Imagine a pawn shop that loans money on cell phones. Now imagine someone comes in and pawns their phone. It still has service and all, but he thinks he will come back next week and redeem it. A few months pass and he never comes back. Now the phone is legally (the pawn contract says one must completely own the collateral, so carrier subsidies etc. shouldn't be a problem) the pawn shop's property. Mr. Defaulter calls the phone company and has the IMEI blocked. Now the pawn shop is out the money and owns a useless piece of metal and plastic.
I've seen this problem with phones, tablets, and even tasers. The company will not activate them if they've been reported lost or stolen. But "finders-keepers" is legal and people can lie about theft. Of course the company also has a second interest not to help create a used market. Just like encrypted firmware schemes, this erodes personal control over our property. The legal owner with physical control should be able to use the device. Period.
There are also concerns over government or corporate disablement. Aside from obvious government malice during e.g. protests, does anyone really think either the government or the phone company can run a blacklist without false positives? Obviously not. Nobody can when your population size is >300 million. And the customer service grunt is just following the rules when your device is disabled and he cannot re-enable it.
The argument for this law is that it will reduce thefts by making the phones worthless. I understand this. I just don't think that is worth losing control over our property and devices.
A simple answer is that the pawn shop should be careful about the contracts it takes. That is, if the owner will not or can not cede control of the IMEI, the phone isn't worth very much as collateral.
You're missing the part where the pawn shop, knowing people do stuff like this, will collect the Name / Phone # of the person pawning the cell phone and can call the authorities and get said person arrested.
This isn't a worthy argument. Pawning and selling your device is nothing new. There should be paperwork for all of this in case someone calls the phone company or wrongly claims it stolen.
Sounds like always-on DRM. The rich and the technologically adept will be unaffected, but another hammer will be available for our ambivalent rulers to manipulate normal people.
This shitty DRM better be opt-in.
Fined $2,500 for every device sold lacking this DRM? Only if there is a $2,500 refund for every device accidentally bricked.
I can see media companies loving this. Watching an unlicensed movie? Your phone is now bricked. Mission creep will be inevitable.
Hmm. What happens to this with jailbroken phones? I can see it going two ways:
- killswitch is in the OS, and can be removed by jailbreak. Good for user, but means you just have to jailbreak a stolen phone to recover it / prevent it being killed.
- killswitch is in the baseband, and cannot be removed. Uhoh.
- killswitch prevents phone from being "jailbroken", as the only way this "feature" can work (beyond current IMEI blacklisting) is with "trusted" computing and a non-user-modifiable trust root. Regardless of the placating mention of "opting out", the possibility to really opt out cannot exist, as it would render the whole system useless.
Despite noble intentions, anti-theft DRM is actually the worst kind there is. It is impossible* to differentiate between a thief in possession of your phone, and you in possession of a company's phone that they're considering you renting.
If this becomes reality, it's yet another bullet point for getting a separate MiFi + actual computing device next time I'm forced to upgrade. That's the only way of regaining the concept of a service demarcation point.
(* unless every device is given a different root key, and the owner actually manages the corresponding private key. given the usability issues, this will never happen in a commercial design).
3rd way: Kill-switch is OS-based. e.g. you tell Apple that your iPhone has been stolen. You give them the serial/IMEI, (or they can match up the device based upon your itunes account). If someone wipes the phone through an exploit or jailbreak, the device is still practically useless as whenever it needs to communicate with an apple service, apple sends back a 'you are stolen' message and the phone locks up again.
End result: either the phone stays blocked or you end up with a crippled, limited-usage device that can't use many of the services that you'd expect it to (app store, etc). Re-sale value would plummet.
It would work with Android too. Stolen phones (that are reported to Google) could refuse to use the play store or accept a gmail account.
There's already an easy way to do this (that I remember reading somewhere is already being done in Australia).
When a phone is reported stolen the carriers just need to blacklist the IMEI so it doesn't work - removes the incentive to steal devices. I don't remember where I originally read this (probably here), but the US carriers were not interested in doing this because they don't see stolen phones as a problem that hurts them (arguably it gives them more business).
IMEI blocking hasn't stopped phone thefts in Europe.
Possible reasons:
1. IMEI numbers can be changed.
2. Thief can still use phone for many hours until block.
3. Stolen phones can be shipped to countries that don't implement block.
4. A blocked phone can still be used to run apps, play games, make VOIP calls on wifi etc.
The Apple system seems much more sensible. You can't use an iPhone without the pincode, and even if you get that the owner can remotely lock the phone as soon as you connect it to any network. The way to avoid that used to be to wipe the phone and reinstall the OS, but now you can't do that without the Apple ID and password of the owner. I don't know if this has reduced iPhone thefts, but unless the thief has an exploit in Apple's security I don't see why anyone would steal an iPhone nowadays. I wish Android would implement something similar.
