Samsung Addresses The Knox Vulnerability That Wasn't - Galaxy Note 3 General

http://www.androidpolice.com/2014/0...attack-avoidable-with-existing-knox-features/
The response wraps up by citing Professor Patrick Traynor from the Georgia Institute of Technology, who previously expressed concern over the researchers' findings. According to Traynor, "Proper configuration of mechanisms available within KNOX appears to be able to address the previously published issue. Samsung should strongly encourage all of their users to take advantage of those mechanisms to avoid this and other common security issues."
This person is trying to justify knox?

lqrt said:
http://www.androidpolice.com/2014/0...attack-avoidable-with-existing-knox-features/
The response wraps up by citing Professor Patrick Traynor from the Georgia Institute of Technology, who previously expressed concern over the researchers' findings. According to Traynor, "Proper configuration of mechanisms available within KNOX appears to be able to address the previously published issue. Samsung should strongly encourage all of their users to take advantage of those mechanisms to avoid this and other common security issues."
This person is trying to justify knox?
This Professor shouldn't speak for us, neither should Samsung. We pay for the devices, and those who choose to root are those who are aware of the risks.


Jailbreak, Root and.. ACTA?

Hello XDA and thanks for clicking.
I need your help to decipher this paragraph from the published ACTA-treaty.
It's in Section 5, Article #27 - Chapter two.
The ACTA-treaty can be found all over the web. But for your convenience, I give you this link from the Swedish government:
http://www.regeringen.se/content/1/c6/18/52/44/cb8dd4bb.pdf
Of course it's in English.
6. In order to provide the adequate legal protection and effective legal remedies referred to in
paragraph 5, each Party shall provide protection at least against:
(a) to the extent provided by its law:
(i) the unauthorized circumvention of an effective technological measure carried out knowingly or with reasonable grounds to know; and
(ii) the offering to the public by marketing of a device or product, including computer
programs, or a service, as a means of circumventing an effective technological
measure; and
(b) the manufacture, importation, or distribution of a device or product, including computer programs, or provision of a service that:
(i) is primarily designed or produced for the purpose of circumventing an effective
technological measure; or
(ii) has only a limited commercially significant purpose other than circumventing an effective technological measure
Does this mean that rooting, jailbreaking and phone unlocking will be punishable by law according to this treaty? Because from what I can see, it clearly states that any method of circumventing technological measures designed to prevent/restrict unauthorized use will fall under this paragraph under this treaty as illegal.
After all, many of us use root to unlock our phones from operators, access warez markets, apps and whatnot.
Please tell me I'm completely wrong here!
dyallo.
No-one at all?
Lol we will be alright. Pot's illegal but peeps still getting high. No one really cares what they say. It's your property to do as u please. That's like buying a car. But it's against the law to use the trunk.
Sent From My steak using A1 steak sauce app (Sensation)
dyallo said:
After all, many of us use root to unlock our phones from operators, access warez markets, apps and whatnot.
Please tell me I'm completely wrong here!
dyallo.
I'm pretty sure root and carrier unlock are unrelated, and you can access warez on a non-rooted droid (you need to JB iOS though).
Not a lawyer and not a professional opinion. Just in case.
@OP: Read paragraph 5 first. It's about protecting access to data that's owned by 3rd parties (it states explicitly that it's about "works, performances, and phonograms"). In other words if you're circumventing some protective measures that are in place to prevent viewing, running or obtaining materials you haven't bought (or more commonly: licensed) then you're in trouble (assuming somebody cares to sue you). But I'd assume that it has to be proven that what you did was done for piracy's sake and not for, say, educational purposes. Of course if some company decides to sue you based on some nonsense, they still can (and most likely will). We've got to assume, however, that courts are "run" by responsible people.

What is Responsible Disclosure?

Responsible Disclosure is a term often used in security, but what is it?
In essence, responsible disclosure is the process of making the vendor or OEM of the vulnerable software or system aware of the problem before disclosing details of the vulnerability to the public. The idea here is that the vendor will promptly solve the issue, and release a fix to users of the software, and accredit the finding of the issue to the researcher, who then discloses the vulnerability in full, now the software has been patched.
Responsible disclosure is named as such, as vendors feel it's the most responsible way to go about handling a security issue you have found. It's often the best strategy to try if you do find an issue - look for a security contact for the company, and give them a shout.
Unfortunately, some companies are rather poor at dealing with security issues, and either don't respond, or don't issue a patch or inform users of a mitigation strategy. Or in severe cases, might not even inform users of there being an issue whatsoever, and appear to ignore the vulnerability. Do bear in mind though when dealing with mobile devices that many carriers add significant delays to software releases (where on the desktop, a fix may be available the next day, the OEM might take a week or more to make a patch available on unbranded firmware, since devices and firmwares often must be approved by regulators before release, and carriers will then want further changes applied to these firmwares before their own testing).
Often if a vendor acts like this, the only solution is Full Disclosure, a process where the full details of the vulnerability are publicly released, in order to raise awareness of the vendor's insecurity and inaction (particularly if efforts were already made to contact them). Full disclosure permits the end user to be made aware of the extent and details of the security issue, and attempt to mitigate or resolve it themselves (for example, by removing an affected plugin, deleting an APK, or using a firewall to prevent access to a vulnerable service until a fix is produced).
If you are new to security, and are unsure, responsible disclosure is usually the best way forwards, but there are plenty of people around who can give good advice about this. This may well change, in light of recent practices by some companies pertaining to how they handle security vulnerabilities which are responsibly disclosed (see https://www.openrightsgroup.org/blog/2013/nsa-affects-responsible-disclosure).
Good writeup, thanks!
Is full disclosure really an effective way of handling things though? I can understand that the intention is to make the vulnerability so well known that the vendor has no choice but to fix it, but during that lead time there's going to be a vulnerability going around that people could really capitalize on. I don't have figures, but I would imagine that even if a user-made solution is found, the number of people that would actually adopt it has got to be a tiny fraction of a percent. If you're going full-disclosure, aren't you essentially ensuring the worst-case scenario? Security through obscurity is weak, but isn't it still better to sit on your hands and just hope that the vendor will get around to fixing it eventually?
Grand Guignol said:
Good writeup, thanks!
Is full disclosure really an effective way of handling things though? I can understand that the intention is to make the vulnerability so well known that the vendor has no choice but to fix it, but during that lead time there's going to be a vulnerability going around that people could really capitalize on. I don't have figures, but I would imagine that even if a user-made solution is found, the number of people that would actually adopt it has got to be a tiny fraction of a percent. If you're going full-disclosure, aren't you essentially ensuring the worst-case scenario? Security through obscurity is weak, but isn't it still better to sit on your hands and just hope that the vendor will get around to fixing it eventually?
