BILL ANALYSIS Ó 1 SENATE ENERGY, UTILITIES AND COMMUNICATIONS COMMITTEE ALEX PADILLA, CHAIR SB 962 - Leno Hearing Date: April 1, 2014 S As Amended: March 24, 2014 Non-FISCAL B 9 6 2 DESCRIPTION Current law provides that theft - the stealing, taking, or driving away with the personal property of another - is a misdemeanor when the value of the property does not exceed $950 and is punishable by fines and up to one year in the county jail. (Penal Code §§ 484 and 487) This bill , in order to deter theft of smartphones and tablets, makes any person or retail entity subject to a civil penalty of up to $2,500 for each mobile communications device sold after January 1, 2015, unless that device includes a technological solution commonly called a "kill switch" and the kill switch is enabled when sold. This bill makes any provider of mobile communications service subject to a civil penalty of up to $2,500 for each mobile device customer contract that requires an extra charge for a kill switch or requires or encourages the customer to disable the kill switch. This bill requires a kill switch that can render the essential features of the device inoperable when the device is not in the possession of the rightful owner, with essential features defined as using the device for voice communications and Internet connection including access to any mobile software applications (apps). This bill requires that the kill switch prevent reactivation of the device on a wireless network except by the rightful owner and that the kill switch be reversible so that if a rightful owner obtains possession of the device after essential features are rendered inoperable that owner can restore those essential features. This bill requires that the kill switch be able to withstand a "hard reset" so that restoration of the device to the state it was in when it left the factory will not eliminate the enabled kill switch. Current law and decisions of the Federal Communications Commission (FCC) require all providers of wireless and Internet-based communications services to enable customers to call 911 for emergency services, and establishes dates for enabling text to 911 and Next Generation 911 (Government Code §§ 53100 - 53120) This bill requires that the kill switch not render inoperable the ability to dial 911 for emergency services. This bill provides that a rightful owner may affirmatively elect to disable a kill switch after sale, and that the physical acts necessary to disable the kill switch may only be performed by the customer or a person specifically selected by the customer to disable the kill switch and not by any retail seller of the device. The bill applies the kill switch requirement to any device "sold at retail and not for resale" from a location within the state or shipped to any person at an address within the state, but provides an exception if a device is both manufactured prior to January 1, 2015, or originally sold outside of California, and resold in California "on the secondary market" or consigned and held as collateral on a loan. BACKGROUND Smartphone Theft On the Rise - As smartphones continue to transform all aspects of modern life, they also have caused a crime epidemic. More than 90 percent of all Americans own a mobile device, and nearly 60 percent a smartphone. The high resale value of smartphones and other hand-held mobile devices like tablets, and their relatively small size, make them prime targets for thieves. Many published reports document a dramatic increase of smartphone theft. According to reports summarized by the San Francisco District Attorney's Office: Most robberies now involve the theft of a smartphone; In 2012, more than 50 percent of all robberies in San Francisco and 75 percent in Oakland involved the theft of a mobile device; and An estimated 1.6 million Americans were victimized for their smartphones in 2012. Industry Response to Stem Theft - The FCC, law enforcement, and industry collaborated on efforts to address the problem in 2012. These included providing consumers more security options on devices and automatic prompts to establish passwords and launching a public education campaign urging consumers to use security apps that enable them to remotely locate, lock and wipe devices. A national database was established to help prevent lost or stolen phones from being reactivated. Wireless carriers use the database to check whether a device presented to them has been reported lost or stolen and, if so, will not allow service to be established. Its effectiveness depends on consumers reporting a lost or stolen phone. Industry reports that efforts are underway to link more foreign carriers and countries to the database. Without that international cooperation, stolen phones resold in foreign countries continue to have value. Industry continues to introduce new and more sophisticated security solutions for consumers. These include options such as Apple's "Find My iPhone" with "Activation Lock" feature that allows a person who has lost or stolen an iPhone to remotely log into a hosted platform and send a signal to lock the device and make it unusable without the original owner's security passcode established when the device was purchased. Other solutions include Samsung's "Reactivation Lock" and Android's "Lo Jack." Some solutions are built into the device or downloaded as an app, some with a fee. Legislative Proposals - Law enforcement groups, frustrated with the lack of a ubiquitous security solution that they believe would eliminate the resale value of smartphones, have focused on legislation to mandate a kill switch in all smartphones. Bills have been introduced in Illinois, Minnesota, and New York. Several measures mandating a kill switch also have been introduced in Congress, along with a measure to increase criminal penalties for smartphone theft. COMMENTS 1. Author's Purpose . According to the author, "SB 962 will require any smartphone or tablet sold in California to include a technological solution that renders the essential features of the device inoperable when stolen. Such solutions remove the incentive for thieves by eliminating the device's value on the secondary market. As a result, this legislation will go a long way towards ending the epidemic of smartphone theft and ensuring Californians are safeguarded from theft." 