.png)
4 days ago
3
UK legislators are questioning why Apple and Google have yet to implement measures to allow smartphones to be locked, reset, and prevented from accessing cloud services after they've been stolen, as requested by police.
Apple phones make up about 80 percent of those stolen
In a one-off evidence session in the House of Commons yesterday, angered Members of Parliament voiced concern that commercial incentives might be behind the tech giant's apparent lack of willingness to comply with calls from the Metropolitan Police, the UK's largest force.
In response, Apple said remotely locking stolen phones after they were stolen or blocking cloud services might create other attack vectors for fraud against legitimate smartphone users. Google said its relationship with customers was through its cloud accounts, not the device.
Speaking before a committee of MPs, Darren Scates, Met Police chief digital data and technology officer, said about 80,000 smartphones were reported as stolen in London alone in 2024, up from 64,000 in 2023. Apple phones make up about 80 percent of those stolen, while estimates suggest the replacement value of stolen phones is £50 million ($67 million) a year, he said.
After they were stolen, most of the devices are collected, distributed, and resold by criminal gangs. About 75 percent were moved abroad – the prime destinations being Algeria, China, and Hong Kong, Scates said. Data showing where stolen phones end up comes from the police working with phone providers and a sample of IMEI (International Mobile Equipment Identity) numbers – a unique 15-digit serial number assigned to every mobile device – known to belong to stolen devices provided by the police. Scates said the IMEI number could allow stolen phones to be blocked at a network level under an agreement by members of the GSMA industry association, representing only 10 percent of global phone networks.
"We're asking – and it's being considered by Apple and Google – [for] an international cloud-level [block]. They actually stop smartphone serial numbers [being allowed] to connect to their services if it's reported as lost or stolen," he told Parliament's Science, Innovation and Technology Committee.
Security experts suggest that an orchestration layer could use the IMEI to take stolen phones out of action globally after they have been unlocked and wiped by criminals, effectively slashing their resale value and the incentive for theft.
Trustonic provides such a layer for private companies, including smartphone supply chain distributors, financiers, and retailers. Dion Price, chief executive, told the committee that the company could control 11 different locking technologies from smartphone manufacturers. However, devices needed to be registered with the platform when they were first turned on and in a "ready-to-lock" state.
"You have to capture the devices at first turn-on," he said. "The devices that are on the street right now, because they've never been registered in any of those systems, they're subject to the locking technology in the market today. We receive a manifest of IMEIs, we ingest them into the system, and then throughout their entire life – it doesn't matter what happens to that device. If we get the signal from the legitimate owner of that device, then we can lock or unlock it within 30 seconds anywhere in the world."
Price suggested that a regulator or new government body could create such a system based on the IMEI numbers of all phones imported into the UK, since the data was already collected for trade and tax purposes.
He pointed out that when stolen phones are reconnected to cloud services, the provider gets a revenue stream. "If the new end consumer wants to leverage any content, any cloud services, any entertainment services, then obviously that's a revenue stream [for Apple]. Same goes from a Google Android perspective," he said.
Select committee chair Chi Onwurah, a Labour MP who has previously worked as an engineer in the telecoms industry, pointed out that phone providers also benefit from the value of replacement phones where "a significant portion of that is actually paid for by insurance companies."
Addressing phone providers, she said: "The Metropolitan Police desire to be able to switch off phones from contact with your cloud services given the specific IMEI. I don't understand, speaking as a telephone engineer myself, why you can't do that."
Gary Davis, global senior director for privacy and law enforcement requests at Apple, said MPs should look at the issue "in relation to all the protections we have in place," at which point the committee members laughed, perhaps in frustration.
- Apple has only 30 days to comply with EU DMA rules
- Google, high on AI, flogs Gemini for all things
- Google brings better bricking to Androids, to curtail crims
- Cops developing Ghostbusters-esque weapon to take out e-bike thugs
Davis continued, saying using the IMEI to lock the phone or block cloud services could create other fraud vectors.
"People will try and pretend a phone is something else on occasion. So we will then make a decision as to whether to activate the device or not. In conjunction with the carriers, we worry, and we have had these discussions with the Met, that there is a vector for fraud.
"We see extensive fraud attempts. Every month, over 1,000 people try to imitate you, me, other people here to seek data from us and to delete your accounts. They do it for malicious purposes. They do it in order to then maybe blackmail you. We see these attack vectors on an ongoing basis, and I would like to think, in an area such as this, that our expertise built up over time in relation to attack vectors would mean something. I'm not saying we're opposed to [IMEI blocking] at all [but] I would wish to see that assessed in the context of all the other protections we have in place."
Committee member Kit Malthouse, a former policing minister, said: "The concern is that it feels to a lot of people like you're dragging your feet … and that sitting behind this is a very strong commercial incentive, right?"
Davis responded: "I think it's a little unfair. It is necessary for me to refute the suggestion that we somehow benefit from our users suffering the traumatic event of having their phones stolen and being disconnected from their lives. We have invested many hundreds of millions [of dollars] in designing in protections."
Simon Wingrove, software engineering manager at Google, said Android devices can be blocked from accessing the cloud services after they are stolen. "The mechanism is slightly different, but that facility already exists. If you go into the Find My Device app and you lock or wipe the device, at that point, you're blocking and doing that. The victim of the theft would do that."
He said the action would stop criminals from accessing a victim's Google account and cloud services like Google Photos, Google Drive, or Gmail, but it was unclear if the stolen phone could be used to access other Google accounts created by the new "owner" after it was stolen, unlocked, and reset.
Onwurah asked: "Why can't you do what the Met Police is asking for, which is to block it on the basis of the IMEI?"
Wingrove explained that the IMEI is connected to the cellular modem of the device and is a construct from the telecom industry. "The IMEI is actually the identifier for the business relationship that the carrier has with the victim of theft. The IMEI represents that relationship. Our relationship with the user is through the Google account," he said. ®
