In the lead-up to the launch of Android 5.0 Lollipop, there was much ado about Google encrypting devices for a higher level of security. At the time law enforcement officials cried foul, with device keys no longer in the hands of Google (or anyone) to unlock data stored on the phone. But it seems that Google has backtracked on the requirement for OEMs to enable ecryption by defualt on new Lollipop devices being launched.
Ars Technica first noticed the difference on newly released Android 5.0 devices arriving in the market. The user partition on the newly released generation 2 Motorola Moto E was not encrypted and when the Galaxy S6 was checked after the launch the other night, they noted that this was also true of these models as well.
Ars Technica points to the change in the Android Compatibility Definition document, the guidelines to which Android OEMs must adhere in order to produce Google-approved devices running Lollipop and found a subtle difference. Previously, in a snapshot taken on October 25th 2014, the Android Compatibility Definition document reads simply :
9.9. Full-Disk Encryption
IF the device has lockscreen, the device MUST support full-disk encryption.
But if you read the current Android Compatibility Definition document this has now been amended to (Note: Emphasis below is Google’s) :
9.9 Full-Disk Encryption
If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data (/data patition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.
The underlying tone is that as long as OEMs offer the ability to encrypt devices if the user so chooses, that is now good enough now to pass the requirements.
The question of whether the full device encryption requirement has been removed due to the insistence behind the scenes of law-enforcement, from OEM pushback, or even from reports of slow response times on devices like the Nexus 6 when running encrypted systems vs unencrypted is unknown.
This now boils down to a choice for users: if you want your device encrypted then you can enable it, but if you don’t then you will no longer be required to run your device encrypted out of the box – something the average user will most likely not do, to the applause of the NSA and security agencies everywhere.