An Internet of Things that do what they're told

California's phone bricking bill seems to have reduced thefts in the short run, but at the cost of giving dirty cops and wily criminals the power to wipe-and-brick your phone at will.

I've just written an editorial for O'Reilly Radar on designing an Internet of Things that aren't a godsend to authoritarian creeps and relentless crooks — without sacrificing usability, elegance and security.

In other words: as soon as you create a back door on phones, you create the possibility that someone will abuse it. We don't know how to make back doors that only good guys can go through. And that's before we get to the security issues that arise from standardizing telco-controlled back doors in phones that are sent to countries where the rule of law is compromised or nonexistent. A year ago, Ukrainians who attended the Euromaidan demonstrations in Kiev had their mobile phone IDs harvested by state security services using Stingray devices, who then ordered the national carriers to use them to look up their mobile numbers and broadcast a chilling message by SMS: "Dear subscriber, you are registered as a participant in a mass disturbance."

What happens when we give the state the power to brick any phone without user intervention? After San Francisco BART officers were caught murdering a rider by passengers who recorded and transmitted footage using their mobile phones, the public transit operator tried to shut down mobile service on its property. Hardly a day goes by without stories of cops who illegally seize witnesses' mobile phones after committing illegal acts — what are the consequences of creating a law enforcement remote-wipe-and-brick mandate for those devices?

Imagine a user-centric, data-centric, freedom-centric version of this security measure: all devices would have to be sold with encrypted filesystems by default, so that users whose phones are lost or stolen can be sure that their data is intact, that their bank accounts won't be raided, that the correspondence with their lawyers and doctors and lovers won't be read, that their search history and photos won't be exposed.

An Internet of Things that do what they're told [O'Reilly Radar]