Yes, Google can remotely reset Android passcode. There's a catch

Newer Android phone and tablet owners aren't affected, but it does say something about Android's fragmentation of device security.
Written by Zack Whittaker, Contributor
(Image: CNET/CBS Interactive, file photo)

The one-sided encryption debate continues. Now, it's being used as a tool to spread what's commonly known as "fear, uncertainty, and doubt."

If you ventured to Reddit this weekend, you might have read a startling claim by the Manhattan district attorney's office, who last week released a report into smartphone encryption and public safety.

It reads [PDF]:

"Google can reset the passcodes when served with a search warrant and an order instructing them to assist law enforcement to extract data from the device. This process can be done by Google remotely and allows forensic examiners to view the contents of a device."

But there's a problem: that's only half of the story. And while it's true, it requires a great deal more context.

The next few lines read:

"For Android devices running operating systems Lollipop 5.0 and above, however, Google plans to use default [device] encryption, like that being used by Apple, that will make it impossible for Google to comply with search warrants and orders instructing them to assist with device data extraction."

If you thought you heard that before, that's because you have.

Google, which develops Android, said in its "Lollipop" 5.0 upgrade two years ago it would enable device encryption by default, which forces law enforcement, federal agents, and intelligence agencies to go to the device owner themselves rather than Google.

This so-called "zero knowledge" encryption -- because the phone makers have zero knowledge of your encryption keys -- also led Apple to do a similar thing with iOS 8 and later. Apple now has 91 percent of its devices using device encryption.

However, there was some flip-flopping on Google's part because there were reports of poor device performance. Eventually, the company said it would bring device encryption by default to its own brand of Nexus devices. Then, it said that its newest "Marshmallow" 6.0 upgrade will enable device encryption by default.

It took a year, but Google got there in the end.

The US government, and its law enforcement and prosecutors were concerned. They have argued that they need access to device data, but now they have to go to the very people they are investigating or prosecuting.

Only a fraction of Android devices, however, are protected.

According to latest figures, only 0.3 percent of all Android devices are running "Marshmallow" 6.0, which comes with device encryption by default. And while "Lollipop" 5.0 is used on more than one-quarter of all Android devices, the vast majority of those who have device encryption enabled by default are Nexus owners.

And that is a problem -- at least for Google. Despite wanting to wash its hands of any complicity in handing over user data to the government -- something it has been vocal about in recent months -- it still has to in the very vast majority of cases.

Pro-encryption Android owners: You have two options.

Either, you can buy a new Nexus device that runs the latest Android operating system, or you can upgrade to a newer "Marshmallow" 6.0-enabled device. Or, you can buy a new iPhone, which offers vastly the same device encryption.

Carriers, which argue they need to test Android updates before rolling them out to their customers, are the biggest barriers in the way of getting a software upgrade. The sad fact is that most devices never see software upgrades, forcing users into old and unsafe software, or into cashing out for a new device.

Security is everyone's responsibility, not just those with a carrier willing to make the leap, or for the others with the cash to upgrade.

If there's one lesson in today's story: You don't have to believe everything you read, but at very least read the whole thing before you panic.

Google did not immediately respond to a request for comment on Sunday.

Editorial standards