True, but it also depends on the type of vulnerability. Finding a vulnerability where you need physical access to the device (i.e. a way of unlocking without a PIN) is not the same as finding a vulnerability that allows remote access to sensitive data without user action. I suppose that some sort of waiting can be defined. Like waiting for a week for the first type of vulnerability and 3 months for the other... just my 2 cents.
Great writeup BTW!
For the security enthusiasts here: The Full Disclosure Mailing List has been reopened. ENJOY!
Talking about responsible disclosure, I have the following question for you guys:
I found a vulnerability that can be exploited to drain the battery of a device. I informed the application vendor and they responded that they agree with my finding and will fix it soon. I sent my vulnerability and PoC on the 24th of February and they responded 3 weeks after. Now I am waiting for the vulnerability to be fixed.
I found this bug when writing my thesis and I really want to include it in my paper which should be published on the 31st of May. Does that fit responsible disclosure? Should I send them an e-mail stating that I will publish the details at the end of May?
It can't hurt to let them know you're doing it.
Sent from my Xperia ZL using XDA Free mobile app
Is full disclosure really an effective way of handling things though?
rakoczy12 said:
Is full disclosure really an effective way of handling things though?
If the end result of the disclosure is that the users can protect themselves, then yes. As the OP pointed out:
pulser_g2 said:
Full disclosure permits the end user to be made aware of the extent and details of the security issue, and attempt to mitigate or resolve it themselves (for example, by removing an affected plugin, deleting an APK, or using a firewall to prevent access to a vulnerable service until a fix is produced).
How did I just now see this forum? Pulser, I was talking to you about such an area many, many moons ago.
@pulser_g2
I have a question about posting things I find that script kiddies would love. Like today, I opened up an APK that was supposed to be an icon pack. Instead, it has @Stericson's RootTools package in it and someone else's libpush work. So it starts out as a script kiddie's dream, 'cause that's all it is. But it would be good for people to learn from.
When I came here, before I installed @DaveShaw's power menu .cab, I first learned what a cab was, what it did, how it worked, and what all the little bits and pieces did inside of it. You just can never be too safe. Which is probably why I don't go jumping on a new ROM, or app someone just released. I'll mull it over and let some other people be the testers. How could I post something like that without giving away how it works, but showing what's inside, so as to let people know to be careful? Teach them how to open it up, the different parts of an APK, how to read it and such. That's the kind of thing I was meaning way back when I was asking you about making this kind of area. But you had the same concerns as me. It not turning into a script kiddie funhouse.
Are we going to be able to disclose threats among ourselves? You can't make everyone wear a white hat. Lord knows we didn't all wear one back in compsci. I see it like teaching firemen how to put out a fire. Yea they are going to learn what makes a really big fire that's hard to stop. But if you don't teach them how to build the fire, just put it out, then they have to go through just that extra bit of effort to do bad.
Maybe some parts of this thread belong here. http://forum.xda-developers.com/general/security/security-threat-middle-attack-umts-t3374626
It is Awesome
wow

Hole Found in Samsung Knox

An Israeli graduate student has uncovered a serious flaw in Samsung's Android-hardening Knox security software, but neither he nor the South Korean electronics giant is saying exactly what the flaw is.
"This weakness has to be addressed immediately before it falls into the wrong hands," said Mordechai Guri, the Ph.D. candidate at Ben-Gurion University of the Negev in Beersheba in southern Israel who found the flaw, in a university press release issued Tuesday (Dec. 24). "We are also contacting Samsung in order to provide them with the full technical details of the breach so it can be fixed immediately."
A Samsung spokesman told The Wall Street Journal, which reported Guri's findings Monday (Dec. 23), that the company was aware of the flaw — and that it wouldn't affect a device that had the full corporate Knox software environment.
"The core Knox architecture cannot be compromised or infiltrated by such malware," the Samsung spokesman told the Journal.
Is that so.
Sent from Samsung Galaxy Note 3.
If you like my post hit thanks .
tidy said:
An Israeli graduate student has uncovered a serious flaw in Samsung's Android-hardening Knox security software, but neither he nor the South Korean electronics giant is saying exactly what the flaw is.
"This weakness has to be addressed immediately before it falls into the wrong hands," said Mordechai Guri, the Ph.D. candidate at Ben-Gurion University of the Negev in Beersheba in southern Israel who found the flaw, in a university press release issued Tuesday (Dec. 24). "We are also contacting Samsung in order to provide them with the full technical details of the breach so it can be fixed immediately."
A Samsung spokesman told The Wall Street Journal, which reported Guri's findings Monday (Dec. 23), that the company was aware of the flaw — and that it wouldn't affect a device that had the full corporate Knox software environment.
"The core Knox architecture cannot be compromised or infiltrated by such malware," the Samsung spokesman told the Journal.
So it will affect only individual phones operating outside of the "full corporate Knox software environment".
Wonder if it's another intentional backdoor for the NSA.
Sounds like a bunch of crap to me :/
Sent from my SM-N9005 using XDA Premium 4 mobile app
The NSA doesn't need backdoors. What the ISPs and mobile companies don't provide, their own software can hack into just as easily. All they need is an active internet connection. Remember, your Google password and your device lockscreen code are not exactly uncrackable.
Anyway, this is not really relevant to any of us, all things considered. It only affects KNOX, which nobody here has enabled. (I mean the security issue and media scaremongering, not the actual post or topic.)
Unless of course it can be used as an exploit for resetting the counter or rooting without tripping it. In which case it becomes very relevant.
I wonder if it might be, considering Samsung is so very loudly not telling us what it is..... Back with the other security leaks, we knew exactly what it was, even the really dangerous ones. (some turned out to be excellent rooting methods.) Now suddenly they won't even tell us what it can cause? I'm just saying, it makes one wonder.
Send From My Samsung Galaxy Note 3 N9005 Using Tapatalk
LOL!! Why depend on Knox to decide the warranty status of the Note 3 when Knox itself is not even safe?
I think Samsung should remove the warranty of the phone based on Knox's status since it is not safe at all.
What do you guys think?

IMEI change and legality, mods please read

Good afternoon mods, I'm sorry but I had to open a thread about this topic again.
It's absolutely not illegal to change your IMEI in most of the world. For instance, it's completely legal in the entirety of the US (see https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity#IMEI_and_the_law).
