ACLU complaint

Complaint calls 'orphaned' phones 'defective', says carriers should disclose dangers of unclosed security holes

The American Civil Liberties Union today published a complaint (pdf) it filed with the Federal Trade Commission, seeking an investigation into the major U.S. carriers' practice of updating -- or, more to the point, not regularly updating -- the smartphones that they sell for security reasons. "Android smartphones," the 16-page complaint reads, " that do not receive regular, prompt security updates are defective and unreasonably dangerous."

Chris Soghoian, principal technologist and senior policy analyst for the ACLU on speech, privacy and technology, followed up in a blog post, explaining:

Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path. 

At issue is the process in which the process works. Google provides the Android code -- including updates for bugs and security fixes -- but it's up to the hardware manufacturers to implement any changes, and the carriers to approve and ultimately get those changes pushed out. It's a lengthy, messy process that nobody has seemed able to improve with any real effect -- at least not to the satisfaction of the ACLU, or a minority but vocal faction of the buying public.  

The ACLU, in addition to seeking an investigation into the likes of Verizon, Sprint, T-Mobile and AT&T, specifically calls for several things:

  • For carriers to "warn all subscribers using carrier-supplied Android smartphones with known, unpatched security vulnerabilities about the existence and severity [of] the vulnerabilities, as well as any reasonable steps those consumers can take to protect themselves, including purchasing a different smartphone." Tucked into the other leagalese that gets tossed from any smartphone retail box, that probably wouldn't make that big a difference. But imagine if there basically was a big hazmat sticker on the your phone.
  • Allow customers who are under contract to end that contract early (without penalty) if their phone has "not received prompt, regular security updates." That's still relatively open-ended, though certainly it would apply to some of the more low-end devices out there.
  • Give you a refund or exchange (including switching manufacturers and platforms) to another device that does receive "prompt, regular updates."

These upgrade concerns aren't platform-wide, of course. The more high-end, popular phones tend to receive more attention. And Google's own "Nexus" phones, save for the Galaxy Nexus on Sprint or Verizon, are immune to this, getting updates directly from Google, and not carriers. The ACLU correctly notes all this. 

While we appreciate the ACLU attempting to hold the carriers' proverbial feet to the fire, the ACLU's complaint merely asks the same questions anyone in the know has asked for numerous upgrade cycles now. Mainly,

  • What is a "prompt" update? We've seen security fixes roll out on multiple carriers in a month. We've seen others wait for larger maintenance releases. Who gets to decide what's "prompt?"
  • What is a "regular' update schedule?
  • What is realistic -- technically and financially -- for "prompt" and "regular" updates? There is no parity in the smartphone world.
  • Is there something Google or the individual manufacturers can do to expedite the update process? 

And those are just off the top of our head. Again, we agree with the ACLU that security -- and security updates -- are of the utmost importance. And that the ACLU is raising hell is a good thing, even if the FTC isn't required to actually do anything. More of us should do that, whether it's petitions, formal complaints -- or by our favorite method, voting with your wallet.


Reader comments

ACLU wants the FTC to give carriers a kick in the pants over security updates


Another case of people having too much time on their hands and needing something to complain about. I see zero probability of this going anywhere.

Exactly! And if it does go anywhere I see it ending up badly. From the 1st cellphone until today it has always been up to carriers when/if a phone got an update.

I agree it won't go anywhere, but the lack of basic security updates on a device with as much personal information as a smartphone is indeed more than just "something to complain about". It's a real issue and it's one of the reasons i use a nexus.

Since the Carriers are Leasing Our spectrum, U.S. citizens own the spectrum, and it is leased by the FCC on our behalf, it needs to be more regulated to protect us. Carriers are self appointing more power to themselves and also price gouging data rates. Carriers create a service then change it and take away services all in the name of profit and hiking up charges to achieve an 8% increase for the yearly share holders and "Competitive Bonus'" for their executives. The only way we can voice our complaint is filing a complaint with your state's communication regulator and by filing a complaint with the FCC when you are dissatisfied and don't like the services they switch on you.

