BILL ANALYSIS �Ó 1
SENATE ENERGY, UTILITIES AND COMMUNICATIONS COMMITTEE
ALEX PADILLA, CHAIR
SB 962 - Leno Hearing Date: April 1, 2014
S
As Amended: March 24, 2014 Non-FISCAL B
9
6
2
DESCRIPTION
Current law provides that theft - the stealing, taking, or
driving away with the personal property of another - is a
misdemeanor when the value of the property does not exceed $950
and is punishable by fines and up to one year in the county jail.
(Penal Code §§ 484 and 487)
This bill , in order to deter theft of smartphones and tablets,
makes any person or retail entity subject to a civil penalty of
up to $2,500 for each mobile communications device sold after
January 1, 2015, unless that device includes a technological
solution commonly called a "kill switch" and the kill switch is
enabled when sold.
This bill makes any provider of mobile communications service
subject to a civil penalty of up to $2,500 for each mobile device
customer contract that requires an extra charge for a kill switch
or requires or encourages the customer to disable the kill
switch.
This bill requires a kill switch that can render the essential
features of the device inoperable when the device is not in the
possession of the rightful owner, with essential features defined
as using the device for voice communications and Internet
connection including access to any mobile software applications
(apps).
This bill requires that the kill switch prevent reactivation of
the device on a wireless network except by the rightful owner and
that the kill switch be reversible so that if a rightful owner
obtains possession of the device after essential features are
�
rendered inoperable that owner can restore those essential
features.
This bill requires that the kill switch be able to withstand a
"hard reset" so that restoration of the device to the state it
was in when it left the factory will not eliminate the enabled
kill switch.
Current law and decisions of the Federal Communications
Commission (FCC) require all providers of wireless and
Internet-based communications services to enable customers to
call 911 for emergency services, and establishes dates for
enabling text to 911 and Next Generation 911 (Government Code §§
53100 - 53120)
This bill requires that the kill switch not render inoperable the
ability to dial 911 for emergency services.
This bill provides that a rightful owner may affirmatively elect
to disable a kill switch after sale, and that the physical acts
necessary to disable the kill switch may only be performed by the
customer or a person specifically selected by the customer to
disable the kill switch and not by any retail seller of the
device.
The bill applies the kill switch requirement to any device "sold
at retail and not for resale" from a location within the state or
shipped to any person at an address within the state, but
provides an exception if a device is both manufactured prior to
January 1, 2015, or originally sold outside of California, and
resold in California "on the secondary market" or consigned and
held as collateral on a loan.
BACKGROUND
Smartphone Theft On the Rise - As smartphones continue to
transform all aspects of modern life, they also have caused a
crime epidemic. More than 90 percent of all Americans own a
mobile device, and nearly 60 percent a smartphone. The high
resale value of smartphones and other hand-held mobile devices
like tablets, and their relatively small size, make them prime
targets for thieves. Many published reports document a dramatic
increase of smartphone theft. According to reports summarized by
the San Francisco District Attorney's Office:
�
Most robberies now involve the theft of a smartphone;
In 2012, more than 50 percent of all robberies in San
Francisco and 75 percent in Oakland involved the theft of a
mobile device; and
An estimated 1.6 million Americans were victimized for
their smartphones in 2012.
Industry Response to Stem Theft - The FCC, law enforcement, and
industry collaborated on efforts to address the problem in 2012.
These included providing consumers more security options on
devices and automatic prompts to establish passwords and
launching a public education campaign urging consumers to use
security apps that enable them to remotely locate, lock and wipe
devices. A national database was established to help prevent
lost or stolen phones from being reactivated. Wireless carriers
use the database to check whether a device presented to them has
been reported lost or stolen and, if so, will not allow service
to be established. Its effectiveness depends on consumers
reporting a lost or stolen phone. Industry reports that efforts
are underway to link more foreign carriers and countries to the
database. Without that international cooperation, stolen phones
resold in foreign countries continue to have value.