- steal phone
- break phone
- return to Apple store for warranty replacement (minor social engineering may be required here)
Theif gets a working phone with a different IMEI. The worst part is, the friend of mine who this happened to found out about it because it invalidated her theft insurance.
5. The stolen phone can be sold to a hapless buyer shortly after it is stolen, before the theft is realized or reported and therefore before the IMEI is blocked.
This and the fact that they can sell phones for a fortune (~retail price) in emergent markets, instead of local black market prices (30%) means robbers will organize shipping lots of phones overseas. That's what happens in France already.
But how? I can't see any realistic chance of a broad international agreement. Remember that it works both ways, too. What would you do if your phone stopped working because a telecoms company in (say) Nigeria accidentally asserted that your IMEI was stolen?
Saying "wouldn't it be great if the world could co-ordinate" is not the answer as it isn't realistic. It's avoiding the problem and the need to come up with practical solutions. Or even an honest "it can't be done" answer.
Surely carrier A wouldn't let carrier B be able to block an imei belonging to their customers.
If carrier B did block it though, you, customer of carrier A, wouldn't be able to roam in the network of carrier B - but still work fine in your home network of carrier A.
However, that results in carriers needing to assert ownership over an imei, which would be come quite a mess - so it very well could not be done.
I do believe national blacklisting registers of imeis, as already done for many years in certain european countries is much better than not doing it though.
I lost my iphone some time back so when I called AT&T to report it, they kept on insisting me - please wait for few days as you may find it. They also told me once we report the phone as lost and block it using IMEI then this change can't be undone incase you find your phone then it can't be activated again. And, the block using IMEI does not work across carriers which means if its blocked in AT&T then the person carrying that lost phone can activate the phone on any other network like verizon, spring, t-mobile etc.
Carriers can maintain a centralised database to keep list of stolen phones and can also undo the change incase the owner finds it. They can also track the people who are calling using stolen phones but they dont do it. The best reason I can guess for not doing that is as you said - why they will do something which will hurt their own business
That situation seems a bit poorly implemented to me. The irreversible block only applies to AT&T's network, and is under AT&T's control... Wouldn't it make sense for AT&T to simply place the IMEI on watch, so that the next time AT&T's network sees it come online, an "alert" is triggered and AT&T can contact the owner to confirm whether or not it's in their possession?
I have an idea, how about the government stay the hell away from my smartphone and let the free market decide what smartphones are theft-safe and which are not?
This is why computer science should be a required subject going forward, only individuals good at programming will be able to resist the tendrils, malware, viruses and government backdoor trojans trying to get inside us and instruct us what actions to perform today to fill other mens pockets with wealth whom we don't even know or care about.
Serious question, not rhetorical: Is there any precedent for forcing manufacturers to modify their product simply to prevent the product from getting stolen?
Cars and houses can have alarms, and customers decide whether they need them or not. We do not require that all cars and houses come equipped with them. Wallets can be attached to a chain or placed in the front pocket. We don't require that you can only purchase a wallet with a chain.
Unlike childrens' toys that require battery covers to be screwed shut, or cars that must have seatbelts, the theft of a device does not seem to be a public safety issue. Your decision to own an expensive phone and take it out of your pocket at the train station seems no more necessary of regulation than your decision to wear an expensive necklace.
I'm not necessarily defending the mandate, but maybe I can clarify the concept behind it.
It's not a case of legislators saying "it would be better to have less phone theft so let's try to reduce it this way" - instead it's more like, users want this, but don't have the bargaining power to compel the phone makers to build it in or the telcos to support it.
Without the mandate, the makers and telcos profit from theft: the stolen phone user (not necessarily the thief) pays phone charges, the victim has to buy a new phone, and thieves have a continuing incentive to steal them. With the mandate, the phones are less valuable to thieves (and to robbers - a personal-safety gain), and the telcos can't profit from the forced transfers.
Again, not saying it's a good or bad policy (can someone remote-kill my phone when I still have it?), but these are the considerations - a kind of market-failure correction.
> It's not a case of legislators saying "it would be better to have less phone theft so let's try to reduce it this way" - instead it's more like, users want this, but don't have the bargaining power to compel the phone makers to build it in or the telcos to support it.
I am sick of reasoning like this. The purpose of government is to preserve your freedom to do something. If some users want something and cannot arrange it themselves, then they may just not be able to get it. It is not the government's place to mandate that everyone gets what some people want. That goes against personal freedom. It is certainly the government's place to punish thiefs---a person who deprives another of their freedom to control their property. The government should not mandate certain ways of arranging private (between a person and the phone company) affairs.
Indeed, there are ways to magnify your bargaining power outside of the government. Most people generally aren't willing to pay for it, though. A stolen phone fund or phone theft insurance could accomplish the same goals without involving the legislative and executive branches. However, the cost would be obvious, in the form of an upfront or recurring charge. It's much easier to assign the task to a government, and then wonder years later why taxes are going up, or the government is constantly in debt.