Since the Carriers are Leasing Our spectrum, U.S. citizens own the spectrum, and it is leased by the FCC on our behalf, it needs to be more regulated to protect us. Carriers are self appointing more power to themselves and also price gouging data rates. Carriers create a service then change it and take away services all in the name of profit and hiking up charges to achieve an 8% increase for the yearly share holders and "Competitive Bonus'" for their executives. The only way we can voice our complaint is filing a complaint with your state's communication regulator and by filing a complaint with the FCC when you are dissatisfied and don't like the services they switch on you.

If the carriers stopped putting bloatware on the phones, then the authorization of updates and security patches, and the testing - of the former and the latter - would take far less time.

Carrier control is one of the primary reasons that many devices fail to see any updates. International and Nexus devices receive quicker and more prevalent updates, due to their being little to no carrier interference.

This is a valid complaint, but it possesses little to no momentum of ever seeing any action taken upon it.

I suspect the phone manufacturers are just as much to blame as the carriers. They add their own bloatware (e.g. Blur, Sense, TouchWiz, plus apps, etc.) that also causes them to choose to stop supporting older phones prematurely. And, of course, slowing down propagation of Android updates from Google. As well as, of course, introducing manufacturer- or phone-specific security holes.

Damn you know what you are that i think of it Samsung was horrible for that back in the early stages of android! I do think that manufacturers are getting better with this over the years.

Samsung and Motorola (post Google) have gotten significantly better with updating aging hardware. HTC, the ball is in your court now.

Samsung is still bad at this. Don't forget about the big dialer snafu late last year on phones that would allow folks to wipe your phone via HTML. There were so many Samsung phones that hadn't received a security update, even though Google patched it early last year.

You make a great point. Fragmentation - be it from the OEMs, Carriers, or Google - will be the elephant in the room for quite some time, until there's a one-size-fits-most solution.

Wait, are you saying that Blur, Sense, TouchWiz are the source of security vulnerabilities?

Because if you aren't making that claim then its patently clear you've never written a line of code in your life.

When a security vulnerability is detected a patch is released by Google (Android Alliance). Just like a source patch from Linux. You apply the patch, recompile THAT SPECIFIC MODULE, re-link and distribute. You don't have to touch Blur, Sense, TouchWiz or any other part of the system.

For security patches, Blur, Sense etc do not affect any part of that. They don't have to get rebuilt. You compile only the low-level module(s) affected by the change
and recreate the rest of the package with one command. Rinse and repeat for each different phone model.

There are three problems holding up a rational patch scenario for Android that every other system already has.

1) The install base is huge. Really Freakin Huge. The bandwidth requirements to distribute a patch to 500 million Android devices worldwide is simply gigantic, in comparison to the actual risk that someone will find a way to exploit these phones via the market.

2) Android is a monolithic package. Every other sane operating system has abandoned that packaging method so that you can replace one tiny module independent of downloading the entire OS package for even the tiniest fix.

3) There are too many different phones, each requiring a repackage and redistribution of their entire OS because its a monolith.

With a different distribution model, one (or a very few) tiny modules would be distributed which would suffice for a multitude of devices, even across different manufacturers and different Android versions. Most often without even the need of a reboot.

We have a mess right now, because the distribution and packaging methods are running a quarter century behind current methodology.

He didn't say THE source, he said ANOTHER source. And he's right. Just a month or so ago, there was that lockscreen security flaw found primarily only on Samsung phones with Touchwiz. There was also a Touchwiz specific flaw back in September that could factory reset your phone if you visited a maliciously coded website (I would post the link to the article, but due to AC's filters that think my post is automatically spam because of the link, I can't. But AC wrote about it on 9/25/12). To my knowledge, neither of these issues were ever found on HTC phones running their Sense overlay, or Motorola with their earlier MotoBlur, or even on AOSP.

People want to complain that it's their phone, not the carrier's, and they should be able to unlock, root, install any software they want, etc.. And then they want to complain that the carrier should be better managing security on their phone?

You can't have your cake and eat it, too.

