New Android Lollipop Devices Don't Need Encryption by Default: Google

Google earlier announced that all Android Lollipop devices, including those manufactured by OEMs, would have to ship with encryption by default. Early Android Lollipop devices (essentially, the new Nexus devices) did in fact follow this system, but now new Lollipop devices manufactured by OEMs are, in some cases, shipping without encryption. As is evident, Google has backed off on this requirement, probably intending to implement it in a future version of Android.

The Android Compatibility Definition document, in section 9.9, states that "If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data, (/datapartition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android."

This essentially opens the door for manufacturer devices to ship without encryption, provided they continue to support it (which remains mandatory). The Samsung Galaxy S6 and HTC One M9 could now be sold without encryption.

According to Android Police, the requirement has been changed in order to allow OEMs to implement faster storage and better file systems to handle the increased system overhead, since there is slight performance degradation due to encryption even with modern hardware. It is also speculated that law enforcement agencies in the United States are responsible for preventing encryption, but those are conspiracy theories at best.