> The purpose of government is to preserve your freedom to do something.
That's maybe what you think the purpose of government should be, but it doesn't really match reality. Consider the whole section of labor laws, for instance.
I think this is more of a public safety issue. Currently, a mugger has an incentive to harm someone to take their device and sell it. If it becomes known that there is no profit in selling a disabled device, then there should be fewer mugging attacks.
Thanks, it's helpful to consider it from that perspective -- at least as potential reasoning for why the bill was written in the first place.
But we can counter that it's specious to claim customers are clamoring for this but not getting anywhere with manufacturers. Apple's Find my Phone feature is already one step toward addressing this issue, and there are a handful of third-party apps on the market that do similar things. These market solutions will continue to get better over time if they're popular.
And of course, there's the question of why it's the manufacturers' responsibility to address theft in the first place. Jewelers aren't required to engrave and register all their necklaces.
It seems like every day I'm reading some new news article on how over bearing and strong handed California laws are. I used to hear people joke about moving out of California to a "free state" and never paid much attention to it but now I get it.
It must be nice to have no valuable skills to offer society yet still find employment as an authoritarian jackass dreaming up product features without doing the actual work or assuming any of the risk. If Leno wants to add features to cell phones, he should go work for those companies instead of using the Ring of Sauron to forcibly add a "kill switch" because he thought it was a good idea. And is reducing theft the real reason or just the ostensible one? Will this become an easy hook for govs to shut off phones?
Nice, a kill switch in every phone. When there’s a big demonstration/revolution we’re just gonna kill all the phones out there with a simple data packet.
As a Ukrainian, who has seen that smartphones, especially used by citizen streamers, are extremely important for a revolution, I can assure that you are wrong.
Information, organization, and gathering evidence are fundamental to human rights, let alone to a revolution. Authoritarians naturally wish to ensure it becomes a "dumb idea."
For revolutionaries to assume they can rely on a system that authoritarians control is inherently a dumb idea, and the lack of any good alternatives doesn't change that.
The authoritarians control the streets. Where exactly are you going to go in an authoritarian system where you won't have to rely on something under authoritarian control? The authoritarians control you, that's why you're in the streets.
One should assume nothing. However, an even dumber idea is to advocate for a system to have more control, actively or by remaining silent, and then later stew in fatalism to the point of thinking that using a smartphone in a revolution is "dumb."
From what I understand, the mechanisms for this law are already in place and aren't much of a problem; any Apple customer already has this with the "Activation Lock" feature, and any carrier can already deny service based on a blacklisted ESN. The proposed law, at least in spirit, would require carriers and phone makers to honor your request to make your device unusable when you report it as stolen. It isn't so much that the government is going to be making technology and forcing everyone else to use it -- it'll let the private tech industry do whatever it needs to do to comply with the proposed "please brick my stolen phone" law.
I can understand how handset vendors other than Apple would have a problem with this. For example, where is the "activation lock" setting stored and who controls it? The handset vendor (Samsung, LG, etc)? Google (since it's an Android phone)? The carrier? Who deals with the customer when the device is stolen? That level of coordination would be a mess to deal with if you don't already control most of the stack and user experience like Apple does.
There's a huge ethical problem with a vendor imposing limits on the relationship between a human being and their tools. Apple customers are self-selected for being okay with this.
>On Friday, State Senator Mark Leno of California, a Democrat, is expected to introduce legislation requiring all smartphones and tablets sold in the state to include this kind of feature.
This should be a required option, even if it's opt out. The consumer should be able to turn off this kind of remote authorisation over their device, even if it reduces the "herd immunity".
Killing core functionality goes a step beyond IMEI blacklisting, which can be circumvented by selling the phone outside the blacklisted jurisdictions. An IMEI-blacklisted phone is a phone with a reduced market. An effectively "killed" phone is worth its recycling rebate.
Why should it be required, exactly? If people want phones with anti-theft technology, they can buy phones with anti-theft technology. What this smells like to me is a government wanting to have the power to sever your communications at will.
Having the ability to remote-brick my phone is great if I want it, but someone else having the ability to remote-brick my phone is a frickin' huge liability.
They've been unable to mind their own business for decades now. They legislated the forced use of fire-proofing chemicals in mattresses, couches, & cushions in all furniture sold in California and years later scientists discovered those chemicals are harmful hormone disruptors and don't even realistically prevent fire in real world situations. Furniture companies can't create 2 different SKUs of furniture (one without the chemicals and one with) so they just included fire retardants into all their furniture by default. All the USA has now been affected with hormone disrupting fire retardants all because one state's puppet master legislators want to enforce their enlightenment on everyone.
And people who willfully confuse a couple dopey activist legislators from the state's goofiest city with the entire state can...what you said.
