#DigitalLaw question: how safe is your #cellphone? #imei #theft #criminalnegligence

I just tweeted the following question:

 

 

I had a very special mobile-phone stolen last week, whilst out of the UK.  I have mentioned the impact the loss had on me on these pages already.  I had built up a special relationship with its nature.  Discussing this further is not the purpose of this post.

I am more interested in talking about the process and procedure attached to blocking a phone and its SIM-card after loss, with the understandable goal of making the phone useless and its content inaccessible to criminal elements, whether organised or rather more desultory.

The phone I lost was purchased from Amazon in the UK on 21st July.  The phone appeared defective after a few days, a few factory resets, and a few attempts to find buggy apps that might not be used.  I was on holiday at the time, the Post Office near where I was staying which was assigned for the pick-up of the planned return had its systems down when I visited it, and so I asked for the return to be processed once back home in Chester.

To cut a long story short, I was so furious with the customer service provided by the company (I had previously had a similarly dispiriting experience in September 2016 when another phone purchase from Amazon in the UK had also stopped working whilst I was away on a short holiday) that they refunded my money and told me to keep the phone: I should do with it what I wished.

What I attempted to do with it, and slowly began to achieve in the following months, is for a quite separate post in some fascinating future when – maybe – you’re going to be prepared to believe me.  Right now, as a recent Liverpool John Moores University MA in International Criminal Justice, I initially wanted to begin to use the skillset acquired to explain what I thought was a series of legal behaviours which should have bordered on being seen as criminal negligence but which, in the event, are – quite unfortunately – apparently tolerated by current legislation.

The issue I have identified revolves around two elements of every mobile phone: the SIM-card, which is to say the phone’s telephone number (what we ring to contact someone), on the one hand, and the number that you are always told you also need which helps track your phone if lost or stolen – the IMEI, or the phone’s birth certificate if you like, on the other.

Before writing this post, I assumed the IMEI was the be-all and end-all of mobile phone identity (thus my tweet).  However, a quick look at Wikipedia (am now not being a recent LJMU law student!) indicates that the IMEI is neither blocked everywhere even if facilitated, nor impossible to modify.  There is something called the IMSI which doesn’t appear as far as I know on your phone’s box, is generally used sparingly by networks as it may be fairly sensitive information which allows a specific user to be easily tracked by those who shouldn’t, but – get this (at least according to Wikipedia …)! – is used frequently when roaming (ie connecting with a network abroad which isn’t your own homegrown one).

Keep the above on the pinboard, for the moment.

The day my phone was stolen, in Dublin on the 17th November 2017 in the afternoon, and after gathering my wits sufficiently, I did three things: reported the loss to the Garda, the Irish police (though they were unable to provide me with a crime incident number – a number I am still waiting for); got my British service provider, EE, to block the SIM-card (this was done most efficiently and immediately); and with EE’s agreement, contacted Amazon, the original vendor of the phone, for the IMEI.  EE were looking to block the IMEI of a phone they hadn’t sold, and even suggested they would do so.  (I had contradictory information in an EE store in Liverpool One yesterday, mind, where the salesperson incompletely reactivated a new SIM-card with the original number, whilst at the same time saying EE didn’t have the facility to hold an IMEI of a phone sold by someone else, nor even block it in the event it was facilitated by the client.)

I had spoken to two Amazon customer-service agents on the same Friday of the theft: neither knew what an IMEI number was, and at least one assumed I was saying iPhone 5s.  One got back to me whilst I was on a separate call, so left a voicemail: the voicemail said Amazon’s policy on the matter was not to supply IMEIs to customers (even after due verification, one assumes) for security reasons.  The security of the phone and its content was of little importance, it would seem.

The following week I contacted the company again for a parallel issue where my access to recent purchases of music from the company – music stored in their cloud – had become impeded.  After speaking with four more people, none of whom knew what an IMEI was (I would always take the opportunity to try and kill two birds with one stone – perhaps my bad, there), in the late afternoon, early evening of the 22nd, whilst I was in Dublin Airport waiting to fly back to the UK, I eventually managed to speak to an MP3-tech guy from the company who knew what an IMEI was.  I had already notified him that whilst I could now access recent music purchases in the cloud, I could no longer see around 350 songs I had stored over the years.  It was then that I decided I had to tell him my phone had been stolen, as I felt that the investigation already underway into cloud-music problems needed to know about the potential access a mobile phone – whose IMEI was still not blocked, five days after it had been taken – could be offering criminal elements.

On the off-chance, always the optimist, I suddenly decided to ask if he could find the IMEI no one else had discovered.  Remember: EE felt this number useful enough for me to attempt to get someone to give it me.  We were on the phone for about an hour, what with one thing and another, when he finally said he found a field with the words IMEI on a database related to the phone purchase in question: the only problem being the field was blank.

Amazon states on its website, on each phone’s webpage they sell, that they automatically communicate the IMEI to the British police, on selling a phone.  There must be a database out there in the company which holds my name against the IMEI in question, and an audit trail which says the police were duly notified on the 21st July.

But the database which the wonderful MP3 guy stumbled across did not hold any such information.

Compare and contrast with my experience today as I bought a replacement SIM-free phone from Carphone Warehouse.  The man who attended me had worked with a Northern English police force, and he happily showed me the bit of their database where my phone’s IMEI was now stored; he confirmed if I phoned during customer-contact hours (not 24/7, but clearly more competently than Amazon were in my case last and this week), they would happily facilitate the number and/or block it; if I had my phone stolen at 3am on a Sunday morning, clearly I and my phone’s content would be stuffed for a number of hours, but at least after that timeframe something would be done.