Industry continues to introduce new and more sophisticated
security solutions for consumers. These include options such as
Apple's "Find My iPhone" with "Activation Lock" feature that
allows a person who has lost or stolen an iPhone to remotely log
into a hosted platform and send a signal to lock the device and
make it unusable without the original owner's security passcode
established when the device was purchased. Other solutions
include Samsung's "Reactivation Lock" and Android's "Lo Jack."
Some solutions are built into the device or downloaded as an app,
some with a fee.
Legislative Proposals - Law enforcement groups, frustrated with
the lack of a ubiquitous security solution that they believe
would eliminate the resale value of smartphones, have focused on
legislation to mandate a kill switch in all smartphones. Bills
have been introduced in Illinois, Minnesota, and New York.
Several measures mandating a kill switch also have been
introduced in Congress, along with a measure to increase criminal
penalties for smartphone theft.
�
COMMENTS
1. Author's Purpose . According to the author, "SB 962 will
require any smartphone or tablet sold in California to
include a technological solution that renders the essential
features of the device inoperable when stolen. Such
solutions remove the incentive for thieves by eliminating
the device's value on the secondary market. As a result,
this legislation will go a long way towards ending the
epidemic of smartphone theft and ensuring Californians are
safeguarded from theft."
2. Effective to Deter Smartphone Theft v. Potential Harm .
The statistics documenting a dramatic increase in smartphone
theft are compelling, and no party disputes the need to
address the problem. The question is whether the statutory
kill switch mandate proposed by this bill will effectively
deter theft without jeopardizing public safety, personal
privacy, and civil liberties, or causing other undesirable
consequences. Ultimately, the bill requires a cost-benefit
analysis - is a kill switch mandate effective enough to
produce theft deterrent public safety benefits that outweigh
harmful impacts? A threshold question is whether the bill is
clear enough in specifying what "technological solution" is
required and whether the solution described is
technologically possible.
3. Due Process: What Is Required to Avoid Penalties ? State
and federal constitutional due process guarantees require
that a statute be sufficiently clear to give a "fair
warning" of the conduct prohibited and provide a standard or
guide against which conduct can be uniformly judged by
courts or agencies that enforce it. A law must give a
"person of ordinary intelligence a reasonable opportunity to
know what is prohibited, so that he may act accordingly."<1>
This bill requires a kill switch that will do all of the
following:
Render the essential features of a device
------------------------
<1> Morrison v. State Board of Education (1969) 1 Cal.3d 214,
231; Zubarau v. City of Palmdale (2011) 192 Cal.App.4th 289, 308;
Grayned v. City of Rockford (1972) 408 U.S. 104, 108-109).
�
(voice and Internet service) inoperable when not in
the possession of the rightful owner;
Prevent reactivation of the device on a
wireless network except by the rightful owner.
Not disable 911 emergency telephone service;
Be completely reversible to allow reactivation
of all essential features by the rightful owner even
after they have been rendered inoperable;
Be able to withstand a hard reset so all the
kill switch functions will be retained if efforts are
made to return the device to the state it was in when
it left the factory; and
Be secure against hacking.
Do these specifications give fair warning of what
technological solution is required, and is it possible to
achieve?
1. Do Exceptions Undermine Ubiquity Necessary to Deter
Theft ? The legislative findings of the bill state that "[i]n
order to be effective, these technological solutions need to
be ubiquitous, as thieves cannot distinguish between those
mobile devices that have the solutions enabled and those
that do not." Indeed, the effectiveness of this bill rests
on the premise that if thieves know that all mobile devices
have an enabled kill switch (and therefore lack resale
value), they will not bother to steal them. It is unclear,
however, whether exceptions to the kill switch requirement
in the bill, and practical realities of the marketplace,
will result in enough ubiquity to be an effective theft
deterrent. The following devices would not be required by
this bill to have a kill switch and therefore would continue
to have value for resale on the black market:
All devices that fall within the exception for
resale and pawnbrokers;
All devices sold out of state and brought into
California;
All devices currently in the market, which
customers typically replace every 18 to 24 months;
All devices provided "free" as part of a
promotion or a wireless lifeline plan; and
All devices that, even if rendered inoperable
by a kill switch, may have value for parts.
