Imagine a pawn shop that loans money on cell phones. Now imagine someone comes in and pawns their phone. It still has service and all, but he thinks he will come back next week and redeem it. A few months pass and he never comes back. Now the phone is legally (the pawn contract says one must completely own the collateral, so carrier subsidies etc. shouldn't be a problem) the pawn shop's property. Mr. Defaulter calls the phone company and has the IMEI blocked. Now the pawn shop is out the money and owns a useless piece of metal and plastic.
I've seen this problem with phones, tablets, and even tasers. The company will not activate them if they've been reported lost or stolen. But "finders-keepers" is legal and people can lie about theft. Of course the company also has a second interest not to help create a used market. Just like encrypted firmware schemes, this erodes personal control over our property. The legal owner with physical control should be able to use the device. Period.
There are also concerns over government or corporate disablement. Aside from obvious government malice during e.g. protests, does anyone really think either the government or the phone company can run a blacklist without false positives? Obviously not. Nobody can when your population size is >300 million. And the customer service grunt is just following the rules when your device is disabled and he cannot re-enable it.
The argument for this law is that it will reduce thefts by making the phones worthless. I understand this. I just don't think that is worth losing control over our property and devices.
A simple answer is that the pawn shop should be careful about the contracts it takes. That is, if the owner will not or can not cede control of the IMEI, the phone isn't worth very much as collateral.
You're missing the part where the pawn shop, knowing people do stuff like this, will collect the Name / Phone # of the person pawning the cell phone and can call the authorities and get said person arrested.
This isn't a worthy argument. Pawning and selling your device is nothing new. There should be paperwork for all of this in case someone calls the phone company or wrongly claims it stolen.
Sounds like always-on DRM. The rich and the technologically adept will be unaffected, but another hammer will be available for our ambivalent rulers to manipulate normal people.
This shitty DRM better be opt-in.
Fined $2,500 for every device sold lacking this DRM? Only if there is a $2,500 refund for every device accidentally bricked.
I can see media companies loving this. Watching an unlicensed movie? Your phone is now bricked. Mission creep will be inevitable.
Hmm. What happens to this with jailbroken phones? I can see it going two ways:
- killswitch is in the OS, and can be removed by jailbreak. Good for user, but means you just have to jailbreak a stolen phone to recover it / prevent it being killed.
- killswitch is in the baseband, and cannot be removed. Uhoh.
There's already an easy way to do this (that I remember reading somewhere is already being done in Australia).
When a phone is reported stolen the carriers just need to blacklist the IMEI so it doesn't work - removes the incentive to steal devices. I don't remember where I originally read this (probably here), but the US carriers were not interested in doing this because they don't see stolen phones as a problem that hurts them (arguably it gives them more business).
IMEI blocking hasn't stopped phone thefts in Europe.
Possible reasons:
1. IMEI numbers can be changed.
2. Thief can still use phone for many hours until block.
3. Stolen phones can be shipped to countries that don't implement block.
4. A blocked phone can still be used to run apps, play games, make VOIP calls on wifi etc.
The Apple system seems much more sensible. You can't use an iPhone without the pincode, and even if you get that the owner can remotely lock the phone as soon as you connect it to any network. The way to avoid that used to be to wipe the phone and reinstall the OS, but now you can't do that without the Apple ID and password of the owner. I don't know if this has reduced iPhone thefts, but unless the thief has an exploit in Apple's security I don't see why anyone would steal an iPhone nowadays. I wish Android would implement something similar.
I lost my iphone some time back so when I called AT&T to report it, they kept on insisting me - please wait for few days as you may find it. They also told me once we report the phone as lost and block it using IMEI then this change can't be undone incase you find your phone then it can't be activated again. And, the block using IMEI does not work across carriers which means if its blocked in AT&T then the person carrying that lost phone can activate the phone on any other network like verizon, spring, t-mobile etc.
Carriers can maintain a centralised database to keep list of stolen phones and can also undo the change incase the owner finds it. They can also track the people who are calling using stolen phones but they dont do it. The best reason I can guess for not doing that is as you said - why they will do something which will hurt their own business
I have an idea, how about the government stay the hell away from my smartphone and let the free market decide what smartphones are theft-safe and which are not?
