February 24, 2014
The California legislature is considering a new law which would require all mobile communications devices sold in or shipped to California to include the capability to disable the device remotely. Mandatory use of these so-called “kill switches” is seen by some observers as a useful response to the dramatically increasing volume of mobile device theft. Opponents of the approach believe it is an unnecessary additional regulation which could have adverse consequences.
The rapidly increasing volume of mobile device theft poses important security risks to individuals and to organizations. When unsecured smartphones and other devices are lost or stolen, the information stored on those devices can be misused. In today’s environment, mobile devices routinely contain a substantial amount of information that is sensitive for both individuals and organizations.
Consumer advocates and a variety of government authorities have long urged the mobile equipment industry to make their devices more secure by integrating disabling function into the equipment for use when the devices are lost or stolen. Law enforcement authorities generally support device disabling functions in the context of securing missing equipment, however, they may sometimes appreciate the absence of a kill switch when they are trying to obtain information from devices used by individuals they are investigating.
In generally, the equipment industry has been reluctant to integrate disabling capability into devices. Part of the concern is based on the fear that a built-in disabling capability could be hacked by unauthorized parties, enabling them to make devices unusable, even by their owners.
Some members of the California legislature and state government intend to force the industry to consider device disabling systems more seriously than in the past. If the proposed legislation becomes law, all mobile devices that are sold in or shipped into California will be required to have a built-in disabling capability.
The challenge of securing mobile communications devices is a complex one. Mandatory use of kill switch systems is a useful approach, but it is not the only possible option. There are a variety of potential methods available to make mobile devices more secure.
California authorities should be applauded for their efforts to push equipment manufacturers in the direction of implementing more effective security measures for the devices they manufacture. We should not, however, make the mistake of assuming that the mandatory kill switch option advocated in California is the only effective approach to the challenge of securing mobile communications devices more effectively.