Encryption Is a Luxury

Last year, a team of technology experts warned against giving law enforcement special access to encrypted communications. They explained that this special access would “undermine and reverse” the technology industry’s efforts to bolster digital security.

The landmark paper addressed a conflict between technology companies and the government that had been brewing for some time. And when Apple and the FBI faced off in court seven months later, computer experts and civil-rights groups rushed to defend Apple as it resisted a federal judge’s order to circumvent its own security features. The experts said that cooperating with law enforcement would put smartphone users at increased risk of snooping from hackers and the government.

That’s certainly true for the tens of millions of iPhone users in the United States, whose devices currently protect their data with strong encryption: A concession to the government’s push for special access to encrypted data would be a tangible step backward for those users’ privacy.

But for many of the remaining American smartphone users, strong data encryption was never really an option. Most Android phones don’t encrypt the data that’s stored on the device, and many come with messaging services that don’t encrypt data that’s sent back and forth between devices.

Unlike iPhones, which are exclusively made by Apple, Android phones are produced by many different manufacturers. That’s made it much more difficult for Google—the company that designs Android software—to turn on device encryption by default. Many of the devices that run Android software have cheap or out-of-date hardware that can’t handle continuous encryption and decryption. Google recently required that all new Android devices encrypt device data by default—but exempted slower (and therefore cheaper) phones, making encryption a de-facto luxury feature.

(Apple sells its cheapest current iPhone for 400 dollars; new Android phones are available for as cheap as 30 dollars.)

That disparity affects most smartphone users in the U.S. According to recent data from comScore, a company that studies technology use, about 53 percent of the 198.5 million smartphone owners in the U.S. use Android phones. That’s about 105 million people.

And there are some clear patterns that separate the kinds of people that own Apple and Android devices. According to 2013 survey data from Pew Research, high-earning and highly educated people are more likely to own an iPhone. The survey also showed that African-American people are more likely to use Android phones.

The groups most likely to use Androids—low-income people and African-Americans—are also the groups that are under the most daily government surveillance, says Michele Gilman, a civil-rights lawyer and law professor at the University of Baltimore. She says this is a long-standing pattern that’s been amplified by modern technology.

“When encryption remains a luxury feature, those who are the most surveilled in our society are using devices that protect them the least from that surveillance,” said Christopher Soghoian, the principal technologist at the American Civil Liberties Union. He calls this the “digital-security divide.”

The lack of strong encryption in older and cheaper Android phones allows police to obtain user data more easily. When the contents of a phone are not encrypted, forensic tools that can extract those contents allow police to read all the phone’s data.

And the default messaging applications on Android phones are also less secure than Apple’s iMessage service. When Apple users text one another, their messages are encrypted end-to-end—that is, not even Apple can read them. (Apple can, however, read iMessage conversations that are backed up to its iCloud service.)

By contrast, Android phones come with SMS messaging by default, and most include Google’s Hangouts chat program. Neither of those tools is end-to-end encrypted, meaning that the companies that carry the messages from one phone to the other can turn over message contents to police if they’re required to.

Many Android phones also run outdated versions of the Android operating system, which leaves them more vulnerable to hacking. Even after Google releases patches for security holes, many phones don’t get those updates, because of the decentralized way that Android phones are sold.

“It’s clear that the woeful state of Android privacy and security is disproportionately impacting the most vulnerable in our society,” says Soghoian.

Google has made efforts to step up the security features available on Android devices. Its decision to require default encryption on devices running new versions of the Android operating system was an important change—but one that was hobbled by the exemption extended to lower-end phones. Soghoian predicts that cheap Android phones won’t be capable of disk encryption “for the foreseeable future.”

And a Google prototype called Project Vault would turn existing phones into a “digital safe” by encrypting both the data stored on the phones, and the data sent between phones—text messages and voice and video calls. But Google won’t say if and when the project, which was announced at a developer’s conference last year, will be released.

For now, apps are available for both iPhones and Androids that give users alternative ways to communicate securely. WhatsApp, which is owned by Facebook, encrypts messages end-to-end. More than a billion users have signed up for WhatsApp, although the app hasn’t caught on in the U.S. nearly as much as it has abroad. Another app called Signal has won praise from technology experts for its robust security features, but it hasn’t taken off among ordinary users.

But most smartphone users stick to the default set of features that come with their phones, and many aren’t aware of the security downsides of using certain hardware and software. That means that users that can afford fancy smartphones like an iPhone or Google’s own Nexus phone will be protected by cutting-edge encryption, whether or not they know it (or care). It also means that users who can only buy the cheapest possible smartphone are the most vulnerable to surveillance—and simultaneously the most likely to be surveilled.