As far as I know, the only known law in the whole of Europe (referring to the continent) that makes it illegal is in the UK and it's only illegal if you don't have the manufacturer's permission. If you do, it's legal (see 3.b https://www.legislation.gov.uk/ukpga/2002/31/section/1). And it's perfectly possible to obtain such permissions from some manufacturers.
There is one specific German law making it illegal if and only if IMEI change is done in the context of tampering with evidence after a crime. And not before if it's not tampering with evidence.
While I do understand IMEI change could be illegal (citation needed?) in some rather few authoritarian regimes like China or even India. It's absolutely not illegal (yet) in most of the democratic world including the US, the UK (if you have permission from the manufacturer) and the EU. But it would be a bit ironic to ban this based on the laws of such regimes as they probably wouldn't allow rooting/jailbreaking either.
I also do understand IMEI change is probably against the ToS of many mobile operators but there is a very large gap between violating ToS and violating the law.
In brief, there are certainly in my opinion not enough of those places (yet) to justify a blanket censorship of this topic when it's also clearly an important privacy issue and that Apps/Operators/Manufacturers and indeed authoritarian law enforcement are using the IMEI to track users and also to track dissidents/protesters (see BLM, see Kashmir, see Hong Kong, see Lebanon, see Belarus, ...)
I would like to kindly request mods to provide a citation of this being illegal before applying such a blanket ban.
This is not a troll at all. There have been numerous threads about this topic on XDA and this is a recurring issue of mods seemingly thinking this is illegal when it's not. The whole perceived illegality of IMEI change is in almost all cases hearsay without any legal base.
Thank you kindly for your consideration and hopefully you won't ban me for this.
(Just to be clear, this topic is not about asking a way to change IMEI but asking the mods to provide citations about the illegality of IMEI change when censoring such threads)
I can't think of a legitimate reason why someone would need to change their IMEI number unless they are doing something shady.
Regardless of if the process itself is legal or not, the reasons why you would need to do it are most likely not legal. I'm sure that's why it falls under the "Don't get us into trouble." rule on here.
byAidan said:
I can't think of a legitimate reason why someone would need to change their IMEI number unless they are doing something shady.
Regardless of if the process itself is legal or not, the reasons why you would need to do it are most likely not legal. I'm sure that's why it falls under the "Don't get us into trouble." rule on here.
Thank you for your answer.
The same reasoning could be used for MAC address randomization or for any other privacy feature such as XPrivacy or Magisk Hide ... Yet those are fine. All the banks and some apps (Netflix) will also argue you have no reason to root/jailbreak and subsequently hide the root/jailbreak if you're not doing shady things.
The same reasoning could be used for VPN/Tor users or those who use private DNS over TLS/HTTPS. If you have nothing to hide you have nothing to fear?
A good legitimate reason is for instance that all Banking Apps (and many others) require "Phone permission" which allows them to read the IMEI. This allows them to track you with an unchangeable UID. A much better UID than any other tracking ID generated by the OS.
Another good legitimate reason besides avoiding commercial tracking is to make illegal dragnet surveillance a bit less effective.
And last but not least, it can help people stay alive under highly oppressive regimes ...
But I'm not arguing to ethically accept something illegal. I'm arguing to not ethically reject something perfectly legal using a wrong reasoning such as its supposed illegality.
I don't see any legitimate reason for Apps/Operators/Manufacturers to be able to track users using unchangeable UIDs such as the IMEI. And again ... it's absolutely not illegal so why make it illegal or shady?
Sure it can be used for shady things ... But this is valid for anything. IMHO Shady people won't use this anyway, they'll just use burner phones. Why bother wasting time with IMEI change ...
In the end, fair enough ... XDA is of course not a public space in itself and they're free to moderate the way they want. I'm just arguing that mods shouldn't use the "It's illegal" reasoning when removing those topics.
Instead they should just say "We think it's too shady and we don't like it ... even if it's legal" ... But stating it's illegal is just factually incorrect in most of the world.
byAidan said:
I can't think of a legitimate reason why someone would need to change their IMEI number unless they are doing something shady.
Regardless of if the process itself is legal or not, the reasons why you would need to do it are most likely not legal. I'm sure that's why it falls under the "Don't get us into trouble." rule on here.
I have a rebuttal if I may.
The act of changing an IMEI in itself is not legal. I'm also quite sure there are valid and legal reasons to do so. If the reasons were illegal then the act would be, too.
Also. It is not reasonable to throw out a blanket and say that everyone that would want to do this is up to something shady. Most people are decent, to label everyone as having nefarious intentions is counter-productive.
Just my humble opinion.....
Sent from my IN2025 using Tapatalk
---------- Post added at 09:02 PM ---------- Previous post was at 08:56 PM ----------
One more comment. Legal or not is not the issue here. The forum has rules in order to post here. One of them is related to legal/illegal activity. Since this is a public forum accessible around the world there could be users from a country where this topic is not legal. For that reason XDA is well within their right to ban this particular subject matter and a few others, too.
Sent from my IN2025 using Tapatalk
hurlube said:
Good afternoon mods, I'm sorry but I had to open a thread about this topic again.
...
Thank you kindly for your consideration and hopefully you won't ban me for this.
(Just to be clear, this topic is not about asking a way to change IMEI but asking the mods to provide citations about the illegality of IMEI change when censoring such threads)
@hurlube First, please allow me to apologise that it really took a long time until I recognised this thread - and only by accident. XDA has not only 10+M members, it also hosts 3.5M+ threads with 78+M posts. If you count the number of moderators e.g. here and further consider that all moderators are volunteers and do this "job" for free besides their real life, real family and friends, real business and profession, I hope you can understand that there's no possibility at all to actively monitor every thread and post if moderators' support, assistance or guidance is requested somewhere. We clearly depend on the single and all XDA members in this matter.
It's very unlikely that a moderator becomes aware of e.g. your thread unless a member reports the thread or a post via the report function or you mention or quote a moderator (like I did with you @hurlube). Another possibility is certainly a PM to a moderator but due to the reasons mentioned above it might be that a PM rests in a moderator's inbox unacted for days or weeks.
Now to the subject of this thread itself... Neither I nor my team mates say that the change or the edit of an IMEI is illegal everywhere. If you look at e.g. my post here, I stated with reference to rule no. 9 of the XDA Forum Rules:
Change/edit of IMEI is a legal offence in quite a few of countries; hence discussions or support in this respect is not allowed on XDA.
I didn't say that change or edit of IMEI is illegal everywhere. There're quite a lot of things that are legal and even encouraged in some countries while being illegal in other countries like freedom of speech and opinion, the right to demonstrate, suicide and active, passive or indirect euthanasia. I think I could most likely extend this list endlessly. Some countries protect authorship, copyright and ownership while in other countries even official agencies support their violation or plagiarism.
