iPhone Users Sue AT&T For Letting Thieves Re-Activate Their Stolen Devices

An anonymous reader writes "Following on the heels of the FCC and U.S. mobile carriers finally announcing plans to create a national database for stolen phones, a group of iPhone users filed a class action lawsuit against AT&T on Tuesday claiming that it has aided and abetted cell phone thieves by refusing to brick stolen cell phones. AT&T has '[made] millions of dollars in improper profits, by forcing legitimate customers, such as these Plaintiffs, to buy new cell phones, and buy new cell phone plans, while the criminals who stole the phone are able to simply walk into AT&T stories and 're-activate' the devices, using different, cheap, readily-available 'SIM' cards,' states their complaint. AT&T, of course, says the suit is 'meritless.'"

Only if they reported it.

[DurendalMac]

If customers reported their iPhones as stolen and had all of the necessary details (serial number, IMEI number, etc) that could uniquely identify their phones, then this suit may well have merit. This info is likely in either their system or Apple's system, especially if they both track serial numbers through sales and registration. If thieves are bringing stolen phones in and that data is in their system then they damned well should be doing something about it.

Re:Only if they reported it.

[Beardo+the+Bearded]

Which is more likely?

That a company that puts someone in a 3-year contract worth thousands of dollars per customer has no record of what they are selling or they figured that they could get away with selling the same service twice to two different people?

"Your phone was stolen? It's only $550 to get another one, or we can just charge you for the services. Hang on, I've got a Mr. Crowbar McGee on the other line, how odd, same phone as you but no receipt."

Re:Only if they reported it.

[aztracker1]

Yea, but the DMV doesn't issue a new registration tag to the theif.

Re:Only if they reported it.

[AngryDeuce]

I fail to see how these companies could validate with 100% certainty that the device reported stolen actually belong to the owners that claimed to own them.

It's called a police report. It's good enough for the company insuring the phone against theft, so why would it not be enough for AT&T to cut the service?

If the police report is fraudulent, well, there are already legal mechanisms in place to deal with that. The point is, obviously they could do something, they just choose not to because it benefits them financially.

Re:Only if they reported it.

[gstrickler]

The carrier probably has it in their phone records for that account. The IMEI is part of how a device identifies itself to the network. It's used to prevent using stolen phones in many other countries.

Re:Only if they reported it.

[AngryDeuce]

No, but if the thief tried to register that car, it would show up as stolen and the DMV would not allow him to register it under his name. They call the police.

Why is it so unreasonable that AT&T do the same? They can tell the damn phone is registered to someone else, they can't take a minute to see if it was stolen or not? How many people sell cell phones to strangers with all their personal information on them? I mean, really?

Re:Only if they reported it.

[Dahamma]

then you open the door to situations where person A falsly reports persons B's phone stolen and gets it bricked.

That makes absolutely no sense. Besides the fact that they already have methods in place to verify the account owner and prevent for much more important concerns (changing service plan, cancelling the account, etc) how would it be any different from what would happen today if someone were able to convince AT&T that your phone was stolen? They already deactivate the phone from your account when reported stolen, which would cause the same level of inconvenience to the owner.

Adding it to a central database just means if the phone was truly stolen, the thief can't reactivate it on *another* account. If your phone wasn't really stolen (or you thought it was and then found it) you just have to prove that to AT&T (using the same account authentication methods they use to let you deactivate it) and they can take it out of the database.

Re:Only if they reported it.

[Reverand+Dave]

That is why a police report is filed. If the information about a stolen phone is good enough for a police report then it should be good enough for AT&T. Their truculence is merely a matter of profiteering on stolen merchandise.

Re:Only if they reported it.

[girlintraining]

The point is, obviously they could do something, they just choose not to because it benefits them financially.

And that in turn benefits America, because when a corporation makes a profit, that creates jobs, which improves the economy. So why the hell are you doing your patriotic duty and stealing from your fellow citizens so you can give to the corporation?

On a less sarcastic note, the police have often refused to get involved even after a police report is filed _and_ the person knows exactly where the cell phone is (hello? They're radio transmitters). Police resources are only used in cases of violence, property damage, or theft of corporate property. Theft of private property is just... not important.

Re:Only if they reported it.