2. Effective to Deter Smartphone Theft v. Potential Harm . The statistics documenting a dramatic increase in smartphone theft are compelling, and no party disputes the need to address the problem. The question is whether the statutory kill switch mandate proposed by this bill will effectively deter theft without jeopardizing public safety, personal privacy, and civil liberties, or causing other undesirable consequences. Ultimately, the bill requires a cost-benefit analysis - is a kill switch mandate effective enough to produce theft deterrent public safety benefits that outweigh harmful impacts? A threshold question is whether the bill is clear enough in specifying what "technological solution" is required and whether the solution described is technologically possible. 3. Due Process: What Is Required to Avoid Penalties ? State and federal constitutional due process guarantees require that a statute be sufficiently clear to give a "fair warning" of the conduct prohibited and provide a standard or guide against which conduct can be uniformly judged by courts or agencies that enforce it. A law must give a "person of ordinary intelligence a reasonable opportunity to know what is prohibited, so that he may act accordingly."<1> This bill requires a kill switch that will do all of the following: Render the essential features of a device ------------------------ <1> Morrison v. State Board of Education (1969) 1 Cal.3d 214, 231; Zubarau v. City of Palmdale (2011) 192 Cal.App.4th 289, 308; Grayned v. City of Rockford (1972) 408 U.S. 104, 108-109). (voice and Internet service) inoperable when not in the possession of the rightful owner; Prevent reactivation of the device on a wireless network except by the rightful owner. Not disable 911 emergency telephone service; Be completely reversible to allow reactivation of all essential features by the rightful owner even after they have been rendered inoperable; Be able to withstand a hard reset so all the kill switch functions will be retained if efforts are made to return the device to the state it was in when it left the factory; and Be secure against hacking. Do these specifications give fair warning of what technological solution is required, and is it possible to achieve? 1. Do Exceptions Undermine Ubiquity Necessary to Deter Theft ? The legislative findings of the bill state that "[i]n order to be effective, these technological solutions need to be ubiquitous, as thieves cannot distinguish between those mobile devices that have the solutions enabled and those that do not." Indeed, the effectiveness of this bill rests on the premise that if thieves know that all mobile devices have an enabled kill switch (and therefore lack resale value), they will not bother to steal them. It is unclear, however, whether exceptions to the kill switch requirement in the bill, and practical realities of the marketplace, will result in enough ubiquity to be an effective theft deterrent. The following devices would not be required by this bill to have a kill switch and therefore would continue to have value for resale on the black market: All devices that fall within the exception for resale and pawnbrokers; All devices sold out of state and brought into California; All devices currently in the market, which customers typically replace every 18 to 24 months; All devices provided "free" as part of a promotion or a wireless lifeline plan; and All devices that, even if rendered inoperable by a kill switch, may have value for parts. 1. Is Customer Access to Emergency Services Guaranteed ? Public safety will be threatened if a kill switch cuts off access to emergency services. This bill requires a kill switch to render essential features inoperable, defined to include voice service and Internet connection. Recent amendments require that a kill switch not render inoperable the ability of a device to dial 911. But cutting off voice service and Internet connection will preclude text to 911, a service the large wireless carriers are required to provide by May 15, 2014. A pending FCC rule requires all wireless companies and Internet-based text service providers to enable text to 911 by the end of this year. Text to 911 offers public safety advantages for persons with disabilities, in a hostage situation or home break-in when a voice call can be dangerous, and when network congestion from high usage during a crisis makes voice connections unavailable or slow. Moreover, with voice and Internet service inoperable from a kill switch, a mobile device would not be able to receive Wireless Emergency Alerts under a program in effect since 2012 coordinated by the FCC and Federal Emergency Management Agency. These include nationwide presidential alerts, emergency alerts generated by state and local agencies, and Amber alerts like the one San Diego County Office of Emergency Services sent out in August 2013, which led to the rescue of 16-year-old kidnap victim Hannah Anderson in Idaho. Local geo-targeted reverse 911 systems used for evacuation orders, fire and weather alerts, tsunami warnings, and in connection with crimes also would be jeopardized, as would California early earthquake warning alerts. In order to protect public safety, the author and committee may wish to consider amending the bill to define "essential features" so that a kill switch is not required to render inoperable the ability of a device to access 911 emergency services by voice call or text and to receive wireless emergency alerts and warnings. 