This is why computer science should be a required subject going forward, only individuals good at programming will be able to resist the tendrils, malware, viruses and government backdoor trojans trying to get inside us and instruct us what actions to perform today to fill other mens pockets with wealth whom we don't even know or care about.
Serious question, not rhetorical: Is there any precedent for forcing manufacturers to modify their product simply to prevent the product from getting stolen?
Cars and houses can have alarms, and customers decide whether they need them or not. We do not require that all cars and houses come equipped with them. Wallets can be attached to a chain or placed in the front pocket. We don't require that you can only purchase a wallet with a chain.
Unlike childrens' toys that require battery covers to be screwed shut, or cars that must have seatbelts, the theft of a device does not seem to be a public safety issue. Your decision to own an expensive phone and take it out of your pocket at the train station seems no more necessary of regulation than your decision to wear an expensive necklace.
I'm not necessarily defending the mandate, but maybe I can clarify the concept behind it.
It's not a case of legislators saying "it would be better to have less phone theft so let's try to reduce it this way" - instead it's more like, users want this, but don't have the bargaining power to compel the phone makers to build it in or the telcos to support it.
Without the mandate, the makers and telcos profit from theft: the stolen phone user (not necessarily the thief) pays phone charges, the victim has to buy a new phone, and thieves have a continuing incentive to steal them. With the mandate, the phones are less valuable to thieves (and to robbers - a personal-safety gain), and the telcos can't profit from the forced transfers.
Again, not saying it's a good or bad policy (can someone remote-kill my phone when I still have it?), but these are the considerations - a kind of market-failure correction.
It seems like every day I'm reading some new news article on how over bearing and strong handed California laws are. I used to hear people joke about moving out of California to a "free state" and never paid much attention to it but now I get it.
It must be nice to have no valuable skills to offer society yet still find employment as an authoritarian jackass dreaming up product features without doing the actual work or assuming any of the risk. If Leno wants to add features to cell phones, he should go work for those companies instead of using the Ring of Sauron to forcibly add a "kill switch" because he thought it was a good idea. And is reducing theft the real reason or just the ostensible one? Will this become an easy hook for govs to shut off phones?
Nice, a kill switch in every phone. When there’s a big demonstration/revolution we’re just gonna kill all the phones out there with a simple data packet.
From what I understand, the mechanisms for this law are already in place and aren't much of a problem; any Apple customer already has this with the "Activation Lock" feature, and any carrier can already deny service based on a blacklisted ESN. The proposed law, at least in spirit, would require carriers and phone makers to honor your request to make your device unusable when you report it as stolen. It isn't so much that the government is going to be making technology and forcing everyone else to use it -- it'll let the private tech industry do whatever it needs to do to comply with the proposed "please brick my stolen phone" law.
I can understand how handset vendors other than Apple would have a problem with this. For example, where is the "activation lock" setting stored and who controls it? The handset vendor (Samsung, LG, etc)? Google (since it's an Android phone)? The carrier? Who deals with the customer when the device is stolen? That level of coordination would be a mess to deal with if you don't already control most of the stack and user experience like Apple does.
There's a huge ethical problem with a vendor imposing limits on the relationship between a human being and their tools. Apple customers are self-selected for being okay with this.
>On Friday, State Senator Mark Leno of California, a Democrat, is expected to introduce legislation requiring all smartphones and tablets sold in the state to include this kind of feature.
This should be a required option, even if it's opt out. The consumer should be able to turn off this kind of remote authorisation over their device, even if it reduces the "herd immunity".
Killing core functionality goes a step beyond IMEI blacklisting, which can be circumvented by selling the phone outside the blacklisted jurisdictions. An IMEI-blacklisted phone is a phone with a reduced market. An effectively "killed" phone is worth its recycling rebate.
Why should it be required, exactly? If people want phones with anti-theft technology, they can buy phones with anti-theft technology. What this smells like to me is a government wanting to have the power to sever your communications at will.