[Shoten]

I fail to see how these companies could validate with 100% certainty that the device reported stolen actually belong to the owners that claimed to own them. This is important; because if you can't validate the owner with 100% certainty, then you open the door to situations where person A falsly reports persons B's phone stolen and gets it bricked. This would be a denial of service prank/attach and I'm sure it would be a much larger liability for AT&T than simply letting theives reactivate a device that was obtained nefariously. Are they going to make everyone that claims to have a phone stolen produce a receipt to validate ownersihp? To requre AT&T to get involved would be a disaster. When you require/allow corporations to get involved in things that should ONLY be law enforcement investigations, then you open a whole new can of worms.

It's been done in just about every other country in the world for some time now. The process works, and it also cuts WAY down on smartphone theft. In Washington, DC (where I live) there has been a rash of armed holdups for smartphones for some time now, and the chief of police has been begging AT&T (because iPhones are the prime target...sorry Android users) to do this. Police departments in cities all over the country have been calling for this to be done.

Yes, it's possible to cause trouble for someone else by filing a false police report. It's also a felony, and quite certain to get you caught. I could cause trouble for you by claiming you stole my phone. But then, AT&T would happen to have that phone associated with your name, SSN, credit card, address, and blood type...and would have had that association for quite some time. So, I would go to jail instead. Following your logic, we shouldn't allow people to say that their cars were stolen, either, because I could just walk up to you in your car and say "THIEF!" and send you to prison while I drive away in your vehicle.

Re:Only if they reported it.

[AngryDeuce]

All of those things you mention are pretty much completely untraceable. Obviously, this is not the case with the iPhone, since the service requires the handsets to be uniquely identifiable at all times on their network.

Besides, go ahead and try and register a car reported as stolen with your local DMV. Watch what happens.

No one expects AT&T to do anything that is not already completely within their power to do, nor is it something that any reasonable person would consider out of line at all.

Re:Only if they reported it.

[laughing+rabbit]

Our company uses Sprint for wireless service. When I call and report a phone stolen, I have to use the account PIN to complete the transaction. The phone is logged to a lost and stolen database and if the phone shows up again, I have to get the phone removed from this database before reactivating it.

My users bring me grey market phones to activate for them on a regular basis. I call Sprint and often they tell me that the phone is in the lost and stolen database and cannot be reactivated unless the original owner contacts them and releases the phone. I hand the phone back to the user and tell him to get his money back, that the phone is hot.

Most insurers of cell phones have a policy that states if the reported phone is reactivated at any time after the claim is processed and a replacement issued, the insured will be billed the retail cost of the phone minus any deductible paid.

There are a lot of identifying codes that phones use to authenticate on the network, and they are strongly linked to the account holder. AT&T is lying like a dog, plus just being cheap.

They are the Evil Empire® after all.

Re:Only if they reported it.

[nedlohs]

Because after they add it to the "do not use" list because Account Holder X reported it stolen, they'd never be able to remove it from the "do not use" list when Account Holder X reported it recovered. That would be impossible.

Now sure if Account Holder Y wants to use it then no go, until they can convince Account Holder X to report it recovered.

Re:Only if they reported it.

[geekoid]

I'll wager the are using the term brick in modern usages, and not archaic usage(5 years ago)

Making rendering it unable to make calls or connect.

Disable would have been a better term for them to use.

I know I know, we have are precise language, and then non nerds get a hold of it and butcher it to the point where hacking is using a facebook account that someone didn't log off from.

Re:Only if they reported it.

[AngryDeuce]

Cars are located and disabled with OnStar, but all vehicles do not have OnStar. If a car with OnStar is reported as stolen, OnStar will work hand in hand with police to get the car recovered. This is a core feature that sells the OnStar service. Ditto with services like LoJack (which they provide for computers now, I used to sell it myself). However, you cannot register a stolen car with any DMV in this country. They check their databases specifically for this reason. The DMV is not a police officer, but I'm betting most reasonable people are cool with them electing not to register cars reported stolen.

For one thing, 99 times out of 100, the police do not recover the phone at all. If it's not resold and reactivated, it either ends up a toy for some thief's kid to play with or broken into a million pieces or rotting at the bottom of a lake or river. How many reasonable people have ever lost or had stolen something like a cell phone and actually expected to see it again? Stolen property, especially stolen property that's relatively cheap like a cell-phone, is not a priority for any police department in this country. If they come across it while investigating other crimes, they'll be good enough to give you a ring and have you come pick it up (unless they need to keep it as evidence), but they don't actively check personal electronics to see if they're stolen unless they have a compelling reason to do so. They don't have the time. No police force in this country has that kind of time, obviously.

