ACLU Files FTC Complaint Over Android Smartphone Security

Yesterday, we filed a complaint with the Federal Trade Commission (FTC) asking the agency to investigate the major wireless carriers for failing to warn their customers about unpatched security flaws in the software running on their phones. These companies—AT&T, Verizon, Sprint and T-Mobile—have sold millions of smartphones to consumers running versions of Google’s Android operating system. Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks.

In a 16-page complaint filed with the FTC, we argue that the major wireless carriers have engaged in “unfair and deceptive business practices” by failing to warn their customers about known, unpatched security flaws in the mobile devices sold by the companies.

Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path. The problem isn’t that consumers aren’t installing updates, but rather, that updates simply aren’t available. Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners.

This is in sharp contrast to the norm on the desktop, where Macs and PCs both receive regular security updates directly from Apple and Microsoft. Apple also provides regular security updates to mobile devices, such as the iPad and iPhone. And it is standard practice for the companies that make almost all widely used software -- such as operating systems, web browsers and third-party applications -- to issue regular updates to their software, including security fixes.

We are not the first to highlight this problem—it has been covered at length by the technology press, and more recently, in a front page article in the Washington Post. The market has unfortunately failed to deliver regular security updates to millions of consumers using Android devices. As such, we believe that Federal regulators should step in and protect consumers.

As we stated in our complaint, if the mobile carriers are not going to provide important security updates, the FTC should at a minimum force them to provide device refunds to consumers and allow consumers to terminate their contracts without penalty so that they can switch to a provider who will.

Cybersecurity can be protected without violating civil liberties

As consumers increasingly store vast amounts of private, sensitive data on their smartphones, the ACLU is fighting to make sure that data stays safe. Although our most high-profile advocacy and litigation in this area relates to the threat of warrantless searches of data stored on mobile devices, the US government is by no means the only threat to mobile privacy. Identity thieves, stalkers and foreign state actors also pose a threat to consumers and their data.

During the last year, both the FBI Director and the Director of National Intelligence have stated that cybersecurity-related threats have surpassed terrorism as the number one threat facing the United States. Some of this rhetoric can border on the alarmist – and Congress, predictably, has responded with misguided legislative proposals that will do little to protect consumers from cybersecurity threats, while opening the door to a massive expansion of the government’s surveillance powers.

But cybersecurity threats are real, and improving security and privacy should be an important priority for the government. We think there are plenty of things the government can do to protect the computers and networks that consumers, businesses and government agencies depend upon without violating civil liberties. Investigating the wireless carriers and their role in smartphone security updates would be a great first step.


Anonymous

That's a load of bull hockey.
The users are the ones who store private stuff on their phones and may download malicious software.
When MS and Adobe update their software, the computer user's ISP allows the updates to download. The ISP doesn't send the updates.
It should be the same with the cellular carriers. They should allow the updates if Google (or most likely the hardware manufacturers) decides to send them. Or Google or the hardware manufacturers can allow them to be downloaded via the web onto a computer then loaded on a phone. But most users wouldn't know how to do that anyway.
I don't see blaming the carriers for the users' inability to keep their phone secure and the phone manufacturers' lack of updates. Remember, some phones cannot be updated.

Anonymous

I disagree with the top comment to an extent. Yes, users need to be better educated on avoiding malicious files, sites, etc. That's the best line of defense and should be #1. Google's AOSP (Android Open Source Project) receives many updates, including minor to major security fixes. Manufacturers implement the new code with their builds and then push them to the carrier. This is where the problem is. Carrier testing is taking a ridiculous amount of time and preventing these ready-to-use updates from being pushed to the device. There needs to be a unified process after the point Google releases the source code to the updates being pushed to the phone. Quicker updates mean more secure devices and happier users.

Anonymous

GREAT! This is annoying, since I was the victim of identity theft - having no idea how they got my information - and it happened at EXACTLY THIS POINT IN TIME.
THAT'S probably how they did it, and for the life of me I still CAN'T figure out how I could have filed a police report, given them all the details but they STILL couldn't find who did it, and nobody TOLD me this is what it could have been. They never mentioned my phone at all and thought it happened through my desktop computer when all along THIS is how it probably happened.
I can't wait until the "people" who DID that to me meet the Angel of Death.

Anonymous

Blaming the CUSTOMERS is a load of "bull hockey" not to mention making all these updates so obscure and inscrutable that only someone BORN with a computer in their brain can figure the shit out.
And they'll lose all their customers if they KEEP the attitude of blaming the customers. Especially when everything is so user hostile to people over a certain age.

I know a guy who has an MBA in Business Administration and a Bachelor's in Macroeconomics.
You don't operate a business for LONG if you ignore all complaints that your customers make and do everything as if nobody else exists but you.
He didn't especially like the way Bill Gates used to do business, but the statement Gates made about "listening to what people DON'T like about your business is as important as hearing what pleases them" is true.
