California phone kill-switch law could lead to abuse
On Monday, California Governor Jerry Brown signed into law a bill (SB 962) that will require any smartphone sold in the state after July 1, 2015, to include a software or hardware (or both) “kill switch” that “can render inoperable the essential features of the smartphone to an unauthorized user”, i.e. anyone who is not the rightful owner of the device.
This kill switch will have to be able to withstand a hard reset and should prevent anyone who is not the device owner from reactivating it, so that the smartphone cannot be used or sold on the black market.
“According to the Office of the District Attorney for the City and County of San Francisco, in 2012, more than 50 percent of all robberies in San Francisco involved the theft of a mobile communications device,” it is noted in the bill, and the trafficking of stolen smartphones has become a lucrative business for criminal gangs.
This bill aims to reduce the number of stolen smartphones, and expectations are high, as similar blocking mechanisms have in the past reduced car thefts in the US. Also, since Apple introduced a kill switch for iPhones last September, the number of robberies and thefts of the devices has been significantly reduced.
Microsoft and Google have already pledged to build a kill switch into the next version of their mobile OSes. Samsung introduced it in April.
While this new law is hailed by many, there are those who worry that the feature can be misused by law enforcement, hackers, and other criminals.
“It’s great for the consumer, but it invites a lot of mischief,” Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, commented for Wired. “You can imagine a domestic violence situation or a stalking context where someone kills [a victim’s] phone and prevents them from calling the police or reporting abuse. It will not be a surprise when you see it being used this way.”
The EFF stated its disagreement with the proposed law in a letter in June, in which it reiterated that anti-theft technical measures for smartphones already exist in the form of security software, and that these solutions “allow the proper user of the phone to remotely activate the ‘kill switch’ in order to render the phone unusable.”
“But SB 962 is not explicit about who can activate such a switch. And more critically, the solution will be available for others to exploit as well, including malicious actors or law enforcement,” they added. “While SB 962 adopts the requirements of Public Utilities Code 7908 to regulate and limit the circumstances in which government and law enforcement officials can activate the ‘kill switch,’ the fact remains that the presence of such a mechanism in every phone by default would not be available but for the existence of the kill switch bill.”
Also, history has proven that every feature that can be used by consumers and law enforcement can also be used by hackers. This could lead to situations where they block the devices of people they consider their adversaries – private persons, law enforcement agents, and even government employees – just to get revenge.