This week, California passed a new law that will require any smartphone sold in the state to include anti-theft measures. It's likely to have effects far outside California's borders. Here's what it means for you.
What the Law States
As of right now, most smartphones do not come with anti-theft security features (such as the ability to remotely lock or wipe the phone) enabled by default. Apple and Google both offer optional services (Find My iPhone and Android Device Manager, respectively), but many handsets either don't require the user to enable them when they first set up their phone, or worse, don't mention them at all.
This law changes that. Any smartphone that is sold within California will be required to ship with a solution that allows the owner to remotely render the device inoperable. The prompt to enable this feature must occur during initial setup, must be opt-out instead of opt-in, and perhaps most importantly, it must be reversible. Here's the relevant text from the bill:
Any smartphone that is manufactured on or after July 1, 2015, and sold in California after that date, shall include a technological solution at the time of sale, to be provided by the manufacturer or operating system provider, that, once initiated and successfully communicated to the smartphone, can render the essential features of the smartphone inoperable to an unauthorized user when the smartphone is not in the possession of an authorized user. The smartphone shall, during the initial device setup process, prompt an authorized user to enable the technological solution. The technological solution shall be reversible, so that if an authorized user obtains possession of the smartphone after the essential features of the smartphone have been rendered inoperable, the operation of those essential features can be restored by an authorized user. A technological solution may consist of software, hardware, or a combination of both software and hardware, and when enabled, shall be able to withstand a hard reset or operating system downgrade and shall prevent reactivation of the smartphone on a wireless network except by an authorized user.
At the moment, existing solutions probably don't meet the law's standards (both Apple and Google's remote wipe features are irreversible, and a simple remote lock may not be able to withstand a hard reset).
Who It Affects
Legally, the news only affects smartphones sold in California. Practically, however, this will have effects throughout the industry. It's a bigger pain to OS and hardware makers to create region-specific software than it is to create a security feature everyone can use. To that point, many companies already signed an agreement with the CTIA to offer features more or less identical to what this law requires before the law was actually passed. That list of companies includes:
Apple
AT&T
Google
HTC America
Huawei Device USA
LG USA
Motorola Mobility
Microsoft
Nokia
Samsung America
Sprint
T-Mobile USA
US Cellular
Verizon Wireless
ZTE USA
Notably, all the companies listed are the American subsidiaries of their parent companies (where applicable), so it's not clear if they'll offer the feature worldwide. However, if you're in the United States, it's likely you'll get the same phone that Californians get. As California goes, so goes the country. At least when it comes to smartphones.
The list is also fairly comprehensive. Not only are Apple and Google (who make the two biggest smartphone platforms, encompassing most of the smartphone market) on the list, but Microsoft/Nokia have jumped on board as well. As well as every major US carrier, and most major (and minor) smartphone manufacturers. In other words, everyone's voluntarily hopping into the same boat here.
How (and When) It Works
According to the law (as well as the voluntary CTIA agreement), any phone sold in the US after July 1st 2015 must have this feature enabled. Realistically, the feature will probably arrive shortly before then on some handsets (Samsung and HTC notably launch their new flagships in the Spring, and Apple's newest handset comes out next month).
The California law doesn't explain the details for how the feature will work, but the CTIA agreement provides some insight. On top of existing features (like remote wipe and remote screen lock), the industry promises to prevent factory resets without authorization "to the extent technologically feasible", as well as the ability to reverse data wipes. Both exist in some partial capacity right now (Apple may actually be the closest to seamless compliance with iCloud backups), but we can expect these features to become more robust over time.
The Fine Print
In general, this is a pretty good thing. Despite the scary images conjured up by the "kill switch" terminology, the law is aimed at preventing smartphone theft by expanding on features that already exist. It's a solution that actually sort of works. Authorities in New York, San Francisco, and London have all pointed to remote lock/wipe functionality as the cause for reduced smartphone theft.
However, some organizations like the EFF are concerned about potential government involvement. As the consumer advocacy group points out, the tech industry has already voluntarily agreed to make these changes, but the law fails to clarify who can trigger it. Namely, the EFF argues that government and law enforcement may, in certain circumstances, be authorized to lock or wipe a citizen's phone:
SB 962 is not explicit about who can activate such a switch. And more critically,the solution will be available for others to exploit as well, including malicious actors or law enforcement. While SB 962 adopts the requirements of Public Utilities Code § 7908 to regulate and limit the circumstances in which government and law enforcement officials can activate the "kill switch," the fact remains that the presence of such a mechanism in every phone by default would not be available but for the existence of the kill switch bill.
The Public Utilities Code that the EFF cites does already put limits on law enforcement's ability to interrupt service to a communications device. The law requires that a "judicial officer" sign off on the interruption, that probably cause be determined ahead of time, and that there must be an imminent danger to public safety to justify an interruption. This restriction applies to the new law as well as law enforcement's existing capability to block or interrupt communications services.
What all that legal mumbo jumbo means is that the EFF can't rule out a scenario in which the security features being adopted are used by law enforcement or government agents to lock or wipe a user's phone. The new law doesn't specifically give this ability to law enforcement either, but it's something that privacy advocates should keep an eye on.
While the privacy debate is its own problem, the bulk of the effect on end users is that your remote security features are about to get better (though arguably this would have happened with or without the law). Starting July 1st 2015, every smartphone you use in California (and probably the entire US, or more) will ask you to either set up security features, or opt-out. Worry about government interference aside, that's something everyone should care more about anyway.
Photos by Justin Brockie and Highways Agency.