103 comments

[ 2.6 ms ] story [ 164 ms ] thread
This seems like a bad idea.

* Why won't someone will figure out how to trigger the phone kill switch and start wandering round SF killing people's phones at will?

* Why won't the state/NSA/whoever kill the phones of its enemies (diplomats, foreign business people, "subversives")?

* and so on.

If this such a risk, Why hasn't this happened yet? Corporate phones all have remote kill switches, and are high value targets of harassment.
2007: If sub-prime loans were really a problem, why hasn't the market crashed yet?

2008: Oh.

Nice, a kill switch in every phone. When there’s a big demonstration/revolution we’re just gonna kill all the phones out there with a simple data packet.
It would be a dumb idea to take your device to a revolution in the first place.
As a Ukrainian, who has seen that smartphones, especially used by citizen streamers, are extremely important for a revolution, I can assure that you are wrong.
Bump this n times.

I love it when activists get blamed for doing it wrong, where 'it' basically boils out to 'trying'.

Information, organization, and gathering evidence are fundamental to human rights, let alone to a revolution. Authoritarians naturally wish to ensure it becomes a "dumb idea."
For revolutionaries to assume they can rely on a system that authoritarians control is inherently a dumb idea, and the lack of any good alternatives doesn't change that.
The authoritarians control the streets. Where exactly are you going to go in an authoritarian system where you won't have to rely on something under authoritarian control? The authoritarians control you, that's why you're in the streets.
Yes, of course.

One should assume nothing. However, an even dumber idea is to advocate for a system to have more control, actively or by remaining silent, and then later stew in fatalism to the point of thinking that using a smartphone in a revolution is "dumb."

If carriers and oems can't prevent rooting or custom roms, why would they be able to prevent unauthorized locking of phones?

There are bad ideas, and then there ideas that only a legislator would advocate.

Don't forget batteries. They're very valuable to thieves too. Maybe the killswitch can make them explode.
"We're from the government, and we're here to help."
I have an idea, how about the government stay the hell away from my smartphone and let the free market decide what smartphones are theft-safe and which are not?

This is why computer science should be a required subject going forward, only individuals good at programming will be able to resist the tendrils, malware, viruses and government backdoor trojans trying to get inside us and instruct us what actions to perform today to fill other mens pockets with wealth whom we don't even know or care about.

Once there's a device kill switch in place, it will be available for anyone with a court order. Think RIAA, MPAA... organizations that support DRM must love this idea.
Or better yet, every time you need to make a phone call, your ownership of the phone will be verified on-site by a blue-gloved agent of the state...

...who will then administer a full-body pat-down. You know, for good measure.

It seems like every day I'm reading some new news article on how over bearing and strong handed California laws are. I used to hear people joke about moving out of California to a "free state" and never paid much attention to it but now I get it.
Every time I read "anti-theft technology" I get chills..

You should immediately call your representatives to stop this.

No. Too many opportunities for abuse.
I thought this was already being done via IMEI blocking.
There's already an easy way to do this (that I remember reading somewhere is already being done in Australia).

When a phone is reported stolen the carriers just need to blacklist the IMEI so it doesn't work - removes the incentive to steal devices. I don't remember where I originally read this (probably here), but the US carriers were not interested in doing this because they don't see stolen phones as a problem that hurts them (arguably it gives them more business).

We can do that in the US too. I don't believe there is coöperation between international carriers, though.
You're probably right - I think that's more valuable to coordinate rather than a mandatory kill switch.
But how? I can't see any realistic chance of a broad international agreement. Remember that it works both ways, too. What would you do if your phone stopped working because a telecoms company in (say) Nigeria accidentally asserted that your IMEI was stolen?

Saying "wouldn't it be great if the world could co-ordinate" is not the answer as it isn't realistic. It's avoiding the problem and the need to come up with practical solutions. Or even an honest "it can't be done" answer.

That makes sense - an earlier response to my comment about how apple handles things with user PINs is probably a better approach.
Surely carrier A wouldn't let carrier B be able to block an imei belonging to their customers. If carrier B did block it though, you, customer of carrier A, wouldn't be able to roam in the network of carrier B - but still work fine in your home network of carrier A.

However, that results in carriers needing to assert ownership over an imei, which would be come quite a mess - so it very well could not be done.

I do believe national blacklisting registers of imeis, as already done for many years in certain european countries is much better than not doing it though.

This and the fact that they can sell phones for a fortune (~retail price) in emergent markets, instead of local black market prices (30%) means robbers will organize shipping lots of phones overseas. That's what happens in France already.
IMEI blocking hasn't stopped phone thefts in Europe.