I hope this does go somewhere. Because the way I see it going is to push other carriers to offering plans like T-Mobile is now. E.g. Verizon no longer sells you a phone and has you on a contract. Instead, they sell you a phone, offering you a finance plan, and your account has no contract. Then they'll just respond to these ACLU's complaints by saying "not our problem. The phone belongs to the customer. They can terminate their account with us any time. BUT, they bought a phone that had no guarantees of future updates and they have to pay us the full amount for it, whether they choose to keep using it or not." Of course, with Verizon, that will probably make things more expensive, as they won't drop the price of the service. You'll still pay the same for that PLUS pay for your phone. Hopefully, I'm wrong on that last bit and they'll drop the price of the service so that service plus the payment on a financed phone is the same as the price of just the service now (i.e. like T-Mobile).

Not likely to yield the result the ACLU wants, but could still end up benefiting us customers.

Being able to root, install any software and wanting the device manufacturer to continue to provide security updates don't conflict and really it addresses different groups.

When you root or unlock a bootloader, you're basically agreeing that whatever happens to your phone and the security of the data on it is your responsibility. the phone manufacturer and carrier aren't responsible for what happens after that point.

For the mainstream stock user, who doesn't root or unlock bootloaders, expecting their device to at minimum be updated with security patches isn't too much to expect. The aclu moves into some areas where I am less sure, like new features etc which I don't think they are obligated to fulfill but security updates for existing software should be given promptly.

I already voted with my wallet - I ditched my Verizon Galaxy Nexus and on-contract phones for a Nexus 4, and I couldn't be happier. Still, I hope the ACLU manages to put a bit of pressure on the carriers - they really need to have the right to regulate phone software taken away from them, that would be like letting Time Warner decide when your Mac or PC gets to upgrade to a new version of an OS. The fact that is always has been this way (for phones) is not an excuse to continue the idiotic practice.

So you're saying there is already an alternative for consumers to buy a phone that is not regulated by the carriers? Then how can you say the carriers have this "right to regulate phone software" that needs to be taken away?

It sounds to me like consumers have a choice to buy a phone that the carrier doesn't regulate at all. OR, the consumer can CHOOSE to buy a phone that is updated through their carrier. Some people might feel like having the carrier do additional testing, etc., on an OS update before it is released to their phone is a benefit. And since the customer (apparently) already has a choice in this matter, what should "they" (the government, presumably?) do?

It seems to me that the current situation is like Time Warner offering to sell you a PC and telling you that if you buy it from them, they will provide you tech support and they will control and validate all the udpates for it. Or you can go buy your PC from somebody else and still use it on their cable network, but you'll have to get your support and updates from somebody besides TW. What's wrong with that?

I'm actually saying exactly what the ACLU is (in this case): that most consumers simply don't know. Even most of my tech-savvy friends don't realize the tradeoff they are making in terms of software updates, security, etc. when they buy a subsidized phone (indeed, most don't even realize there is another option). U.S. carriers have largely hid both the true costs of ownership and the risk/potential costs of using a device that they control, and they should have to explain it in big bold print to anyone who comes in to purchase such a device (and should be forced to allow customers off of contract this time around who were so mislead).

After that fine, if you feel safer buying your device letting carriers handle the updates rather than the people who actually write the software (or if you simply have to have the most expensive phone but can't afford to pay for it up front and don't mind the tradeoff) that's up to consumers.

The problem here is that the smartphone market evolved from selling devices that were appliances and not computers, so a market model that at one time made more sense (or at least was less malicious to consumers) was grandfathered in as "the norm" in the U.S. even as the costs to consumers piled up. PC sales, on the other hand, grew before getting connected (and thus having a service provider) was the norm, and so companies like Time Warner who could offer such a service (and there are at least some specialty providers to seniors who do provide similar hardware/OS update packages) have to compete against people who sell you hardware outright, and the result of that free market competition is clear: when consumers understand the tradeoffs they rarely want to be beholden in such a way (again, outside of niche services).

So what the government should do is what we have one for - force a bit of truth in advertising, provide an awareness campaign, and allow customers that have been taken advantage of to move off contract (or trade in for a more suitable device) without the companies that have acted egregiously to profit from it (e.g. no early termination fees). At that point as much would be done as can be done, and it would be up to consumers to choose which purchasing model they prefer.