�
1. Is Customer Access to Emergency Services Guaranteed ?
Public safety will be threatened if a kill switch cuts off
access to emergency services. This bill requires a kill
switch to render essential features inoperable, defined to
include voice service and Internet connection. Recent
amendments require that a kill switch not render inoperable
the ability of a device to dial 911. But cutting off voice
service and Internet connection will preclude text to 911, a
service the large wireless carriers are required to provide
by May 15, 2014. A pending FCC rule requires all wireless
companies and Internet-based text service providers to
enable text to 911 by the end of this year. Text to 911
offers public safety advantages for persons with
disabilities, in a hostage situation or home break-in when a
voice call can be dangerous, and when network congestion
from high usage during a crisis makes voice connections
unavailable or slow.
Moreover, with voice and Internet service inoperable from a
kill switch, a mobile device would not be able to receive
Wireless Emergency Alerts under a program in effect since
2012 coordinated by the FCC and Federal Emergency Management
Agency. These include nationwide presidential alerts,
emergency alerts generated by state and local agencies, and
Amber alerts like the one San Diego County Office of
Emergency Services sent out in August 2013, which led to the
rescue of 16-year-old kidnap victim Hannah Anderson in
Idaho. Local geo-targeted reverse 911 systems used for
evacuation orders, fire and weather alerts, tsunami
warnings, and in connection with crimes also would be
jeopardized, as would California early earthquake warning
alerts. In order to protect public safety, the author and
committee may wish to consider amending the bill to define
"essential features" so that a kill switch is not required
to render inoperable the ability of a device to access 911
emergency services by voice call or text and to receive
wireless emergency alerts and warnings.
2. Is Customer Privacy Protected, Especially Children's
Privacy ? A kill switch can affect customer privacy if it
includes geolocation functionality that enables tracking and
locating the device and sending signals to remotely trigger
a locking function. The bill does not require a geolocation
function, but it is integral to kill switch solutions such
�
as Apple's "Find My iPhone Activation Lock," which
supporters identify as likely complying with the bill (if it
is enabled). A geolocation function increases the odds of
retrieving a stolen device, or finding it if it turns out to
have just been lost.
Because geolocation services on mobile devices result in
retention of personal location information and enable
tracking, federal and state regulators have adopted an
opt-in standard, requiring that companies obtain affirmative
express consent from the consumer with just-in-time
disclosure of how an app or service will collect and retain
geolocation data so that users can make an informed decision
on whether to opt in. Both the Federal Trade Commission and
the California Attorney General have adopted and enforced
this standard. When consumers are children, disclosure and
affirmative consent practices for geolocation services are
subject to additional requirements.<2>
To the extent a kill switch solution includes geolocation
functionality, this bill runs counter to that opt-in
standard of privacy protection by prohibiting sale of a
mobile device unless a kill switch is enabled.
Significantly, the bill makes no exception to this default
opt-out requirement when a device is sold for use by a
child. Moreover, the bill requires no disclosure or
customer notification about geolocation functionality and
prohibits a retailer from helping a customer when making a
decision about the service that impacts privacy.
Some supporters of the bill state that there appears to be
no technological reason that geolocation and kill switch
functions must be coupled. As stated by TURN: "It is our
understanding that the technology exists for a customer to
-------------------------
<2> "Mobile Privacy Disclosures" Federal Trade Commission
(February 2013) at
http://www.ftc.gov/sites/default/files/documents/reports/mobile-pr
ivacy-disclosures-building-trust-through-transparency-federal-trad
e-commission-staff-report/130201mobileprivacyreport.pdf :, and
"Privacy on the Go," California Attorney General (January 2013)
at
http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_th
e_go.pdf ?