Having the ability to remote-brick my phone is great if I want it, but someone else having the ability to remote-brick my phone is a frickin' huge liability.
If you live in the state of CA and think this bill is a bad idea, you can look up your representative senator and send them an email asking that they vote against the bill. http://findyourrep.legislature.ca.gov/
This is really needed. In New York, there is a problem of punk kids snatching iPhones and running. It is hard for the police to do anything about it, and these kids are fencing the phones for about $150, and they are likely shipped to out of the country where carrier blocks don't work.
For whatever reason, I have heard of a bunch of people that get their iPhones snatched, but never android phones.
The market for bad ESN phones is way too strong. A simple ebay search shows that bad a ESN iPhone 5 still fetches $250. Apple needs to drive down the value of bad ESN phones to near zero for the safety of their own customers.
How quickly do these 'punk kids' sell the phones on, though? And could a system to trigger the killswitch be responsive enough to trigger it before the phone's been sold? And if it were, could it ever hope to be sure of the facts in time to catch bad requests?
(1) Any advanced mobile communications device that is sold in California on or after January 1, 2015, shall include a technological solution that can render the essential features of the device inoperable when the device is not in the possession of the rightful owner. A technological solution may consist of software, hardware, or a combination of both software and hardware, but shall be able to withstand a hard reset. No advanced mobile communications device may be sold in California without the technological solution enabled.
(2) The rightful owner of an advanced mobile communications device may affirmatively elect to disable the technological solution after sale. However, the physical acts necessary to disable the technological solution may only be performed by the end-use consumer or a person specifically selected by the end-use consumer to disable the technological solution and shall not be physically performed by any retail seller of the advanced mobile communications device.
Hard reset is defined as "the restoration of an advanced mobile communications device to the state it was in when it left the factory, and refers to any act of returning a device to that state, including processes commonly termed a factory reset or master reset."
Some thoughts:
* There doesn't appear to be any requirement that the phone can be remotely disabled. One interpretation of this is that the only change from the status quo where practically every phone has a PIN is that the PIN withstand a hard reset.
* The hard reset definition is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.
* The fact that the kill switch can be disabled is encouraging.
* A lot would also depend on how determination of the "rightful owner" goes. That is, is it sufficient for someone who knows the PIN to be considered a "rightful owner"? This is fine 99% of the time, but there are obviously scenarios where that isn't true. If we wanted to take this to the other extreme, we might say this would require every seller and re-seller of mobile phones to check the ID of anyone buying a phone and to record this in some sort of master ownership index. Note that this would effectively outlaw burner phones.
Activation of the OS requiring network check-in similar to Apple's iOS would potentially be able to disable devices by blacklisting serial number / imei / meid.
It's worth noting that most carriers DO NOT blacklist all types of serial numbers burned into a device with a single serial number. There should be a requirement for a blacklist of one to also blacklist all others and that a carrier should be able to search by any of the serial type number.
Further if a device is legitimately recovered by the original owner, they should be able to unblacklist it.
Finally, carriers should cover return shipping and reactivate found blacklisted devices. There are many worthless blacklisted iOS devices on eBay, but neither Apple nor carriers will activate them nor return them to their owners.
>* The hard reset definition is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.
The way that I'm reading this, a limit to what a "hard reset" can be is being set by (1). It's saying: Any process that you have in order to return a phone to factory condition must not remove the ability for it to be remotely bricked by the State of California.
It's labeling whatever that process is as a "hard reset" but they only care about the we can still brick the phone part.
That is the diametric opposite of (2), though. Unless the "disabling of the technological solution" is expected to be through software.
In order to enforce (1) and (2), California is going to have to:
a) Start certifying operating systems, and approving of their solutions for the remote bricking disabler.
and
b) Implement the remote bricker in hardware.
This is actually a really scary bill.
edit: The "rightful owner" requirement could be interpreted as really hard to satisfy, especially combined with an inability for the "retail seller" to do it. That may mean that you have to get a code, connect to the manufacturer's server, etc. to get the app to disable the bricking chip unlocked or downloaded, and the additional security theater that would entail - and the bitrot that would happen for older model phones when you had to download it (after a "hard reset") and the manufacturer is either defunct or doesn't care anymore.