Possible reasons:

1. IMEI numbers can be changed.

2. Thief can still use phone for many hours until block.

3. Stolen phones can be shipped to countries that don't implement block.

4. A blocked phone can still be used to run apps, play games, make VOIP calls on wifi etc.

The Apple system seems much more sensible. You can't use an iPhone without the pincode, and even if you get that the owner can remotely lock the phone as soon as you connect it to any network. The way to avoid that used to be to wipe the phone and reinstall the OS, but now you can't do that without the Apple ID and password of the owner. I don't know if this has reduced iPhone thefts, but unless the thief has an exploit in Apple's security I don't see why anyone would steal an iPhone nowadays. I wish Android would implement something similar.

Phones will still be stolen for spare parts.
Apple theft exploit:

- steal phone - break phone - return to Apple store for warranty replacement (minor social engineering may be required here)

Theif gets a working phone with a different IMEI. The worst part is, the friend of mine who this happened to found out about it because it invalidated her theft insurance.

While that exploit may work - it doesn't scale too well.
5. The stolen phone can be sold to a hapless buyer shortly after it is stolen, before the theft is realized or reported and therefore before the IMEI is blocked.
aren't we doing this in Canada?
I lost my iphone some time back so when I called AT&T to report it, they kept on insisting me - please wait for few days as you may find it. They also told me once we report the phone as lost and block it using IMEI then this change can't be undone incase you find your phone then it can't be activated again. And, the block using IMEI does not work across carriers which means if its blocked in AT&T then the person carrying that lost phone can activate the phone on any other network like verizon, spring, t-mobile etc.

Carriers can maintain a centralised database to keep list of stolen phones and can also undo the change incase the owner finds it. They can also track the people who are calling using stolen phones but they dont do it. The best reason I can guess for not doing that is as you said - why they will do something which will hurt their own business

That situation seems a bit poorly implemented to me. The irreversible block only applies to AT&T's network, and is under AT&T's control... Wouldn't it make sense for AT&T to simply place the IMEI on watch, so that the next time AT&T's network sees it come online, an "alert" is triggered and AT&T can contact the owner to confirm whether or not it's in their possession?
Yes, they should have this feature but I don't know what is holding them from it
And in tonight's segment of "Shit we didn't need or could do ourselves, but the state insists it be mandatory..."
Sounds like always-on DRM. The rich and the technologically adept will be unaffected, but another hammer will be available for our ambivalent rulers to manipulate normal people.

This shitty DRM better be opt-in.

Fined $2,500 for every device sold lacking this DRM? Only if there is a $2,500 refund for every device accidentally bricked.

I can see media companies loving this. Watching an unlicensed movie? Your phone is now bricked. Mission creep will be inevitable.

Hmm. What happens to this with jailbroken phones? I can see it going two ways:

- killswitch is in the OS, and can be removed by jailbreak. Good for user, but means you just have to jailbreak a stolen phone to recover it / prevent it being killed.

- killswitch is in the baseband, and cannot be removed. Uhoh.

- killswitch prevents phone from being "jailbroken", as the only way this "feature" can work (beyond current IMEI blacklisting) is with "trusted" computing and a non-user-modifiable trust root. Regardless of the placating mention of "opting out", the possibility to really opt out cannot exist, as it would render the whole system useless.

Despite noble intentions, anti-theft DRM is actually the worst kind there is. It is impossible* to differentiate between a thief in possession of your phone, and you in possession of a company's phone that they're considering you renting.

If this becomes reality, it's yet another bullet point for getting a separate MiFi + actual computing device next time I'm forced to upgrade. That's the only way of regaining the concept of a service demarcation point.

(* unless every device is given a different root key, and the owner actually manages the corresponding private key. given the usability issues, this will never happen in a commercial design).

3rd way: Kill-switch is OS-based. e.g. you tell Apple that your iPhone has been stolen. You give them the serial/IMEI, (or they can match up the device based upon your itunes account). If someone wipes the phone through an exploit or jailbreak, the device is still practically useless as whenever it needs to communicate with an apple service, apple sends back a 'you are stolen' message and the phone locks up again.

End result: either the phone stays blocked or you end up with a crippled, limited-usage device that can't use many of the services that you'd expect it to (app store, etc). Re-sale value would plummet.

It would work with Android too. Stolen phones (that are reported to Google) could refuse to use the play store or accept a gmail account.