Your only recourse now if your phone gets stolen is to call the police and buy a new one. Nobody is expecting anything any different there. All they're asking is that the thief not be able to take that stolen cell phone into another store and reactivate it when AT&T can tell perfectly well that it is a stolen phone. AT&T is not being singled out here. Any time a person has a reasonable suspicion that a good may be stolen they're required to act accordingly regardless of their relationship with that person. If someone offered to sell you a brand new PS3, still in the box, for $50 out of the back of a van, for instance, and it turns out it's stolen, you can't feign ignorance because a reasonable person would have known better and you are guilty of a crime. If a used car salesmen agrees to buy a car with scratched off or non-matching VINs, they are guilty of a crime.

Your "Orwellian society" and "Corporatocracy" claims are pretty ridiculous when people are trying to make a corporation be accountable for once, and requiring them to brick phones they know to be stolen is part of that. As I said above, there is plenty of precedent already covering this, the concept is not new.

What exactly is it that you're worried about here? That AT&T is going to vindictively brick cell phones? That they're going to just let any old person call up and brick any phone he wishes? You can't even talk about your fucking bill without giving them a whole bunch of personal information first, so what exactly are you worried about here? What power is this going to give the corporation to abuse? They've already got this power, so if they were going to abuse it, they would have long before now...

Re:Only if they reported it.

[NardoPolo88]

The DMV does not actually police. Yes they are a state agency but if your vehicle is stolen do you *want* the DMV to issue plates to the person that stole the car? If you file a police report because your phone is stolen do you want the thief to get service on your device? I under stand the difference between the two and would not have used a car as an analogy. I am however smart enough to not debate politics accept to say yes we do have enough problems already.

Re:Only if they reported it.

[thechemic]

It's unreasonable for an idiot to lose his/her phone and then sue the fuck out of AT&T because it failed to protect the idiot from themselves.

It's unreasonable for the idiot to then clog up our court systems with frivelous lawsuits that cost taxpayers millions of dollars

It's unreasonable for AT&T to be required to spend millions on a system designed to protect idiots from themselves and then pass those expenses on to responsible consumers.

It's unreasonable for forgetful idiots that leave their phones in bars, classrooms, and taxi's to report them "stolen" when they were really "lost" and then expect consumers and taxpayers to foot the bill for their cry-baby antics.

In no way is it unreasonable to teach idiots to hang on to their smartphone real tight, and then have AT&T deactivate the SIM card if it's lost. This is the process that's already in place.

Re:Only if they reported it.

[AngryDeuce]

The money that corporations have to put into systems like this to protect idiots from themselves are passed on to responsible consumers like myself.

You do understand that they can already do this, right? I mean, you worked there. What money do they have to spend? They've already spent that money, being able to uniquely identify every handset on the network is a necessity for the things to work in the first place, obviously. All anyone is asking is that they brick a phone that is reported stolen by the owner with a police report on file. It is completely trivial for AT&T to do this, and you know this. What compelling reason is there for them not to?

What the fuck does it matter to AT&T what the circumstances are? So what if I lost the phone, does that mean that someone else should be able to pick it up, say "Alright! Free iPhone!!" and than bop on down to AT&T and get it wiped and registered in their name, especially when the company in question knows that the phone is lost or stolen? What if someone brought the phone in to AT&T and said, "Hey, I found this, but I don't know who it belongs to..." Wouldn't you expect AT&T to at least put in a little effort to find out who's phone that was? Or would you consider it reasonable if they just said "Ha ha, sucks to be that loser!" and put it on the shelf to sell later?

The fact that you worked at AT&T for seven years explains your attitude perfectly, because you're totally coming off as a bitter ex-Customer Service Rep harboring long-term resentment with your eagerness to "stick it to" a bunch of people you've never even met...payback for the years you were forced to hold your tongue. Let it go, man.

Re:Only if they reported it.

[jafiwam]

Taxpayer dollars. What the fuck are you talking about?

Oh, wait, you worked for AT&T. You be stupid. The smart ones went to Lucent.

Re:Only if they reported it.

[nedlohs]

Seriously you are applying your restricted definition of "bricked" to an anonymously written slashdot summary? Even though the word "bricked" is not in the linked articles themselves, instead there's actual descriptions of "blocking" the phones?

