the latest version of Android will have default full-disk encryption, responded to Wired’s request for comment on the California or New York bills. The office of New York Assemblyman Matthew Titone, who introduced the New York bill, tells Wired that the state-level bill is meant to pressure Congress to follow with its own legislation. “When there’s no national legislation, states take efforts on their own to solve an issue,” says Titone’s chief of staff Chris Bauer. “That can speed the process along to make the federal government take steps.”
Skyler Wonnacott, the director of communications for the California bill’s sponsor Assemblyman Jim Cooper, offered a similar argument. “California is leading the fight … It’s got to start somewhere,” Wonnacott says. “Just because you can drive into Nevada and buy a phone or download software doesn’t mean there isn’t an issue and these phones aren’t used in crimes.”
Congress has yet to introduce legislation to limit full-disk encryption in smartphones, despite several congressional hearings over the last year in which officials, including FBI Director James Comey and New York District Attorney Cyrus Vance, warned of the dangers of allowing criminals access to devices with data they couldn’t decrypt. (Vance said at the time that New York police had been stymied by smartphone encryption 74 times in the nine months before the hearing, out of roughly 100,000 cases it deals with in a year.) A spokesperson in Vance’s office writes to Wired that the DA’s office pushed for state legislation, and still hopes to find a compromise with device makers. “When Apple and Google announced the switch to full-disk encryption…with no regard for the effect it would have on local law enforcement and domestic crime victims, they left us with no choice but to seek legislative solutions at all levels, state and federal,” writes the district attorney’s director of communications Joan Vollero. “If the companies have a solution, we encourage them to engage in a productive dialogue.”
But even if state laws do put pressure on Apple and Google to cave on encryption, they may do so unconstitutionally, says Andrew Crocker, an attorney with the Electronic Frontier Foundation. He says statewide smartphone encryption bans may fall under the “dormant Commerce Clause,” which gives the exclusive right to regulate commerce between states to the federal government. “States don’t have unlimited power to enact regulations to burden interstate commerce,” says Crocker. “If I’m Apple, this seems like a huge burden on my business.”
Congress, on the other hand, would have the power to ban default full-disk encryption in smartphones—though they’d do so against the advice of nearly every technical expert in the field of cryptography. In July of last year, for instance, 15 renowned cryptographers published a paper cautioning against any deliberate weakening of encryption for the sake of law enforcement. “New law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” the paper reads. “The prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.”
And Crocker reiterates that state-level bills wouldn’t be just problematic or risky, but “wildly ineffective,” as those who want encryption will easily get it from out of state—in either software or hardware form. The technologically savvy will use it to defeat police surveillance or to protect their phone from hackers and thieves, while the average smartphone user’s data will be left more vulnerable. “The ones who will actually be impacted are the less sophisticated people who don’t know how to get this protection,” says Crocker. “You’re looking at a cost that falls on innocent people, not criminals or terrorists.”