Category Archives: Security

Disabling Stolen Phones

Here are some answers to questions I’ve been asked recently by reporters on the U.S. stolen phone registry.

> How does this plan work from a security standpoint?

Phones are meant to have a unique identifier. GSM phones, for example, use the International Mobile Equipment Identity (IMEI). This is similar to a Media Access Control (MAC) address many people are familiar with for networking equipment. It’s used by carriers for billing and linking services/support to devices. An identifier tends to include manufacturer and model information as well as a unique serial. It also has a check digit to help prevent fake numbers.

Carriers could in theory use an identifier to block use of a stolen phone when the identity is unique to that phone. This requires someone to report the phone as stolen, a carrier to have a current and maintained list of stolen phones, and someone to try and register the stolen phone with a carrier with a list. If one or more of these three steps does not happen then the phone can still be used.

> Why is the U.S. far behind other countries in speed in creating a database for stolen mobile phones?

Unlocked phones have been more common in other countries. You can easily buy an unlocked phone from Nokia, for example, while Apple clearly does not want their users to unlock their phones. The lock-in of devices to carriers made a centralized/shared database of stolen devices less relevant. With more people using unlocked phones the need for sharing identity information becomes far more important.

> Does this actually prevent theft? If not, what would be a more effective way to do so?

It changes the market dynamics of phone theft. Criminals will try to modify the identifier on the phone when carriers block the identifier. Laws get passed to make modifying the identifier illegal but it is still possible. It turns out that there already are collisions in identifiers and it is not terribly difficult to modify the identifiers. Carriers thus also have to be capable of identifying bogus or stolen identification. This is a centralized model of security, which also raises a question of privacy risk. A centralized database may be considered by some a bigger threat to privacy than the loss of a device. A decentralized model could be where phones use encryption and self-destruction to be rendered valueless when stolen.
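To make the identifier structure and the carrier-side checks described in the answers above concrete, here is an added example (not code from the original post or from any carrier). It assumes the common IMEI layout of an 8-digit model code, a 6-digit serial and a Luhn check digit; the `admit` policy, the function names and the sample identifiers and subscribers are constructed for illustration.

```python
from collections import defaultdict

def luhn_check_digit(body14: str) -> int:
    """Check digit for the first 14 IMEI digits (Luhn algorithm)."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:            # every second digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def parse_imei(raw: str) -> dict:
    """Split a 15-digit IMEI into model code (TAC), serial and check digit."""
    digits = raw.replace("-", "").replace(" ", "")
    if len(digits) != 15 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("IMEI must be 15 decimal digits")
    return {"imei": digits, "tac": digits[:8], "serial": digits[8:14],
            "well_formed": luhn_check_digit(digits[:14]) == int(digits[14])}

def admit(raw, subscriber, stolen, seen):
    """Carrier-side decision when a device tries to register (hypothetical policy)."""
    try:
        info = parse_imei(raw)
    except ValueError:
        return "reject: malformed"
    if not info["well_formed"]:
        return "reject: bad check digit"
    if info["imei"] in stolen:
        return "block: reported stolen"
    seen[info["imei"]].add(subscriber)
    if len(seen[info["imei"]]) > 1:
        # Collision, clone or resale: a review signal, not proof of theft.
        return "flag: identifier used by several subscribers"
    return "allow"

def demo():
    stolen = {"490154203237518"}          # constructed registry entry
    seen = defaultdict(set)               # identifier -> subscribers observed
    attempts = [("49-015420-323751-8", "sub-A"),   # reported stolen
                ("490154203237519", "sub-A"),      # mistyped last digit
                ("356938035643809", "sub-B"),      # clean identifier
                ("356938035643809", "sub-C")]      # same identifier, new subscriber
    return [admit(raw, sub, stolen, seen) for raw, sub in attempts]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The check digit only shows that a number is well-formed, so it catches typing errors rather than deliberate changes. That is why the block depends on the stolen list being current and why shared identifiers are flagged for review instead of being trusted.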

Parking Space Corruption

I often refer to a USC economics study of parking behaviour when speaking in private on correlation and insider risk but apparently I have not yet mentioned it on my blog, so here it is: “Cultures of Corruption: Evidence from Diplomatic Parking Tickets”

Corruption is believed to be a major factor impeding economic development, but the importance of legal enforcement versus cultural norms in controlling corruption is poorly understood. To disentangle these two factors, we exploit a natural experiment, the stationing of thousands of diplomats from around the world in New York City. Diplomatic immunity means there was essentially zero legal enforcement of diplomatic parking violations, allowing us to examine the role of cultural norms alone. This generates a revealed preference measure of corruption based on real-world behavior for government officials all acting in the same setting. We find tremendous persistence in corruption norms: diplomats from high corruption countries (based on existing survey-based indices) have significantly more parking violations.

iOS struggles against Linux phones

A colleague who recently returned from China told me he bought an iPad in a market for $50. He then said it really just looked like an iPad but was actually running Android. He thought it was terribly funny to see a different OS on hardware than originally designed, as if he did not realise the irony. Proprietary RISC hardware running proprietary UNIX was supposedly behind us. It felt like he was showing me that he was able to buy a mainframe or midrange system cheap and run Linux on it. How funny, except I thought we were long past that point in technical liberation.

Then I noticed reports saying Android is “embedded”, far ahead of Apple iOS numbers in China.

…since many of the products were embedded with Android system, this system took the lion’s share in the market in 2011, occupying 51.1% of the market; secondly, the market share of Symbian system has been decreasing constantly. However, the system is still the second largest mobile operating system in China at present; thirdly, other smart operating system shared balanced market share, far lagged behind the abovementioned two major operating systems.

Apparently this is no exception nor a local/national situation, as illustrated by Lookout in an infographic that shows Android growth surging past Apple.

The numbers look global but they do not specify. They also do not mention that Nokia Symbian phones are still far ahead. The Economic Times gives a little more perspective.

Smartphones make up less than a third of industry volume. Nokia has also been working on a new Linux-based software platform, code-named Meltemi, to replace its Series 40 software in more advanced feature phones, industry sources told Reuters.

The Series 40 platform has been used in more cellphones than any other software, reaching a cumulative total of 1.5 billion units a few months ago. Meltemi would enable a more smartphone-like experience on those simpler models.

With that in mind, I wonder if the graph above should look more like this?

That’s still a lot of Symbian left to decrease. Could the Linux distribution Meltemi (ancient Greek for “summer wind”) blow in before the others get there? It’s certainly interesting news that a Linux option is being developed to appeal to an S40 upgrade market. It begs a question of strategy. Apple could find itself squeezed from both the high-end and low-end of the market by Android and Linux phones that run on a wide selection of devices and share applications.

At the same time Nokia has introduced a Windows phone version of their N9 hardware (called the Lumia) into the American market for $99. Apple will be faced not only with the squeeze by open operating systems and a rapidly growing decentralised app market but even those consumers who want a proprietary experience have an alternative to iOS.

All that being said I am most interested in the big security question: who will try to differentiate the privacy story in the fastest-growing markets with complex threat models. I mean, if you are one of the hundreds of millions of women trying to run a small business, what mobile system will you trust more with your business and personal secrets? A Pakistani woman on a Chinese carrier, for example…will she trust iOS?

Cost of a Cellphone Tap

Forbes has an interesting summary of recent ACLU work to expose the business of cellphone taps in America:

Wiretaps cost hundreds of dollars per target every month, generally paid at daily or monthly rates. To wiretap a customer’s phone, T-Mobile charges law enforcement a flat fee of $500 per target. Sprint’s wireless carrier Sprint Nextel requires police pay $400 per “market area” and per “technology” as well as a $10 per day fee, capped at $2,000. AT&T charges a $325 activation fee, plus $5 per day for data and $10 for audio. Verizon charges a $50 administrative fee plus $700 per month, per target.

…an AT&T spokesperson referred me to the company’s privacy policy, pointing out a specific line that reads, “We do not sell your personal information to anyone for any purpose. Period.”

That claim is “simply misleading,” says Catherine Crump, an attorney with the ACLU who coordinated the group’s FOIA project. “That’s a curious definition of ‘sell,’ given that they seem to be charging money for people’s information on a regular basis and handing it over to law enforcement agencies around the country.”

The data is obviously full of clues of how to make a cellphone tap as expensive as possible. It also reveals that the carriers vary widely in their definition of operational “cost”.

In any case the ACLU has an excellent point. Although access to data may carry a cost burden that carriers need to recoup, they directly assign a value and sell access to data instead of covering their costs indirectly.