The problem isn't that the carrier does the updates. The problem is that the carrier doesn't do updates in a timely manner. In fact, in many cases the carrier has disincentives to update phones period. The ACLU, however, is looking at this from the standpoint that if a phone sold by carriers has known security vulnerabilities and is still under contract, it is to be considered a defective product. That's why they are pushing for consumers to be able to receive a refund/exchange, or to be released from their contract. To use your own analogy, if Time Warner was blocking updates for known security vulnerabilities they would likely be sued for selling a defective product. There is no difference when looking at the current state of Android phones in the cell phone industry. Companies should be looking at maintaining security updates with the view that it is a sunk cost for making/selling Android devices.

I always chuckle when the words "Blackberry" and "competitive" are mentioned in the same sentence.

See how easy it is to troll?

To me, carrier branded devices are completely out of the question when security and updates are viewed as important. The carrier adds an extra layer between the manufacturer and the consumer and should be taken out. The track record for branded devices has been bad for many years, in many countries. There is not a single example where a device has received more timely updates because of it being branded.

I think it is time for people to use their consumer power and select unlocked, unbranded products like the Nexus 4 rather than acting like an uneducated group that argues that "it is too expensive to pay $599 + $30-50/month for a phone so I buy this one on contract that will set me back with $2699 instead (contract included)".

Everyone that cares about timely updates should know that carrier branded devices are inferior in this regard and act accordingly. The only way the situation can improve is by using consumer power and pair it with different measures that protects and reinstates the free market (BYOD and unlocked being the norm paired with installment plans for financing).

OR you can get an IOS device, which does not suffer from this particular problem { fragmentation }. IOS is NOT perfect, far from it, but this is one issue it does not suffer from. Before I get jumped on, I LIKE ANDROID, if it did not have the issue of NOT getting regular updates { unless it is a NEXUS } I would enjoy having a larger screen...etc, etc.

Fragmentation is not "iOS brainwash". It has been admitted to by Google and discussed at length on the forums here. Relabeling the problem "diversification" does not make the issue go away.

this dookie is begging for root exploits to be patched...thats about it.

All in the name of having the latest Android version!

ACLU is really making the carriers a favor. If or once there is a massive exploit there will be a bunch of lawyers lining up to sue the hell out of them.

It may be telling when communications carriers (T Mobile, Verizon, etc) cannot seem to communicate with their suppliers (HTC, etc). The best interests of both would be served in getting the security/update act together.


rooting, etc, removes warranty and I think obligation on all sides. The ACLU should understand this distinction and if not, they will be briefed before a Judge on the matter.

Contrary to opinions which may dismiss the ACLU, the carriers have (old, dried) blood on their hands and need to be challenged constantly in order that they approach some level of honesty and fair play with customers. I see T-Mobile heading in this direction, particularly, and it's refreshing.

Carriers need to decide what they are going to be. A pipe like Gas/water/electricity or a Provider like a Cable/Sattelite Television services. They can't be both. The Robber Baron era of Cellular is coming to a close.

Someone wasn't thinking when they came up with this. It's hardly the fault of the carrier. While in the case of Verizon the carrier seems to be responsible for excessive delays the carrier did not build the device and can't be responsible for updates developed for them. If they're going to go after someone, though I think it's still a stupid idea, they would have to go after *every* device manufacturer too. Good luck with some of them.

I completely disagree. Each carrier sells their devices locked to their own network, under contract. It is essentially their product, with the phone manufacturers essentially serving as OEMs. That's why each carrier refuses to relinquish the right to certify all updates on phones sold by them before they are released to the public. If the carriers want the manufacturers to be held accountable, then they need to step out of the update process, like they have with iOS.

It will take public and corporate pressure to force the carriers, manufacturers and OS developers to issue more timely security updates. Microsoft, Adobe, Oracle and others have responded to public pressure to fix security holes in their products. Mobile operating systems have similar kinds of flaws to Windows, Linux and OS X.