Also, none of that hate for NYC, or did you not bother to read that this BS is coming from both states, or more precisely, from a few dumb legislators based in the most full-of-themselves cities in the country, backed by politicians in law enforcement uniforms who can't stop crime, so they advocate putting the burden elsewhere?
> And people who willfully confuse a couple dopey activist legislators from the state's goofiest city with the entire state can
We're talking about a state legislature and governor which did in fact just ban lead bullets, a state legislature and governor elected by the entire state.
If you live in the state of CA and think this bill is a bad idea, you can look up your representative senator and send them an email asking that they vote against the bill. http://findyourrep.legislature.ca.gov/
This is really needed. In New York, there is a problem of punk kids snatching iPhones and running. It is hard for the police to do anything about it, and these kids are fencing the phones for about $150, and they are likely shipped to out of the country where carrier blocks don't work.
For whatever reason, I have heard of a bunch of people that get their iPhones snatched, but never android phones.
The market for bad ESN phones is way too strong. A simple ebay search shows that bad a ESN iPhone 5 still fetches $250. Apple needs to drive down the value of bad ESN phones to near zero for the safety of their own customers.
How quickly do these 'punk kids' sell the phones on, though? And could a system to trigger the killswitch be responsive enough to trigger it before the phone's been sold? And if it were, could it ever hope to be sure of the facts in time to catch bad requests?
I am sure they power off the phones almost immediately. I actually don't think a legislative solution is the right process. I think Apple should address the problem for the benefit of their own customers. Maybe they need to investigate this and work with Interpol.
(1) Any advanced mobile communications device that is sold in California on or after January 1, 2015, shall include a technological solution that can render the essential features of the device inoperable when the device is not in the possession of the rightful owner. A technological solution may consist of software, hardware, or a combination of both software and hardware, but shall be able to withstand a hard reset. No advanced mobile communications device may be sold in California without the technological solution enabled.
(2) The rightful owner of an advanced mobile communications device may affirmatively elect to disable the technological solution after sale. However, the physical acts necessary to disable the technological solution may only be performed by the end-use consumer or a person specifically selected by the end-use consumer to disable the technological solution and shall not be physically performed by any retail seller of the advanced mobile communications device.
Hard reset is defined as "the restoration of an advanced mobile communications device to the state it was in when it left the factory, and refers to any act of returning a device to that state, including processes commonly termed a factory reset or master reset."
Some thoughts:
* There doesn't appear to be any requirement that the phone can be remotely disabled. One interpretation of this is that the only change from the status quo where practically every phone has a PIN is that the PIN withstand a hard reset.
* The hard reset definition is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.
* The fact that the kill switch can be disabled is encouraging.
* A lot would also depend on how determination of the "rightful owner" goes. That is, is it sufficient for someone who knows the PIN to be considered a "rightful owner"? This is fine 99% of the time, but there are obviously scenarios where that isn't true. If we wanted to take this to the other extreme, we might say this would require every seller and re-seller of mobile phones to check the ID of anyone buying a phone and to record this in some sort of master ownership index. Note that this would effectively outlaw burner phones.
Activation of the OS requiring network check-in similar to Apple's iOS would potentially be able to disable devices by blacklisting serial number / imei / meid.
It's worth noting that most carriers DO NOT blacklist all types of serial numbers burned into a device with a single serial number. There should be a requirement for a blacklist of one to also blacklist all others and that a carrier should be able to search by any of the serial type number.
Further if a device is legitimately recovered by the original owner, they should be able to unblacklist it.
Finally, carriers should cover return shipping and reactivate found blacklisted devices. There are many worthless blacklisted iOS devices on eBay, but neither Apple nor carriers will activate them nor return them to their owners.
>* The hard reset definition is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.
The way that I'm reading this, a limit to what a "hard reset" can be is being set by (1). It's saying: Any process that you have in order to return a phone to factory condition must not remove the ability for it to be remotely bricked by the State of California.
It's labeling whatever that process is as a "hard reset" but they only care about the we can still brick the phone part.
That is the diametric opposite of (2), though. Unless the "disabling of the technological solution" is expected to be through software.
In order to enforce (1) and (2), California is going to have to:
a) Start certifying operating systems, and approving of their solutions for the remote bricking disabler.
and
b) Implement the remote bricker in hardware.
This is actually a really scary bill.
edit: The "rightful owner" requirement could be interpreted as really hard to satisfy, especially combined with an inability for the "retail seller" to do it. That may mean that you have to get a code, connect to the manufacturer's server, etc. to get the app to disable the bricking chip unlocked or downloaded, and the additional security theater that would entail - and the bitrot that would happen for older model phones when you had to download it (after a "hard reset") and the manufacturer is either defunct or doesn't care anymore.
