
California Law to Require Antitheft Technology in Cellphones - roin
http://bits.blogs.nytimes.com/2014/02/07/kill-switch-bill/?hpw&rref=technology
======
sdkmvx
Imagine a pawn shop that loans money on cell phones. Now imagine someone comes
in and pawns their phone. It still has service and all, but he thinks he will
come back next week and redeem it. A few months pass and he never comes back.
Now the phone is legally (the pawn contract says one must completely own the
collateral, so carrier subsidies etc. shouldn't be a problem) the pawn shop's
property. Mr. Defaulter calls the phone company and has the IMEI blocked. Now
the pawn shop is out the money and owns a useless piece of metal and plastic.

I've seen this problem with phones, tablets, and even tasers. The company will
not activate them if they've been reported lost or stolen. But "finders-
keepers" is legal and people can lie about theft. Of course the company also
has a second interest not to help create a used market. Just like encrypted
firmware schemes, this erodes personal control over our property. The legal
owner with physical control should be able to use the device. Period.

There are also concerns over government or corporate disablement. Aside from
obvious government malice during e.g. protests, does anyone really think
either the government or the phone company can run a blacklist without false
positives? Obviously not. Nobody can when your population size is >300
million. And the customer service grunt is just following the rules when your
device is disabled and he cannot re-enable it.

The argument for this law is that it will reduce thefts by making the phones
worthless. I understand this. I just don't think that is worth losing control
over our property and devices.

~~~
ChuckMcM
That will sort it out in short order, and phones will no longer be accepted by
pawn shops.

The interesting side effect will be that people won't consider stealing a
phone and pawning it as a viable way of getting some quick cash.

~~~
Shivetya
That and those who try this stunt will find themselves behind bars in short
order, most likely for theft.

------
ihsw
Sounds like always-on DRM. The rich and the technologically adept will be
unaffected, but another hammer will be available for our ambivalent rulers to
manipulate normal people.

This shitty DRM better be opt-in.

Fined $2,500 for every device sold lacking this DRM? Only if there is a $2,500
refund for every device _accidentally_ bricked.

I can see media companies loving this. Watching an unlicensed movie? Your
phone is now bricked. Mission creep will be inevitable.

~~~
pjc50
Hmm. What happens to this with jailbroken phones? I can see it going two ways:

- killswitch is in the OS, and can be removed by jailbreak. Good for user,
but means you just have to jailbreak a stolen phone to recover it / prevent it
being killed.

- killswitch is in the baseband, and cannot be removed. Uhoh.

~~~
joosters
3rd way: Kill-switch is OS-based. e.g. you tell Apple that your iPhone has
been stolen. You give them the serial/IMEI, (or they can match up the device
based upon your iTunes account). If someone wipes the phone through an exploit
or jailbreak, the device is still practically useless as whenever it needs to
communicate with an Apple service, Apple sends back a 'you are stolen' message
and the phone locks up again.

End result: either the phone stays blocked or you end up with a crippled,
limited-usage device that can't use many of the services that you'd expect it
to (app store, etc). Re-sale value would plummet.

It would work with Android too. Stolen phones (that are reported to Google)
could refuse to use the play store or accept a gmail account.

~~~
Canada
You can load your own OS on Android, so this would be pretty easy to bypass.
The baseband firmware isn't immutable either, just harder to modify.

------
fossuser
There's already an easy way to do this (that I remember reading somewhere is
already being done in Australia).

When a phone is reported stolen the carriers just need to blacklist the IMEI
so it doesn't work - removes the incentive to steal devices. I don't remember
where I originally read this (probably here), but the US carriers were not
interested in doing this because they don't see stolen phones as a problem
that hurts them (arguably it gives them more business).

~~~
billyjobob
IMEI blocking hasn't stopped phone thefts in Europe.