You can load your own OS on Android, so this would be pretty easy to bypass. The baseband firmware isn't immutable either, just harder to modify.
It's all very well to say that smartphone thefts are "reaching an all-time high", but what is smartphone ownership doing? I doubt it's reached saturation yet, and one would imagine that thefts would increase in line with units owned...
Doesn't the IMEI on GSM and the MEID on newer CDMA phones already solve the problem of stolen phones, and we just don't use this functionality?
This is really needed. In New York, there is a problem of punk kids snatching iPhones and running. It is hard for the police to do anything about it, and these kids are fencing the phones for about $150, and they are likely shipped to out of the country where carrier blocks don't work.

For whatever reason, I have heard of a bunch of people that get their iPhones snatched, but never android phones.

The market for bad ESN phones is way too strong. A simple ebay search shows that bad a ESN iPhone 5 still fetches $250. Apple needs to drive down the value of bad ESN phones to near zero for the safety of their own customers.

How quickly do these 'punk kids' sell the phones on, though? And could a system to trigger the killswitch be responsive enough to trigger it before the phone's been sold? And if it were, could it ever hope to be sure of the facts in time to catch bad requests?
I am sure they power off the phones almost immediately. I actually don't think a legislative solution is the right process. I think Apple should address the problem for the benefit of their own customers. Maybe they need to investigate this and work with Interpol.
How can California do this? Interstate commerce clause and all that.
CA can require that every phone sold in their state must have it. Since it's easier not to have multiple models, until another state makes it illegal to have it, the models sold in other state will have it by default.
>On Friday, State Senator Mark Leno of California, a Democrat, is expected to introduce legislation requiring all smartphones and tablets sold in the state to include this kind of feature.

This should be a required option, even if it's opt out. The consumer should be able to turn off this kind of remote authorisation over their device, even if it reduces the "herd immunity".

Killing core functionality goes a step beyond IMEI blacklisting, which can be circumvented by selling the phone outside the blacklisted jurisdictions. An IMEI-blacklisted phone is a phone with a reduced market. An effectively "killed" phone is worth its recycling rebate.

Why should it be required, exactly? If people want phones with anti-theft technology, they can buy phones with anti-theft technology. What this smells like to me is a government wanting to have the power to sever your communications at will.

Having the ability to remote-brick my phone is great if I want it, but someone else having the ability to remote-brick my phone is a frickin' huge liability.

Exactly! California can go F itself. They should not be legislating this crap.
They've been unable to mind their own business for decades now. They legislated the forced use of fire-proofing chemicals in mattresses, couches, & cushions in all furniture sold in California and years later scientists discovered those chemicals are harmful hormone disruptors and don't even realistically prevent fire in real world situations. Furniture companies can't create 2 different SKUs of furniture (one without the chemicals and one with) so they just included fire retardants into all their furniture by default. All the USA has now been affected with hormone disrupting fire retardants all because one state's puppet master legislators want to enforce their enlightenment on everyone.
And people who willfully confuse a couple dopey activist legislators from the state's goofiest city with the entire state can...what you said. Also, none of that hate for NYC, or did you not bother to read that this BS is coming from both states, or more precisely, from a few dumb legislators based in the most full-of-themselves cities in the country, backed by politicians in law enforcement uniforms who can't stop crime, so they advocate putting the burden elsewhere?
> And people who willfully confuse a couple dopey activist legislators from the state's goofiest city with the entire state can

We're talking about a state legislature and governor which did in fact just ban lead bullets, a state legislature and governor elected by the entire state.

From what I understand, the mechanisms for this law are already in place and aren't much of a problem; any Apple customer already has this with the "Activation Lock" feature, and any carrier can already deny service based on a blacklisted ESN. The proposed law, at least in spirit, would require carriers and phone makers to honor your request to make your device unusable when you report it as stolen. It isn't so much that the government is going to be making technology and forcing everyone else to use it -- it'll let the private tech industry do whatever it needs to do to comply with the proposed "please brick my stolen phone" law.

I can understand how handset vendors other than Apple would have a problem with this. For example, where is the "activation lock" setting stored and who controls it? The handset vendor (Samsung, LG, etc)? Google (since it's an Android phone)? The carrier? Who deals with the customer when the device is stolen? That level of coordination would be a mess to deal with if you don't already control most of the stack and user experience like Apple does.

As a side note, Apple already does this with Mac hardware too: https://discussions.apple.com/message/19010713 .

There's a huge ethical problem with a vendor imposing limits on the relationship between a human being and their tools. Apple customers are self-selected for being okay with this.
They are doing this all wrong.

