When Snowden leaked the National Security Agency’s (NSA) dirty laundry a lot of companies’ faces were red. The leaks showed that they were either complacent in the NSA’s surveillance apparatus or helpless to stop the agency from exploiting their systems. In an attempt to rebuild customer confidence many technology companies scrambled to improve the security on their devices. Apple, being the manufacturer of very popular handsets, announced several major security improvements in iOS 8, including disabling its ability to bypass a user’s set passcode. Much to the approval of Android users Google announced that Android 5.0, also known as Lollipop, would ship with device encryption enabled by default.
But some bad news appeared yesterday. Google has backed down from enabling encryption by default in Lollipop:
Last year, Google made headlines when it revealed that its next version of Android would require full-disk encryption on all new phones. Older versions of Android had supported optional disk encryption, but Android 5.0 Lollipop would make it a standard feature.
But we’re starting to see new Lollipop phones from Google’s partners, and they aren’t encrypted by default, contradicting Google’s previous statements. At some point between the original announcement in September of 2014 and the publication of the Android 5.0 hardware requirements in January of 2015, Google apparently decided to relax the requirement, pushing it off to some future version of Android. Here’s the timeline of events.
This, in my seldom humble opinion, is a very bad idea. The justification appears to be performance related. Namely the performance of many Android devices without hardware cryptography acceleration support tend to take a huge performance dive when device encryption is enabled.
If a user wants to disable device encryption that’s their choice but I firmly believe that this option should be enabled by default even if performance noticeably suffers on some devices. We’ve seen too many stories where abusive spouse, police officers, and federal agents have retrieved data from unencrypted devices without the consent of the owner or, in the case of law enforcement, warrants. With the amount of personal data people store on their mobile devices it’s far too risky to leave that data unprotected from prying eyes. Especially when we live in a surveillance state.