(1) Any advanced mobile communications device that is sold in California on or after January 1, 2015, shall include a technological solution that can render the essential features of the device inoperable when the device is not in the possession of the rightful owner. A technological solution may consist of software, hardware, or a combination of both software and hardware, but shall be able to withstand a hard reset. No advanced mobile communications device may be sold in California without the technological solution enabled.
(2) The rightful owner of an advanced mobile communications device may affirmatively elect to disable the technological solution after sale. However, the physical acts necessary to disable the technological solution may only be performed by the end-use consumer or a person specifically selected by the end-use consumer to disable the technological solution and shall not be physically performed by any retail seller of the advanced mobile communications device.
* There doesn't appear to be any requirement that the phone can be remotely disabled. One interpretation of this is that the only change from the status quo where practically every phone has a PIN is that the PIN withstand a hard reset.
* The bill defines “hard reset” as "the restoration of an advanced mobile communications device to the state it was in when it left the factory, and refers to any act of returning a device to that state, including processes commonly termed a factory reset or master reset." This is sort of dumb. When a device leaves the factory, it obviously doesn't have any knowledge of whom its proper owner is. A hard reset, by definition, has to nullify any owner-verification system and no technological solution can withstand it.
* The fact that the kill switch can be disabled is encouraging.
* A lot would also depend on how determination of the "rightful owner" goes. That is, is it sufficient for someone who knows the PIN to be considered a "rightful owner"? This is fine 99% of the time, but there are obviously scenarios where that isn't true. If we wanted to take this to the other extreme, we might say this would require every seller and re-seller of mobile phones to check the ID of anyone buying a phone and to record this in some sort of master ownership index. Note that this would effectively outlaw burner phones.
Imagine if the governments in the Ukraine or Turkey had such a kill switch. They could instantly disable most of the communication between people protesting against the government.
I agree, but phones get sold. I've bought every smartphone I've ever owned off of ebay or craigslist. How would I know the previous owner didn't retain the power to kill my phone? Or the carrier/manufacturer for that matter?
Totally agree. Though you can enable remote erase through Google, completely killing the phone may not be a good idea unless the provider has the ability to restore the phone. What happens if some underpaid and overworked CSR on the line accidently types in the wrong code and wipes out someone else phone?
This is a rather pointless bill. A significant portion of all phones that are stolen (or maybe accidentally left on a subway train seat and finders keepers) are broken down for their valuable replacement parts.
When your iPhone 5S gets a cracked screen or water damage, the place that repairs it can easily take parts from a donor phone at a nominal cost. Bricking one of the boards in there (or the nano-SIM card or whatever they end up using) isn't going to keep the screen from getting reused.
(The whole thing is like an engine kill switch for stolen cars; the thieves aren't going to try and just turn around and sell the same car intact; they're going to a chop shop where the kill switch will have zero effect on the profit margin for the thieves).
I think this fits into the "don't lock your doors" genre of argument, where one argues that there's no point in making it harder for something bad to happen because even if you do some bad things will continue to happen.
What the genre (and this instance) misses is that nobody is claiming that the solution is perfect. As long as it reduces the cost of theft more than the costs it imposes, it's a net win for society.
I'd expect this approach to reduce opportunistic theft quite a bit. Petty criminals are not big on delayed self-gratification; if they were, they'd be doing something else. If they can't use or easily sell the phone they just stole, then many will stop stealing them.
It may not reduce organized theft as much, but it would depend a lot on how hard it is to subvert the lock. If they have to throw out the motherboard of the phone, then sure, they can still sell the screen, but their per-theft profit goes down, reducing financial incentives and complicating their business model.
If they're looking for another "50-state legal" effect, I have news: that may work in hardware, where producing different behaviors is hard, but software is different. Whole complex behaviors (once written) are easily altered.
Now, if the capability doesn't exist just because the vendor(s) haven't done it yet, then it might work. If they actually don't want to do it (either because it suits them or they think it suits their customers) then they won't.
All phones have a builtin kill switch. You need to compel the phone company to turn it off. But then there are ham radios. This is how things were done in Egypt... Look at how that turned out.
Is hardware hacking really required? My S3 ran the risk of losing its IMEI when I was messing around with custom ROMs, but before a solution was found, people put up guides on how to change the IMEI with software and it looked easy.
Some time ago, I cloned the ESN of my SPH-A680 onto an identical model (using QPST). When they were both on and next to one another, calling me made them both ring, and simultaneously answering both let me hear audio out of both.
I doubt basebands have really changed - it's a culture of security through obscurity, with people unaware of the details assuming they actually provide their purported security guarantees.
Tiny bills like these get proposed by legislators all the time. Most don't pass. Just because this is a technology bill doesn't mean that it will – it's far too nanny-state and superfluous control to be remotely considered vs other priorities California has at this time.
Although Feinstein DOES seem to be doing a lot of nannying and superfluous things lately.
Do you have some evidence that this won't get considered?
It looks to me like an easy political win. Smartphones are getting stolen a lot. They are popular. They are often the most expensive thing a person caries, so people are protective. Being able to say, "Hey, we're doing something about a theft that could happen to you," seems like something that would give the average voter warm fuzzies.
Relevant portions:
(1) Any advanced mobile communications device that is sold in California on or after January 1, 2015, shall include a technological solution that can render the essential features of the device inoperable when the device is not in the possession of the rightful owner. A technological solution may consist of software, hardware, or a combination of both software and hardware, but shall be able to withstand a hard reset. No advanced mobile communications device may be sold in California without the technological solution enabled.
(2) The rightful owner of an advanced mobile communications device may affirmatively elect to disable the technological solution after sale. However, the physical acts necessary to disable the technological solution may only be performed by the end-use consumer or a person specifically selected by the end-use consumer to disable the technological solution and shall not be physically performed by any retail seller of the advanced mobile communications device.