The federal government appears ready to take dramatic action against U.S. wireless carriers that fail to protect Android smartphone buyers against malware — specifically by not pushing out timely operating-system updates. And the catalyst most likely to kick the feds into gear is an American Civil Liberties Union complaint filed Tuesday with the Federal Trade Commission.
Let The Market Decide
What the ACLU is asking is not difficult. Rather than have the FTC order carriers to ship security updates to the Android operating system as soon as they are made available by Google, the ACLU wants customers to be told upfront that they won't be getting the updates needed to protect their personal data from hackers.
"We think the companies should be forthcoming about this," Christopher Soghoian, principal technologist and a senior policy analyst for the ACLU, said. "If consumers knew that certain phones weren't going to get updates, they might not buy those phones in the first place."
Rather than force carriers to spend a lot of money on automatic update services, the ACLU wants the market to fix the problem, a stand that many lawmakers in Congress should applaud.
"We want the market to work, but consumers are never going to get to vote with their wallets if they don't know which phones are secure and which phones are not secure," Soghoian said.
(See also: FTC To Carriers: Fix Security Or End Up Like HTC)
The ACLU complaint names AT&T, Verizon Wireless, Sprint Nextel and T-Mobile USA. AT&T declined comment, Sprint said it follows "industry-standard best practices," and Verizon said it works closely with manufacturers to provide "mandatory updates to devices as quickly as possible."
T-Mobile was the only carrier to say that it keeps Android customers up to date with the latest software. "T-Mobile takes security very seriously, and regularly provides security updates to our customers, including those using the Android operating system," a company spokesman said.
The FTC Plays The Heavy
If that is what T-Mobile does, then it is more in line with the FTC's thinking than its rivals. In a February settlement with smartphone manufacturer HTC, the agency pointedly emphasized the need to secure mobile devices.
Under FTC pressure, HTC agreed to a "comprehensive security program" that includes patching vulnerabilities that could be exploited by hackers and spammers. The agreement was significant because it outlined for all device manufacturers what the FTC considers best practices for security.
Keeping software up to date is a critical defense against hackers, who often target known vulnerabilities in software because so many users continue to run older, bug-ridden versions. In a blog post following the HTC settlement, FTC chief technologist Steve Bellovin made it clear that securing mobile devices was the responsibility of manufacturers and carriers, and they have to work together at getting updates out to customers.
"Bugs happen, ergo fixes have to happen," Bellovin said.
Android malware is a much larger problem outside the U.S., particularly in Asia and Eastern Europe. That's because people in those regions will download applications from third-party app stores, many of which distribute malware-infected software. In the U.S., most people get their apps from the Google Play store, which regularly checks for malicious software.
Nevertheless, 97% of new mobile malware is directed at Android devices, which comprise 72% of the smartphone market, according to security vendor Symantec's latest Internet Security Threat Report. While most infections today occur from downloading bad apps, experts say hackers are increasingly trying to compromise devices through spam that carries links to malicious Web sites.
Given the mood of the FTC, and trends in Android malware, it should be obvious to carriers that the status quo is unacceptable. If they aren't ready to make changes on their own, then they're likely to get an unfriendly shove from the feds.
Image courtesy of Shutterstock