
> If protection of the casual user was an argument, there would be an easy option to unlock your system, be that phones or desktop computers.

Making it easy to unlock could make it easy(er) for scammers to get it unlocked:

> I received the same type of call a little later in the day. They were very adamant they were calling from the Bell data centre, on a terrible line and I made them call back three more times while I considered their requests. They wanted to have me download a program that would have given them control of my laptop. […]

* https://forum.bell.ca/t5/Internet/Call-stating-that-an-issue...




> Making it easy to unlock could make it easy(er) for scammers to get it unlocked

Making laptops that weigh two pounds instead of 40 pounds could make it easier for thieves to steal them. Making computers less expensive could increase the number of spammers who can afford one and make it easier to send spam. Making encryption widely available could make it easier for bad actors to communicate.

But these things have countervailing benefits, so we do them anyway and then address the problems by a different means. When someone insists on doing it in the way that "incidentally" provides them with a commercial advantage, suspect an ulterior motive.


Easy doesn't mean without any warning, it just means that the device is unlockable by design and without OEM's approval.

It would be reasonable to:

- factory reset the device before unlocking it to protect existing data (like Android phones require)

- display warnings, for example "if someone's asking you to do this, it's probably a scam"

- for the owner to be allowed to permanently disable unlocking, e.g. the commonly cited example of someone setting the device up for their elderly parents


> for the owner to be allowed to permanently disable unlocking, e.g. the commonly cited example of someone setting the device up for their elderly parents

This opens a wormhole that warps us back to one of the core issues / battlegrounds in computing: ownership, and specifically, the balance of power and responsibility between the owner and the user, when they're not the same person.

Unfortunately, the same means and the same arguments cited in case of "someone setting the device up for their elderly parents" also apply to employers "setting the device up" for their employees (where "setting the device up" may just mean letting it access the company network), vendors "helpfully" "setting the device up" for the customers (this is basically the whole history of mobile phones - bootloaders now, SIM locks before), etc.

I don't know what the good answer is. I'm personally strongly biased towards "end-user should always be the owner" perspective, and while I recognize there are strong examples where this isn't the case, I can't figure out how to cleanly separate "legitimate interest" from for-profit or for-power abuse.


The balance of power between a company and you, vs you and another person, are vastly different, which IMO makes the issues distinct. Presumably the elderly parents are willingly relinquishing control to someone they trust, and they can always go out and buy their own phone if they don't want that.


It seems relatively simple to me. Only the owner is allowed to make these decisions, more or less. Employers can only do it to devices they own and provide. Phone vendors cannot do it, and cannot make any services contingent on doing it. A family member in this situation is reasonably acting on the owner's behalf.

And while we're at it, let's not allow apps to refuse to run because of rooting.


In that scenario I think employers should have the right to make this decision since they own the device and it likely contains sensitive data and credentials belonging to them. But vendors selling devices to retail customers shouldn't be allowed to make that decision unless the customer explicitly asks for help.

I think it's pretty consistent, whoever legally owns the device should be allowed to decide what is and isn't allowed to run on it.


Yes, my point is that in practice, this gets abused. In particular, the possibility enables vendors to invent business models that rely on denying users ownership, and those happen to outcompete the fair, honest models.


> factory reset the device before unlocking it to protect existing data (like Android phones require)

I never understood this point. From what threat is it protecting the data? Surely a thief should not be able to unlock a device without first typing the correct pin/password, and if they can do that they should be able to access the data regardless.


In principle I agree but the edge case I think has to be accounted for is that many people have weak PINs protecting highly sensitive apps (financial, banking) on their phones that could be backdoored with root access.

There have been times when I really wished that I could OEM unlock my Android device without wiping but overall I think I sleep better knowing that my PIN isn't sufficient to extract all of its data.


> Making it easy to unlock could make it easy(er) for scammers to get it unlocked

Ahh, if only governments would start cracking down on scammers.

Alas, scammers are a feature of modern capitalism. You'd not be wrong if you thought modern businesses are built on scamming people.


Unlocking should require a physical modification, like soldering a jumper or flipping an internal switch requiring disassembly. That would filter out basically all scam victims. If a scammer can teach a complete novice how to do micro soldering, they've earned their pay.


The Chromebooks that require removing a single internal screw are a fairly civilized example of this approach (might be a little harder to execute in a phone).


Maybe requiring a PC connection, dev options enabled and ADB, high enough barrier?


The Prusa Mini required you to snap a part of the PCB off to flash custom firmware. I actually like this approach, you have to very deliberately break a part of it to signal that you know what you are doing.



