Some smartphone manufacturers are not configuring devices running the latest version of Android to automatically encrypt personal data, which Google had said would scramble data by default.
Google has apparently left it up to manufacturers to turn encryption on or off, a surprising change that came after the company pledged last September to strengthen defenses around personal data.
It’s unclear why Google did not publicize the change, although it is possible some hardware devices will not perform as well with encryption turned on. Analyst Canalys tweeted it was a wise move for Google, as many devices do not have the right hardware to accommodate it.
Company officials could not immediately be reached for comment.
The U.S. government has strongly opposed moves by technology companies to strengthen security around data using encryption, arguing it could jeopardize time-sensitive investigations.
Previous versions of Android have had a full-disk encryption feature, but it wasn’t turned on by default. Ensuring encryption is on by default helps protect less sophisticated users who may not know such an option exists.
Ars Technica found that Motorola’s Moto E and Samsung’s S6, which is on display this week at the Mobile World Congress in Barcelona, do not have encryption on by default. The publication noted that Google’s Nexus 6 and 9 devices do have it on by default.
A technical document released by Google on Jan. 11 shows how Google softened its requirements. It describes technical specifications that smartphones must meet in order for Lollipop to perform smoothly.
Manufacturers “should” enable full-disk encryption, it said, adding the caveat that Google may change its stance and make it mandatory for future versions of Android. The document does not explain why manufacturers have the option to leave it off for now.
Apple automatically encrypts data in iOS 8 if the user has a passcode enabled. As with Android, the encryption keys are held on the device, which means that law enforcement would have to serve a user with a court order to turn over their password that unlocks the encryption key.
Many technology companies are moving to systems that make it impossible to comply with a legal order to turn over a user’s data. That is accomplished by not storing a copy of the private key necessary to decrypt data.
A person served with a court order could claim the password has been forgotten, leaving law enforcement to try to either figure it out through other means or employ special forensic tools to recover data.