Possible reasons:

1. IMEI numbers can be changed.

2. Thief can still use phone for many hours until block.

3. Stolen phones can be shipped to countries that don't implement block.

4. A blocked phone can still be used to run apps, play games, make VOIP calls
on wifi etc.

The Apple system seems much more sensible. You can't use an iPhone without the
pincode, and even if you get that the owner can remotely lock the phone as
soon as you connect it to any network. The way to avoid that used to be to
wipe the phone and reinstall the OS, but now you can't do that without the
Apple ID and password of the owner. I don't know if this has reduced iPhone
thefts, but unless the thief has an exploit in Apple's security I don't see
why anyone would steal an iPhone nowadays. I wish Android would implement
something similar.

~~~
pjc50
Apple theft exploit:

- steal phone

- break phone

- return to Apple store for warranty replacement (minor social engineering
may be required here)

Thief gets a working phone with a different IMEI. The worst part is, the
friend of mine who this happened to found out about it because it invalidated
her theft insurance.

~~~
uptown
While that exploit may work - it doesn't scale too well.

------
sentientmachine
I have an idea, how about the government stay the hell away from my smartphone
and let the free market decide what smartphones are theft-safe and which are
not?

This is why computer science should be a required subject going forward, only
individuals good at programming will be able to resist the tendrils, malware,
viruses and government backdoor trojans trying to get inside us and instruct
us what actions to perform today to fill other men's pockets with wealth whom
we don't even know or care about.

------
aasarava
Serious question, not rhetorical: Is there any precedent for forcing
manufacturers to modify their product simply to prevent the product from
getting stolen?

Cars and houses can have alarms, and customers decide whether they need them
or not. We do not require that all cars and houses come equipped with them.
Wallets can be attached to a chain or placed in the front pocket. We don't
require that you can only purchase a wallet with a chain.

Unlike children's toys that require battery covers to be screwed shut, or cars
that must have seatbelts, the theft of a device does not seem to be a public
safety issue. Your decision to own an expensive phone and take it out of your
pocket at the train station seems no more necessary of regulation than your
decision to wear an expensive necklace.

~~~
ds9
I'm not necessarily defending the mandate, but maybe I can clarify the concept
behind it.

It's not a case of legislators saying "it would be better to have less phone
theft so let's try to reduce it this way" - instead it's more like, users
want this, but don't have the bargaining power to compel the phone makers to
build it in or the telcos to support it.

Without the mandate, the makers and telcos profit from theft: the stolen phone
user (not necessarily the thief) pays phone charges, the victim has to buy a
new phone, and thieves have a continuing incentive to steal them. With the
mandate, the phones are less valuable to thieves (and to robbers - a personal-
safety gain), and the telcos can't profit from the forced transfers.

Again, not saying it's a good or bad policy (can someone remote-kill my phone
when I still have it?), but these are the considerations - a kind of market-
failure correction.

~~~
sdkmvx
> It's not a case of legislators saying "it would be better to have less phone
> theft so let's try to reduce it this way" - instead it's more like, users
> want this, but don't have the bargaining power to compel the phone makers to
> build it in or the telcos to support it.

I am sick of reasoning like this. The purpose of government is to preserve
your freedom to do something. If some users want something and cannot arrange
it themselves, then they may just not be able to get it. It is not the
government's place to mandate that everyone gets what some people want. That
goes against personal freedom. It is certainly the government's place to
punish thieves---a person who deprives another of their freedom to control
their property. The government should not mandate certain ways of arranging
private (between a person and the phone company) affairs.

~~~
kbolino
Indeed, there are ways to magnify your bargaining power outside of the
government. Most people generally aren't willing to pay for it, though. A
stolen phone fund or phone theft insurance could accomplish the same goals
without involving the legislative and executive branches. However, the cost
would be obvious, in the form of an upfront or recurring charge. It's much
easier to assign the task to a government, and then wonder years later why
taxes are going up, or the government is constantly in debt.

------
BryanB55
It seems like every day I'm reading some new news article on how overbearing
and strong handed California laws are. I used to hear people joke about moving
out of California to a "free state" and never paid much attention to it but
now I get it.

------
ahallock
It must be nice to have no valuable skills to offer society yet still find
employment as an authoritarian jackass dreaming up product features without
doing the actual work or assuming any of the risk. If Leno wants to add
features to cell phones, he should go work for those companies instead of
using the Ring of Sauron to forcibly add a "kill switch" because he thought it
was a good idea. And is reducing theft the real reason or just the ostensible
one? Will this become an easy hook for govs to shut off phones?

------
kirab
Nice, a kill switch in every phone. When there’s a big
demonstration/revolution we’re just gonna kill all the phones out there with a
simple data packet.