2. Is Customer Privacy Protected, Especially Children's Privacy ? A kill switch can affect customer privacy if it includes geolocation functionality that enables tracking and locating the device and sending signals to remotely trigger a locking function. The bill does not require a geolocation function, but it is integral to kill switch solutions such as Apple's "Find My iPhone Activation Lock," which supporters identify as likely complying with the bill (if it is enabled). A geolocation function increases the odds of retrieving a stolen device, or finding it if it turns out to have just been lost. Because geolocation services on mobile devices result in retention of personal location information and enable tracking, federal and state regulators have adopted an opt-in standard, requiring that companies obtain affirmative express consent from the consumer with just-in-time disclosure of how an app or service will collect and retain geolocation data so that users can make an informed decision on whether to opt in. Both the Federal Trade Commission and the California Attorney General have adopted and enforced this standard. When consumers are children, disclosure and affirmative consent practices for geolocation services are subject to additional requirements.<2> To the extent a kill switch solution includes geolocation functionality, this bill runs counter to that opt-in standard of privacy protection by prohibiting sale of a mobile device unless a kill switch is enabled. Significantly, the bill makes no exception to this default opt-out requirement when a device is sold for use by a child. Moreover, the bill requires no disclosure or customer notification about geolocation functionality and prohibits a retailer from helping a customer when making a decision about the service that impacts privacy. Some supporters of the bill state that there appears to be no technological reason that geolocation and kill switch functions must be coupled. As stated by TURN: "It is our understanding that the technology exists for a customer to ------------------------- <2> "Mobile Privacy Disclosures" Federal Trade Commission (February 2013) at http://www.ftc.gov/sites/default/files/documents/reports/mobile-pr ivacy-disclosures-building-trust-through-transparency-federal-trad e-commission-staff-report/130201mobileprivacyreport.pdf :, and "Privacy on the Go," California Attorney General (January 2013) at http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_th e_go.pdf ? opt for the theft prevention solution but not the GPS functionality and the bill allows for such decoupling - which eliminates this privacy concern." A more precise and definitive way to eliminate the privacy concern is to remove the opt-out requirement from the bill if a kill switch solution includes a geolocation function. This would give industry flexibility to develop a kill switch with or without a geolocation function, and, if a geolocation function is included, would give consumers, especially children, the full protection of existing privacy laws and regulations. Thus, the author and committee may wish to consider amending the bill to strike subparagraph (3) on page 5, lines 15 to 22, and modify the following on page 5, lines 1 to 3: "No advanced mobile communications device may be sold in California without the technological solution enabled, unless the solution includes a geolocation function. " 3. Are Civil Liberties Protected ? Mandating a kill switch that can cut off voice service and Internet connections to all mobile devices creates a communications infrastructure that enables new ways to shut down communications of individuals or groups. A bad actor such as a prankster, disgruntled employee, or domestic abuser with either access to another user's security code or the technical savvy to break through a lock could trigger a kill switch. In addition, law enforcement may view a kill switch as an effective way to track down a criminal or thwart a crime and seek access from a carrier or manufacturer to trigger the switch. Indeed, a news story just this week reported on law enforcement's attempts to unlock smartphones because "[y]our calls, your emails, your calendar, your photos - not to mention the GPS data embedded in those photos - could make a whole case, in one convenient package."<3> It also is conceivable that a government entity may attempt to use kill switch technology to intentionally cut off service of protesters or government critics, which is not uncommon in countries that lack free speech protection. ------------------------- <3> "Your Smartphone Is A Crucial Police Tool, If They Can Crack It," National Public Radio, March 25, 2014, at http://www.npr.org/blogs/alltechconsidered/2014/03/25/291925559/yo ur-smartphone-is-a-crucial-police-tool-if-they-can-crack-it After BART shut down wireless service for three hours in response to a public protest, the Legislature enacted SB 380 (Padilla, 2013), which added Section 7908 to the Public Utilities Code to require a court order to "interrupt communication service." Transparency reports of communications service providers document thousands of law enforcement requests a year, and any request by government to activate a kill switch also should be included in these reports.