OK, so your either an idiot or incredibly trusting an naive. Either way, there's no point arguing is there...

And by the way people who break into computer systems using software they found on the internet and have no understanding of. They are called "hackers". Like "bricked" you lost that definitio fight with the general public long ago.

Re:Only if they reported it.

[Phroggy]

On a less sarcastic note, the police have often refused to get involved even after a police report is filed _and_ the person knows exactly where the cell phone is (hello? They're radio transmitters). Police resources are only used in cases of violence, property damage, or theft of corporate property. Theft of private property is just... not important.

They're right, it's not important, compared to catching murderers and rapists and the like. The problem isn't that the police don't care about less important cases like the theft of an iPhone. The problem is that we as a society have decided that WE don't care enough to properly fund our police departments, so that they can handle these less important cases in addition to the more important ones.

Every time you vote to reduce taxes, and vote for politicians who say the government is too big, this is what you're voting for.

Say what you will about Telstra...

in Australia, Telstra have a bad rap for fucking over customers, but this isn't an issue with them. A year back I lost my iPhone, reported it stolen, and within a week another Telstra customer began using it. Telstra stopped their service, had them come into a store, and simply took the phone from them and let me know I could collect it. As gravy, the idiot who'd been using it caused a scene in the Telstra store and had the police called on them - they were known to the cops and arrested for other reasons.

On the bad side, I'd already bought another iPhone in the meantime. Win some lose some.

This should be criminal, not civil

If I call AT&T or its agent and tell them that my phone has been stolen, then they are engaging in a criminal act when they reactivate that phone. There are no legitimate excuses for this behavior.

If somebody steals a car that is equipped with a kill-switch in the engine and I, knowing that it is stolen, disables the kill switch so that the thief can drive the car, then I'm going to go to prison. The only difference between my behavior and AT&T's is that I am not a massive corporation, so I am subject to the laws of the United States.

Re:This should be criminal, not civil

[icebike]

If I call AT&T or its agent and tell them that my phone has been stolen, then they are engaging in a criminal act when they reactivate that phone.

NO, they are not engaged in a criminal act. You made that up.
If these plaintiffs win their case, then it might be considered a criminal act, but until then there is no specific law that covers this.

Its not just AT&T, its ALL carriers that do not block IMEIs. (MEIDs for CDMA phones).

Re:This should be criminal, not civil

[AngryDeuce]

Not necessarily, it has to be proven that the person receiving the stolen goods knew they were stolen, or at the very least that a reasonable person would have known or suspected. For instance, if someone sells an intact, but stolen, TV at a pawn shop the clerk isn't on the hook. However, if the person is trying to sell a TV with the serial numbers scraped off or wants next to nothing for what otherwise would go for a lot more, then the clerk should have reasonably suspected it was stolen and, at the very least, refused the sale, if not reported it to police there and then. Either way, most pawn shops are very strict about things like this because stolen property just ends up confiscated by police and the pawn shop ends up with absolutely nothing 99% of the time. Reputable ones, anyway.

It's kinda like if someone offered to sell you a brand new Escalade for $100 at the parking lot of your local Walmart. If you took the person up on that offer, you would likely be charged with a crime because a reasonable person would have been suspicious.

If it were to come out that specific people at AT&T knew, beyond a shadow of a doubt, that they were enabling the sale of stolen phones (say, an email saying "Hey, let's not brick any phones reported stolen because that way they'll have to buy a new phone, HA HA") then those specific people would be guilty of a criminal act. That's just never going to be proven, obviously, so civil is the best we can hope for.

Still, it would be hysterical to see some C-levels at AT&T being led out in handcuffs, I admit. That company has been thieving from people for 100 years...

Disabled IMSI search

[doston]

When I worked at AT&T as a systems engineer in SMS a few years back, we and anybody in customer care were able to perform a search by IMSI (sort of like a MAC address for cell phones). One day the IMSI search feature was suddenly yanked. Thought it was a bit strange, because one time I was able to use the IMSI search to find the new MSISDN (phone #) for a friend who'd lost his phone and it helped him recover it. Makes me wonder if AT&T just didn't want to be involved in stolen iPhonery, or if they yanked the search feature because the profits from the process (noted in the story headline) were just too tantalizing.