This bill has too many goodies for too many entrenched interests not to pass.
edit2: "Rightful owner" is really creeping me out. That might be seen as insuring that the State must be the one with the killswitch. Who can determine a rightful owner? It could be that you are the one who knows the PIN, or it could be that you file a police report, and they kill the phone from the station.
> * The hard reset definition is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.
Not really. This is, more or less, a fairly easy problem to solve: Upon first use and any subsequent hard resets, the device phones home to ask to be activated. On first use, the activation server replies with an unconditional 'YES'. Upon activation after a hard reset, the server goes 'Before I answer, can solve this challange' (PIN or username/password).
This is how Apple implemented Activation Lock on it's iOS devices and it's more or less uncrackable.
[+] [-] sdkmvx|12 years ago|reply
I've seen this problem with phones, tablets, and even tasers. The company will not activate them if they've been reported lost or stolen. But "finders-keepers" is legal and people can lie about theft. Of course the company also has a second interest not to help create a used market. Just like encrypted firmware schemes, this erodes personal control over our property. The legal owner with physical control should be able to use the device. Period.
There are also concerns over government or corporate disablement. Aside from obvious government malice during e.g. protests, does anyone really think either the government or the phone company can run a blacklist without false positives? Obviously not. Nobody can when your population size is >300 million. And the customer service grunt is just following the rules when your device is disabled and he cannot re-enable it.
The argument for this law is that it will reduce thefts by making the phones worthless. I understand this. I just don't think that is worth losing control over our property and devices.
[+] [-] ChuckMcM|12 years ago|reply
The interesting side effect will be that people will won't consider stealing a phone and pawning it as a viable way of getting some quick cash.
[+] [-] maxerickson|12 years ago|reply
[+] [-] manacit|12 years ago|reply
[+] [-] poopsintub|12 years ago|reply
[+] [-] ihsw|12 years ago|reply
This shitty DRM better be opt-in.
Fined $2,500 for every device sold lacking this DRM? Only if there is a $2,500 refund for every device accidentally bricked.
I can see media companies loving this. Watching an unlicensed movie? Your phone is now bricked. Mission creep will be inevitable.
[+] [-] pjc50|12 years ago|reply
- killswitch is in the OS, and can be removed by jailbreak. Good for user, but means you just have to jailbreak a stolen phone to recover it / prevent it being killed.
- killswitch is in the baseband, and cannot be removed. Uhoh.
[+] [-] gonehome|12 years ago|reply
When a phone is reported stolen the carriers just need to blacklist the IMEI so it doesn't work - removes the incentive to steal devices. I don't remember where I originally read this (probably here), but the US carriers were not interested in doing this because they don't see stolen phones as a problem that hurts them (arguably it gives them more business).
[+] [-] billyjobob|12 years ago|reply
Possible reasons:
1. IMEI numbers can be changed.
2. Thief can still use phone for many hours until block.
3. Stolen phones can be shipped to countries that don't implement block.
4. A blocked phone can still be used to run apps, play games, make VOIP calls on wifi etc.
The Apple system seems much more sensible. You can't use an iPhone without the pincode, and even if you get that the owner can remotely lock the phone as soon as you connect it to any network. The way to avoid that used to be to wipe the phone and reinstall the OS, but now you can't do that without the Apple ID and password of the owner. I don't know if this has reduced iPhone thefts, but unless the thief has an exploit in Apple's security I don't see why anyone would steal an iPhone nowadays. I wish Android would implement something similar.
[+] [-] jimktrains2|12 years ago|reply
[+] [-] mandeepj|12 years ago|reply
Carriers can maintain a centralised database to keep list of stolen phones and can also undo the change incase the owner finds it. They can also track the people who are calling using stolen phones but they dont do it. The best reason I can guess for not doing that is as you said - why they will do something which will hurt their own business
[+] [-] lazyant|12 years ago|reply
[+] [-] sentientmachine|12 years ago|reply
This is why computer science should be a required subject going forward, only individuals good at programming will be able to resist the tendrils, malware, viruses and government backdoor trojans trying to get inside us and instruct us what actions to perform today to fill other mens pockets with wealth whom we don't even know or care about.
