Jul 5, 2010
Well, it hasn’t really – not for a while anyway – but it’ll do as a title.
The massive problem of mobile phone handsets being stolen led in 2002 to a marvellous bit of innovation. If a phone was stolen, its unique reference number – the International Mobile Equipment Identity (IMEI) – could be logged on a central database of blacklisted numbers, and it wouldn’t work any more. Not on any UK service, anyway, regardless of what SIM card you put in it.
Now, with an idea this brilliant in its simplicity there are bound to be a few drawbacks. (It’s also a really good illustration of problems that come up in any distributed system built around a central point, with a large number of players and variables involved.)
I haven’t managed to find out much in the way of fact about this mysterious IMEI database. I have established that it is known as the Central Equipment Identity Register (how Orwellian is that?) and that the Global System for Mobiles Association (GSMA) handles requests from mobile network operators (MNOs) to join the membership of those able to update it. Whether there is any more regulation relating to it than that is unclear. [Wikipedia tells me there are certain weaknesses in the non-uniqueness of IMEI numbers across handsets, and that handsets can be reprogrammed with a new IMEI number with enough effort. But that's incidental to the argument of this post.]
My main point is that from a process perspective, it doesn’t actually do the job it’s intended to. This is why.
One day my phone stopped working. I took it into the shop. “It’s not the SIM”, they said – “your handset’s been blacklisted. You have a SIM-only contract with us, nothing we can do. Our responsibilities stop there. Where did you get the handset?”
I explained that I’d bought it on eBay about 9 months before (from a very genteel lady in Dorking who didn’t want it as an upgrade). “You’ll need to find her, and get a receipt.” And then what? They looked blank. And what if I can’t? Blanker. “Nothing we can do”. Hmm, I thought.
Obviously, there was no chance of finding the seller – I had absolutely no idea who or where she was, and anyway, why should I? This was a mistake. Could the wrong IMEI have been put on the blacklist by mistake? “Yes.”
I made a big fuss. I tried to track down a regulator. I wrote to Ofcom. I did all the usual things that a public service process obsessive does. Nothing. Silence everywhere. I carried on making increasing levels of fuss to Vodafone – my only hope: with membership of the GSMA club and able to get their digits on the database. Finally, after much griping, emailing and phoning, they said “it’ll work now.” And it did. “It was a mistake,” they said. “Happens quite a lot.”
Which means that making a big enough fuss, being articulate and invoking stories of nice grey-haired ladies in Dorking will get your phone unlocked. Stolen or not. By any MNO you pick on to force the unlocking.
Which seems like a complete load of bollocks.
This is a hugely powerful system, capable of causing immense inconvenience due to a finger-slip by any of hundreds of people, scattered widely. It’s designed to provide a serious barrier to theft, yet it can be unpicked with a sustained bout of whinging and some smartly written emails.
It reminded me of some of the concepts of centralised identity management, which I’ve written about before. As soon as a centralised system becomes powerful enough to be any use, almost by definition it becomes unusable when exposed to many real world conditions. The blocking process might have been quite effective when almost all handsets came via your MNO, and you didn’t swap networks much. But those days are long gone.
Gary Gale reported a similar experience to this today, triggering thoughts that it wasn’t just me, and provoking me to write this post. Thanks Gary. Add any comments you like.
I’m not a mobile industry expert. If any of you are, and I’ve made a string of howlers above, I’m sure you’ll let me know. Is something missing here in terms of an independent point of contact to appeal mistakes like this? Who would run it? Who would pay? We can certainly forget a “well, government should just do it” solution in the current climate.