I think it's obviously difficult for a private website in the world wide web to follow a right and consistent way. XDA was founded back in 2003 by developers for developers (see xda-developers: The History -Part One-), and I believe this is still the trait of XDA. Allow me to quote the XDA Forum Rules:
XDA-Developers is based on the principle of sharing to transmit knowledge. This is the cornerstone of our site. Our members and developers freely share their experience, knowledge, and finished works with the rest of the community to promote growth within the developer community, and to encourage those still learning to become better.
We try to support developers and defend their ownership, while simultaneously enforcing GPL and the requirement to give credits when due, and we don't accept warez at all.
On the other hand, we don't want to lose sight of all other XDA members and users for whom we want to provide a platform to ask for help and support, to share opinions and experiences in a friendly, civil and respectful environment.
In order to implement above principles, this private website or platform has brought its own and already quoted forum rules into effect. And regarding the change or the edit of IMEI the XDA stance is like stated in my above linked post: We do not allow any kind of IMEI editing! However, if it's about restoring original IMEI/EFS that's not considered editing/changing hence allowed. And we also allow discussion and support regarding IMEI spoofing or masking as long as it happens on software level and the actual hard-coded board IMEI isn't tampered with. Thus it's allowed to post apps or (Xposed Framework) add-ons with this function that many use due to privacy concerns. But again, for sure we don't accept talks about using it for illegal purpose.
I hope I was able to clarify XDA's stance in this matter. And also allow me a very personal but very important remark to me: I do not censor any thread, and I've never observed that any of my moderator fellows does. But we clean a thread or post from anything that does not comply with the forum rules and always explain to the member whose post was affected the reason why we did that; this occurs most of the time privately by PM's but occasionally also publicly by an announcement in the thread. I really hope that you don't call this censorship!
Last but not least - and I apologise that I've to enforce our rules now as I became aware of your thread: The thread is obviously not related to the OnePlus 8 Pro, i.e. I'm moving the thread to the General discussions section.
Stay safe and stay healthy!
Regards
Oswald Boelcke
Thank you very much for your answer Oswald.
hurlube said:
Good afternoon mods, I'm sorry but I had to open a thread about this topic again.
It's absolutely not illegal to change your IMEI in most of the world. For instance, it's completely legal in the entirety of the US (see https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity#IMEI_and_the_law).
As far as I know, the only known law in the whole of Europe (referring to the continent) that makes it illegal is in the UK and it's only illegal if you don't have the manufacturer's permission. If you do, it's legal (see 3.b https://www.legislation.gov.uk/ukpga/2002/31/section/1). And it's perfectly possible to obtain such permissions from some manufacturers.
There is one specific German law making it illegal if and only if IMEI change is done in the context of tampering with evidence after a crime. And not before if it's not tampering with evidence.
While I do understand IMEI change could be illegal (citation needed?) in some rather few authoritarian regimes like China or even India. It's absolutely not illegal (yet) in most of the democratic world including the US, the UK (if you have permission from the manufacturer) and the EU. But it would be a bit ironic to ban this based on the laws of such regimes as they probably wouldn't allow rooting/jailbreaking either.
I also do understand IMEI change is probably against the ToS of many mobile operators but there is a very large gap between violating ToS and violating the law.
In brief, there are certainly in my opinion not enough of those places (yet) to justify a blanket censorship of this topic when it's also clearly an important privacy issue and that Apps/Operators/Manufacturers and indeed authoritarian law enforcement are using the IMEI to track users and also to track dissidents/protesters (see BLM, see Kashmir, see Hong Kong, see Lebanon, see Belarus, ...)
I would like to kindly request mods to provide a citation of this being illegal before applying such a blanket ban.
This is not a troll at all. There have been numerous threads about this topic on XDA and this is a recurring issue of mods seemingly thinking this is illegal when it's not. The whole perceived illegality of IMEI change is in almost all cases hearsay without any legal base.
Thank you kindly for your consideration and hopefully you won't ban me for this.
(Just to be clear, this topic is not about asking a way to change IMEI but asking the mods to provide citations about the illegality of IMEI change when censoring such threads)
Very odd. I'm an attorney who practices criminal law in Kentucky and Tennessee, specializing in appellate and post-conviction writs. I have two clients who are serving substantial prison sentences for allegedly spoofing the IMEI/MEID device identifiers on dozens of mobile devices for the purpose of bypassing blacklisting restrictions imposed as a result of the devices having been reported stolen, as well as some allegations of subscriber fraud. To give you an idea of just how substantial the sentences are, both defendants were middle-aged at the time of sentencing, and it is very likely that neither of them will ever make it out of prison.
I'm sure my clients would love to know the precedent you are relying upon in your position that this practice is fully legal in the US. Such a precedent would surely invalidate their convictions and exonerate them both. Let me guess, your legal expertise and position are based on some jargon you read on Google. Everybody is a lawyer who has internet access these days.
Federal law and statutes enacted in all 50 states explicitly prohibit concealing the identity of a mobile phone by way of altering, modifying, spoofing or otherwise changing the device's unique identifiers. While some state statutes require an element of intent for conviction, most prohibit the practice regardless of mens rea (criminal culpability). In fact, the practice is considered so serious, the Department of Homeland Security and the United States Secret Service investigate and initiate prosecution of such offenses on the federal level. The involvement of these two agencies is a surefire indication that this very subject rises to the level of national security. You couldn't possibly be any more incorrect on this subject. Spreading such blatantly false information on a platform such as XDA is poison. I'm sure this BS has been read by a multitude of members and visitors.
You made reference to wanting citation of a specific law or authority prohibiting the practice of changing the unique identifiers of a mobile phone. I would direct you to the federal statute
18 U.S. Code § 1029
Read the statute, its annotations, revisions, amendments and progeny very carefully. This is the statute the US Attorney's office will use to crucify you in the event you are caught.
For clarification, there is nothing illegal in rewriting an IMEI/MEID number that has been invalidated, wiped, corrupted or otherwise damaged on a mobile phone. This occurs quite often during procedures such as flashing firmware to a device without first making a backup of the /efs or /nvdata partitions. SP Flash Tool is notorious for wiping device identifiers, MAC addresses and other values unique to the device. It is often necessary to rewrite or fix these components in order to regain network, Bluetooth and WiFi functionality. I am referring specifically to changing device identifiers in a manner that would mask or conceal the device's true identity.