Thieves can use different parts of the phone that would not be effected by a kill switch, batteries, screen, ...

What they really need is to turn on the GPS find where the phone is and start arresting folk.

"What they really need is to turn on the GPS find where the phone is and start arresting folk."

You really want to give the government permission to remotely enable GPS?

Government already can do that by co-opting the phone companies.

@wehadfun, I like the general concept of identifying and taking action against the bad actors, but there are two flaws in your plan.

(a) Most of the users of stolen phones are not the thieves, they're secondary buyers. And amongst them, how do you propose to distinguish knowing buyers of stolen goods from innocent purchasers? Maybe in some cases the circumstances are suspicious, but what if you buy from someone on craigslist with a reasonable story and pay a market price?

(b) While in theory it's possible to trace back to the thief, in practice police don't have the resources to do the necessary investigation when the value is only a few hundred dollars. In many jurisdictions they won't even send an officer unless someone is bleeding.

It must be nice to have no valuable skills to offer society yet still find employment as an authoritarian jackass dreaming up product features without doing the actual work or assuming any of the risk. If Leno wants to add features to cell phones, he should go work for those companies instead of using the Ring of Sauron to forcibly add a "kill switch" because he thought it was a good idea. And is reducing theft the real reason or just the ostensible one? Will this become an easy hook for govs to shut off phones?
Serious question, not rhetorical: Is there any precedent for forcing manufacturers to modify their product simply to prevent the product from getting stolen?

Cars and houses can have alarms, and customers decide whether they need them or not. We do not require that all cars and houses come equipped with them. Wallets can be attached to a chain or placed in the front pocket. We don't require that you can only purchase a wallet with a chain.

Unlike childrens' toys that require battery covers to be screwed shut, or cars that must have seatbelts, the theft of a device does not seem to be a public safety issue. Your decision to own an expensive phone and take it out of your pocket at the train station seems no more necessary of regulation than your decision to wear an expensive necklace.

I'm not necessarily defending the mandate, but maybe I can clarify the concept behind it.

It's not a case of legislators saying "it would be better to have less phone theft so let's try to reduce it this way" - instead it's more like, users want this, but don't have the bargaining power to compel the phone makers to build it in or the telcos to support it.

Without the mandate, the makers and telcos profit from theft: the stolen phone user (not necessarily the thief) pays phone charges, the victim has to buy a new phone, and thieves have a continuing incentive to steal them. With the mandate, the phones are less valuable to thieves (and to robbers - a personal-safety gain), and the telcos can't profit from the forced transfers.

Again, not saying it's a good or bad policy (can someone remote-kill my phone when I still have it?), but these are the considerations - a kind of market-failure correction.

Thanks, it's helpful to consider it from that perspective -- at least as potential reasoning for why the bill was written in the first place.

But we can counter that it's specious to claim customers are clamoring for this but not getting anywhere with manufacturers. Apple's Find my Phone feature is already one step toward addressing this issue, and there are a handful of third-party apps on the market that do similar things. These market solutions will continue to get better over time if they're popular.

And of course, there's the question of why it's the manufacturers' responsibility to address theft in the first place. Jewelers aren't required to engrave and register all their necklaces.

> It's not a case of legislators saying "it would be better to have less phone theft so let's try to reduce it this way" - instead it's more like, users want this, but don't have the bargaining power to compel the phone makers to build it in or the telcos to support it.

I am sick of reasoning like this. The purpose of government is to preserve your freedom to do something. If some users want something and cannot arrange it themselves, then they may just not be able to get it. It is not the government's place to mandate that everyone gets what some people want. That goes against personal freedom. It is certainly the government's place to punish thiefs---a person who deprives another of their freedom to control their property. The government should not mandate certain ways of arranging private (between a person and the phone company) affairs.

Indeed, there are ways to magnify your bargaining power outside of the government. Most people generally aren't willing to pay for it, though. A stolen phone fund or phone theft insurance could accomplish the same goals without involving the legislative and executive branches. However, the cost would be obvious, in the form of an upfront or recurring charge. It's much easier to assign the task to a government, and then wonder years later why taxes are going up, or the government is constantly in debt.
> The purpose of government is to preserve your freedom to do something.

That's maybe what you think the purpose of government should be, but it doesn't really match reality. Consider the whole section of labor laws, for instance.

That is one perspective on the purpose of government, yes.
I think this is more of a public safety issue. Currently, a mugger has an incentive to harm someone to take their device and sell it. If it becomes known that there is no profit in selling a disabled device, then there should be fewer mugging attacks.