In less than a decade, smartphones have become an incredibly important part of peoples' lives. In the US alone, 166 million people now own them, according to a recent report by ComScore. And those devices aren't just used for making calls. More often they're used for texting, web browsing, going through email, and downloading apps, with Americans spending — on average — more than an hour a day with their eyes glued to tiny glowing screens.
All those things make them an increasingly worrisome target for theft. It's not just the hardware that's being stolen, it's potentially a chunk of your digital life too. That's why lawmakers in the US are trying (and in some cases succeeding) to pass bills requiring anti-theft features that protect consumer data while leaving thieves with a considerably less valuable piece of hardware.
The goal is to make stolen phones less valuable
The latest is a California bill that would require smartphone makers to include remote-wipe and -locking features, and it's getting closer to being signed into law. After initially being rejected by the California Senate, it has since passed and moved on to a floor vote in the state Assembly. After that, it heads to the governor, where it could be signed into law.
The bill, SB 962, was created by state Senator Mark Leno along with San Francisco District Attorney George Gascón, who's been a staunch advocate of anti-theft measures for phones. Ahead of the bill, Gascón urged cellphone makers — including Apple and Samsung — to make stolen smartphones more of a headache for thieves, going so far as to hire security experts to try and bypass the built-in security measures to illustrate that smartphone makers weren't doing enough.
The reasoning is simple: smartphones make a very attractive target for thieves. They're small, expensive, and up until manufacturers began to put anti-theft measures in place, were still very useful with a simple factory reset. Last year, 3.1 million Americans had their phones stolen, according to an often-cited study from Consumer Reports, a figure that's more troubling given a far lesser 1.6 million thefts from the year before. And while smartphone theft brings up images of thieves robbing people at gunpoint, a survey conducted by IDG on behalf of mobile security Lookout in March suggests otherwise. Only 11 percent of phones were stolen from people directly, while 44 percent of thefts were linked to people simply leaving their phone somewhere public and having it scooped up by someone else.
Many smartphones already have anti-theft features
By now, most major smartphone makers have hardened their products, and provide tools to track, wipe, and disable devices through the use of web-based tools and apps. Those services are becoming more sophisticated too. Apple initially offered its Find My iPhone service as a perk of its paid MobileMe service, but then later made it free and available to all iPads, iPods, and Macs. Apple also created a feature in last year's iOS 7 called iCloud activation lock, which will make a device completely inoperable unless you enter in the right Apple ID username and password.
Google and Microsoft have followed Apple's lead, offering free tools to help locate and disable devices remotely. And now both companies plan to add tools like Apple's that leave the hardware useless to those who don't have the master password. Those features aren't coming until the next major releases, however, the two companies said in June. In the interim, Samsung — which relies on Google's Android — has added a reactivation lock feature into its phones, though not on all its devices, and not on all the carriers.
In Apple's case, the iCloud activation lock feature has already made waves — some good and some bad. Almost immediately it managed to cause headaches for resellers and recyclers who buy, fix, resell, and dispose of used electronics. Since the feature launched to consumers last September, it's left some electronics trade-in businesses with phones and tablets that still have the lock enabled. These products are not stolen, several companies told The Verge in June. More frequently, the locked devices come from big-box retailers and carriers that outsource their trade-in services, and that aren't doing a thorough enough job screening what they get before it goes to the next party.
Early data suggests kill switches are working
On the flip side, the feature appears already to have a marked effect on what it was built for, which is reducing crime. In June, attorney generals in New York and San Francisco said that year-over-year thefts of Apple devices "plummeted" during the first five months of 2014. For San Francisco that amounted to a 38 percent decline in iPhone-related robberies, while New York tallied up a 19 and 29 percent year-over-year decline on robberies and grand larcenies that involved Apple products. During an identical time period, the same study reported an increase in robberies involving Samsung devices, which did not have the aforementioned built-in protections until April. "We can make the violent epidemic of smartphone theft a thing of the past, and these numbers prove that," Gascón said when those numbers were released.