This bill has too many goodies for too many entrenched interests not to pass.
edit2: "Rightful owner" is really creeping me out. That might be seen as insuring that the State must be the one with the killswitch. Who can determine a rightful owner? It could be that you are the one who knows the PIN, or it could be that you file a police report, and they kill the phone from the station.
Rightful owner is the person with title, a concept well established in law in other contexts. I think this is a terrible bill, but the notion that the kill switch is going to be operated by the state seems like a complete misreading of the bill's text to me.
> * The hard reset definition is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.
Not really. This is, more or less, a fairly easy problem to solve: Upon first use and any subsequent hard resets, the device phones home to ask to be activated. On first use, the activation server replies with an unconditional 'YES'. Upon activation after a hard reset, the server goes 'Before I answer, can solve this challange' (PIN or username/password).
This is how Apple implemented Activation Lock on it's iOS devices and it's more or less uncrackable.
Perhaps they can also consider a cap on the price of cell phones sold in California. If no one's carrying around a phone that cost over $50, that would also reduce the incentive to steal them.
This bill would be a great accompaniment to the next minimum wage increase.
I'm all for careful legislation to force companies to improve security and protect consumers but I unfortunately most legislators dont have the technology knowledge to know what is wise and what is not. The devil is in the details here - if we mandated that the disable capability could only be enacted by the consumer that owned the device - say with a kill code password that no one else is allowed to store - then its not so bad, but I doubt such protections against misuse are in place. I surely dont want a kill switch that could be invoked by the manufacturer or cell provider.. Given that the market already provides this on tons of devices it seems unnecessary to legislate.
This law is intended to mitigate the escalation in armed robberies for smartphones that is hitting urban areas in California.
Armed robbers are aware that many (most?) people of even modest means are carrying around devices that, once stolen by force, can be sold (probably to a fencing operation) for a few hundred bucks.
The ability to render smartphones worthless if stolen would go a long way toward reducing the incentive to commit these particular robberies, which constitute a large part of the recent increase in California's armed robbery (and by implication violent crime) rate.
Recently in the Bay Area, where I live, an armed robber held up several people at once, and took all the phones ... except a feature phone.
A bill that requires manufacturers to offer phones that have this feature and phones that don't have this feature I could see as being okay, but to require all phones to have it and leave the user no choice (fwiw, being able to disable it after purchase is a false choice) is ridiculous.
Kill switches are never the right choice to solve this. Once this technology exists and is widespread (as the article points out, manufacturers are unlikely to maintain two models, with and without this unless legally required), what stops oppressive countries from using this feature from disabling the phones of people legitimately protesting like those in the Ukraine right now?
Once there's a device kill switch in place, it will be available for anyone with a court order. Think RIAA, MPAA... organizations that support DRM must love this idea.
Last phone I bought from Walmart, T-Mobile refused to activate because they claimed it was stolen.
I was really taken aback to have purchased a device in a sealed box when someone had already cloned the IMEI. (Or maybe T-Mobile's setup is just really buggy...)
I was fortunately able to return it and get a new phone, worked fine.
But if I could fix that problem, maybe stolen phones will just get laundered through returns that way. (ie, buy a new phone, return the stolen one as defective).
This is not to stop theft. I can wipe my phone remotely right now if my phone is stolen.
The goal is to secure the phone so that all the info on it is not accessible if the owner is not there. Especially considering that more and more the phone is the key to everything due to two step authentication (for email accounts, banks, etc. ) If things need to get more secure online then the phone needs to get even more secure.
We all know how this is going to end: Someone is going to hack the method used to disable the phones and massively disable millions of people's phones. As always, the road to hell is paved with good intentions. I'd much rather see technology that temporarily disables access to my phone's private contents while turning a permanent GPS [on] switch so my stolen phone can be located.
This is a cellphone carriers' lobbyist work at its finest! This law is not about the customers; its about those rare examples where customers are screwing the carriers when the phone is being stolen and the police report is good enough to get out of a lengthy & expensive contracts.
It's all very well to say that smartphone thefts are "reaching an all-time high", but what is smartphone ownership doing? I doubt it's reached saturation yet, and one would imagine that thefts would increase in line with units owned...
This is another example of how government tries to simplify its job by creating problems for others. If the anti-theft technology of any use, more companies would introduce them and users would buy such phones.
Government already can do that by co-opting the phone companies.
@wehadfun, I like the general concept of identifying and taking action against the bad actors, but there are two flaws in your plan.
(a) Most of the users of stolen phones are not the thieves, they're secondary buyers. And amongst them, how do you propose to distinguish knowing buyers of stolen goods from innocent purchasers? Maybe in some cases the circumstances are suspicious, but what if you buy from someone on craigslist with a reasonable story and pay a market price?
(b) While in theory it's possible to trace back to the thief, in practice police don't have the resources to do the necessary investigation when the value is only a few hundred dollars. In many jurisdictions they won't even send an officer unless someone is bleeding.
