
How Cops and Hackers Could Abuse California’s New Phone Kill-Switch Law - acheron
http://www.wired.com/2014/08/how-cops-and-hackers-could-abuse-californias-new-phone-kill-switch-law/
======
tzs
> “It’s great for the consumer, but it invites a lot of mischief,” says Hanni
> Fakhoury, staff attorney for the Electronic Frontier Foundation, which
> opposes the law. “You can imagine a domestic violence situation or a
> stalking context where someone kills [a victim's] phone and prevents them
> from calling the police or reporting abuse. It will not be a surprise when
> you see it being used this way.”

This will depend on how the phone manufacturer or operating system
manufacturer chooses to implement it. The law only requires rendering
"essential features" of the smartphone inoperable.

The law defines "essential features" thusly:

• "'Essential features' of a smartphone are the ability to use the smartphone
for voice communications, text messaging, and the ability to browse the
Internet, including the ability to access and use mobile software
applications. 'Essential features' do not include any functionality needed for
the operation of the technological solution, nor does it include the ability
of the smartphone to access emergency services by a voice call or text to the
numerals '911,' the ability of a smartphone to receive wireless emergency
alerts and warnings, or the ability to call an emergency number predesignated
by the owner."

Note that 911 ability is specifically not an "essential feature".

Anyone happen to know how Apple handles this? I have not been able to find
anything about what works on an iOS 7 phone after you use the activation lock
feature from iCloud to kill it.

~~~
justizin
I've used the activation lock, but I didn't really record what was there.
IIRC, something like a lock screen, probably with the ability to make
emergency calls.

------
spindritf
Any implementation details? How will the autodestruct signal be sent? And if
the consumer can opt out of the kill swtich, wouldn't the thief also be able
to opt out?

I have a bad feeling that 10 years from now you will have to wipe your phone
and install some makeshift build from xda right after purchase just to use it
confidently.

~~~
Zikes
Flashing a new ROM wouldn't be enough, malicious software can still live in
the firmware and even the SIM card.

------
tzs
> The law raises concerns about how the switch might be used or abused,
> because it also provides law enforcement with the authority to use the
> feature to kill phones.

This law does no such thing. What they are basing this on is a
misunderstanding of this section of the law: "Any request by a government
agency to interrupt communications service utilizing a technological solution
required by this section is subject to Section 7908 of the Public Utilities
Code".

That does not grant any authority to law enforcement. It's just saying in
effect that they cannot use this new kill switch to bypass the restrictions
7908 imposes on government interruption of communication services. It's simply
making sure that the new law is not introducing a loophole that would give law
enforcement MORE ability to interrupt communications than they already have.

It's kind of like when schools teach kids in sex ed that they should always
use a condom when they have sex. That's not supposed to be taken as granting
the kids permission to go out and have sex.

~~~
fenomas
No, the article is right. The law mandates kill-switches into existence and
then says law enforcement can't violate the utilities code when using them.
This is equivalent to saying law enforcement _can_ use the switch so long as
it's in accordance with the utilities code. Either way access to the feature
comes from the law.

The EFF letter even makes this same point:

> ..the presence of such a mechanism in every phone by default would not be
> available but for the existence of the kill switch bill. In essence, SB 962
> mandates the technical ability to disable every phone sold in California,
> and PUC § 7908 provides the necessary legal roadmap to do the same.

~~~
tzs
I'll comment on you argument in a moment, but first I want to comment on your
EFF quote.

I don't know what is going on with the EFF, but they are seriously botching it
on this. I have a hard time believing that whoever wrote the excerpt you quote
from their letter even read the law. They say, "In essence, SB 962 mandates
the technical ability to disable every phone sold in California".

Every phone? The bill only applies to smartphones. It explains what a
smartphone is thusly:

\-------- begin quote

(1) (A) “Smartphone” means a cellular radio telephone or other mobile voice
communications handset device that includes all of the following features:

(i) Utilizes a mobile operating system.

(ii) Possesses the capability to utilize mobile software applications, access
and browse the Internet, utilize text messaging, utilize digital voice
service, and send and receive email.

(iii) Has wireless network connectivity.

(iv) Is capable of operating on a long-term evolution network or successor
wireless data network communication standards.

(B) A “smartphone” does not include a radio cellular telephone commonly
referred to as a “feature” or “messaging” telephone, a laptop, a tablet
device, or a device that only has electronic reading capability.

\-------- end quote

(It's interesting that under that definition, no iPhone prior to the iPhone 5
is a smartphone).

The original article says "The law raises concerns about how the switch might
be used or abused, because it also provides law enforcement with the authority
to use the feature to kill phones".