Viva La Android said:
Very odd. I'm an attorney who practices criminal law in Kentucky and Tennessee, specializing in appellate and post-conviction writs. I have two clients who are serving substantial prison sentences for allegedly spoofing the IMEI/MEID device identifiers on dozens of mobile devices for the purpose of bypassing blacklisting restrictions imposed as a result of the devices having been reported stolen, as well as some allegations of subscriber fraud. To give you an idea of just how substantial the sentences are, both defendants were middle-aged at the time of sentencing, and it is very likely that neither of them will ever make it to get out of prison.
I'm sure my clients would love to know the precedent you are relying upon in your position that this practice is fully legal in the US. Such a precedent would surely invalidate their convictions and exonerate them both. Let me guess, your legal expertise and position are based on some jargon you read on Google. Everybody is a lawyer who has internet access these days.
Federal law and statutes enacted in all 50 states explicitly prohibit concealing the identity of a mobile phone by way of altering, modifying, spoofing or otherwise changing the device's unique identifiers. While some state statutes require an element of intent for conviction, most prohibit the practice regardless of mens rea (criminal culpability). In fact, the practice is considered so serious, the Department of Homeland Security and the United States Secret Service investigate and initiate prosecution of such offenses on the federal level. The involvement of these two agencies is a surefire indication that this very subject rises to the level of national security. You couldn't possibly be any more incorrect on this subject. Spreading such blatantly false information on a platform such as XDA is poison. I'm sure this BS has been read by a multitude of members and visitors.
You made reference to wanting citation of a specific law or authority prohibiting the practice of changing the unique identifiers of a mobile phone. I would direct you to the federal statute
18 U.S. Code § 1029
Read the statute, its annotations, revisions, amendments and progeny very carefully. This is the statute the US Attorney's office will use to crucify you in the event you are caught.
For clarification, there is nothing illegal in rewriting an IMEI/MEID number that has been invalidated, wiped, corrupted or otherwise damaged on a mobile phone. This occurs quite often during procedures such as flashing firmware to a device without first making a backup of the /efs or /nvdata partitions. SP Flash Tool is notorious for wiping device identifiers, MAC addresses and other values unique to the device. It is often necessary to rewrite or fix these components in order to regain network, Bluetooth and WiFi functionality. I am referring specifically to changing device identifiers in a manner that would mask or conceal the device's true identity.
wow.....
so i'm not sure which is the case and which is worse, that you're a supposed attorney and misread the previous statements or that you're a supposed attorney and don't understand the inherent difference of intent in 1029 versus what is being talked about here.
i don't mean offense by this, just very, VERY surprised at your whole statement here.
fair bit to unpack here so bear with it for a bit;
just about every causal line in 1029 is prefaced by "knowingly and with intent to defraud..."
obviously your clients intended to use stolen mobile devices and use them for some purpose, either that's cloning another IMEI or simply changing the IMEI to activate them on a new service line.
both ARE illegal acts since the originating device was a stolen device, this in turn then brings into effect 1029 (and also 18 U.S.C. § 2315). since they likely knew it was stolen and even if they used the excuse that they didn't know, after finding out it was blacklisted they went through the further trouble of changing the IMEIs instead of doing the right thing and reporting the devices and the seller which then further calls into question the legality of the means they came into possession of the devices as well as pointing more toward their intent to defraud the cellular carrier.
both those factors i'm sure played a HEAVY role in their convictions.
in a scenario where a legal owner of a device, that they purchased themselves wants to change the IMEI, they can (in the usa), one instance of a LEGAL reason to do so is to prevent undisclosed throttling by the cellular carrier and this is done quite regularly by carriers to varying degrees and regions.
for instance, they will sell you 50gb of hotspot usage but then drastically throttle your connection speeds of the devices behind that hotspot, all the while never disclosing that fact to the customer, often even after being confronted on the subject they will even state that they only throttle in times of high congestion (an easily disproved excuse, if the speed is significantly slower on a tethered device while the cellular device itself has massively better speeds at all times then it's not congestion)
the customer has paid for hotspot usage, not hotspot usage at a reduced speed. (though some are disclosed, if only in the contract text itself, the customer would need to check this first)
changing the IMEI of a hotspot to that of say, a tablet that the person also owns for instance, would bypass that throttling and allow the customer to get the speeds that they have in fact paid for.
this is in fact what this type of modification is most commonly used for.
in this scenario there is no defrauding taking place, the customer is paying for a service that they are using on hardware that they have legally purchased and are taking actions simply to get what they have paid for and what the carrier agreed to provide them per the subscriber contract, neither 18 U.S.C. §1029 or 18 U.S.C. §2315 would come into effect or question, thus the action is perfectly legal.
since as i'm sure you're aware, in the USA, unless there is a law that SPECIFICALLY states an action is illegal, then said action is LEGAL.
the law is restrictive not permissive; people don't need permission to go outside and take a walk down the road, it is not forbidden by law therefore it is legal.
as others have said, most criminals will just buy burner $50 phones from walmart rather than go through all this trouble to change the imei.
In
Mechcondrid said:
wow.....
so i'm not sure which is the case and which is worse, that you're a supposed attorney and misread the previous statements or that you're a supposed attorney and don't understand the inherent difference of intent in 1029 versus what is being talked about here.
i don't mean offense by this, just very, VERY surprised at your whole statement here.
fair bit to unpack here so bear with it for a bit;
just about every causal line in 1029 is prefaced by "knowingly and with intent to defraud..."
obviously your clients intended to use stolen mobile devices and use them for some purpose, either that's cloning another IMEI or simply changing the IMEI to activate them on a new service line.
both ARE illegal acts since the originating device was a stolen device, this in turn then brings into effect 1029 (and also 18 U.S.C. § 2315). since they likely knew it was stolen and even if they used the excuse that they didn't know, after finding out it was blacklisted they went through the further trouble of changing the IMEIs instead of doing the right thing and reporting the devices and the seller which then further calls into question the legality of the means they came into possession of the devices as well as pointing more toward their intent to defraud the cellular carrier.
both those factors i'm sure played a HEAVY role in their convictions.
in a scenario where a legal owner of a device, that they purchased themselves wants to change the IMEI, they can (in the usa), one instance of a LEGAL reason to do so is to prevent undisclosed throttling by the cellular carrier and this is done quite regularly by carriers to varying degrees and regions.
for instance, they will sell you 50gb of hotspot usage but then drastically throttle your connection speeds of the devices behind that hotspot, all the while never disclosing that fact to the customer, often even after being confronted on the subject they will even state that they only throttle in times of high congestion (an easily disproved excuse, if the speed is significantly slower on a tethered device while the cellular device itself has massively better speeds at all times then it's not congestion)
the customer has paid for hotspot usage, not hotspot usage at a reduced speed. (though some are disclosed, if only in the contract text itself, the customer would need to check this first)
changing the IMEI of a hotspot to that of say, a tablet that the person also owns for instance, would bypass that throttling and allow the customer to get the speeds that they have in fact paid for.