~~~
revscat
It would be a dumb idea to take your device to a revolution in the first
place.

~~~
vdaniuk
As a Ukrainian, who has seen that smartphones, especially used by citizen
streamers, are extremely important for a revolution, I can assure you that you
are wrong.

~~~
undoware
Bump this n times.

I love it when activists get blamed for doing it wrong, where 'it' basically
boils out to 'trying'.

------
clinton_sf
From what I understand, the mechanisms for this law are already in place and
aren't much of a problem; any Apple customer already has this with the
"Activation Lock" feature, and any carrier can already deny service based on a
blacklisted ESN. The proposed law, at least in spirit, would require carriers
and phone makers to honor your request to make your device unusable when you
report it as stolen. It isn't so much that the government is going to be
making technology and forcing everyone else to use it -- it'll let the private
tech industry do whatever it needs to do to comply with the proposed "please
brick my stolen phone" law.

I can understand how handset vendors other than Apple would have a problem
with this. For example, where is the "activation lock" setting stored and who
controls it? The handset vendor (Samsung, LG, etc)? Google (since it's an
Android phone)? The carrier? Who deals with the customer when the device is
stolen? That level of coordination would be a mess to deal with if you don't
already control most of the stack and user experience like Apple does.

As a side note, Apple already does this with Mac hardware too:
[https://discussions.apple.com/message/19010713](https://discussions.apple.com/message/19010713).

~~~
prodigal_erik
There's a huge ethical problem with a vendor imposing limits on the
relationship between a human being and their tools. Apple customers are self-
selected for being okay with this.

------
JumpCrisscross
> _On Friday, State Senator Mark Leno of California, a Democrat, is expected
> to introduce legislation requiring all smartphones and tablets sold in the
> state to include this kind of feature._

This should be a required option, even if it's opt out. The consumer should be
able to turn off this kind of remote authorisation over their device, even if
it reduces the "herd immunity".

Killing core functionality goes a step beyond IMEI blacklisting, which can be
circumvented by selling the phone outside the blacklisted jurisdictions. An
IMEI-blacklisted phone is a phone with a reduced market. An effectively
"killed" phone is worth its recycling rebate.

~~~
cheald
Why should it be required, exactly? If people want phones with anti-theft
technology, they can buy phones with anti-theft technology. What this smells
like to me is a government wanting to have the power to sever your
communications at will.

Having the ability to remote-brick _my_ phone is great if I want it, but
someone else having the ability to remote-brick my phone is a frickin' huge
liability.

~~~
sigzero
Exactly! California can go F itself. They should not be legislating this crap.

~~~
sabbatic13
And people who willfully confuse a couple dopey activist legislators from the
state's goofiest city with the entire state can...what you said. Also, none of
that hate for NYC, or did you not bother to read that this BS is coming from
both states, or more precisely, from a few dumb legislators based in the most
full-of-themselves cities in the country, backed by politicians in law
enforcement uniforms who can't stop crime, so they advocate putting the burden
elsewhere?

~~~
wtbob
> And people who willfully confuse a couple dopey activist legislators from
> the state's goofiest city with the entire state can

We're talking about a state legislature and governor which did in fact just
ban lead bullets, a state legislature and governor elected by the entire
state.

------
droopybuns
If carriers and oems can't prevent rooting or custom roms, why would they be
able to prevent unauthorized locking of phones?

There are bad ideas, and then there are ideas that only a legislator would
advocate.

------
unclebucknasty
Reminds me of FEMA requiring carriers to install a chip for emergency messages
(PLAN = Personal Localized Alerting Network). [1]

Governments seem increasingly interested in accessing and controlling our
phones.

[1]
[http://en.wikipedia.org/wiki/Personal_Localized_Alerting_Net...](http://en.wikipedia.org/wiki/Personal_Localized_Alerting_Network)

------
thrillgore
And in tonight's segment of "Shit we didn't need or could do ourselves, but
the state insists it be mandatory..."

------
ryanjshaw
Don't forget batteries. They're very valuable to thieves too. Maybe the
killswitch can make them explode.

------
aasarava
If you live in the state of CA and think this bill is a bad idea, you can look
up your representative senator and send them an email asking that they vote
against the bill.
[http://findyourrep.legislature.ca.gov/](http://findyourrep.legislature.ca.gov/)

------
jcampbell1
This is _really_ needed. In New York, there is a problem of punk kids
snatching iPhones and running. It is hard for the police to do anything about
it, and these kids are fencing the phones for about $150, and they are likely
shipped out of the country where carrier blocks don't work.

For whatever reason, I have heard of a bunch of people that get their iPhones
snatched, but never android phones.

The market for bad ESN phones is way too strong. A simple ebay search shows
that a bad ESN iPhone 5 still fetches $250. Apple needs to drive down the
value of bad ESN phones to near zero for the safety of their own customers.

