News by Andrew Kameka on Wednesday April 17, 2013.
The American Civil Liberties Union has filed a complaint with the FTC seeking an investigation of the four major carriers for their perceived failure to update their smartphones and close security vulnerabilities. The ACLU alleges that AT&T, Verizon, Sprint and T-Mobile have sold millions of Android smartphones but failed to offer much support to those devices or users after the sale is complete. Chris Soghoian, an ACLU senior policy analyst and principal technologist, added in a blog post:
"Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks."
According to the ACLU complaint, the four major carriers willfully deceive customers by not warning them that their smartphones have yet to be updated to patch known security flaws. The carriers willingly sell phones with outdated software and known vulnerabilities, according to Soghoian, despite the fact that Google issues security updates to address these issues.
Though Google might release a software update to address security flaws in Android, the fixes often do not trickle down to the majority of Android users in the U.S. because manufacturers and carriers fail to update devices to the latest software. Google's release of a security patch will only reach devices if AT&T or Verizon works with Samsung or HTC to update the software of existing phones.
The ACLU asks that the FTC investigate the carriers because it believes that the sale of computing devices (smartphones) makes them fall under the jurisdiction of the FTC. It also cites reports and previous statements from the FTC, FCC, US-CERT, NSA, and President Obama stressing the importance of software security updates to underscore the significance of carriers failing to issue them. Carriers choosing not to disclose that phones are not updated constitutes a willful omission of information that affects purchasing decisions, so consumers, as the ACLU argues, "suffer injury from a material misrepresentation."
The ACLU asks the FTC to take the following actions:
- Force wireless carriers to warn customers that their Android smartphones have unpatched security vulnerabilities, and warn about the severity of the security flaws.
- Force wireless carriers to let customers out of their contracts if they do not receive "prompt, regular security updates" without having to pay an early termination fee.
- Force carriers to let customers return or exchange their non-updated Android device for another device that will receive updates from Apple, Google, and Microsoft.
[Ed note - The ACLU effectively means an iPhone, Nexus, or Windows Phone device, but there's no guarantee that these phones will receive prompt updates directly from the source. While Apple and Microsoft have much better track records than Android devices, the definition set by the ACLU is vague. It's also worth noting that the Samsung Galaxy Nexus on Verizon is not updated directly by Google and gets updates months after the HSPA+ model used on AT&T and T-Mobile.]
While many Android users and detractors would welcome these changes, carriers are unlikely to embrace these policies. The companies will argue that they do provide updates whenever technology allows, but that's not enough for the ACLU. Soghoian wrote on the ACLU blog:
"Cybersecurity threats are real, and improving security and privacy should be an important priority for the government. We think there are plenty of things the government can do to protect the computers and networks that consumers, businesses and government agencies depend upon without violating civil liberties. Investigating the wireless carriers and their role in smartphone security updates would be a great first step."
Source: ACLU
Andrew is based in Miami, Florida.