this is in fact what this type of modification is most commonly used for.
in this scenario there is no defrauding taking place, the customer is paying for a service that they are using on hardware that they have legally purchased and are taking actions simply to get what they have paid for and what the carrier agreed to provide them per the subscriber contract, neither 18 U.S.C. §1029 or 18 U.S.C. §2315 would come into effect or question, thus the action is perfectly legal.
since as i'm sure you're aware, in the USA, unless there is a law that SPECIFICALLY states an action is illegal, then said action is LEGAL.
the law is restrictive not permissive; people don't need permission to go outside and take a walk down the road, it is not forbidden by law therefore it is legal.
as others have said, most criminals will just buy burner $50 phones from walmart rather than go through all this trouble to change the imei
Indeed you can change your IMEI if you are a device owner. If you get caught, however, you will be prosecuted. I see you read the language of the statute but failed to read the annotations, commentary, amendments and progeny. Perhaps do your full research on the applicable law and then try to debate the substantive language. My interpretation of the statute is not at fault. I have been litigating this statute for a number of years and know full well what it prohibits.
@Mechcondrid, there's a bit more involved in litigation than citing statutory elements. Did you happen to research the federal legal definition of "access device?"
You and I are on the same page in terms of the required mens rea (criminal culpability, i.e. intent) in the context of securing a conviction for access device fraud. The prohibition you're not seeing is the mere act of altering or modifying a device's unique identifiers. This act creates a prima facie case of possessing an unauthorized/counterfeit access device, without demonstrating the mens rea of intent to commit a crime. I'll be glad to hash this out in more detail when I get a few minutes free. So, the question arises, would a person be automatically prosecuted for changing the IMEI/MEID of a mobile device? Maybe, maybe not. Who knows? My point is, that technically speaking, the individual has committed a federal crime within the scope of a prima facie context, by altering the identity of the device, in and of itself. The US Supreme Court expounded upon the contextual meaning of prima facie in the case of Virginia v. Black, 538 U.S. 343 (2003). For all intents and purposes of this subject matter, prima facie means evidence which on its first appearance is sufficient to raise a presumption of fact or establish the fact in question, i.e., altering the unique identifiers of a mobile device -- such as a cell phone. But again, when I get a few minutes free I'll hash out the precise points and authorities in the matter sub judice.
Viva La Android said:
@Mechcondrid, there's a bit more involved in litigation than citing statutory elements. This is your free lesson: did you happen to research the federal legal definition of "access device?"
You and I are on the same page in terms of the required mens rea (criminal culpability, i.e. intent) in the context of securing a conviction for access device fraud. The prohibition you're not seeing is the mere act of altering or modifying a device's unique identifiers. This act creates a prima facie case of possessing an unauthorized/counterfeit access device, without demonstrating the mens rea of intent to commit a crime. I'll be glad to hash this out in more detail when I get a few minutes free. So, the question arises, would a person be automatically prosecuted for changing the IMEI/MEID of a mobile device? Maybe, maybe not. Who knows? My point is, that technically speaking, the individual has committed a federal crime within the scope of a prima facie context, by altering the identity of the device, in and of itself. The US Supreme Court expounded upon the contextual meaning of prima facie in the case of Virginia v. Black, 538 U.S. 343 (2003). For all intents and purposes of this subject matter, prima facie means evidence which on its first appearance is sufficient to raise a presumption of fact or establish the fact in question, i.e., altering the unique identifiers of a mobile device -- such as a cell phone. But again, when I get a few minutes free I'll hash out the precise points and authorities in the matter sub judice.
actually, yes i am familiar with the federal definition of it; I actually design, build and implement custom IoT CnC (command and control) systems, of which one connection option offered is embedded cellular modules (other options include point to point microwave links as well as satcom links like the U-Blox system).
I do this as part of my job for a DoD contractor, so reading up on the compliance requirements of it is basically required to design and sell these systems unless i'd like the company to run afoul of a number of DFARs regulations/clauses and various federal contracting laws/regulations.
i have to even go as far as what specific brands and SoCs i use in a design depending on the customer, contractual context and if it's DoD related or not.
i research and read far more about the legality of things than you would ever expect a system architect to do.
you are coming into the scenario under the presumption that the IMEI is only ever altered (or at least the majority of the time) for illegal or duplicitous means, while that is a possibility, equally a possibility (or even more likely since there is considerable effort and technical skill involved and criminals generally would want easier methods) is a legitimate reason to do so.
the assumption of prima facie evidence runs under the understanding that the particular action is distinctly common to allude to or point to the very likely commission of a crime and only in the absence of competing evidence.
even then it generally requires the prosecution to provide point by point evidence pointing to the confirmation or the support of the prima facie assumption.
someone gets caught with 5 lbs of marijuana (pre-decriminalization/legalization, but this is an apt example that happened quite a bit) and says it's for "personal use"; it's FAR more likely that amount was purchased with the intent to resell (prima facie) than it is that one person is going to go through 5 whole lbs of weed in any realistic amount of time.
i believe there is also the same kind of law concerning liquor reselling without a liquor license somewhere but the core concept remains the same.
a legal non-blacklisted device, active paid carrier account registered to the person in question, and the IMEI being from a device that is also legally owned by the same user and no other active device used on the network with that IMEI would all be competing points of evidence that are easily verifiable by both third parties and the carrier's own records in conjunction with various forms of proof from the person in question themselves.
in one non-DoD customer scenario (that i've actually had to deal with) a cat 18 lte module we had deployed and provisioned would continuously get throttled and deprioritized as a type of hotspot device when it was in fact a single node communications module due to some issue on the carrier's backend management in the regional tower software (Pasadena, CA area to be specific), the module does not move and is simply in a location where running conventional wired or directed microwave networking infrastructure is both financially and physically infeasible; despite working with the carrier's enterprise support, every time we would get the modem back online to realistically usable speeds, about 72-84 hours later the module would again get deprioritized and return to sub megabit speeds on the upstream; this was an implementation that needed near-realtime data relay (less than 1 minute between data collection and upload/reception) which those kind of abysmal upload speeds completely blew out of the water.
after spending a cumulative 80 man hours attempting to work and troubleshoot with the carrier via normal support channels we decided to alter the imei using a cellular capable samsung tablet we purchased specifically to scavenge the IMEI.