Re:Disabled IMSI search

[icebike]

I seriously doubt you worked as a system engineer if you don't know the difference between an IMSI and and IMEI.

IMSI = International Mobile Subscriber Identity, allows you to find out information about the account hold. Its on the sim. It allows you to violate people's privacy, which is why Joe Tech should not be able to look this up, not without a warrant.

IMEI = International Mobile Equipment Identity, a unique number built into the hardware. It can be used to block service to the device. That will bring the user in to complain. No warrant needed.

Re:Disabled IMSI search

[doston]

I seriously doubt you worked as a system engineer if you don't know the difference between an IMSI and and IMEI.

IMSI = International Mobile Subscriber Identity, allows you to find out information about the account hold. Its on the sim. It allows you to violate people's privacy, which is why Joe Tech should not be able to look this up, not without a warrant.

IMEI = International Mobile Equipment Identity, a unique number built into the hardware. It can be used to block service to the device. That will bring the user in to complain. No warrant needed.

It was IMEI, you're right. I'm not as much into cell phones..unix, linux, and the actual messaging systems in the background (SMTP email schleping). Was just a tool I had access to. My actual title was Engineer IV. I reported to Kevin Tromp, still the director of Messaging. Yes, I did work there. ;-)

Re:Disabled IMSI search

[doston]

Can you ask him why it sometimes takes 20 hours for an SMS, made from an at*t phone on an at*t tower, to a likewise phone/tower, to deliver?

If it's a national problem (everyone affected nationally), it could be a problem with the SMSC, particularly the SMSC database. Seemed to always be its weak spot. If you can't text or make calls and it's a national problem, it could be the HLR. If the problem only happens in one area, or it's all the time, but only with your phone, it's more likely to be a problem with a tower or maybe your own device. Your best bet is to try narrowing it down. Does it happen everywhere? Is it happening every day at 4pm? Could be congestion or it could be SMSC congestion. The things have to move like some odd billion messages a year now. The database can get slammed. Or maintenance. The things are never engineered out (capacity wise) far enough, so the real problem was always capacity (you and your fancy iPhones). So there's a lot of night maintenance, database purges, emergency stuff to keep them running while more are being built. That's why it took so long for the iPhone to have MMS...those things are tough to launch into the network and it just couldn't be done overnight, no matter how much money you pay or how hard you work your engineers (I basically, finally had a nervous breakdown). Anyway, it's complicated. You should call tech support. lol

There is no money in stolen phones

[Tastecicles]

...The money is in the use of them - if someone wants something that's not traceable to them in the commission of some other criminal activity, they're gonna do one of two things: buy a disposable prepay or steal a phone. Either way, said handsets are going to be used once or twice, then disposed of ASAP. Whether that be from simply binning them or selling them on to some unsuspecting sucker.

ALL carriers should have a mandate to brick handsets reported as stolen. Yes, there is a way of reactivating most handsets (by flashing them), but I don't think $crook would bother with the expense. He'd rather go buy a disposable prepay, and everyone's a winner. You get to keep your iphone, carrier gets to sell more handsets, and GCHQ gets to track more and more unregistered gear ;)

Re:Hoist by own petard

[zentec]

The ability to keep track of stolen IEMI numbers and not activate a phone on that list is elementary, and in an age where you can track an iPhone across the planet via GPS, such a simple detail screams that they simply did not want to do it. Worse for AT&T, is the fact that they look up the IEMI to enforce customer use; just try to use an iPhone on a non-Iphone data plan. This check is done autonomously.

There are plenty of instances where registrations are checked to assure that they're not stolen. At one time, cell phones that were stolen were indeed blacklisted. And while I agree that AT&T may not have had a legal obligation to do so, with their customers being robbed, it certainly seems easy to say they have a moral obligation to blacklist the phones.

Of course, the consumer outrage is now full scale, and I'm sure legal requirements may indeed be forthcoming.

Re:"buy new cell phone plans", WTF?!

[CompMD]

Because Sprint and a large chunk of Verizon handsets don't use SIM cards, and most people would have brain meltdowns if they saw what the actual retail price of a replacement phone would be. So, they buy a new contract to try and get the purchase price down.

Re:Hoist by own petard

[icebike]

Would the DMV be liable if they licensed a car that was reported stolen....I think so

The DMV is required to do this by law, because they are creating a title to real property of significant value.
AT&T isn't required to do that.

They are not granting you a title simply because they are selling you a service.