Finally, this evening I had another conversation with frontline customer service at Amazon: the gentleman kindly confirmed that Amazon did not have the responsibility nor the processes to block an IMEI, nor communicate it to whoever might be able to; he suggested maybe the police would, and in their absence perhaps the manufacturer (in this case Lenovo).  I asked if Amazon communicated customer- and product-identity information to manufacturers.  The agent replied they did not.  I then suggested Lenovo would find it impossible to connect my purchase with their list of IMEIs.

He offered to send me contact details for Lenovo in an email.  I thanked him for his help.

I then telephoned my local police force.  I explained most of the above: they confirmed the police do not use the IMEI to block, plus a whole lot of other fascinating information … and so it was then that I eventually saw myself able to ask for confirmation that the issue was not covered by law; there is no obligation to block an IMEI; and whilst a company probably should, the criminal negligence I sense – in the light of frequent terrorist communication, of wide-ranging uses made of mobile phones in such dreadful acts, of this almost being like a gun with no reliable serial number! – doesn’t exist in current legislation.

The police officer who took my call at the end gently suggested I contact Citizens’ Advice Bureau or maybe Trading Standards.  At the very most, it was a problem of internal business procedures.  But no crime, really not, was being committed.

And, in the evident reality of my own clear ignorance of the law, I do believe the officer in question.


So let’s summarise and checklist the above into nine much simpler points:

  1. The IMEI is not a very reliable birth certificate: with special tools, it is easily faked.
  2. The IMEI will be blocked in some jurisdictions but not all.  If you lose your phone in the UK, your phone can be blocked by those who voluntarily choose to do so (though not Amazon, and Carphone Warehouse only in customer-contact hours).  In Singapore, it is not seen to be a useful remedy and is apparently never used to protect lost or stolen phones.
  3. The IMSI, transmitted rarely to protect user privacy when within their own network, is used frequently when in roaming.  Why didn’t my provider, or the Garda, or anyone else over the past week, mention the IMSI – which surely was both being used by my EE SIM-card/Amazon SIM-free mobile when roaming in Dublin on the 17th November, and known by anyone with technical access to the network?  Why not suggest it be used to block or track the phone in the absence of my knowing myself the far more common IMEI?
  4. If you don’t buy your phone from your telecommunications operator but from, say, Amazon or Carphone Warehouse, why is it impossible for the operator to then make a note of the third-party IMEI which you, their SIM-card customer, could easily provide prior to any future potential theft or loss?
  5. Why can anyone sell millions of units of as potentially dangerous a device as a modern but untraceable mobile-phone – I mean in the context of organised crime and full-blown terrorism – and not be required in law to have the relevant processes, trained staff and individual procedures to provide their clients and end-users with a “24/7, for the life of the device” blocking service via a publicly and easily accessed phone number?  As already pointed out, even if you know your IMEI, the police do not block it: they only use it to identify in case of recovery.  So if that fateful day I had rung Amazon with the IMEI to hand, where would they have sent me – to Lenovo?  And Lenovo, if their offices had been open – what would they have done?  And if they had not been open, even where Lenovo had relevant process and procedures in place, what bit of good at all would the blessed digits have been to anyone?
  6. How can six of seven frontline customer service agents of a company as big as Amazon not know what an IMEI even is?
  7. How can a mobile-phone sale not retain the IMEI – for example, in as simple a place as on the PDF of the invoice?
  8. Why is none of the above considered cases of a negligence bordering on the criminal in law?
  9. Why is all of the above perfectly legal?

One last thought.  There’s always a reason when something simple doesn’t exist reliably.  The holes through which democratic citizens frequently fall are holes through which democracy may be bent out of shape.

Therein the explanation, perhaps, behind the lack of solidity which a mobile-phone’s alleged, and generally widely understood, birth certificate manifests.

Therein, also, maybe, the explanation why other identifiers, even their very conceptualisation, do not appear on the boxes – or, indeed, anywhere easily accessible that is not Wikipedia – of these precious containers of everything we are now becoming: precious containers which the modern smartphone and its terribly fragile wizardry clearly now do represent.

For if you think this will never affect you, because you are as careful as houses with these fabulous devices you own, then think this: how much of you, in your emails, your texts of heartfelt love and affection, your photos whether discreet or otherwise, your bank details perhaps, your likes and personal profiles for sure, are sitting – right now, right this minute, right so very shared – on so many of your friends’ and family’s very own smartphones and Internet-connected devices?  Perhaps the ones which, for example, your ever-so-young offspring now take to primary school.

Do you still really feel it’s only your own acts that will determine your need in the future to be able to efficiently block access by organised crime to the content, identity and people you so carefully cherish?

For my part, I can live with my idiocies: I have been an all-too-public person over the years, and I acknowledge my now irreversible mistakes.  But it’s the lives and feelings of those who have communicated with me during this time – sometimes out of love, sometimes out of real despair, sometimes out of sheer hatred too – that are now to be found in those thousands of emails, downloaded to the Motogotchi phone someone I honestly, really, sincerely do believe deliberately knew what they were stealing.

And it’s this moment, that second,  when not being able to identify your phone – for example, via its vendor’s surely necessary sense of future responsibility – demonstrates, for me at least, zero duty of care on the part of any such vendor: a zero duty of care either for the integrity of the device or the privacy of all the user’s acquaintances, friends, family networks … or just simply, plainly, flatly, for their life.

Advertisements

1 thought on “#DigitalLaw question: how safe is your #cellphone? #imei #theft #criminalnegligence”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s