It's not about not being careful with your devices. In many places in California, people are routinely having guns pointed at them and their electronics are being taken by force, even when the devices are not being visibly used.
CA can require that every phone sold in their state must have it. Since it's easier not to have multiple models, until another state makes it illegal to have it, the models sold in other state will have it by default.
I've seen this problem with phones, tablets, and even tasers. The company will not activate them if they've been reported lost or stolen. But "finders-keepers" is legal and people can lie about theft. Of course the company also has a second interest not to help create a used market. Just like encrypted firmware schemes, this erodes personal control over our property. The legal owner with physical control should be able to use the device. Period.
There are also concerns over government or corporate disablement. Aside from obvious government malice during e.g. protests, does anyone really think either the government or the phone company can run a blacklist without false positives? Obviously not. Nobody can when your population size is >300 million. And the customer service grunt is just following the rules when your device is disabled and he cannot re-enable it.
The argument for this law is that it will reduce thefts by making the phones worthless. I understand this. I just don't think that is worth losing control over our property and devices.
The interesting side effect will be that people will won't consider stealing a phone and pawning it as a viable way of getting some quick cash.
This shitty DRM better be opt-in.
Fined $2,500 for every device sold lacking this DRM? Only if there is a $2,500 refund for every device accidentally bricked.
I can see media companies loving this. Watching an unlicensed movie? Your phone is now bricked. Mission creep will be inevitable.
- killswitch is in the OS, and can be removed by jailbreak. Good for user, but means you just have to jailbreak a stolen phone to recover it / prevent it being killed.
- killswitch is in the baseband, and cannot be removed. Uhoh.
Despite noble intentions, anti-theft DRM is actually the worst kind there is. It is impossible* to differentiate between a thief in possession of your phone, and you in possession of a company's phone that they're considering you renting.
If this becomes reality, it's yet another bullet point for getting a separate MiFi + actual computing device next time I'm forced to upgrade. That's the only way of regaining the concept of a service demarcation point.
(* unless every device is given a different root key, and the owner actually manages the corresponding private key. given the usability issues, this will never happen in a commercial design).
End result: either the phone stays blocked or you end up with a crippled, limited-usage device that can't use many of the services that you'd expect it to (app store, etc). Re-sale value would plummet.
It would work with Android too. Stolen phones (that are reported to Google) could refuse to use the play store or accept a gmail account.
When a phone is reported stolen the carriers just need to blacklist the IMEI so it doesn't work - removes the incentive to steal devices. I don't remember where I originally read this (probably here), but the US carriers were not interested in doing this because they don't see stolen phones as a problem that hurts them (arguably it gives them more business).
Possible reasons:
1. IMEI numbers can be changed.
2. Thief can still use phone for many hours until block.
3. Stolen phones can be shipped to countries that don't implement block.
4. A blocked phone can still be used to run apps, play games, make VOIP calls on wifi etc.
The Apple system seems much more sensible. You can't use an iPhone without the pincode, and even if you get that the owner can remotely lock the phone as soon as you connect it to any network. The way to avoid that used to be to wipe the phone and reinstall the OS, but now you can't do that without the Apple ID and password of the owner. I don't know if this has reduced iPhone thefts, but unless the thief has an exploit in Apple's security I don't see why anyone would steal an iPhone nowadays. I wish Android would implement something similar.
- steal phone - break phone - return to Apple store for warranty replacement (minor social engineering may be required here)
Theif gets a working phone with a different IMEI. The worst part is, the friend of mine who this happened to found out about it because it invalidated her theft insurance.
Saying "wouldn't it be great if the world could co-ordinate" is not the answer as it isn't realistic. It's avoiding the problem and the need to come up with practical solutions. Or even an honest "it can't be done" answer.
However, that results in carriers needing to assert ownership over an imei, which would be come quite a mess - so it very well could not be done.
I do believe national blacklisting registers of imeis, as already done for many years in certain european countries is much better than not doing it though.
Carriers can maintain a centralised database to keep list of stolen phones and can also undo the change incase the owner finds it. They can also track the people who are calling using stolen phones but they dont do it. The best reason I can guess for not doing that is as you said - why they will do something which will hurt their own business
This is why computer science should be a required subject going forward, only individuals good at programming will be able to resist the tendrils, malware, viruses and government backdoor trojans trying to get inside us and instruct us what actions to perform today to fill other mens pockets with wealth whom we don't even know or care about.
Cars and houses can have alarms, and customers decide whether they need them or not. We do not require that all cars and houses come equipped with them. Wallets can be attached to a chain or placed in the front pocket. We don't require that you can only purchase a wallet with a chain.
Unlike childrens' toys that require battery covers to be screwed shut, or cars that must have seatbelts, the theft of a device does not seem to be a public safety issue. Your decision to own an expensive phone and take it out of your pocket at the train station seems no more necessary of regulation than your decision to wear an expensive necklace.
