Here are some answers to questions I've been asked recently by reporters on the U.S. stolen phone registry.
> How does this plan work from a security standpoint?

Phones are meant to have a unique identifier. GSM phones, for example, use the International Mobile Equipment Identity (IMEI). This is similar to the Media Access Control (MAC) address that many people are familiar with from networking equipment. It’s used by carriers for billing and for linking services/support to devices. An identifier tends to include manufacturer and model information as well as a unique serial. It also has a check digit to help prevent fake numbers.

Carriers could in theory use an identifier to block use of a stolen phone when the identity is unique to that phone. This requires someone to report the phone as stolen, a carrier to have a current and maintained list of stolen phones, and someone to try to register the stolen phone with a carrier that has such a list. If one or more of these three steps does not happen, then the phone can still be used.

> Why is the U.S. far behind other countries in speed in creating a database for stolen mobile phones?

Unlocked phones have been more common in other countries. You can easily buy an unlocked phone from Nokia, for example, while Apple clearly does not want its users to unlock their phones. The lock-in of devices to carriers made a centralized/shared database of stolen devices less relevant. With more people using unlocked phones, the need for sharing identity information becomes far more important.

> Does this actually prevent theft? If not, what would be a more effective way to do so?

It changes the market dynamics of phone theft. Criminals will try to modify the identifier on the phone when carriers block the identifier. Laws get passed to make modifying the identifier illegal, but it is still possible. It turns out that there already are collisions in identifiers and it is not terribly difficult to modify the identifiers. Carriers thus also have to be capable of identifying bogus or stolen identification. This is a centralized model of security, which also raises a question of privacy risk. Some may consider a centralized database a bigger threat to privacy than the loss of a device. A decentralized model could be one where phones use encryption and self-destruction so that they are rendered valueless when stolen.
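
The registry check from the first answer and the collision problem from the last one, as an added Python example that is not part of the original answers: it validates the IMEI check digit, looks the identifier up in a stolen list, and flags identifiers registered by more than one subscriber. The 8-digit type allocation code (TAC) plus 6-digit serial layout is the standard IMEI structure; the function names, subscriber labels and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

def luhn_check_digit(body: str) -> int:
    """Check digit for the 14-digit IMEI body (8-digit TAC + 6-digit serial)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every other digit from the right
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10

def normalize(text: str) -> str:
    """Return the 15-digit IMEI, or raise ValueError if it is malformed."""
    digits = text.replace("-", "").replace(" ", "")
    if len(digits) != 15 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("IMEI must be 15 decimal digits")
    if luhn_check_digit(digits[:14]) != int(digits[14]):
        raise ValueError("check digit mismatch")
    return digits

def registry_decision(text: str, stolen: set) -> str:
    """'malformed', 'blocked' or 'allowed' for one registration attempt."""
    try:
        imei = normalize(text)
    except ValueError:
        return "malformed"
    return "blocked" if imei in stolen else "allowed"

def shared_identifiers(registrations) -> dict:
    """IMEIs registered by more than one subscriber: a collision or a copied identity."""
    seen = defaultdict(set)
    for imei, subscriber in registrations:
        seen[normalize(imei)].add(subscriber)
    return {imei: sorted(subs) for imei, subs in seen.items() if len(subs) > 1}

# Constructed sample data: one reported IMEI and three registration attempts.
STOLEN = {"490154203237518"}
REGISTRATIONS = [
    ("490154203237518", "subscriber-A"),
    ("49-015420-323751-8", "subscriber-B"),   # same identifier, written with separators
    ("490154203237526", "subscriber-C"),      # same model, other serial, valid check digit
]

if __name__ == "__main__":
    for imei, subscriber in REGISTRATIONS:
        print(subscriber, imei, registry_decision(imei, STOLEN))
    print(shared_identifiers(REGISTRATIONS))
```

The third sample is allowed because the check digit only catches mistyped numbers; it is not evidence that an identifier is genuine, which is why the list lookup and the shared-identifier report are separate checks.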