What does "authority" mean? I generally take it as something more positive or
more active than "not forbidden". Suppose the bill said nothing at all about
government agency use of the kill switch. Would you say that the bill gives
them authority to use the kill switch.

I would say no.

The provision in the bill adds a restriction to what might be allowed if the
bill was silent on this. (I say "might" because I think one can reasonably
read 7908 as applying even if the bill were silent on this). Since I think
silence would not be a grant of authority, I don't see how allowing less than
what silence would allow can be a grant of authority.

------
golemotron
I'd like to see a company like Samsung say "okay, we won't sell our phones in
California."

In an increasingly integrated world I think it's bad that a single state has
the power to change an industry impacting people who are not its citizens. New
York State pulls the same sort of thing too.

~~~
justizin
On the other hand, a number of things that people outside of NY and CA refused
to fight for on their own, they have for free because of states like this.

If you go on the far end of the spectrum from electronics to schoolbooks, you
find that there are only two customers for history: California and Texas. You
can have the California hippie flavor or the racist civil rights denying Texas
version.

Since Apple already provides a feature which complies, I don't see how this is
a real threat to the industry.

~~~
privong
> If you go on the far end of the spectrum from electronics to schoolbooks,
> you find that there are only two customers for history: California and
> Texas.

Purportedly, Texas also has a significant influence on what goes into science
textbooks.

~~~
justizin
"Purportedly, Texas also has a significant influence on what goes into science
textbooks."

Do they, though? Maybe under mineral sciences and alternatives to evolution.
;)

< Disclaimer: I was born and raised in Texas >

~~~
pessimizer
[http://www.nytimes.com/2013/11/23/education/texas-
education-...](http://www.nytimes.com/2013/11/23/education/texas-education-
board-flags-biology-textbook-over-evolution-concerns.html)

------
sologoub
How's this different from the current iOS capability to remote-wipe your phone
via iCloud?

~~~
tzs
It's pretty much the same as the iOS 7 version of that. Here's what the law
requires:

• New smartphones (the law does not apply to feature phones or messaging
phones or other phone-like devices) have to include at the time of sale a
technological solution that can remotely "render the essential features of the
smartphone inoperable to an unauthorized user when the smartphone is not in
the possession of an authorized user"

Apple already does this.

• "The smartphone shall, during the initial device setup process, prompt an
authorized user to enable the technological solution. The technological
solution shall be reversible, so that if an authorized user obtains possession
of the smartphone after the essential features of the smartphone have been
rendered inoperable, the operation of those essential features can be restored
by an authorized user"

Apple already does almost all of this. I don't know if they do the required
prompting during initial setup.

• "A technological solution may consist of software, hardware, or a
combination of both software and hardware, and when enabled, shall be able to
withstand a hard reset or operating system downgrade and shall prevent
reactivation of the smartphone on a wireless network except by an authorized
user"

iOS 7 does this.

The law also says:

• "An authorized user of a smartphone may affirmatively elect to disable or
opt-out of enabling the technological solution at any time. However, the
physical acts necessary to disable or opt-out of enabling the technological
solution may only be performed by the authorized user or a person specifically
selected by the authorized user to disable or opt-out of enabling the
technological solution"

Apple does this. I believe I've read that Samsung's version works almost
identically to Apple's.

~~~
sologoub
Second point reads like an opt-in, if so, I think iOS has that already for the
initial setup and can be enabled/disabled afterwards.

------
byoung2
Presumably you could purchase an unlocked phone from a jurisdiction where this
law doesn't apply I bet there is a state like Nevada or Texas who won't follow
California's lead, and there is always Canada.

~~~
Zikes
Once the phone manufacturers have implemented the software feature, do you
think it's likely they would maintain two separate code branches to
accommodate California vs everywhere else, or would they just roll it out to
all states?

I'm thinking the latter is more likely.

~~~
byoung2
I also mentioned Canada (or any other country really) as a possibility. There
is already precedent for a US version vs international versions of phones,
with the US versions usually being customized by the carrier, and the
international version being unlocked and more vanilla. My wife's Samsung Note
is a good example, rather than getting the T-Mobile one, we got an unlocked
one from Amazon without all of the carrier bloat.

------
ryanmarsh
How Cops and Hackers _Will_ Abuse California’s New Phone Kill-Switch Law

FTFY

------
famousactress
This is great (if someone manages to kill every phone in California). We need
public-understandable demonstrations that ability == eventual-reality. This
seems like a perfect opportunity to open the "who-cares-if-you-don't-have-
anything-to-hide-crowd"'s minds.

~~~
lotsofmangos
That would be an amusing day in Cupertino for sure.

