I've seen this problem with phones, tablets, and even tasers. The company will not activate them if they've been reported lost or stolen. But "finders-keepers" is legal and people can lie about theft. Of course the company also has a second interest not to help create a used market. Just like encrypted firmware schemes, this erodes personal control over our property. The legal owner with physical control should be able to use the device. Period.
There are also concerns over government or corporate disablement. Aside from obvious government malice during e.g. protests, does anyone really think either the government or the phone company can run a blacklist without false positives? Obviously not. Nobody can when your population size is >300 million. And the customer service grunt is just following the rules when your device is disabled and he cannot re-enable it.
The argument for this law is that it will reduce thefts by making the phones worthless. I understand this. I just don't think that is worth losing control over our property and devices.
The interesting side effect will be that people won't consider stealing a phone and pawning it as a viable way of getting some quick cash.
This shitty DRM better be opt-in.
Fined $2,500 for every device sold lacking this DRM? Only if there is a $2,500 refund for every device accidentally bricked.
I can see media companies loving this. Watching an unlicensed movie? Your phone is now bricked. Mission creep will be inevitable.
- killswitch is in the OS, and can be removed by jailbreak. Good for user, but means you just have to jailbreak a stolen phone to recover it / prevent it being killed.
- killswitch is in the baseband, and cannot be removed. Uhoh.
Despite noble intentions, anti-theft DRM is actually the worst kind there is. It is impossible* to differentiate between a thief in possession of your phone, and you in possession of a company's phone that they're considering you renting.
If this becomes reality, it's yet another bullet point for getting a separate MiFi + actual computing device next time I'm forced to upgrade. That's the only way of regaining the concept of a service demarcation point.
(* unless every device is given a different root key, and the owner actually manages the corresponding private key. Given the usability issues, this will never happen in a commercial design.)
End result: either the phone stays blocked or you end up with a crippled, limited-usage device that can't use many of the services that you'd expect it to (app store, etc). Re-sale value would plummet.
It would work with Android too. Stolen phones (that are reported to Google) could refuse to use the play store or accept a gmail account.
When a phone is reported stolen the carriers just need to blacklist the IMEI so it doesn't work - removes the incentive to steal devices. I don't remember where I originally read this (probably here), but the US carriers were not interested in doing this because they don't see stolen phones as a problem that hurts them (arguably it gives them more business).
Possible reasons:
1. IMEI numbers can be changed.
2. Thief can still use phone for many hours until block.
3. Stolen phones can be shipped to countries that don't implement block.
4. A blocked phone can still be used to run apps, play games, make VOIP calls on wifi etc.
The Apple system seems much more sensible. You can't use an iPhone without the pincode, and even if you get that the owner can remotely lock the phone as soon as you connect it to any network. The way to avoid that used to be to wipe the phone and reinstall the OS, but now you can't do that without the Apple ID and password of the owner. I don't know if this has reduced iPhone thefts, but unless the thief has an exploit in Apple's security I don't see why anyone would steal an iPhone nowadays. I wish Android would implement something similar.
- steal phone
- break phone
- return to Apple store for warranty replacement (minor social engineering may be required here)

Thief gets a working phone with a different IMEI. The worst part is, the friend of mine who this happened to found out about it because it invalidated her theft insurance.
Carriers can maintain a centralised database to keep list of stolen phones and can also undo the change in case the owner finds it. They can also track the people who are calling using stolen phones but they don't do it. The best reason I can guess for not doing that is as you said - why they will do something which will hurt their own business.
This is why computer science should be a required subject going forward, only individuals good at programming will be able to resist the tendrils, malware, viruses and government backdoor trojans trying to get inside us and instruct us what actions to perform today to fill other men's pockets with wealth whom we don't even know or care about.
Cars and houses can have alarms, and customers decide whether they need them or not. We do not require that all cars and houses come equipped with them. Wallets can be attached to a chain or placed in the front pocket. We don't require that you can only purchase a wallet with a chain.
Unlike children's toys that require battery covers to be screwed shut, or cars that must have seatbelts, the theft of a device does not seem to be a public safety issue. Your decision to own an expensive phone and take it out of your pocket at the train station seems no more necessary of regulation than your decision to wear an expensive necklace.
It's not a case of legislators saying "it would be better to have less phone theft so let's try to reduce it this way" - instead it's more like, users want this, but don't have the bargaining power to compel the phone makers to build it in or the telcos to support it.
Without the mandate, the makers and telcos profit from theft: the stolen phone user (not necessarily the thief) pays phone charges, the victim has to buy a new phone, and thieves have a continuing incentive to steal them. With the mandate, the phones are less valuable to thieves (and to robbers - a personal-safety gain), and the telcos can't profit from the forced transfers.
Again, not saying it's a good or bad policy (can someone remote-kill my phone when I still have it?), but these are the considerations - a kind of market-failure correction.
I am sick of reasoning like this. The purpose of government is to preserve your freedom to do something. If some users want something and cannot arrange it themselves, then they may just not be able to get it. It is not the government's place to mandate that everyone gets what some people want. That goes against personal freedom. It is certainly the government's place to punish thieves---a person who deprives another of their freedom to control their property. The government should not mandate certain ways of arranging private (between a person and the phone company) affairs.
But we can counter that it's specious to claim customers are clamoring for this but not getting anywhere with manufacturers. Apple's Find my Phone feature is already one step toward addressing this issue, and there are a handful of third-party apps on the market that do similar things. These market solutions will continue to get better over time if they're popular.
And of course, there's the question of why it's the manufacturers' responsibility to address theft in the first place. Jewelers aren't required to engrave and register all their necklaces.
I can understand how handset vendors other than Apple would have a problem with this. For example, where is the "activation lock" setting stored and who controls it? The handset vendor (Samsung, LG, etc)? Google (since it's an Android phone)? The carrier? Who deals with the customer when the device is stolen? That level of coordination would be a mess to deal with if you don't already control most of the stack and user experience like Apple does.
As a side note, Apple already does this with Mac hardware too: https://discussions.apple.com/message/19010713 .
This should be a required option, even if it's opt out. The consumer should be able to turn off this kind of remote authorisation over their device, even if it reduces the "herd immunity".
Killing core functionality goes a step beyond IMEI blacklisting, which can be circumvented by selling the phone outside the blacklisted jurisdictions. An IMEI-blacklisted phone is a phone with a reduced market. An effectively "killed" phone is worth its recycling rebate.
Having the ability to remote-brick my phone is great if I want it, but someone else having the ability to remote-brick my phone is a frickin' huge liability.
There are bad ideas, and then there are ideas that only a legislator would advocate.
Governments seem increasingly interested in accessing and controlling our phones.
[1] http://en.wikipedia.org/wiki/Personal_Localized_Alerting_Net...
For whatever reason, I have heard of a bunch of people that get their iPhones snatched, but never android phones.
The market for bad ESN phones is way too strong. A simple eBay search shows that a bad ESN iPhone 5 still fetches $250. Apple needs to drive down the value of bad ESN phones to near zero for the safety of their own customers.
You should immediately call your representatives to stop this.
Actual draft of the bill is here: http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?...
Relevant portions:
(1) Any advanced mobile communications device that is sold in California on or after January 1, 2015, shall include a technological solution that can render the essential features of the device inoperable when the device is not in the possession of the rightful owner. A technological solution may consist of software, hardware, or a combination of both software and hardware, but shall be able to withstand a hard reset. No advanced mobile communications device may be sold in California without the technological solution enabled.
(2) The rightful owner of an advanced mobile communications device may affirmatively elect to disable the technological solution after sale. However, the physical acts necessary to disable the technological solution may only be performed by the end-use consumer or a person specifically selected by the end-use consumer to disable the technological solution and shall not be physically performed by any retail seller of the advanced mobile communications device.
Hard reset is defined as "the restoration of an advanced mobile communications device to the state it was in when it left the factory, and refers to any act of returning a device to that state, including processes commonly termed a factory reset or master reset."
Some thoughts:
* There doesn't appear to be any requirement that the phone can be remotely disabled. One interpretation of this is that the only change from the status quo where practically every phone has a PIN is that the PIN withstand a hard reset.
* The hard reset definition is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.
* The fact that the kill switch can be disabled is encouraging.
* A lot would also depend on how determination of the "rightful owner" goes. That is, is it sufficient for someone who knows the PIN to be considered a "rightful owner"? This is fine 99% of the time, but there are obviously scenarios where that isn't true. If we wanted to take this to the other extreme, we might say this would require every seller and re-seller of mobile phones to check the ID of anyone buying a phone and to record this in some sort of master ownership index. Note that this would effectively outlaw burner phones.
It's worth noting that most carriers DO NOT blacklist all types of serial numbers burned into a device with a single serial number. There should be a requirement for a blacklist of one to also blacklist all others and that a carrier should be able to search by any of the serial type number.
Further if a device is legitimately recovered by the original owner, they should be able to unblacklist it.
Finally, carriers should cover return shipping and reactivate found blacklisted devices. There are many worthless blacklisted iOS devices on eBay, but neither Apple nor carriers will activate them nor return them to their owners.
The way that I'm reading this, a limit to what a "hard reset" can be is being set by (1). It's saying: Any process that you have in order to return a phone to factory condition must not remove the ability for it to be remotely bricked by the State of California.
It's labeling whatever that process is as a "hard reset" but they only care about the "we can still brick the phone" part.
That is the diametric opposite of (2), though. Unless the "disabling of the technological solution" is expected to be through software.
In order to enforce (1) and (2), California is going to have to:
a) Start certifying operating systems, and approving of their solutions for the remote bricking disabler.
and
b) Implement the remote bricker in hardware.
This is actually a really scary bill.
edit: The "rightful owner" requirement could be interpreted as really hard to satisfy, especially combined with an inability for the "retail seller" to do it. That may mean that you have to get a code, connect to the manufacturer's server, etc. to get the app to disable the bricking chip unlocked or downloaded, and the additional security theater that would entail - and the bitrot that would happen for older model phones when you had to download it (after a "hard reset") and the manufacturer is either defunct or doesn't care anymore.
This bill has too many goodies for too many entrenched interests not to pass.
edit2: "Rightful owner" is really creeping me out. That might be seen as ensuring that the State must be the one with the killswitch. Who can determine a rightful owner? It could be that you are the one who knows the PIN, or it could be that you file a police report, and they kill the phone from the station.
Not really. This is, more or less, a fairly easy problem to solve: Upon first use and any subsequent hard resets, the device phones home to ask to be activated. On first use, the activation server replies with an unconditional 'YES'. Upon activation after a hard reset, the server goes 'Before I answer, can you solve this challenge?' (PIN or username/password).
This is how Apple implemented Activation Lock on its iOS devices and it's more or less uncrackable.
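The activation flow described in the comment above, as an added example that is not part of the original thread and is not Apple's implementation. The class name `ActivationServer`, its methods, the reply strings and the sample serial are assumptions made for illustration; the `release` method models the owner opt-out that the bill text quoted elsewhere in the thread requires.

```python
import hashlib
import hmac
import os


class ActivationServer:
    """Hypothetical server: lock state lives here, so wiping the handset cannot clear it."""

    def __init__(self):
        self._locks = {}  # serial -> (salt, PBKDF2 hash of the owner's secret)

    @staticmethod
    def _derive(secret, salt):
        # Slow, salted hash so a leaked table does not expose PINs directly.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def _matches(self, serial, secret):
        salt, expected = self._locks[serial]
        # Constant-time comparison avoids leaking how much of the hash matched.
        return hmac.compare_digest(self._derive(secret, salt), expected)

    def activate(self, serial, secret=None):
        """Called by the device on first use and after every hard reset."""
        if serial not in self._locks:
            return "YES"        # first use, or the owner released the lock
        if secret is None:
            return "CHALLENGE"  # bound device: ask for PIN or password
        return "YES" if self._matches(serial, secret) else "NO"

    def bind_owner(self, serial, secret):
        """Owner enrols after first activation; a bound device cannot be re-bound."""
        if serial in self._locks:
            raise PermissionError("already bound; release it first")
        salt = os.urandom(16)
        self._locks[serial] = (salt, self._derive(secret, salt))

    def release(self, serial, secret):
        """Owner opt-out: only the bound secret removes the lock."""
        if serial in self._locks and self._matches(serial, secret):
            del self._locks[serial]
            return True
        return False


def demo():
    server = ActivationServer()
    serial = "CONSTRUCTED-SERIAL-001"            # constructed sample value
    replies = [server.activate(serial)]          # first use out of the box
    server.bind_owner(serial, "owner-passphrase")
    replies.append(server.activate(serial))      # boot after a hard reset
    replies.append(server.activate(serial, "wrong-guess"))
    replies.append(server.activate(serial, "owner-passphrase"))
    return replies


if __name__ == "__main__":
    print(demo())
```
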
* Why won't someone figure out how to trigger the phone kill switch and start wandering round SF killing people's phones at will?
* Why won't the state/NSA/whoever kill the phones of its enemies (diplomats, foreign business people, "subversives")?
* and so on.
I just wrote a blog post about it: (https://news.ycombinator.com/item?id=7198054)
This bill would be a great accompaniment to the next minimum wage increase.
Armed robbers are aware that many (most?) people of even modest means are carrying around devices that, once stolen by force, can be sold (probably to a fencing operation) for a few hundred bucks.
The ability to render smartphones worthless if stolen would go a long way toward reducing the incentive to commit these particular robberies, which constitute a large part of the recent increase in California's armed robbery (and by implication violent crime) rate.
Recently in the Bay Area, where I live, an armed robber held up several people at once, and took all the phones ... except a feature phone.
EDIT: wording.
Kill switches are never the right choice to solve this. Once this technology exists and is widespread (as the article points out, manufacturers are unlikely to maintain two models, with and without this unless legally required), what stops oppressive countries from using this feature to disable the phones of people legitimately protesting like those in the Ukraine right now?
...who will then administer a full-body pat-down. You know, for good measure.
I was really taken aback to have purchased a device in a sealed box when someone had already cloned the IMEI. (Or maybe T-Mobile's setup is just really buggy...)
I was fortunately able to return it and get a new phone, worked fine.
But if I could fix that problem, maybe stolen phones will just get laundered through returns that way. (ie, buy a new phone, return the stolen one as defective).
Thieves can use different parts of the phone that would not be affected by a kill switch, batteries, screen, ...
What they really need is to turn on the GPS, find where the phone is and start arresting folk.
You really want to give the government permission to remotely enable GPS?
@wehadfun, I like the general concept of identifying and taking action against the bad actors, but there are two flaws in your plan.
(a) Most of the users of stolen phones are not the thieves, they're secondary buyers. And amongst them, how do you propose to distinguish knowing buyers of stolen goods from innocent purchasers? Maybe in some cases the circumstances are suspicious, but what if you buy from someone on craigslist with a reasonable story and pay a market price?
(b) While in theory it's possible to trace back to the thief, in practice police don't have the resources to do the necessary investigation when the value is only a few hundred dollars. In many jurisdictions they won't even send an officer unless someone is bleeding.