The actual tablet itself is not and was never activated on any network and to this day sits on the server room shelf gathering dust and was never even turned on and had its first boot setup performed.
i'd honestly be very surprised if the tablet is even still functional considering it's sat there for years in a discharged state.
this was a legal purchase, is not a duplicated hardware node on any carrier network and is being used to access a legally and properly registered service that is being paid for by the registered account owner.
so: no fraud, no cloned device on any network and everything registered as it should be regarding the account owners, simply what amounts to a system repair using IMEI modification.
to date (going on roughly 3 years now) this fix has been rock solid and the only service interruption has been when the local power supply failed after the NEMA enclosure gasket had gotten damaged from a local tech's improper closure of the lid.
there is no specific law (in the USA) forbidding the alteration of an IMEI in and of itself without consideration to the intent or specific actions/activity being performed with the completion of that modification.
a prima facie case would likely be valid if we are talking about an actual cell phone as opposed to a hotspot or other data only terminal since there is little to no legitimate benefit to altering phone IMEIs (smart phone IMEIs are already one of the highest priority devices on carrier networks behind enterprise and first responder/mission critical nodes) outside of some very specific and niche scenarios;
but again, there COULD be legitimate reasons to do so and much of those are relatively easy to prove or disprove with information external to the person that is in question.
Mechcondrid said:
actually, yes i am familiar with the federal definition of it; I actually design, build and implement custom IoT CnC (command and control) systems, of which one connection option offered is embedded cellular modules (other options include point to point microwave links as well as satcom links like the U-Blox system).
I do this as part of my job for a DoD contractor, so reading up on the compliance requirements of it is basically required to design and sell these systems unless i'd like the company to run afoul of a number of DFARs regulations/clauses and various federal contracting laws/regulations.
i have to even go as far as what specific brands and SoCs i use in a design depending on the customer, contractual context and if it's DoD related or not.
i research and read far more about the legality of things than you would ever expect a system architect to do.
you are coming into the scenario under the presumption that the IMEI is only ever altered (or at least the majority of the time) for illegal or duplicitous means, while that is a possibility, equally a possibility (or even more likely since there is considerable effort and technical skill involved and criminals generally would want easier methods) is a legitimate reason to do so.
the assumption of prima facie evidence runs under the understanding that the particular action is distinctly common to allude to or point to the very likely commission of a crime and only in the absence of competing evidence.
even then it generally requires the prosecution to provide point by point evidence pointing to the confirmation or the support of the prima facie assumption.
someone gets caught with 5 lbs of marijuana (pre-decriminalization/legalization, but this is an apt example that happened quite a bit) and says it's for "personal use"; it's FAR more likely that amount was purchased with the intent to resell (prima facie) than it is that one person is going to go through 5 whole lbs of weed in any realistic amount of time.
i believe there is also the same kind of law concerning liquor reselling without a liquor license somewhere but the core concept remains the same.
a legal non-blacklisted device, active paid carrier account registered to the person in question, and the IMEI being from a device that is also legally owned by the same user and no other active device used on the network with that IMEI would all be competing points of evidence that are easily verifiable by both third parties and the carrier's own records in conjunction with various forms of proof from the person in question themselves.
in one non-DoD customer scenario (that i've actually had to deal with) a cat 18 lte module we had deployed and provisioned would continuously get throttled and deprioritized as a type of hotspot device when it was in fact a single node communications module due to some issue on the carrier's backend management in the regional tower software (Pasadena, CA area to be specific), the module does not move and is simply in a location where running conventional wired or directed microwave networking infrastructure is both financially and physically infeasible; despite working with the carrier's enterprise support, every time we would get the modem back online to realistically usable speeds, about 72-84 hours later the module would again get deprioritized and return to sub megabit speeds on the upstream; this was an implementation that needed near-realtime data relay (less than 1 minute between data collection and upload/reception) which those kind of abysmal upload speeds completely blew out of the water.
after spending a cumulative 80 man hours attempting to work and troubleshoot with the carrier via normal support channels we decided to alter the imei using a cellular capable samsung tablet we purchased specifically to scavenge the IMEI.
The actual tablet itself is not and was never activated on any network and to this day sits on the server room shelf gathering dust and was never even turned on and had its first boot setup performed.
i'd honestly be very surprised if the tablet is even still functional considering it's sat there for years in a discharged state.
this was a legal purchase, is not a duplicated hardware node on any carrier network and is being used to access a legally and properly registered service that is being paid for by the registered account owner.
so: no fraud, no cloned device on any network and everything registered as it should be regarding the account owners, simply what amounts to a system repair using IMEI modification.
to date (going on roughly 3 years now) this fix has been rock solid and the only service interruption has been when the local power supply failed after the NEMA enclosure gasket had gotten damaged from a local tech's improper closure of the lid.
there is no specific law (in the USA) forbidding the alteration of an IMEI in and of itself without consideration to the intent or specific actions/activity being performed with the completion of that modification.
a prima facie case would likely be valid if we are talking about an actual cell phone as opposed to a hotspot or other data only terminal since there is little to no legitimate benefit to altering phone IMEIs (smart phone IMEIs are already one of the highest priority devices on carrier networks behind enterprise and first responder/mission critical nodes) outside of some very specific and niche scenarios;
but again, there COULD be legitimate reasons to do so and much of those are relatively easy to prove or disprove with information external to the person that is in question.
You make good points. The key term is "access device," which was amended by legislation fairly recently to include tablets, cell phones, desktop computers, laptops, etc. I certainly agree that there are legitimate reasons as to why device identifiers would need to be modified. Correct, while there is not a statute that expressly prohibits alteration of IMEI/MEID numbers, I am merely outlining the federal statutes by which the government prosecutes such offenses. Similarly, for example, the Commonwealth of Kentucky does not have a statute prohibiting vehicular homicide. So there is no statute expressly saying that you can't go out and drive recklessly and kill people. However, such offenses are prosecuted under the manslaughter or wanton murder statutes. Changing an IMEI can get you prosecuted under the federal statute prohibiting the counterfeiting of an access device. I'm by no means saying that Homeland Security is coming after anybody changing an IMEI. But what I am saying is that federal prosecutors can technically charge an offender. I don't personally know of anybody who has been charged merely for altering device identifiers in the prima facie context. The US government most likely prosecutes only those offenders who have acted with nefarious or malicious intent, such as trafficking in cloned cell phones and the like. But again, my only point is that it is technically possible.
You and I appear to be on the same page on this topic. The only debate has been semantics it seems, whereas we are both correct on the points we are making.

Is masking/spoofing IMEI on a software level legal?

Hello,
is masking/spoofing IMEI on a software level (i.e. for let's say Instagram account creation) legal in the US/Europe?
And I mean by using lxposed or something.