[+] [-] aasarava|12 years ago|reply
Cars and houses can have alarms, and customers decide whether they need them or not. We do not require that all cars and houses come equipped with them. Wallets can be attached to a chain or placed in the front pocket. We don't require that you can only purchase a wallet with a chain.
Unlike childrens' toys that require battery covers to be screwed shut, or cars that must have seatbelts, the theft of a device does not seem to be a public safety issue. Your decision to own an expensive phone and take it out of your pocket at the train station seems no more necessary of regulation than your decision to wear an expensive necklace.
[+] [-] ds9|12 years ago|reply
It's not a case of legislators saying "it would be better to have less phone theft so let's try to reduce it this way" - instead it's more like, users want this, but don't have the bargaining power to compel the phone makers to build it in or the telcos to support it.
Without the mandate, the makers and telcos profit from theft: the stolen phone user (not necessarily the thief) pays phone charges, the victim has to buy a new phone, and thieves have a continuing incentive to steal them. With the mandate, the phones are less valuable to thieves (and to robbers - a personal-safety gain), and the telcos can't profit from the forced transfers.
Again, not saying it's a good or bad policy (can someone remote-kill my phone when I still have it?), but these are the considerations - a kind of market-failure correction.
[+] [-] BryanB55|12 years ago|reply
[+] [-] ahallock|12 years ago|reply
[+] [-] kirab|12 years ago|reply
[+] [-] oftenwrong|12 years ago|reply
[+] [-] revscat|12 years ago|reply
[+] [-] clinton_sf|12 years ago|reply
I can understand how handset vendors other than Apple would have a problem with this. For example, where is the "activation lock" setting stored and who controls it? The handset vendor (Samsung, LG, etc)? Google (since it's an Android phone)? The carrier? Who deals with the customer when the device is stolen? That level of coordination would be a mess to deal with if you don't already control most of the stack and user experience like Apple does.
As a side note, Apple already does this with Mac hardware too: https://discussions.apple.com/message/19010713 .
[+] [-] prodigal_erik|12 years ago|reply
[+] [-] JumpCrisscross|12 years ago|reply
This should be a required option, even if it's opt out. The consumer should be able to turn off this kind of remote authorisation over their device, even if it reduces the "herd immunity".
Killing core functionality goes a step beyond IMEI blacklisting, which can be circumvented by selling the phone outside the blacklisted jurisdictions. An IMEI-blacklisted phone is a phone with a reduced market. An effectively "killed" phone is worth its recycling rebate.
[+] [-] cheald|12 years ago|reply
Having the ability to remote-brick my phone is great if I want it, but someone else having the ability to remote-brick my phone is a frickin' huge liability.
[+] [-] droopybuns|12 years ago|reply
There are bad ideas, and then there ideas that only a legislator would advocate.
[+] [-] unclebucknasty|12 years ago|reply
Governments seem increasingly interested in accessing and controlling our phones.
[1] http://en.wikipedia.org/wiki/Personal_Localized_Alerting_Net...
[+] [-] thrillgore|12 years ago|reply
[+] [-] ryanjshaw|12 years ago|reply
[+] [-] aasarava|12 years ago|reply
[+] [-] jcampbell1|12 years ago|reply
For whatever reason, I have heard of a bunch of people that get their iPhones snatched, but never android phones.
The market for bad ESN phones is way too strong. A simple ebay search shows that bad a ESN iPhone 5 still fetches $250. Apple needs to drive down the value of bad ESN phones to near zero for the safety of their own customers.
[+] [-] eponeponepon|12 years ago|reply
[+] [-] pera|12 years ago|reply
You should immediately call your representatives to stop this.
[+] [-] snake_plissken|12 years ago|reply
[+] [-] andrewfong|12 years ago|reply
Actual draft of the bill is here: http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?...
