The government shouldn’t be in charge of smartphone kill switches

Few things are worse than realizing your smartphone’s been stolen. Your personal information is now in the hands of a dishonest soul, who can decide to either erase and sell the device or — even worse — do whatever they want with your contacts, photos and texts. If it’s happened to you, you’re not alone; millions of people have gone through the same nightmarish experience. The technology to deter thieves, known as “kill switches,” exists, but it’s up to phone makers and carriers to implement it.

Most major phone companies have committed to adding kill switches to their products, and some have already begun selling phones with the tech included. A handful of state governments, like California and Minnesota, don’t believe this is good enough, so they’re passing bills that mandate anti-theft measures in every phone sold in those states beginning next year. This seems like a great idea, but let’s take a closer look at what exactly these laws mean and if they make sense.

What is a kill switch?

The most basic definition of a kill switch is a feature that allows an owner to render a phone useless after it’s been lost or stolen. In theory, it’s supposed to deter thieves from being able to sell your phone or access any of the data on board; if every phone can be disabled remotely, why would thieves even bother trying to steal them anymore? If anything can be done to curb smartphone theft, it’s worth considering. An FCC report states these types of theft comprised nearly 30 to 40 percent of robberies in most major cities across the country in 2012. And it appears to be getting worse: According to Consumer Reports, 3.1 million Americans had their smartphones stolen in 2013 alone, which is a jump from 1.4 million in 2012.

There are two kinds of kill switches: Hard and soft. The former would “brick” the phone so it becomes a permanently disabled hunk of circuitry, never to be enjoyed or loved again, while the latter — the more popular alternative among companies and legislators — can be reversed as long as you have the authorization to do so. (At this moment, every existing switch is soft, as hard switches are much more difficult to implement.)

Even if your phone doesn’t have a kill switch, it likely can be remotely locked and wiped. This clears all of your personal data from your phone and reverts it back to the way it was when you bought it. Android’s official Device Manager is an example of this. Problem is, your device can be sold and reused. If you activate a kill switch and the thief can’t figure out how to bypass your authorization (more on that later), he or she has a useless and unsellable phone.

Regardless of government involvement, some companies are already adding soft kill switches to their products. Apple added Activation Lock to iOS 7 last year, which allows users to turn on Lost Mode (using Find my iPhone) and prevents others from unlocking your device without your Apple ID and password. Samsung’s added a similar feature called Reactivation Lock to the Galaxy Note 3 and Galaxy S5 that does essentially the same thing. Both options are opt-in, which ensures that your phone doesn’t get disabled by pure accident. That said, it also means a lot of phones will still be vulnerable if they’re stolen, so thieves still have a good shot at success if they snatch your handset.

A few preliminary studies show that kill switches have already caused a drop in smartphone theft. Police officers in London and San Francisco reported a noticeable drop in iPhone robberies (24 percent and 38 percent, respectively) between the six-month period before the feature came out and the six-month period after. This is an encouraging report, but it’ll be even more telling as a larger chunk of the wireless industry follows Apple’s and Samsung’s lead.

Within the next year, we may see exactly that — if you trust tech companies to live up to their word. Google and Microsoft have vowed to incorporate kill switch tech into the next major releases of Android and Windows Phone; and the CTIA, a lobbying group that represents nearly every wireless carrier and manufacturer in the country, teamed up with the US branches of LG, Samsung, HTC, Huawei, Motorola and Nokia, as well as the five largest US networks, to commit to adding “baseline anti-theft tools” to their devices by July 2015. Curiously, phone insurance provider Asurion was also listed as one of the supporters of the CTIA’s pledge; the company makes money by convincing people they need insurance to cover stolen phones, so the fact that it’s even voicing support for anti-theft measures is important.

Government to the rescue!

Phone makers and carriers may be getting their gears in motion, but it’s not enough for the government. In May, Minnesota passed a bill requiring that any smartphone manufactured (and sold or purchased in the state) on or after July 2015 “must be equipped with preloaded anti-theft functionality or be capable of downloading that functionality.” Additionally, it mandates manufacturers and carriers submit a report describing the anti-theft tool they use.

At first, it sounds like this is a foolproof method of ensuring that all phones will now come with a built-in kill switch, but the text of the bill is incredibly vague. It never mentions a kill switch, nor does it even specifically describe what the anti-theft functionality is supposed to do. Furthermore, it also doesn’t have to be installed on the device at launch; at minimum, it needs to be available as a free download for anyone who wants it.

Last week, California passed a very similar bill after its second run through the state Legislature, and it’s awaiting a signature from Governor Jerry Brown. In this case, the text of the bill, known as SB962, is more clear: It states that any smartphone manufactured on or after July 1, 2015, must have anti-theft functionality included at the time of sale. As long as the essential features of the phone are rendered inoperable when it’s stolen, it doesn’t matter if it’s a hardware or software solution. The feature should, “when enabled, be able to withstand a hard reset … and prevent reactivation of the smartphone on a wireless network except by an authorized user.”

