ACLU complaint

Complaint calls 'orphaned' phones 'defective', says carriers should disclose dangers of unclosed security holes

The American Civil Liberties Union today published a complaint (pdf) it filed with the Federal Trade Commission, seeking an investigation into the major U.S. carriers' practice of updating -- or, more to the point, not regularly updating -- the smartphones that they sell for security reasons. "Android smartphones," the 16-page complaint reads, " that do not receive regular, prompt security updates are defective and unreasonably dangerous."

Chris Soghoian, principal technologist and senior policy analyst for the ACLU on speech, privacy and technology, followed up in a blog post, explaining:

Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path. 

At issue is the process in which the process works. Google provides the Android code -- including updates for bugs and security fixes -- but it's up to the hardware manufacturers to implement any changes, and the carriers to approve and ultimately get those changes pushed out. It's a lengthy, messy process that nobody has seemed able to improve with any real effect -- at least not to the satisfaction of the ACLU, or a minority but vocal faction of the buying public.  

The ACLU, in addition to seeking an investigation into the likes of Verizon, Sprint, T-Mobile and AT&T, specifically calls for several things:

  • For carriers to "warn all subscribers using carrier-supplied Android smartphones with known, unpatched security vulnerabilities about the existence and severity [of] the vulnerabilities, as well as any reasonable steps those consumers can take to protect themselves, including purchasing a different smartphone." Tucked into the other leagalese that gets tossed from any smartphone retail box, that probably wouldn't make that big a difference. But imagine if there basically was a big hazmat sticker on the your phone.
  • Allow customers who are under contract to end that contract early (without penalty) if their phone has "not received prompt, regular security updates." That's still relatively open-ended, though certainly it would apply to some of the more low-end devices out there.
  • Give you a refund or exchange (including switching manufacturers and platforms) to another device that does receive "prompt, regular updates."

These upgrade concerns aren't platform-wide, of course. The more high-end, popular phones tend to receive more attention. And Google's own "Nexus" phones, save for the Galaxy Nexus on Sprint or Verizon, are immune to this, getting updates directly from Google, and not carriers. The ACLU correctly notes all this. 

While we appreciate the ACLU attempting to hold the carriers' proverbial feet to the fire, the ACLU's complaint merely asks the same questions anyone in the know has asked for numerous upgrade cycles now. Mainly,

  • What is a "prompt" update? We've seen security fixes roll out on multiple carriers in a month. We've seen others wait for larger maintenance releases. Who gets to decide what's "prompt?"
  • What is a "regular' update schedule?
  • What is realistic -- technically and financially -- for "prompt" and "regular" updates? There is no parity in the smartphone world.
  • Is there something Google or the individual manufacturers can do to expedite the update process? 

And those are just off the top of our head. Again, we agree with the ACLU that security -- and security updates -- are of the utmost importance. And that the ACLU is raising hell is a good thing, even if the FTC isn't required to actually do anything. More of us should do that, whether it's petitions, formal complaints -- or by our favorite method, voting with your wallet.