By Joe Pinsker
September 2, 2014
California passed a law this week that, depending on who you believe, will bring about either a drastic drop in violent crime or an increased risk of terrorism—apparently with the possibility of little in between. The law mandates that all California-sold smartphones include a “kill switch,” an anti-theft measure that allows someone to deactivate his or her phone, rendering it useless to a thief who hopes to sell it. Why is such a straightforward technology producing such extreme statements?
“It’s the phrase ‘kill switch’ that everyone has gotten excited about,” says Marc Rogers, a researcher at the mobile security company Lookout. “It’s not a technology that allows you to make magic smoke come out of your phone so it stops working.”
Even though the California law only requires a "kill switch"—which from now on I'll refer to, less threateningly, as "remote lock"—for phones sold in-state, California is a big enough market that manufacturers will probably start including it in all phones sold nationwide.
3.1 million phones were stolen in the U.S. in 2013 (many of them violently), and remote lock works in fighting this: After Apple introduced it last fall, iPhone robberies in New York dropped 19 percent, and during the same period thefts of Samsung products went up 51 percent. Larger declines in iPhone thefts have been reported in other cities.
Despite this, many telecoms opposed the mandate of remote lock until earlier this year. There was a theory as to why—wouldn’t a phone company wantyour phone to get stolen so that you have to buy a new one?—but it doesn't hold up to close inspection. A carrier gets a lot more money from you through a contract than when you buy a device. And the explanation that telecoms are loath to cede any of their mobile-insurance revenues might not tell the full story either.
The industry’s resistance was probably more due to a preference for the status quo. “The cellphone industry has always been pretty lightly regulated, and tends to resist almost all new forms of regulation almost as reflex,” says Jan Dawson, chief analyst at Jackdaw Research. Once companies saw that the law wasn’t too demanding, most of them embraced it, even if building an effective remote-lock system can be resource-intensive.
Though most carriers and manufacturers are onboard, CTIA, the industry groupthat represents just about all of them, curiously is not. CTIA has, for its part, taken steps to decrease theft, educating consumers about mobile-security apps and the use of PIN codes. In a statement distributed to the press, it called the California law “unnecessary given the breadth of action the industry has taken.” But in a less measured bit of criticism, the CTIA has suggested that remote lock might be giving hackers a way to shut down the cellphones of Defense Department officials.
Another vocal opponent of remote lock, the non-profit Electronic Frontier Foundation, has at times taken a similar tack. In an open letter to a California legislator, the EFF cited concerns that people other than a phone’s owner would remotely lock it. Hanni Fakhoury, a staff attorney at EFF, told Wired, “You can imagine a domestic violence situation...where someone kills [a victim’s] phone and prevents them from calling the police…It will not be a surprise when you see it being used this way.” The article was headlined “How Cops and Hackers Could Abuse California’s New Phone Kill-Switch Law,” and when it’s put like that—"hackers," "abuse," "kill"—it indeed sounds scary.
To make their point, the EFF and other critics havebrought up an incident in 2011 when San Francisco’s transit system, BART, shut down cell service in its tunnels to prevent a protest. The anecdote stands as an example of how the government could shut down the communications of its own citizens, and the EFF points to the fact that the government could use remote lock if a court found it had probable cause.
The EFF is right that this is worrisome, but they might be exaggerating its applicability to the remote-lock debate. “If government wanted to do something as invasive as switching off cell coverage for an area, they’re not going to do it through handsets,” says Lookout’s Marc Rogers. It’s already been demonstrated that the government can shut down communications—that’s exactly what they did in 2011—and remote-lock isn’t going to change that.
Lee Tien, a staff attorney at the EFF, told me that the danger posed by the remote-lock law is actually that it allows the government to selectively shut down individuals' phones. "If you only look at the mass [shutdown] model, this would not seem like a technology that is likely to be abused…If, on the other hand, there are other threat models that are more surgical, more targeted, then you can start to see how it might be much more relevant," he says.
A remote-lock system isn't perfect, of course. Rogers, who has been working on anti-theft cellphone technologies for over a decade, does think it’s possible that remote lock could be hacked. “However, we live in an age when there are a lot of white-hat hackers who’ll be trying this technology for good,” he says. Of course, he advocates for the sort of caution that should accompany the rollout of any new technology.
But, more generally, it’s problematic that the arguments against remote lock have widened the scope of the conversation to the extremes, invoking horror stories about the Defense Department and domestic violence. Sure, these are possibilities, but it’s already the case that millions of people are having their phones stolen, and many of these encounters are violent. If legislation hadn’t been introduced, the industry likely would’ve continued dragging its heels in solving a well-documented problem. That solution shouldn’t be resisted in the face of far more speculative concerns.
By Joe Pinsker
September 2, 2014