It's not a case of legislators saying "it would be better to have less phone theft so let's try to reduce it this way" - instead it's more like, users want this, but don't have the bargaining power to compel the phone makers to build it in or the telcos to support it.
Without the mandate, the makers and telcos profit from theft: the stolen phone user (not necessarily the thief) pays phone charges, the victim has to buy a new phone, and thieves have a continuing incentive to steal them. With the mandate, the phones are less valuable to thieves (and to robbers - a personal-safety gain), and the telcos can't profit from the forced transfers.
Again, not saying it's a good or bad policy (can someone remote-kill my phone when I still have it?), but these are the considerations - a kind of market-failure correction.
I am sick of reasoning like this. The purpose of government is to preserve your freedom to do something. If some users want something and cannot arrange it themselves, then they may just not be able to get it. It is not the government's place to mandate that everyone gets what some people want. That goes against personal freedom. It is certainly the government's place to punish thiefs---a person who deprives another of their freedom to control their property. The government should not mandate certain ways of arranging private (between a person and the phone company) affairs.
That's maybe what you think the purpose of government should be, but it doesn't really match reality. Consider the whole section of labor laws, for instance.
But we can counter that it's specious to claim customers are clamoring for this but not getting anywhere with manufacturers. Apple's Find my Phone feature is already one step toward addressing this issue, and there are a handful of third-party apps on the market that do similar things. These market solutions will continue to get better over time if they're popular.
And of course, there's the question of why it's the manufacturers' responsibility to address theft in the first place. Jewelers aren't required to engrave and register all their necklaces.
I love it when activists get blamed for doing it wrong, where 'it' basically boils out to 'trying'.
One should assume nothing. However, an even dumber idea is to advocate for a system to have more control, actively or by remaining silent, and then later stew in fatalism to the point of thinking that using a smartphone in a revolution is "dumb."
I can understand how handset vendors other than Apple would have a problem with this. For example, where is the "activation lock" setting stored and who controls it? The handset vendor (Samsung, LG, etc)? Google (since it's an Android phone)? The carrier? Who deals with the customer when the device is stolen? That level of coordination would be a mess to deal with if you don't already control most of the stack and user experience like Apple does.
As a side note, Apple already does this with Mac hardware too: https://discussions.apple.com/message/19010713 .
This should be a required option, even if it's opt out. The consumer should be able to turn off this kind of remote authorisation over their device, even if it reduces the "herd immunity".
Killing core functionality goes a step beyond IMEI blacklisting, which can be circumvented by selling the phone outside the blacklisted jurisdictions. An IMEI-blacklisted phone is a phone with a reduced market. An effectively "killed" phone is worth its recycling rebate.
Having the ability to remote-brick my phone is great if I want it, but someone else having the ability to remote-brick my phone is a frickin' huge liability.
We're talking about a state legislature and governor which did in fact just ban lead bullets, a state legislature and governor elected by the entire state.
There are bad ideas, and then there ideas that only a legislator would advocate.
Governments seem increasingly interested in accessing and controlling our phones.
[1] http://en.wikipedia.org/wiki/Personal_Localized_Alerting_Net...
For whatever reason, I have heard of a bunch of people that get their iPhones snatched, but never android phones.
The market for bad ESN phones is way too strong. A simple ebay search shows that bad a ESN iPhone 5 still fetches $250. Apple needs to drive down the value of bad ESN phones to near zero for the safety of their own customers.
You should immediately call your representatives to stop this.
Actual draft of the bill is here: http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?...
Relevant portions:
(1) Any advanced mobile communications device that is sold in California on or after January 1, 2015, shall include a technological solution that can render the essential features of the device inoperable when the device is not in the possession of the rightful owner. A technological solution may consist of software, hardware, or a combination of both software and hardware, but shall be able to withstand a hard reset. No advanced mobile communications device may be sold in California without the technological solution enabled.
(2) The rightful owner of an advanced mobile communications device may affirmatively elect to disable the technological solution after sale. However, the physical acts necessary to disable the technological solution may only be performed by the end-use consumer or a person specifically selected by the end-use consumer to disable the technological solution and shall not be physically performed by any retail seller of the advanced mobile communications device.
Hard reset is defined as "the restoration of an advanced mobile communications device to the state it was in when it left the factory, and refers to any act of returning a device to that state, including processes commonly termed a factory reset or master reset."
Some thoughts:
* There doesn't appear to be any requirement that the phone can be remotely disabled. One interpretation of this is that the only change from the status quo where practically every phone has a PIN is that the PIN withstand a hard reset.
* The hard reset definition is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.
* The fact that the kill switch can be disabled is encouraging.
