
California Senate Rejects Smartphone ‘Kill Switch’ Law - ternaryoperator
http://bits.blogs.nytimes.com/2014/04/24/california-senate-rejects-smartphone-kill-switch-law
======
schoen
Here is the text of the bill that the Senate rejected:

http://www.leginfo.ca.gov/pub/13-14/bill/sen/sb_0951-1000/sb_962_bill_20140206_introduced.htm

One thing that CTIA did while lobbying against this was to announce their
"Voluntary Commitment" as an alternative:

http://www.ctia.org/policy-initiatives/voluntary-guidelines/smartphone-anti-theft-voluntary-commitment

As you can see from the reporting and the text of the two documents, one of
Senator Leno's biggest disagreements with the industry is about whether the
mechanisms should be opt-in or opt-out.

An issue that I have raised indirectly on behalf of EFF is whether someone
other than the phone owner has the technical ability to kill the phone, and,
if so, whether the phone owner can reverse this on their own. Neither Sen.
Leno's text nor CTIA's definitively answers this, and we haven't seen it
publicly discussed very much.

The worst-case scenarios for me are if a government can order a carrier to
disable the phones of everyone who attended a particular protest (or everyone
who has recently exchanged SMS messages with a particular person), or if
there's a master list of keys sitting around on some hard drive that could be
used to disable every phone of a particular model in an entire country.

~~~
dobbsbob
I've always assumed bricking legislation has nothing to do with theft and
everything to do with shutting down communications during civil unrest to
prevent even ad hoc wireless networks by completely bricking the device. The
proponents of a similar bill in my country are all intel agency shills that
normally never dabble in any laws regarding street crime yet are heavily
lobbying for this. The ability of the owner to opt-out or perform this remote
brick themselves was also rejected with the police having sole power over the
keys.

~~~
001sky
This. And the authorities are using the existence of remote wipe to pretext
warrantless searches. None of this is 'consumer protection'. It's strictly
aimed at thwarting the diffusion of communications outside the reach of the
government.

------
higherpurpose
Good. This sort of thing has no place as a law. Also, it should _always_ be up
to the user whether he wants to enable it or not, if they want to be protected
against theft like that. The most companies should do is perhaps prompt them
about it in the initial set-up of the phone.

------
nlh
To add to this a bit, because it's not explicitly mentioned in this article
(but I recall reading about this previously):

> “With their no vote, 17 members of the Senate chose to protect billion-
> dollar industry profits over the safety of the constituents they were
> elected to serve.”

They're referring to the insurance premiums charged by the mobile providers
and companies like Asurion. They make a ton of $$ by selling
damage/theft/replacement insurance and the associated deductibles, and the
thought is that revenue stream could be damaged if the incentive (and
therefore risk) of theft is reduced.

------
ggreer
I naively assumed that the vast majority of phones already had kill switches.
If my iPhone gets stolen, I can track it and remotely brick it. A thief can't
erase/restore without my Apple ID.[1] It looks like it takes more effort to
get this behavior on an Android device. A thief won't be able to get the data
off my Nexus 7, but it looks like they can still restore it and sell it.

I think that as wireless and battery technologies become cheaper/better, more
devices will have remote tracking/bricking. The incremental cost will be
minuscule, but the benefit (drastically reducing likelihood of theft) is
great.

[1] http://support.apple.com/kb/HT5818

~~~
schoen
The "Find My iPhone" feature has to be turned on ahead of time, so one issue
between proponents of the existing SB962 and the industry is whether these
features should be deployed as opt-in or opt-out.

~~~
toomuchtodo
Could Apple not just require it at phone activation?

~~~
schoen
I think that would satisfy SB962 if it became law, though Apple and others
would prefer not to be required to do this.

~~~
toomuchtodo
> though Apple and others would prefer not to be required to do this.

Why?

~~~
icameron
A private manufacturer being told by politicians how to design their own
product for reasons other than consumer or environmental protection is not
right. The traditional example is the auto industry regulation... Requiring
seat belts in new cars for example. Or requiring private companies to properly
dispose of waste because pollutants in the environment are a health risk. But
this issue is not a case of safety. Nobody will be injured by a device that
doesn't brick itself. That is overreaching into an area not controlled by the
government. It wouldn't be good for Apple to implement and support an
unnecessary feature.

~~~
toomuchtodo
I don't believe requiring Find My Phone to be activated as part of the
activation would be that onerous of a regulation.

------
walshemj
Why is a state even debating this? To work, kill switches need to be introduced
for the entire NANP area - let the FCC do its job.