~~~
eponeponepon
How quickly do these 'punk kids' sell the phones on, though? And could a
system to trigger the killswitch be responsive enough to trigger it before the
phone's been sold? And if it were, could it ever hope to be sure of the facts
in time to catch bad requests?

~~~
jcampbell1
I am sure they power off the phones almost immediately. I actually don't think
a legislative solution is the right process. I think Apple should address the
problem for the benefit of their own customers. Maybe they need to investigate
this and work with Interpol.

------
pera
Every time I read "anti-theft technology" I get chills..

You should immediately call your representatives to stop this.

------
snake_plissken
Doesn't the IMEI on GSM and the MEID on newer CDMA phones already solve the
problem of stolen phones, and we just don't use this functionality?

------
andrewfong
Cross-posting from the other discussion on this topic
([https://news.ycombinator.com/item?id=7197416](https://news.ycombinator.com/item?id=7197416)):

Actual draft of the bill is here:
[http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?...](http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB962)

Relevant portions:

(1) Any advanced mobile communications device that is sold in California on or
after January 1, 2015, shall include a technological solution that can render
the essential features of the device inoperable when the device is not in the
possession of the rightful owner. A technological solution may consist of
software, hardware, or a combination of both software and hardware, but shall
be able to withstand a hard reset. No advanced mobile communications device
may be sold in California without the technological solution enabled.

(2) The rightful owner of an advanced mobile communications device may
affirmatively elect to disable the technological solution after sale. However,
the physical acts necessary to disable the technological solution may only be
performed by the end-use consumer or a person specifically selected by the
end-use consumer to disable the technological solution and shall not be
physically performed by any retail seller of the advanced mobile
communications device.

Hard reset is defined as "the restoration of an advanced mobile communications
device to the state it was in when it left the factory, and refers to any act
of returning a device to that state, including processes commonly termed a
factory reset or master reset."

Some thoughts:

* There doesn't appear to be any requirement that the phone can be remotely disabled. One interpretation of this is that the only change from the status quo where practically every phone has a PIN is that the PIN withstand a hard reset.

* The hard reset definition is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.

* The fact that the kill switch can be disabled is encouraging.

* A lot would also depend on how determination of the "rightful owner" goes. That is, is it sufficient for someone who knows the PIN to be considered a "rightful owner"? This is fine 99% of the time, but there are obviously scenarios where that isn't true. If we wanted to take this to the other extreme, we might say this would require every seller and re-seller of mobile phones to check the ID of anyone buying a phone and to record this in some sort of master ownership index. Note that this would effectively outlaw burner phones.

~~~
pessimizer
> * The hard reset definition is sort of dumb. When a device leaves the
> factory, it obviously doesn't have any knowledge of whom its proper owner is.
> A hard reset, by definition, has to nullify any owner-verification system and
> no technological solution can withstand it.

The way that I'm reading this, a limit to what a "hard reset" can be is being
set by (1). It's saying: Any process that you have in order to return a phone
to factory condition _must not_ remove the ability for it to be remotely
bricked by the State of California.

It's labeling whatever that process is as a "hard reset" but they only care
about the "we can still brick the phone" part.