<4> In order to protect against kill switch technology from threatening civil liberties of users of mobile devices, the author and committee may wish to consider amending the bill to expressly state that any request by a government agency to interrupt communications service through a kill switch technology is subject to Section 7908 of the Public Utilities Code. 4. Are Retailer Restrictions Lawful ? This bill makes any provider of mobile communications service subject to a civil penalty of up to $2,500 for each customer contract that requires an extra charge for a kill switch or requires or encourages the rightful owner to disable the kill switch. These provisions raise several concerns. First, the prohibition on charging for a kill switch likely violates federal law that expressly preempts state regulation of rates for wireless service (47 U.S.C. 332(c)). Second, even if not preempted, this prohibition is underinclusive in that it does not prohibit a charge for a kill switch provided by a device manufacturer or app provider. If it did, this would inhibit industry from offering a variety of security solutions that customers are willing to pay for. Third, the prohibition on a contract term that "requires or encourages" a consumer to disable a kill switch is a content-based restriction on commercial speech that raises First Amendment issues, would be difficult to enforce, and interferes with a provider's relationship with a customer who may have privacy or other reasons for wanting a kill switch disabled and is seeking help to make an informed decision. Accordingly, the author and committee may wish to consider amending the bill -------------------------- <4> See, for example, the transparency report of AT&T at http://about.att.com/content/csr/home/frequently-requested-info/go vernance/transparencyreport.html , Google, at http://www.google.com/transparencyreport/removals/government/ , and Verizon at http://transparency.verizon.com/ to delete these prohibitions on page 5, lines 23 through 29, and the corresponding penalty provision on page 5, line 35 through page 6, line 2. 5. How Is the Kill Switch Requirement Enforced ? The bill does not specify a process or authority for enforcement of the kill switch mandate, so presumably any district attorney or the Attorney General could bring an action to collect civil penalties against any person or retail entity that sells mobile devices. To avoid penalties, a device must have a kill switch, and it must be enabled when sold. The bill does not specify, however, if a device will have a label or other marking indicating a kill switch is included, or if on-site inspections at retail stores are anticipated. Given that the bill authorizes a kill switch to be hardware, software, or both, which could be a downloaded app, it seems that an inspection of the device as it is set up at the time of sale would be required. Determining whether a kill switch is enabled when "sold" is especially problematic, particularly for a device "shipped to an end-use consumer at an address within the state," as specified in the definition of "Sold in California." The bill allows a customer to decide to disable a kill switch, so how will it be determined if the disabling occurred before or after the sale? Moreover, any enforcement that requires customers to provide law enforcement access to their smartphones raises significant constitutional concerns given the extensive personal information about all aspects of one's life contained in a smartphone. To protect individual's rights to privacy and against unlawful searches and seizures, the author and committee may wish to consider amending the bill to require officials enforcing this kill switch requirement to obtain a warrant before inspecting an individual's mobile device. 6. Is the Resale Exception Clear ? This bill applies the kill switch requirement to any device "sold at retail and not for resale" from a location within the state or shipped to any person at an address within the state, but provides an exception if a device is both (A) manufactured prior to January 1, 2015, or originally sold outside of California; and (B) resold in California "on the secondary market" or consigned and held as collateral on a loan. This exception for resold and consigned devices would be more clear if incorporated into the definition of "Sold in California." Also, the language in (A) seems unnecessarily confusing given the apparent intent to exempt any device that is "resold" from the kill switch requirement. In addition, the reference to "secondary market" is confusing because many parties in support of the bill refer to smartphone thieves as reselling stolen phones on the "secondary market." Thus, the author and committee may wish to consider amending the bill to strike the provisions on page 5, lines 7 to 13, and instead amend the definition of "Sold in California" on page 4, lines 23 to 27 as follows: (5) "Sold in California" means that the advanced mobile communications device is sold at retail, and not for resale,from a location within the state, or the advanced mobile communications device is sold and shipped to an end-use consumer at an address within the state. " Sold in California" does not include an advanced mobile communications device that is resold in California on the second-hand market or is consigned and held as collateral on a loan. POSITIONS Sponsor: San Francisco District Attorney, George Gascón Support: Alameda County District Attorney, Nancy O'Malley Associated Students of the University of California California District Attorneys Association California Pawnbroker's Association California Police Chiefs Association California Transit Association City of Los Angeles City of Oakland City of San Diego City of San Francisco City of Santa Ana Consumer Federation of California Consumer Union Hayward Police Department Neighborhood Crime Prevention Councils of Oakland San Francisco Bay Area Rapid Transit District San Francisco Municipal Transportation Agency Temescal Merchants Association The Utility Reform Network Concerns: AT&T California Chamber of Commerce California Retailers Association CTIA, The Wireless Association Google Huawei Los Angeles Area Chamber of Commerce Microsoft Motorola Nokia Silicon Valley Leadership Group Sprint T-Mobile TechAmerica TechNet Verizon Oppose: TechNet Jacqueline Kinney SB 962 Analysis Hearing Date: April 1, 2014