A waste of CA taxpayers' money - motion should have been moved next business
inside 30 seconds.

------
finnn
> To continue reading this article, please log in or register for free.

> As a registered user, you'll also enjoy recommendations and the ability to
> save, comment, and share.

I have to log in to read a blog? nothx

~~~
mikestew
If you're reading Hacker News, it should take longer to type a complaint about
logins than it does to find a way around said login.

~~~
click170
I'm with OP on this one. I won't read your page/blog if I have to create any
kind of account to do so. Full stop.

Displaying ads is one thing, this is entirely different and the loss of my
privacy in that way is disproportionate to whatever benefit I get from reading
your page.

~~~
mikestew
> I'm with OP on this one. I won't read your page/blog if I have to create any
> kind of account to do so. Full stop.

I completely respect that. Is it necessary, though, to submit a comment
complaining about it every time it comes up? And I'm allowing that some feel
that it _is_ necessary, but to what end?

For me, the page works just fine without registering on Android Chrome and
desktop Chrome on my home box. <shrug>

~~~
nitrogen
By submitting a comment about it every time, one might hope that eventually
site owners would get the message. Lobbying required persistence.

------
pixelcort
If this passes someday and then later on a hobbyist smartphone-building
community pops up, how would that community be affected?

~~~
smsm42
You probably won't be able to sell anything that is not up to regulations.
Since airwaves are considered public, you may also be banned from using any
wireless communications either - regardless of if the regulation relates to
the communication per se, as using public medium enables the government to
regulate you and deny that use if you do not satisfy their conditions. Which
means any hobbyist probably would have to follow that law if it is ever
passed, unless some kind of special exception is added.

------
zaroth
I think this bill is very poorly written. It would require that my handheld
device (phones, tablets, maybe Google Glass) needs to "render inoperable the
essential features of the device [including "apps"] when the device is not in
the possession of the rightful owner." This functionality must be enabled, and
only the rightful owner can opt-in to disable it.

Digging into this "requirements document" instantly raises all sorts of
questions around how to actually do the initial setup / enrollment, what are
the user interaction points, what are all the failure modes and edge cases. It
has sloppy definitions of terms, making it unclear if certain classes of
devices are even supposed to be covered.

I mean, let's start with the core premise of this bill. When is a phone "not
in the possession of the rightful owner"? Are we talking about a mandatory
lock screen here? So I need a technological solution to render the device
useless, when "not in the possession of the rightful owner", which by law must
be enabled by default. What could possibly go wrong?

And how about this gem;

    
    
       (3) “Essential features” of an advanced mobile communications 
           device include the ability to use the device for voice 
           communications and the ability to connect to the Internet, including 
           the ability to access and use mobile software applications 
           commonly known as “apps.”
    

What if instead of going dead, I want my phone to actually help itself be
found and returned? Instead of a kill switch, perhaps the device...

    
    
      - Locks into a 'Please return to X' mode, and
      - Maybe offers an escrowed reward in Bitcoin, and
      - Maybe uploads snippets of video, audio, and GPS location every X seconds,
        while displaying a huge 'YOU ARE BEING RECORDED' message
    

But the point is, it's easy to brainstorm ideas that may be better than a kill
switch. Technology moves fast, good ideas will proliferate, and government
regulation should stay far away from this cycle.

I for one am happy this did not pass. A kill switch is not a safety feature.
It's not an accessibility feature. It's not an anti-collusion feature. 17
members of the senate correctly identified that we shouldn't be regulating
what features a piece of software MUST ship with, unless something much more
substantial lies in the balance.

A kill switch must obviously be opt-in because it's giving a software agent
permission to nuke the data on your phone, not to mention possibly monitor
your location. A designer may reasonably want to limit the number of choices a
user must make before they start using their device! The process of activating
your new phone in the first moments after unwrapping is a critical time for
making a good first impression of the software / device. It's when you want
the user saying "Wow", not feeling like a trip to the DMV because the State of
California passed SB 962.

The client and server software implementing the kill switch needs to be
written, tested extensively (think of the failure modes), monitored, and
maintained to continuously improve its security. Security vulnerabilities in
the kill switch architecture or user authentication could be exploited to
catastrophic effect, which is a good enough reason to choose not to offer the
feature, or at least make users demonstrate a basic level of sophistication
before enabling it. Didn't we just read about the Wired editor whose kill
switch was turned against him?

Next we'll be reading about SB 962b - Anti-Kill-Switch legislation, due to the
increasing and alarming number of extortion attempts leveraging the kill
switches built into our mobile devices.

Also, cylons love kill switches.

