Yesterday, we filed a complaint with the Federal Trade Commission (FTC) asking the agency to investigate the major wireless carriers for failing to warn their customers about unpatched security flaws in the software running on their phones. These companies—AT&T, Verizon, Sprint and T-Mobile—have sold millions of smartphones to consumers running versions of Google’s Android operating system. Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks.
In a 16-page complaint filed with the FTC, we argue that the major wireless carriers have engaged in “unfair and deceptive business practices” by failing to warn their customers about known, unpatched security flaws in the mobile devices sold by the companies.
Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path. The problem isn’t that consumers aren’t installing updates, but rather, that updates simply aren’t available. Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners.
This is in sharp contrast to the norm on the desktop, where Mac and PCs both receive regular security updates directly from Apple and Microsoft. Apple also provides regular security updates to mobile devices, such as the iPad and iPhone. And it is standard practice for the companies that make almost all widely used software -- such as operating systems, web browsers and third party applications -- to issue regular updates to their software, including security fixes.
We are not the first to highlight this problem—it has been covered at length by the technology press, and more recently, in a front page article in the Washington Post. The market has unfortunately failed to deliver regular security updates to millions of consumers using Android devices. As such, we believe that Federal regulators should step in and protect consumers.
As we stated in our complaint, if the mobile carriers are not going to provide important security updates, the FTC should at a minimum force them to provide device refunds to consumers and allow consumers to terminate their contracts without penalty so that they can switch to a provider who will.
Cybersecurity can be protected without violating civil liberties
As consumers increasingly store vast amounts of private, sensitive data on their smartphones, the ACLU is fighting to make sure that data stays safe. Although our most high-profile advocacy and litigation in this area relates to the threat of warrantless searches of data stored on mobile devices, the US government is by no means the only threat to mobile privacy. Identity thieves, stalkers and foreign state actors also pose a threat to consumers and their data.
During the last year, both the FBI Director and the Director of National Intelligence have stated that cybersecurity-related threats have surpassed terrorism as the number one threat facing the United States. Some of this rhetoric can border on the alarmist – and Congress, predictably, has responded with misguided legislative proposals that will do little to protect consumers from cybersecurity threats, while opening the door to a massive expansion of the government’s surveillance powers.
But cybersecurity threats are real, and improving security and privacy should be an important priority for the government. We think there are plenty of things the government can do to protect the computers and networks that consumers, businesses and government agencies depend upon without violating civil liberties. Investigating the wireless carriers and their role in smartphone security updates would be a great first step.