Pickpocket warning sign in Venice, Italy. (Matt Chan / Flickr)
Even with that positive early data, critics worry that a legal mandate requiring the technology could have unintended consequences. In the California bill's case, the Electronic Frontier Foundation warns that the bill could hinder better technologies that haven't been invented yet, and could be rife for abuse from law enforcement agencies.
"There's a simple reason why we opposed this particular bill — and why we almost always oppose bills with technological mandates. Technology is fast; the law is slow," the group said in a blog post last month. "While there is an important place for policy in a world where the internet and devices are readily available to both consumers and government actors, institutionalizing specific technical solutions — such as making every cellphone manufacturer feature a ‘kill switch' program — is risky."
"Technology is fast; the law is slow."
More bluntly, a consortium of wireless companies and major hardware manufacturers are balking at the need for legal requirements in the first place, arguing that they've already added, or are in the process of adding, such features and want self-regulation instead.
"We've rolled out stolen-phones databases, consumer-education campaigns, anti-theft apps and features and most recently a ‘Smartphone Anti-Theft Voluntary Commitment,' which provides a uniform national technology solution at no cost to the consumer," says Jamie Hastings, the vice president of external and state affairs with the CTIA, a group made up of wireless carriers and manufacturers including Apple, Google, Microsoft, and others. "State-by-state technology mandates stifle innovation to the ultimate detriment to the consumer," she added.
That "Smartphone Anti-Theft Voluntary Commitment" Hastings is referring to is effectively the same thing you'll find in the California law. That includes remote wipe, remote lock, and a lock against reactivation. There's also a clause requiring manufacturers to provide a way for consumers to get everything on a recovered phone working again, including their data. These things are all set to be a self-regulated standard for every device manufactured by smartphone makers after July 2015, which is when the California bill would begin if signed into law.
Minnesota Governor Mark Dayton signing the state's anti-theft bill into law. (Office of Governor Mark Dayton)
So why would state laws be useful then? One example is Minnesota, which so far is the first and only state to pass an anti-theft phone bill. Unlike California, it's not asking for a way to remotely disable or wipe a phone, just that the phone needs to come "equipped with preloaded anti-theft functionality," or at least be able to download it later — all for free. Minnesota's governor signed the bill into law this past May, and under its requirements, it's not just about anti-theft measures on the device, but also deals with devices that are resold. The law criminalizes buying and selling phones between people without documentation, so the state can track where phones are going. It also prohibits used cellphone dealers from paying in cash or selling to people under the age of 18. These are things designed to hinder potential thieves by putting more of the business of selling phones on the record when it goes into effect next July.
A federal law is in the works too
Along with those efforts, there's a separate federal bill designed to accomplish some of the same things outlined in the state laws for remote wiping and disabling phones, but at a national level. The Smartphone Theft Prevention Act, which was introduced by a group of Democratic senators in February, aims to amend the Communications Act of 1934 to require any phones sold in the US to offer remote wipe, remote disable, and restrict reactivation without a proper passcode. So far it has only been introduced, and still needs to make its way through the House and Senate before ultimately making its way to the president to be signed into law.
The federal bill could ultimately spell a simpler solution than the state laws by unifying the requirements manufacturers need to comply with in order to sell there. But these bills — short of what Minnesota is doing to control how phones are sold — all aim to get companies to do something that many are already doing, or have plans to offer soon. The only difference is that there could be fines, and those phones wouldn't make it to store shelves. And if you believe the EFF, slapping a mandate on companies to go with any one particular solution is shortsighted at best, and potentially disastrous for newer, better ways to deal with the problem that could be invented in the future.
"With an eye to the current landscape of security tools, if a ‘manufacturer or operating system provider' chooses a particular solution, innovation in this space may be discouraged," EFF attorneys said in a letter opposing the California bill in June. "Mandating any technological fix could ‘lock in' a less effective solution, preventing stronger third-party anti-theft applications from competing and innovating."