That is the diametric opposite of (2), though. _Unless_ the "disabling of the
technological solution" is expected to be through _software._

In order to enforce (1) and (2), California is going to have to:

a) Start certifying operating systems, and approving of their solutions for
the remote bricking disabler.

and

b) Implement the remote bricker in hardware.

This is actually a really scary bill.

edit: The "rightful owner" requirement could be interpreted as really hard to
satisfy, especially combined with an inability for the "retail seller" to do
it. That may mean that you have to get a code, connect to the manufacturer's
server, etc. to get the app to disable the bricking chip unlocked or
downloaded, and the additional security theater that would entail - and the
bitrot that would happen for older model phones when you had to download it
(after a "hard reset") and the manufacturer is either defunct or doesn't care
anymore.

This bill has too many goodies for too many entrenched interests not to pass.

edit2: "Rightful owner" is _really_ creeping me out. That might be seen as
insuring that the State must be the one with the killswitch. Who can determine
a rightful owner? It could be that you are the one who knows the PIN, _or_ it
could be that you file a police report, and they kill the phone from the
station.

~~~
anigbrowl
Rightful owner is the person with title, a concept well established in law in
other contexts. I think this is a terrible bill, but the notion that the kill
switch is going to be operated by the state seems like a complete misreading
of the bill's text to me.

~~~
nitrogen
First, create the kill switch. Second, create the ability to use it.

------
ciderpunx
This seems like a bad idea.

* Why won't someone figure out how to trigger the phone kill switch and start wandering round SF killing people's phones at will?

* Why won't the state/NSA/whoever kill the phones of its enemies (diplomats, foreign business people, "subversives")?

* and so on.

~~~
judk
If this is such a risk, why hasn't this happened yet? Corporate phones all have
remote kill switches, and are high value targets of harassment.

~~~
undoware
2007: If sub-prime loans were really a problem, why hasn't the market crashed
yet?

2008: Oh.

------
roin
I actually think this is a good idea and requires government intervention due
to the positive externalities involved.

I just wrote a blog post about it:
([https://news.ycombinator.com/item?id=7198054](https://news.ycombinator.com/item?id=7198054))

------
mhb
Perhaps they can also consider a cap on the price of cell phones sold in
California. If no one's carrying around a phone that cost over $50, that would
also reduce the incentive to steal them.

This bill would be a great accompaniment to the next minimum wage increase.

------
baconner
I'm all for careful legislation to force companies to improve security and
protect consumers but unfortunately most legislators don't have the
technology knowledge to know what is wise and what is not. The devil is in the
details here - if we mandated that the disable capability could only be
enacted by the consumer that owned the device - say with a kill code password
that no one else is allowed to store - then it's not so bad, but I doubt such
protections against misuse are in place. I surely don't want a kill switch that
could be invoked by the manufacturer or cell provider. Given that the market
already provides this on tons of devices it seems unnecessary to legislate.

------
djs123sdj
This law is intended to mitigate the escalation in armed robberies for
smartphones that is hitting urban areas in California.

Armed robbers are aware that many (most?) people of even modest means are
carrying around devices that, once stolen by force, can be sold (probably to a
fencing operation) for a few hundred bucks.

The ability to render smartphones worthless if stolen would go a long way
toward reducing the incentive to commit these particular robberies, which
constitute a large part of the recent increase in California's armed robbery
(and by implication violent crime) rate.

Recently in the Bay Area, where I live, an armed robber held up several people
at once, and took all the phones ... except a feature phone.

EDIT: wording.

------
malandrew
A bill that requires manufacturers to offer phones that have this feature and
phones that don't have this feature I could see as being okay, but to require
all phones to have it and leave the user no choice (fwiw, being able to
disable it after purchase is a false choice) is ridiculous.

Kill switches are never the right choice to solve this. Once this technology
exists and is widespread (as the article points out, manufacturers are
unlikely to maintain two models, with and without this unless legally
required), what stops oppressive countries from using this feature to
disable the phones of people legitimately protesting like those in the
Ukraine right now?

------
nateabele
Or better yet, every time you need to make a phone call, your ownership of the
phone will be verified on-site by a blue-gloved agent of the state...

