

Proposed bill would require kill switch in California phones, tablets - throwaway_yy2Di
http://news.cnet.com/8301-1035_3-57618530-94/proposed-bill-would-require-kill-switch-in-calif-phones-tablets/

======
andrewfong
Actual draft of the bill is here:
[http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?...](http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB962)

Relevant portions:

(1) Any advanced mobile communications device that is sold in California on or
after January 1, 2015, shall include a technological solution that can render
the essential features of the device inoperable when the device is not in the
possession of the rightful owner. A technological solution may consist of
software, hardware, or a combination of both software and hardware, but shall
be able to withstand a hard reset. No advanced mobile communications device
may be sold in California without the technological solution enabled.

(2) The rightful owner of an advanced mobile communications device may
affirmatively elect to disable the technological solution after sale. However,
the physical acts necessary to disable the technological solution may only be
performed by the end-use consumer or a person specifically selected by the
end-use consumer to disable the technological solution and shall not be
physically performed by any retail seller of the advanced mobile
communications device.

~~~
andrewfong
A few thoughts based on the above:

* There doesn't appear to be any requirement that the phone can be _remotely_ disabled. One interpretation of this is that the only change from the status quo where practically every phone has a PIN is that the PIN withstand a hard reset.

* The bill defines “hard reset” as "the restoration of an advanced mobile communications device to the state it was in when it left the factory, and refers to any act of returning a device to that state, including processes commonly termed a factory reset or master reset." This is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.

* The fact that the kill switch can be disabled is encouraging.

* A lot would also depend on how determination of the "rightful owner" goes. That is, is it sufficient for someone who knows the PIN to be considered a "rightful owner"? This is fine 99% of the time, but there are obviously scenarios where that isn't true. If we wanted to take this to the other extreme, we might say this would require every seller and re-seller of mobile phones to check the ID of anyone buying a phone and to record this in some sort of master ownership index. Note that this would effectively outlaw burner phones.

------
bad_alloc
Imagine if the governments in the Ukraine or Turkey had such a kill switch.
They could instantly disable most of the communication between people
protesting against the government.

~~~
thisisandyok
That was my first thought as well. The potential for abuse seems to be pretty
high

~~~
justwanttotalk
America would NEVER abuse such a privilege. :|

------
nathan_long
This is a great idea _if_ the user has, or can take, _sole_ control over that
switch.

If my phone must enable _me_ to kill it remotely, neato. If anyone else will
be able to kill it while I have it, that's terrible.

~~~
rdudek
Totally agree. Though you can enable remote erase through Google, completely
killing the phone may not be a good idea unless the provider has the ability
to restore the phone. What happens if some underpaid and overworked CSR on the
line accidently types in the wrong code and wipes out someone else phone?

~~~
Consultant32452
What happens if I sell you my phone and then brick it remotely?

~~~
maxerickson
If the manufacturer can do a meaningful transfer of control over to me, I will
probably end up with the same capability.

"Get the remote block when you buy a phone" is at least a nice clear message.

------
mchannon
This is a rather pointless bill. A significant portion of all phones that are
stolen (or maybe accidentally left on a subway train seat and finders keepers)
are broken down for their valuable replacement parts.

When your iPhone 5S gets a cracked screen or water damage, the place that
repairs it can easily take parts from a donor phone at a nominal cost.
Bricking one of the boards in there (or the nano-SIM card or whatever they end
up using) isn't going to keep the screen from getting reused.

(The whole thing is like an engine kill switch for stolen cars; the thieves
aren't going to try and just turn around and sell the same car intact; they're
going to a chop shop where the kill switch will have zero effect on the profit
margin for the thieves).

~~~
wpietri
I think this fits into the "don't lock your doors" genre of argument, where
one argues that there's no point in making it harder for something bad to
happen because even if you do some bad things will continue to happen.

What the genre (and this instance) misses is that nobody is claiming that the
solution is perfect. As long as it reduces the cost of theft more than the
costs it imposes, it's a net win for society.

I'd expect this approach to reduce opportunistic theft quite a bit. Petty
criminals are not big on delayed self-gratification; if they were, they'd be
doing something else. If they can't use or easily sell the phone they just
stole, then many will stop stealing them.

It may not reduce organized theft as much, but it would depend a lot on how
hard it is to subvert the lock. If they have to throw out the motherboard of
the phone, then sure, they can still sell the screen, but their per-theft
profit goes down, reducing financial incentives and complicating their
business model.

------
jccooper
If they're looking for another "50-state legal" effect, I have news: that may
work in hardware, where producing different behaviors is hard, but software is
different. Whole complex behaviors (once written) are easily altered.

Now, if the capability doesn't exist just because the vendor(s) haven't done
it yet, then it might work. If they actually don't want to do it (either
because it suits them or they think it suits their customers) then they won't.

------
LoganCale
This _will_ be abused. Maybe not immediately, but it's just a matter of time.

------
fsckin
All phones have a builtin kill switch. You need to compel the phone company to
turn it off. But then there are ham radios. This is how things were done in
Egypt... Look at how that turned out.

~~~
nathan_long
A phone "killed" via service termination could just be given a different SIM.

~~~
Karunamon
Not if it was added to the lost/stolen phone list. This blacklists the
MEID/IMEI, which you're not getting around without hardware hacking.

~~~
gareim
Is hardware hacking really required? My S3 ran the risk of losing its IMEI
when I was messing around with custom ROMs, but before a solution was found,
people put up guides on how to change the IMEI with software and it looked
easy.

~~~
mindslight
Some time ago, I cloned the ESN of my SPH-A680 onto an identical model (using
QPST). When they were both on and next to one another, calling me made them
both ring, and simultaneously answering both let me hear audio out of both.

I doubt basebands have really changed - it's a culture of security through
obscurity, with people unaware of the details assuming they actually provide
their purported security guarantees.

------
kunai
Tiny bills like these get proposed by legislators all the time. Most don't
pass. Just because this is a technology bill doesn't mean that it will – it's
far too nanny-state and superfluous control to be remotely considered vs other
priorities California has at this time.

Although Feinstein DOES seem to be doing a lot of nannying and superfluous
things lately.

~~~
wpietri
Do you have some evidence that this won't get considered?

It looks to me like an easy political win. Smartphones are getting stolen a
lot. They are popular. They are often the most expensive thing a person
caries, so people are protective. Being able to say, "Hey, we're doing
something about a theft that could happen to _you_ ," seems like something
that would give the average voter warm fuzzies.