The bill specifies that a soft switch is required; it must be reversible so that the owner can reuse their phone if it’s recovered. It’s also opt-out, which implies that manufacturers can enable the kill switch right out of the box as long as they let the user disable it at any time.

Arguably, California’s bill is important because it could impact devices all across the country. Since the state boasts a good chunk of the nation’s smartphone buyers, it likely doesn’t make sense for manufacturers to push out state-specific firmware. And because most companies are already committed to adding kill switches to their products anyway, this is simply more incentive for them to do so on all of their devices — precisely what the government wants.

Enforcing kill switches on a state-by-state basis might be messy, so it makes sense that it’s also being considered on a federal level. Members of Congress have proposed the Smartphone Theft Prevention Act, which is very similar to California’s in that a soft kill switch be made available to all new phones. It hasn’t been brought to the floor yet, and there’s no indication of if or when it’ll actually be voted on.

That’s a bad thing?

Just because these laws may seem innocent and even helpful doesn’t mean they’re the best idea for the consumer. If companies are already adopting kill switches, do we really need the government getting in the way? The Electronic Frontier Foundation (EFF), a nonprofit that focuses on defending digital civil liberties, doesn’t think so. The group argues that numerous kill switches are already available to the end user, either as built-in features or as third-party approaches (such as Lookout, Avast, Prey and others). And once the government gets in the way, SB962 could potentially “lock in” options that aren’t as effective and could therefore stifle competition and innovation among third-party developers. “Technology is fast; the law is slow,” the EFF’s Adi Kamdar said. The other issue, the EFF claims, is that the bill isn’t specific enough in its language regarding who’s “authorized” to activate the kill switch. If it’s not explicitly defined, the group argues, what’s stopping the government or wireless providers from considering themselves authorized to do it as well?

Even the CTIA, which (as mentioned earlier) voiced its support for the installation of kill switches in April, opposes SB962 for several reasons. The CTIA argues that the bill doesn’t make mention of educating consumers on smartphone theft and how to protect yourself; a stolen-phone database was established late last year and the government hasn’t given it enough time to prove its usefulness; state law may interfere with federal smartphone requirements, such as the mandate that each phone gets 911 service at all times; and if individual states pass bills with different requirements, it’ll make it more difficult for manufacturers to produce phones that can be sold in all 50 states.

Finally, other opponents of the measure, such as California state Sen. Mark Wyland, believe that the maximum $2,500 penalty that manufacturers would have to pay per phone is too high — especially if the wrong devices accidentally get shipped to California instead of some other part of the country. “It’s a big burden on a retailer to ensure that every single product they sell meets every single standard,” Wyland told the LA Times.

California and Minnesota may be the first states to pass legislation, but they may not be alone for long. New York and Illinois are also discussing similar measures, and other states — especially those with high rates of smartphone theft — could follow along as well. Additionally, a group of elected officials and law enforcement leaders signed the Secure Our Smartphones Initiative in June 2013, which calls for a hard kill switch in every device.

Kill switches in their current form aren’t foolproof, either. They can’t be activated without an internet connection, so the thief can simply activate airplane mode before the victim realizes the phone is missing. Hackers may also be able to find ways to bypass the switch and falsify authorization. After Apple introduced Activation Lock, a few loopholes were found in the phone’s security that allowed knowledgeable thieves to bypass the kill switch; the iPhone has fallen victim to a few of these bugs, and to its credit, Apple is often quick to fix them. But will other manufacturers take care of similar issues in a timely and effective manner? Especially when they require additional carrier tests before they can roll out? Proper and successful kill switch implementation takes time.

Sadly, although there are plenty of reasons to oppose legislation, state mandates still hold more weight than the CTIA’s commitment. Just because a group of companies have agreed to add anti-theft tech to their phones, doesn’t mean they’re held to a blood oath. The agreement isn’t an enforceable contract, nor will ramifications befall any of them if they fail to get it done in time.

There’s no longer any reason a phone shouldn’t have kill switches installed, but companies — not the government — need to be in charge of making sure the functionality is done properly. State involvement isn’t anywhere close to a perfect solution, but without their interference, individual companies won’t be held accountable if they sit on their hands and take forever to add this functionality to their phones. States like New York and Illinois aren’t going to wait around and see if companies will stay true to their word; if the wireless industry puts it off for too long, the government will simply take matters into its own hands.

[Image credits: Getty Creative (pickpocket), Getty Images (Killswitch Engage, California chambers)]

Filed under: Cellphones, Wireless, Mobile, Apple, Microsoft, Google

Comments

.CPlase_panel display:none;