Cell Phone Shutoff Legislation is Ignorant and Ineffective

5/15/2014 Unknown 0 Comments

Cellphone theft is a big deal.  Specifically smartphone theft.  Lookout mobile security has several reports on the issue and found that one-in-ten smartphone owners become victims of smartphone theft.  This issue will only become more prevalent as higher quality smartphones are produced.

According to Lookout, ounce-per-ounce, the average smartphone is more valuable than a block of silver.  Of course that's going to attract the attention of a lot of would be thieves, because last I checked, most people don't carry around anything nearly so valuable that is also easily pocket-able and isn't tethered or connected to their person in some way.

There's been a lot of talk about smartphone "kill-switch" legislation and yesterday Minnesota became the first state to actually put such measures into law.  The bill requires that all phones sold in the state include the ability for the carrier to perform a device wipe and deactivate the service.  The bill also includes provisions to regulate the secondary market to make it more difficult to resell phones by restricting cash purchases and requiring stricter record keeping for phones that are sold.

The problem is, none of this will stop theft.  The analogy of a speed bump has been used in the past to highlight issues with copyright protections.  Speed bumps are intended to stop traffic from speeding through certain areas, but it doesn't stop everyone from speeding.  Some people can equip their vehicles to handle the speed bumps better and others just follow an alternate route that allows them to drive any speed they want.  Speed bumps do slow down ambulances and emergency vehicles, though.  In fact, for every one life saved from the existence of a speed bump in the UK, eighty-eight people die due to ambulance delays.

The same thing is true here.  This requirement puts burdens on retailers and manufacturers, but doesn't stop those equipped with the proper tools and know-how from stealing and reselling phones.  Also, it turns out that not all phone thefts are what you might think.

First, this law requires manufacturers and carriers to build hooks into their software to allow the carrier access to wipe the device.  Last time a carrier had that much insight into phones, it wasn't well received, but besides that, this legislation is just in Minnesota.  There is not a single carrier or manufacturer that I know of that operates exclusively in Minnesota.  In the US alone, there could hypothetically be 50 unique kill-switch mandates if all states enact varying legislation to prevent this.  In a mobile world where we are worried about things like forking and fragmentation, this is counter productive for any practical technological evolution.

Second, this is a problem for retailers.  There are quite a few retailers that generate most of their income from the resale of cell phones.  They already have an incentive to make sure the devices they buy aren't stolen devices, because they are the ones that are hurt when they are.  Restricting cash purchases and requiring a specific documentation process will not only be a direct loss of revenue from those that can only pay with cash, but also an additional expense to implement a system.  Especially considering (like I already said) retailers do not want to buy stolen devices today.  Stolen devices that get blacklisted or bricked are not good for business.  This legislation only adds inconvenience to a process most retailers already follow.

Besides, the speed bump kill-switch legislation won't even stop phone theft anyway.  The thing most people don't realize is that the vast majority of phone "thefts" are not thefts at all.  According to Lookout, nearly half of phone thefts occurred because the owner left the phone somewhere.  On the table at a restaurant, on the counter in a restroom, in a bar or club, on public transit.  People's phones aren't being swiped, they're being given away.

The rest of phone thefts?  Most of those occur when someone's house is burglarized or their purse/bag is stolen.  What does this mean?  Thieves are rarely targeting phones, they are usually just snagged during a larger haul when more attractive—and untraceable—items such as cash or jewelry are the target.

So the vast majority of phones will continue to be "stolen," not because the criminal wants a phone, but because it happens to be left in a public place or it's in the purse that the criminal did want.

But what about the small amount of phones that are directly targeted?  Well, those are already targeted despite the fact that carrier's already blacklist serial numbers and deactivate services on phones that are reported stolen and they're stolen despite the presence of services such as Lookout, Find My iPhone, Google Device Manager, and etc. that will lock and wipe the device in the case of theft.  They're also already stolen despite the fact that many resalers and second hand consumers already check to make sure the device is functional and has a clean ESN.

Also, all these security efforts can be negated simply by pulling the SIM card out of the phone and making sure it has no wireless connectivity.  Devices can't be wiped if they have no network connectivity.  Also, MAC addresses and serial numbers can be changed in software and phone software can be flashed to something that doesn't block device usage.

So what do all the efforts in this legislation accomplish?  44% of people will still outright lose their phones and thieves will continue to obtain phones during a standard robbery, manufacturers and service providers will continue to provide theft deterrents, consumers will continue to employ theft deterrent services on their devices, and thieves will still find ways around security.  The real effect?  Just like a speed bump, only those legitimately providing, reselling, or using devices will be negatively effected.

0 disqus:

Sound off