ACLU Asks FTC To Force Carriers To 'Patch Or Replace' Android Devices 318
chicksdaddy writes "The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the federal government to take action to stem an epidemic of unpatched and insecure Android mobile devices – declaring the sea of unpatched and vulnerable phones and tablets 'defective and unreasonably dangerous.' The civil liberties group's complaint for injunctive relief with the FTC (PDF), notes that 'major wireless carriers have sold millions of Android smartphones to consumers' but that 'the vast majority of these devices rarely receive software security updates.' The ACLU says carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to' third parties. 'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners,' the ACLU said. Android devices now account for close to 70 percent of new mobile devices sold. The porous security of many of those devices has become a topic of concern. The latest data from Google highlights the challenge facing the company, with just over 25% of Android users running versions 4.1 or 4.2 – the latest versions of the OS, dubbed 'Jelly Bean,' more than six months after its release. In contrast, 40% of Android users are still running the 'Gingerbread' release – versions 2.3.3 through 2.3.7, a two year-old version of the operating system that has known security vulnerabilities."
Re:No law is needed (Score:5, Interesting)
I own a Motorola Atrix 4G. It is an excellent smartphone platform. It has been abandoned
by Motorola even though the phone can easily run ICS and Jellybean. We Atrix 4G users
may never see an official update, on a phone they originally PROMISED to update.
Sad thing is Motorola Mobility is now owned by Google. Go Figure.
Re:Bloatware (Score:2, Interesting)
Apple's approach to phones is objectively superior in every way. They do not allow the worthless carrier's to touch their hardware or OS, other than to verify that it will work on their network.
Google allowing the carriers to be involved at all in hardware and especially the OS itself was a huge mistake, one they may never recover from.
Differences in the U.S? (Score:2, Interesting)
Here in Norway, the carriers are not involved in the phone software. They merely provide a SIM card. Software updates are received from Google and sometimes the handset manufacturer. And to save on phone bills, the updates are usually done over wifi. You don't even need the carrier for that - only an ISP. The 'computer' part of the smartphone don't need the carrier (or their SIM card) to operate.
The carriers are only for phoning someone up and talk to them, sms and conference calls. Oh, and they provide 2/3/4G internet, but wifi is always cheaper when available.
The carrier don't provide software at all, except for setting up the SIM card. The "smart" side of the phone is entirely between the user and Google.
And the ACLU cares about this why? (Score:4, Interesting)
Re:sounds like the market has spoken (Score:2, Interesting)
When 40% of your user base is on a 3 year old platform, you patch that platform. Google does not sell a phone OS. Android is open source. What Android is really about is getting users and directing their eyes to Google's information services. Google should do right by their customers and patch the old system versions because that's where their customers are. If Google can't go to their customers then Google will slide into irrelevancy like Microsoft has done. If the carriers don't have the capacity to adapt those bug fixes, well they should have thought of that before customizing Android.
Customers and Google could help (Score:4, Interesting)
There are things Google, and customers, could do to help this problem.
A bit of background as to some of the causes:
Phone manufacturers are hesitant to release updates because they really should test them first. Testing is a pain for a few reasons. One is that they also have customizations to their phone UI. Another is that they have many different hardware configurations. They have all these hardware configurations because their marketing people thought that coming out with an entirely new phone handset every 6 months was a good idea. This problem is amplified by the lawyers who refuse to let them release their drivers open source. So those drivers may not even compile against the latest Android kernel. If they released the drivers, then those drivers would be maintained by Google. (Similar problems existing with some PC hardware manufacturers.)
Sooooo...
Google could require that OEMs provide their drivers back to Google. That way they know the drivers will at least compile against the latest versions of Android. Google has put in some efforts [slashdot.org] to prevent [slashdot.org] fragmentation [slashdot.org]. But I don't think they have addressed the driver issue.
Customers could actually complain to their phone carriers and handset manufacturers about bugs, security problems, and missing features. They could also refuse to buy phones from carriers and manufacturers who don't let you install stock Android on the phone. That right there is the #1 -- just cut out the OEMs entirely.
Comment removed (Score:5, Interesting)
Re:But We Are Open - We are Google - We are Good (Score:4, Interesting)
I think you missed the point. Google has published the patches but the carriers have not distributed them.
Actually, may be they have. In the sources the ACLU is using for its FTC complaint, the most thorough and well researched article [arstechnica.com] they're using to support their point, is purposefully not counting minor updates:
(Note that we define "update" as a major point release of Android—2.2 Froyo, 2.3 Gingerbread, 4.0 Ice Cream Sandwich. More minor updates or firmware releases are not accounted for here.)
Now I understand Android users getting pissed off for not getting major updates, but if we're really talking about "security updates", minor versions should at least be counted. Gingerbread for instance is not going away anytime soon. All manufacturers for instance are still making the cheaper single processor Gingerbread phones, and they currently have no plans of ever stopping that (at least not for the lower end of the market). Does that mean that Gingerbread is insecure? Not in the least, Google is still making minor security updates for Gingerbread and will probably continue to do so for years to come.
And ACLU's Christopher Soghian, author/first signature of the two on the formal ACLU complaint, is quoting a Washington Post article which is only quoting himself, ACLU's Christopher Soghian, as the sole source [washingtonpost.com]. WTF? Why did he even feel the need to reference that article? Is his ego more important than the point he is trying to support?
Also, I can no longer find the reference, but the last time his name came up, someone on slashdot found his linkedin profile in which he immediately described himself as being an iPhone owner. And yes, I realize the irony of quoting a source I can no longer find, when I just complained about someone referencing an article in support of his point quoting himself as the sole source.
But assuming I'm telling the truth, or assuming you remember seeing what I saw, who would do that on their linkedin profile? Does he post that on his resume as well? I can think of more subtle ways to communicate one's membership in the iPhone owners club. And if anyone was coming to the rescue of Android users, I would prefer that person to be an Android user/owner himself (after all, there are so many), instead of a person who proudly wears his iPhone as some kind of badge of honor instead (again, that's assuming you think I'm even telling the truth about what I read from his linkedin profile, you may not even believe me of course).