�
opt for the theft prevention solution but not the GPS
functionality and the bill allows for such decoupling -
which eliminates this privacy concern." A more precise and
definitive way to eliminate the privacy concern is to remove
the opt-out requirement from the bill if a kill switch
solution includes a geolocation function. This would give
industry flexibility to develop a kill switch with or
without a geolocation function, and, if a geolocation
function is included, would give consumers, especially
children, the full protection of existing privacy laws and
regulations. Thus, the author and committee may wish to
consider amending the bill to strike subparagraph (3) on
page 5, lines 15 to 22, and modify the following on page 5,
lines 1 to 3: "No advanced mobile communications device may
be sold in California without the technological solution
enabled, unless the solution includes a geolocation
function. "
3. Are Civil Liberties Protected ? Mandating a kill switch
that can cut off voice service and Internet connections to
all mobile devices creates a communications infrastructure
that enables new ways to shut down communications of
individuals or groups. A bad actor such as a prankster,
disgruntled employee, or domestic abuser with either access
to another user's security code or the technical savvy to
break through a lock could trigger a kill switch. In
addition, law enforcement may view a kill switch as an
effective way to track down a criminal or thwart a crime and
seek access from a carrier or manufacturer to trigger the
switch. Indeed, a news story just this week reported on law
enforcement's attempts to unlock smartphones because "[y]our
calls, your emails, your calendar, your photos - not to
mention the GPS data embedded in those photos - could make a
whole case, in one convenient package."<3>
It also is conceivable that a government entity may attempt
to use kill switch technology to intentionally cut off
service of protesters or government critics, which is not
uncommon in countries that lack free speech protection.
-------------------------
<3> "Your Smartphone Is A Crucial Police Tool, If They Can Crack
It," National Public Radio, March 25, 2014, at
http://www.npr.org/blogs/alltechconsidered/2014/03/25/291925559/yo
ur-smartphone-is-a-crucial-police-tool-if-they-can-crack-it
�
After BART shut down wireless service for three hours in
response to a public protest, the Legislature enacted SB 380
(Padilla, 2013), which added Section 7908 to the Public
Utilities Code to require a court order to "interrupt
communication service." Transparency reports of
communications service providers document thousands of law
enforcement requests a year, and any request by government
to activate a kill switch also should be included in these
reports.<4> In order to protect against kill switch
technology from threatening civil liberties of users of
mobile devices, the author and committee may wish to
consider amending the bill to expressly state that any
request by a government agency to interrupt communications
service through a kill switch technology is subject to
Section 7908 of the Public Utilities Code.
4. Are Retailer Restrictions Lawful ? This bill makes any
provider of mobile communications service subject to a civil
penalty of up to $2,500 for each customer contract that
requires an extra charge for a kill switch or requires or
encourages the rightful owner to disable the kill switch.
These provisions raise several concerns. First, the
prohibition on charging for a kill switch likely violates
federal law that expressly preempts state regulation of
rates for wireless service (47 U.S.C. 332(c)). Second, even
if not preempted, this prohibition is underinclusive in that
it does not prohibit a charge for a kill switch provided by
a device manufacturer or app provider. If it did, this
would inhibit industry from offering a variety of security
solutions that customers are willing to pay for. Third, the
prohibition on a contract term that "requires or encourages"
a consumer to disable a kill switch is a content-based
restriction on commercial speech that raises First Amendment
issues, would be difficult to enforce, and interferes with a
provider's relationship with a customer who may have privacy
or other reasons for wanting a kill switch disabled and is
seeking help to make an informed decision. Accordingly, the
author and committee may wish to consider amending the bill
--------------------------
<4> See, for example, the transparency report of AT&T at
http://about.att.com/content/csr/home/frequently-requested-info/go
vernance/transparencyreport.html , Google, at
http://www.google.com/transparencyreport/removals/government/ ,
and Verizon at http://transparency.verizon.com/
�
to delete these prohibitions on page 5, lines 23 through 29,
and the corresponding penalty provision on page 5, line 35
through page 6, line 2.