* A lot would also depend on how determination of the "rightful owner" goes. That is, is it sufficient for someone who knows the PIN to be considered a "rightful owner"? This is fine 99% of the time, but there are obviously scenarios where that isn't true. If we wanted to take this to the other extreme, we might say this would require every seller and re-seller of mobile phones to check the ID of anyone buying a phone and to record this in some sort of master ownership index. Note that this would effectively outlaw burner phones.
It's worth noting that most carriers DO NOT blacklist all types of serial numbers burned into a device with a single serial number. There should be a requirement for a blacklist of one to also blacklist all others and that a carrier should be able to search by any of the serial type number.
Further if a device is legitimately recovered by the original owner, they should be able to unblacklist it.
Finally, carriers should cover return shipping and reactivate found blacklisted devices. There are many worthless blacklisted iOS devices on eBay, but neither Apple nor carriers will activate them nor return them to their owners.
The way that I'm reading this, a limit to what a "hard reset" can be is being set by (1). It's saying: Any process that you have in order to return a phone to factory condition must not remove the ability for it to be remotely bricked by the State of California.
It's labeling whatever that process is as a "hard reset" but they only care about the we can still brick the phone part.
That is the diametric opposite of (2), though. Unless the "disabling of the technological solution" is expected to be through software.
In order to enforce (1) and (2), California is going to have to:
a) Start certifying operating systems, and approving of their solutions for the remote bricking disabler.
and
b) Implement the remote bricker in hardware.
This is actually a really scary bill.
edit: The "rightful owner" requirement could be interpreted as really hard to satisfy, especially combined with an inability for the "retail seller" to do it. That may mean that you have to get a code, connect to the manufacturer's server, etc. to get the app to disable the bricking chip unlocked or downloaded, and the additional security theater that would entail - and the bitrot that would happen for older model phones when you had to download it (after a "hard reset") and the manufacturer is either defunct or doesn't care anymore.
This bill has too many goodies for too many entrenched interests not to pass.
edit2: "Rightful owner" is really creeping me out. That might be seen as insuring that the State must be the one with the killswitch. Who can determine a rightful owner? It could be that you are the one who knows the PIN, or it could be that you file a police report, and they kill the phone from the station.
Not really. This is, more or less, a fairly easy problem to solve: Upon first use and any subsequent hard resets, the device phones home to ask to be activated. On first use, the activation server replies with an unconditional 'YES'. Upon activation after a hard reset, the server goes 'Before I answer, can solve this challange' (PIN or username/password).
This is how Apple implemented Activation Lock on it's iOS devices and it's more or less uncrackable.
* Why won't someone will figure out how to trigger the phone kill switch and start wandering round SF killing people's phones at will?
* Why won't the state/NSA/whoever kill the phones of its enemies (diplomats, foreign business people, "subversives")?
* and so on.
2008: Oh.
I just wrote a blog post about it: (https://www.hackerneue.com/item?id=7198054)
This bill would be a great accompaniment to the next minimum wage increase.
Armed robbers are aware that many (most?) people of even modest means are carrying around devices that, once stolen by force, can be sold (probably to a fencing operation) for a few hundred bucks.
The ability to render smartphones worthless if stolen would go a long way toward reducing the incentive to commit these particular robberies, which constitute a large part of the recent increase in California's armed robbery (and by implication violent crime) rate.
Recently in the Bay Area, where I live, an armed robber held up several people at once, and took all the phones ... except a feature phone.
EDIT: wording.
Kill switches are never the right choice to solve this. Once this technology exists and is widespread (as the article points out, manufacturers are unlikely to maintain two models, with and without this unless legally required), what stops oppressive countries from using this feature from disabling the phones of people legitimately protesting like those in the Ukraine right now?
...who will then administer a full-body pat-down. You know, for good measure.
https://preyproject.com/
I was really taken aback to have purchased a device in a sealed box when someone had already cloned the IMEI. (Or maybe T-Mobile's setup is just really buggy...)
I was fortunately able to return it and get a new phone, worked fine.
But if I could fix that problem, maybe stolen phones will just get laundered through returns that way. (ie, buy a new phone, return the stolen one as defective).
Thieves can use different parts of the phone that would not be effected by a kill switch, batteries, screen, ...
What they really need is to turn on the GPS find where the phone is and start arresting folk.
You really want to give the government permission to remotely enable GPS?
@wehadfun, I like the general concept of identifying and taking action against the bad actors, but there are two flaws in your plan.
(a) Most of the users of stolen phones are not the thieves, they're secondary buyers. And amongst them, how do you propose to distinguish knowing buyers of stolen goods from innocent purchasers? Maybe in some cases the circumstances are suspicious, but what if you buy from someone on craigslist with a reasonable story and pay a market price?
(b) While in theory it's possible to trace back to the thief, in practice police don't have the resources to do the necessary investigation when the value is only a few hundred dollars. In many jurisdictions they won't even send an officer unless someone is bleeding.