01:35 PM

ACLU Seeks Carrier Smackdown Over Android Updates

ACLU urges FTC to let consumers return carrier-supplied Android devices for full refund or exchange within two years if they don't get regular security updates.

Are mobile phone carriers putting subscribers at risk by failing to update their Android mobile devices in a timely manner?

That question is at the heart of a complaint filed Tuesday by the American Civil Liberties Union (ACLU) with the Federal Trade Commission, requesting that the agency investigate the country's four major wireless carriers.

The ACLU's complaint also includes a "request for relief" for consumers. It proposes that any consumer using a carrier-supplied mobile device running Android that doesn't receive regular security updates be allowed to exchange the device for one "from Apple, Google, Microsoft or another mobile operating system vendor" that issues regular updates directly to device users. Alternatively, said the ACLU, consumers using devices that aren't regularly updated should be allowed to return their device, within two years, for a full refund.

"A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers’ smartphones by the wireless carriers and their handset manufacturer partners," said the complaint, coauthored by the ACLU's Speech, Privacy & Technology Project principal technologist and senior policy analyst Christopher Soghoian and director Ben Wizner.

Failure to update modern smartphones in a timely manner puts millions of consumers at risk of having their personal data stolen or communications intercepted. "Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous," wrote Soghoian and Wizner.

To date, however, there's been little consumers can do about it. "In spite of the fact that their devices are vulnerable ... consumers remain locked into their wireless service contracts, which are enforced by prorated early termination fees," they said. By forcing consumers to choose between being penalized for breaking a contract and using a smartphone that's reasonably secure, carriers are perpetrating an "unfair business practice," they said.

The four carriers named in the ACLU's complaint are AT&T, Sprint Nextel, T-Mobile USA and Verizon Wireless.

Asked via email to respond to the ACLU's allegations and to provide a list of all Android devices they currently sell -- as well as a timeline of all operating system and security updates released for those devices -- Sprint responded with the following statement: "Sprint follows industry-standard best practices designed to protect its customers."

T-Mobile USA spokesman Glenn Zaccara said via email that "T-Mobile takes security very seriously, and regularly provides security updates to our customers, including those using the Android operating system."

AT&T and Verizon Wireless did not immediately respond to the same emailed request. But Verizon told Ars Technica that it works to provide "mandatory updates" for consumers. "We are known for our rigorous testing protocols which lead the wireless industry, and we thoroughly test every update before delivering it to customers," said Verizon. "We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience."

This isn't the first time that criticism has been leveled at some Android smartphone manufacturers and carriers for their failure to update some devices in a timely manner, if ever. For example, Harry Sverdlove, CTO of Bit9, released a report in November 2011 assessing the security of the top 20 Android smartphones then on the market, and found that on average, carriers treated a device as being "end of lifed" -- meaning it no longer received support or updates -- after just one year, despite the majority of consumers having signed two-year contracts.

Sverdlove also found that some carriers and manufacturers took months after Google released an Android operating system update to distribute it to their subscribers. For example, Samsung took 316 days to patch its Galaxy Mini, while Motorola's fastest update was 141 days, for the Droid X.

Sverdlove's research was complicated by manufacturers occasionally releasing updates and then withdrawing them without warning due to instability issues. In other cases, carriers and manufacturers would make updates available to users, but require them to jump through hoops to install the software fix; for example, by having to manually root their phone first.

"As a security professional, it's the most chaotic thing I've ever seen," said Sverdlove at the time.

Updates for Android devices can be slowed by manufacturers and carriers adding their own overlays -- aka skins or enhancements -- and tools to the core Android operating system. In some cases, these additions amount to little more than bloatware, and in worst-case scenarios can introduce new security vulnerabilities.

Number 6,
User Rank: Strategist
2/20/2014 | 2:37:32 PM
re: ACLU Seeks Carrier Smackdown Over Android Updates
So how's this going? I'll take a wild guess... nowhere.
User Rank: Moderator
4/24/2013 | 8:36:49 AM
re: ACLU Seeks Carrier Smackdown Over Android Updates
Great comment. If the carriers are going to sign you up to a two-year contract (or whatever the length), that contract should work both ways: you continue to pay, and the carrier continues to release timely updates/patches for the device. If the carrier drops the ball, then the contract should be void.
User Rank: Apprentice
4/23/2013 | 6:26:14 PM
re: ACLU Seeks Carrier Smackdown Over Android Updates
A couple different things struck me while reading this article. I appreciate the ACLU for looking out for consumers. Also, the rate of updates, patches, etc. is fairly quick, and with patches or updates sometimes causing more harm than good, I understand the reluctance by the wireless providers. The real problem that should be outlawed is being forced to sign a 2-year contract for a subsidized phone that may, or most likely will not, have important security updates coming down.
User Rank: Apprentice
4/18/2013 | 6:13:23 PM
re: ACLU Seeks Carrier Smackdown Over Android Updates
I have an HTC Inspire that is over 2 years old. When I check for a software update, it tells me my software is up to date yet I am using Gingerbread (Android 2.3.3 vs v4 Jelly Bean). So my software is most decidedly NOT up to date. At the time I bought my phone, I was not as knowledgeable about Android as I am now. This issue has me strongly considering a "skinless" Nexus device. Actually, the new line of Motorola phones [read: Google phones] will be running the stock or "pure" Android OS.
User Rank: Apprentice
4/18/2013 | 6:04:15 PM
re: ACLU Seeks Carrier Smackdown Over Android Updates
I am glad this is getting the attention of the ACLU and I think the concern/argument it is presenting is the right approach. However, the wireless lobby usually gets its way and will whine and cry about how expensive it will be to replace phones that it already subsidizes (regardless of the HUGE profits it makes off the data plans on networks long ago built out).

I think the ACLU needs to find a connection to national security. That is one trump card that would be very hard for the wireless providers to overturn. Time to write our useless Congress again I guess.
User Rank: Apprentice
4/18/2013 | 11:43:31 AM
re: ACLU Seeks Carrier Smackdown Over Android Updates
So I would not have thought about this being a "safety issue" .. although as a network admin I certainly lecture people on keeping software patched and up to date. I would think there is a financial side to this as well? fraud? .. monopolistic action? ... were you told when you purchased your last phone that it would not be receiving updates? I was not ... and I would not have bought the phone I did had I known that... what about you?