When Google joined Apple in announcing that its new Android 5.0 Lollipop mobile operating system would ship on new devices with full-disk encryption turned on by default, the authorities were very alarmed – so much so, in fact, that demands for backdoors in encryption that only (at least in theory!) the US intelligence and law enforcement agencies can access have been flung around with wild abandon, despite even the National Intelligence Council admitting that encryption is the‘best defense’ for privacy.
Just recently, Apple CEO Tim Cook sounded a strong note of defiance at a conference designed to improve cooperation between the government and the technology industry over cybersecurity, stating that,
‘People have entrusted us with their most personal and precious information. We owe them nothing less than the best protections that we can possibly provide.’
It is therefore with disappointment that we hear Google has retreated from requiring OEM manufactures to ship new Android devices with full-disk encryption turned on, a serious climb-down from its boasts to the Washington Post last September that,
‘As part of our next Android release, encryption will be enabled by default out of the box, so you won’t even have to think about turning it on.’
Unsurprisingly, Google has not made a song and dance about dropping this requirement, but observers have noticed that new phones with Android 5.0 Lollipop installed have been shipping unencrypted. It turns out that according to a subtle change of language used in the new Android Compatibility Definition (PDF) issued to OEM manufacturers, full-disk encryption must be supported, but does not need to be turned on,
9.9 Full-Disk Encryption
If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data (/data partition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.
This is basically no change from previous versions of Android, which have supported user-initiated full-disk encryption from Gingerbread 2.3.4 onwards.
Google has so far declined to comment on the issue, but the document quoted above does note that ‘we expect this to change to MUST in the future versions of Android’, so rather than being a climb-down from the government, the change may instead be related to performance issues that can result in encrypted Nexus 6 phones sometimes coming out behind unencrypted Nexus 5 phones during speed tests
Google may therefore be simply waiting until OEMs improve hardware specs enough compensate for any performance loss due to mandatory encryption…