...who will then administer a full-body pat-down. You know, for good measure.

------
nateabele
"We're from the government, and we're here to help."

------
natch
Once there's a device kill switch in place, it will be available for anyone
with a court order. Think RIAA, MPAA... organizations that support DRM must
love this idea.

------
ballard
Prey project is semi open-source, freemium and works on iOS, Android and most
desktop OSes too.

[https://preyproject.com/](https://preyproject.com/)

------
brownbat
Last phone I bought from Walmart, T-Mobile refused to activate because they
claimed it was stolen.

I was really taken aback to have purchased a device in a sealed box when
someone had already cloned the IMEI. (Or maybe T-Mobile's setup is just really
buggy...)

I was fortunately able to return it and get a new phone, worked fine.

But if I could fix that problem, maybe stolen phones will just get laundered
through returns that way. (ie, buy a new phone, return the stolen one as
defective).

------
mnglkhn2
This is not to stop theft. I can wipe my phone remotely right now if my phone
is stolen. The goal is to secure the phone so that all the info on it is not
accessible if the owner is not there. Especially considering that more and
more the phone is the key to everything due to two step authentication (for
email accounts, banks, etc. ) If things need to get more secure online then
the phone needs to get even more secure.

------
sivanmz
Have there been any reports on how iOS7 affects thefts?

------
ChrisNorstrom
We all know how this is going to end: Someone is going to hack the method used
to disable the phones and massively disable millions of people's phones. As
always, the road to hell is paved with good intentions. I'd much rather see
technology that temporarily disables access to my phone's private contents
while turning a permanent GPS [on] switch so my stolen phone can be located.

------
pbreit
It's a shame the device manufacturers apparently dragged their feet on this
and couldn't avoid legislation.

------
joering2
This is a cellphone carriers' lobbyist work at its finest! This law is not
about the customers; it's about those rare examples where customers are
screwing the carriers when the phone is being stolen and the police report is
good enough to get out of lengthy & expensive contracts.

------
eponeponepon
It's all very well to say that smartphone thefts are "reaching an all-time
high", but what is smartphone ownership doing? I doubt it's reached saturation
yet, and one would imagine that thefts would increase in line with units
owned...

------
tn13
This is another example of how government tries to simplify its job by
creating problems for others. If the anti-theft technology were of any use, more
companies would introduce them and users would buy such phones.

------
wehadfun
They are doing this all wrong.

Thieves can use different parts of the phone that would not be affected by a
kill switch, batteries, screen, ...

What they really need is to turn on the GPS find where the phone is and start
arresting folk.

~~~
uptown
"What they really need is to turn on the GPS find where the phone is and start
arresting folk."

You really want to give the government permission to remotely enable GPS?

~~~
ds9
Government already can do that by co-opting the phone companies.

@wehadfun, I like the general concept of identifying and taking action against
the bad actors, but there are two flaws in your plan.

(a) Most of the users of stolen phones are not the thieves, they're secondary
buyers. And amongst them, how do you propose to distinguish knowing buyers of
stolen goods from innocent purchasers? Maybe in some cases the circumstances
are suspicious, but what if you buy from someone on craigslist with a
reasonable story and pay a market price?

(b) While in theory it's possible to trace back to the thief, in practice
police don't have the resources to do the necessary investigation when the
value is only a few hundred dollars. In many jurisdictions they won't even
send an officer unless someone is bleeding.

------
guelo
I thought this was already being done via IMEI blocking.

------
crypt1d
How about you just be a bit more careful with your iPhone? No law in the world can
stop people from being stupid.

~~~
djs123sdj
It's not about not being careful with your devices. In many places in
California, people are routinely having guns pointed at them and their
electronics are being taken by force, even when the devices are not being
visibly used.

------
fit2rule
Ah, the velvet glove. It rises to view again. Shall I buy? Shall I not? 'tis
but an upvote away ..

------
pionar
How can California do this? Interstate commerce clause and all that.

~~~
jimktrains2
CA can require that every phone sold in their state must have it. Since it's
easier not to have multiple models, until another state makes it illegal to
have it, the models sold in other states will have it by default.

------
andyl
No. Too many opportunities for abuse.

