EFF sent a letter this week opposing SB 962, a bill by California Senator Mark Leno that mandates every phone that will be sold in the state to have a "kill switch"—a technological solution that would remotely disable a smartphone if, say, it were stolen or lost. Despite our concerns, the bill passed out of committee in the Assembly.
There's a simple reason why we opposed this particular bill—and why we almost always oppose bills with technological mandates. Technology is fast; the law is slow. While there is an important place for policy in a world where the Internet and devices are readily available to both consumers and government actors, institutionalizing specific technical solutions—such as making every cell phone manufacturer feature a "kill switch" program—is risky.
We focused on two issues in this particular case: "lock in" and legitimizing a technical means.
Lock in describes when a particular technology is frozen in place due to a technological mandate, so other technologies—perhaps better technologies—have no chance of competing. In this case, the smartphone security suite features dozens of options for Android, iOS, and Blackberry. We wrote:
With an eye to the current landscape of security tools, if a "manufacturer or operating system provider" chooses a particular solution, innovation in this space may be discouraged—especially since the current number of "manufacturers or operating system providers" falls short of the number of security tools. Mandating any technological fix could "lock in" a less effective solution, preventing stronger third-party anti-theft applications from competing and innovating.
The second, more grave reason for not supporting this bill has to do with potential for abuse. We were especially concerned with giving government actors any more ability to shut off cell phones after wireless service was shut off during the 2011 BART protests. In response, California passed what became Public Utilities Code § 7908, which took great steps to prevent law enforcement from cutting off communications services, though it sunsets at the end of this decade. PUC § 7908, however, also legitimized a legal process for law enforcement to interrupt communications. SB 962, by mandating kill switches in every phone, would legitimize a technical means.
SB 962 is not explicit about who can activate such a switch. And more critically, the solution will be available for others to exploit as well, including malicious actors or law enforcement. While SB 962 adopts the requirements of Public Utilities Code § 7908 to regulate and limit the circumstances in which government and law enforcement officials can activate the "kill switch," the fact remains that the presence of such a mechanism in every phone by default would not be available but for the existence of the kill switch bill. In essence, SB 962 mandates the technical ability to disable every phone sold in California, and PUC § 7908 provides the necessary legal roadmap to do the same. Within two years, we would have legitimized a process that was seen to be quite extreme. While users have the ability to opt-out of such a tool, it is widely known that default settings are rarely changed.
The passage of a bill like SB 962 would present a host of challenges. While we firmly believe that such laws are generally a bad idea, the case of mandating a "kill switch" in cell phones sold in California—a demand that would affect phones sold around the country, if not the world—could have grave consequences. We've seen instances of governments abusing the ability to block communications both home and abroad; while this bill acknowledges safeguards to prevent such abuses in California, a large barrier—technical access to our phones—will have disappeared.