Personally, I don't think so.
If someone has anything concrete, cases, laws etc. Would be most helpful.
Thank you.
@Viva La Android
IMEI change and legality, mods please read
Good afternoon mods, I'm sorry but I had to open a thread about this topic again. It's absolutely not illegal to change your IMEI in most of the world. For instance, it's completely legal in the entirety of the US (see...
forum.xda-developers.com
Seems like it is illegal. Well damn, I understand why because of the fraudsters but there are still some legitimate uses for it.
CptLongJohn said:
Hello,
is masking/spoofing IMEI on a software level (i.e. for let's say Instagram account creation) legal in the US/Europe?
And I mean by using lxposed or something.
Personally, I don't think so.
If someone has anything concrete, cases, laws etc., it would be most helpful.
Thank you.
I am licensed by both the Kentucky and Tennessee Bar Associations for the practice of law within those two states. Nevertheless, do not construe this information as legal advice. Always seek out competent legal counsel if faced with a legal dilemma of any kind -- counsel who is knowledgeable in the particular field of law in which you seek advice or legal guidance.
It has been argued on a number of blogs, forums and platforms that there is not a US state or federal statute which explicitly prohibits the practice of altering a mobile device's unique identifiers, such as IMEI/MEID numbers.
Those who argue this point are technically correct. However, the absence or omission of a criminal law that prohibits a particular action does not automatically render said action lawful. For example, there is also not a statute specifically stating that I cannot maim, kill and dismember my wife with a meat cleaver, but I can assure you these actions are otherwise prohibited under the various individual state homicide statutes. (I'm actually not married, but you get the point I'm sure.) This principle applies equally to altering the IMEI/MEID numbers of a particular mobile device in a manner so as to conceal or spoof the true identity of the device (emphasis added). There is a catch-all provision of applicable law that applies here. Offenders within the jurisdiction of the United States are prosecuted by the Department of Homeland Security and/or the US Secret Service, via the United States Attorney General's Office and the US Justice Department, under the federal statute
18 U.S. Code § 1029 - Fraud and related activity in connection with access devices.
"Access devices" is a term that has evolved progressively with the ever-growing data technology era. Access Device means any electronic device you use to access account info and/or view electronic documents. This includes, but is not limited to, a traditional computer such as a desktop or laptop computer; or a mobile device such as a tablet computer or a smartphone. While the offender must possess criminal intent to perpetrate a fraud under this statute, in order to be adjudicated guilty, a prima facie case can be made against a suspect on a mere showing that a mobile device's unique identifiers have been altered in a manner which would conceal the true identity of the device. In other words, a suspect can be deemed to possess the requisite criminal intent to commit fraud on the mere basis that the suspect altered a mobile device's unique identifiers in a manner which concealed the true identity of the device. This begs the question, "is altering a MEID/IMEI number a crime in and of itself in the US?" The plain answer to this question of law, unfortunately, is not simply yes or no. The above-referenced criminal statute includes language prohibiting the alteration of device identifiers for purposes of unlawfully accessing a mobile network, but also prohibits possessing or trafficking in altered mobile devices. The answer here, in terms of legal or illegal, is better stated as not necessarily illegal; the prima facie component isn't to say that every person who alters an IMEI or MEID is de facto guilty of a crime, but the legal concept certainly infers that the person could be guilty of a crime. It really depends on whether the US government and its agents wish to pursue a criminal prosecution against a particular suspect.
Hence, the legality of the practice of altering unique mobile device identifiers is based on a totality of the circumstances and facts of a particular investigation. The penalty range for a person convicted under this statute is 5 to 15 years in prison for each offense, a substantial fine, and forfeiture of any altered access devices. In all reality, I certainly don't see the US government going after Android enthusiasts, developers and modders who are legitimately altering device identifiers for a practical development purpose, and not for fraudulent or nefarious purposes. Nor have I ever heard of or personally seen the government targeting members of the custom Android community in this regard. This is for informational purposes, so use and apply the info however you wish.
Moreover, discussing methods and ways of spoofing or altering unique mobile device identifiers is strictly prohibited on XDA. This is the only information I can give on the subject. Hope it helps. Mr. @Oswald Boelcke hashes out an excellent general legal analysis below, in terms of the legality of this subject matter within some other countries and jurisdictions globally. He also outlines the applicable XDA rules and guidelines on this subject, and what exactly is allowed and disallowed on the platform.
CptLongJohn said:
is masking/spoofing IMEI on a software level (i.e. for let's say Instagram account creation) legal in the US/Europe?
@CptLongJohn I apologise for my delayed response due to real life at this extended holiday weekend. Please see my post also as a reply to your private message (PM). Generally, I refrain from responses to such messages as the XDA community doesn't benefit from a private conversation. In order to respect confidentiality that you might connect with your PM, I'm not quoting it; however, you're certainly free to share your PM here.
I'm unfamiliar with the legislation of the USA, and Europe consists of 46 - 49 sovereign countries; the affiliation of three countries is ambiguous. This means it's extremely difficult to answer your question in respect to Europe without academic work.
However, as a German citizen living in Germany, I can assure you that IMEI spoofing or masking on software level is not illegal in Germany, and also the European Union has not imposed any EU regulation that would have to be transferred into national laws in all EU countries. The latter does not mean that it might be legal in all EU countries.
The question you've raised is certainly interesting, and I certainly don't intend to stop the collection of knowledge and opinions or any discussion. However, independently from your question allow me to advise on the policy of this private website regarding IMEI's:
We don't allow any discussion of or support for changing or editing an IMEI (e.g. quite often asked for due to high taxes in some countries). Any references to paid services that support such requests are removed as soon as we become aware of them.
Support for restoring or repairing the original IMEI of a device is accepted, allowed and encouraged. Our forum doesn't consider the restoration of the original IMEI as a change of IMEI.
We allow that applications or e.g. (Ed)Xposed framework add-ons, which spoof, fake or mask an IMEI on software level, are posted and support for them is provided on XDA, as long as the spoofing or masking happens on software level, and the actual original IMEI is not tampered with. This software level spoofing is mainly done out of privacy concerns, which we respect, to disallow an application to use the IMEI as an unambiguous identification and as such tracking feature. However, the XDA staff would immediately intervene if support or discussion would cover illegal purposes.
I'm sorry that I'm obviously unable to answer your questions from your above post or your PM but I hope our stance reflected in our policy provides some clarification of how we handle these IMEI things on this private website. In case you're unhappy about this I suggest contacting our website's owners:
Contact Us | XDA Developers
www.xda-developers.com
Regards
Oswald Boelcke
Senior Moderator