5. How Is the Kill Switch Requirement Enforced ? The bill
does not specify a process or authority for enforcement of
the kill switch mandate, so presumably any district attorney
or the Attorney General could bring an action to collect
civil penalties against any person or retail entity that
sells mobile devices. To avoid penalties, a device must
have a kill switch, and it must be enabled when sold. The
bill does not specify, however, if a device will have a
label or other marking indicating a kill switch is included,
or if on-site inspections at retail stores are anticipated.
Given that the bill authorizes a kill switch to be hardware,
software, or both, which could be a downloaded app, it seems
that an inspection of the device as it is set up at the time
of sale would be required.
Determining whether a kill switch is enabled when "sold" is
especially problematic, particularly for a device "shipped
to an end-use consumer at an address within the state," as
specified in the definition of "Sold in California." The
bill allows a customer to decide to disable a kill switch,
so how will it be determined if the disabling occurred
before or after the sale? Moreover, any enforcement that
requires customers to provide law enforcement access to
their smartphones raises significant constitutional concerns
given the extensive personal information about all aspects
of one's life contained in a smartphone. To protect
individual's rights to privacy and against unlawful searches
and seizures, the author and committee may wish to consider
amending the bill to require officials enforcing this kill
switch requirement to obtain a warrant before inspecting an
individual's mobile device.
6. Is the Resale Exception Clear ? This bill applies the kill
switch requirement to any device "sold at retail and not for
resale" from a location within the state or shipped to any
person at an address within the state, but provides an
exception if a device is both (A) manufactured prior to
January 1, 2015, or originally sold outside of California;
and (B) resold in California "on the secondary market" or
�
consigned and held as collateral on a loan. This exception
for resold and consigned devices would be more clear if
incorporated into the definition of "Sold in California."
Also, the language in (A) seems unnecessarily confusing
given the apparent intent to exempt any device that is
"resold" from the kill switch requirement. In addition, the
reference to "secondary market" is confusing because many
parties in support of the bill refer to smartphone thieves
as reselling stolen phones on the "secondary market." Thus,
the author and committee may wish to consider amending the
bill to strike the provisions on page 5, lines 7 to 13, and
instead amend the definition of "Sold in California" on page
4, lines 23 to 27 as follows:
(5) "Sold in California" means that the advanced mobile
communications device is sold at retail , and not for
resale, from a location within the state, or the
advanced mobile communications device is sold and
shipped to an end-use consumer at an address within the
state. " Sold in California" does not include an
advanced mobile communications device that is resold in
California on the second-hand market or is consigned
and held as collateral on a loan.
POSITIONS
Sponsor:
San Francisco District Attorney, George Gascón
Support:
Alameda County District Attorney, Nancy O'Malley
Associated Students of the University of California
California District Attorneys Association
California Pawnbroker's Association
California Police Chiefs Association
California Transit Association
City of Los Angeles
City of Oakland
City of San Diego
City of San Francisco
City of Santa Ana
Consumer Federation of California
Consumer Union
�
Hayward Police Department
Neighborhood Crime Prevention Councils of Oakland
San Francisco Bay Area Rapid Transit District
San Francisco Municipal Transportation Agency
Temescal Merchants Association
The Utility Reform Network
Concerns:
AT&T
California Chamber of Commerce
California Retailers Association
CTIA, The Wireless Association
Google
Huawei
Los Angeles Area Chamber of Commerce
Microsoft
Motorola
Nokia
Silicon Valley Leadership Group
Sprint
T-Mobile
TechAmerica
TechNet
Verizon
Oppose:
TechNet
Jacqueline Kinney
SB 962 Analysis
Hearing Date: April 1, 2014