Relevant portions:
(1) Any advanced mobile communications device that is sold in California on or after January 1, 2015, shall include a technological solution that can render the essential features of the device inoperable when the device is not in the possession of the rightful owner. A technological solution may consist of software, hardware, or a combination of both software and hardware, but shall be able to withstand a hard reset. No advanced mobile communications device may be sold in California without the technological solution enabled.
(2) The rightful owner of an advanced mobile communications device may affirmatively elect to disable the technological solution after sale. However, the physical acts necessary to disable the technological solution may only be performed by the end-use consumer or a person specifically selected by the end-use consumer to disable the technological solution and shall not be physically performed by any retail seller of the advanced mobile communications device.
Hard reset is defined as "the restoration of an advanced mobile communications device to the state it was in when it left the factory, and refers to any act of returning a device to that state, including processes commonly termed a factory reset or master reset."
Some thoughts:
* There doesn't appear to be any requirement that the phone can be remotely disabled. One interpretation of this is that the only change from the status quo where practically every phone has a PIN is that the PIN withstand a hard reset.
* The hard reset definition is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.
* The fact that the kill switch can be disabled is encouraging.
* A lot would also depend on how determination of the "rightful owner" goes. That is, is it sufficient for someone who knows the PIN to be considered a "rightful owner"? This is fine 99% of the time, but there are obviously scenarios where that isn't true. If we wanted to take this to the other extreme, we might say this would require every seller and re-seller of mobile phones to check the ID of anyone buying a phone and to record this in some sort of master ownership index. Note that this would effectively outlaw burner phones.
[+] [-] ballard|12 years ago|reply
It's worth noting that most carriers DO NOT blacklist all types of serial numbers burned into a device with a single serial number. There should be a requirement for a blacklist of one to also blacklist all others and that a carrier should be able to search by any of the serial type number.
Further if a device is legitimately recovered by the original owner, they should be able to unblacklist it.
Finally, carriers should cover return shipping and reactivate found blacklisted devices. There are many worthless blacklisted iOS devices on eBay, but neither Apple nor carriers will activate them nor return them to their owners.
[+] [-] pessimizer|12 years ago|reply
The way that I'm reading this, a limit to what a "hard reset" can be is being set by (1). It's saying: Any process that you have in order to return a phone to factory condition must not remove the ability for it to be remotely bricked by the State of California.
It's labeling whatever that process is as a "hard reset" but they only care about the we can still brick the phone part.
That is the diametric opposite of (2), though. Unless the "disabling of the technological solution" is expected to be through software.
In order to enforce (1) and (2), California is going to have to:
a) Start certifying operating systems, and approving of their solutions for the remote bricking disabler.
and
b) Implement the remote bricker in hardware.
This is actually a really scary bill.
edit: The "rightful owner" requirement could be interpreted as really hard to satisfy, especially combined with an inability for the "retail seller" to do it. That may mean that you have to get a code, connect to the manufacturer's server, etc. to get the app to disable the bricking chip unlocked or downloaded, and the additional security theater that would entail - and the bitrot that would happen for older model phones when you had to download it (after a "hard reset") and the manufacturer is either defunct or doesn't care anymore.
This bill has too many goodies for too many entrenched interests not to pass.
edit2: "Rightful owner" is really creeping me out. That might be seen as insuring that the State must be the one with the killswitch. Who can determine a rightful owner? It could be that you are the one who knows the PIN, or it could be that you file a police report, and they kill the phone from the station.
[+] [-] madeofpalk|12 years ago|reply
Not really. This is, more or less, a fairly easy problem to solve: Upon first use and any subsequent hard resets, the device phones home to ask to be activated. On first use, the activation server replies with an unconditional 'YES'. Upon activation after a hard reset, the server goes 'Before I answer, can solve this challange' (PIN or username/password).
This is how Apple implemented Activation Lock on it's iOS devices and it's more or less uncrackable.
[+] [-] ciderpunx|12 years ago|reply
* Why won't someone will figure out how to trigger the phone kill switch and start wandering round SF killing people's phones at will?
* Why won't the state/NSA/whoever kill the phones of its enemies (diplomats, foreign business people, "subversives")?
* and so on.
[+] [-] judk|12 years ago|reply