
ACLU Asks FTC To Force Carriers To 'Patch Or Replace' Android Devices 318

chicksdaddy writes "The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the federal government to take action to stem an epidemic of unpatched and insecure Android mobile devices – declaring the sea of unpatched and vulnerable phones and tablets 'defective and unreasonably dangerous.' The civil liberties group's complaint for injunctive relief with the FTC (PDF) notes that 'major wireless carriers have sold millions of Android smartphones to consumers' but that 'the vast majority of these devices rarely receive software security updates.' The ACLU says carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to third parties. 'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners,' the ACLU said. Android devices now account for close to 70 percent of new mobile devices sold. The porous security of many of those devices has become a topic of concern. The latest data from Google highlights the challenge facing the company, with just over 25% of Android users running versions 4.1 or 4.2 – the latest versions of the OS, dubbed 'Jelly Bean,' more than six months after its release. In contrast, 40% of Android users are still running the 'Gingerbread' release – versions 2.3.3 through 2.3.7, a two-year-old version of the operating system that has known security vulnerabilities."
  • by Anonymous Coward on Wednesday April 17, 2013 @02:11PM (#43474837)

    I think this shows one of the greatest flaws in the not owning your hardware debate. What happens when the company that owns it simply gives up on support??? You're left holding the bag but can't change its content.

    • by hairyfeet ( 841228 ) <bassbeast1968 AT gmail DOT com> on Wednesday April 17, 2013 @04:20PM (#43476343) Journal

      Actually I'd say it's more about how the corps are trying to treat durable goods as disposable goods. I mean some of these phones are anything but cheap yet by the way these OEMs just abandon the things you'd think they cost the same as those cheapo flash sticks you see at checkout lines. If the rumors of Windows Blue are true even MSFT will be getting in on the act, with a new version of Windows being put out every year. If this happens you'll see $1500 laptops treated like $50 tablets because "Your laptop only has drivers for Windows 10 and we are now on Windows 12, go buy a new one".

      So what I think needs to be done is minimum support times need to be written in stone, say a minimum of 5 years of updates from time of sale and any company that refuses to honor the support time should be forced to open up the device and hand over the driver code so another OS can be loaded that is patched.

      • If the rumors of Windows Blue are true even MSFT will be getting in on the act, with a new version of Windows being put out every year. If this happens you'll see $1500 laptops treated like $50 tablets because "Your laptop only has drivers for Windows 10 and we are now on Windows 12, go buy a new one".

        How so? This would only maybe be the case if they change the driver model at every release, which they haven't done and is why even Vista drivers work on Windows 8. But even then one of my systems with a pre-vista graphics card is still supported in Windows 7.

        • Because all the mobile crap they are bolting on is causing changes in the driver model? Lately I have been looking closer at why a lot of the new Windows 8 laptops seem to need the "refresh your PC" option a LOT and I'm seriously starting to think it's WinME all over again.

          For those that don't know WinME was supposed to help bridge the gap between Win9X and WinNT and one of the ways it was supposed to do that was supporting both the old VXD driver model and the newer WDM driver model but IRL it turned out if

  • Customer education is needed. Many of these devices have upgrades available. Those that don't may not be able to run the newer versions satisfactorily. If a law like this is passed, I see carriers and makers having to shoehorn updates that don't fit and run terribly onto consumer devices that are years out of date.

    Carriers and handset makers need to educate customers in order for the customer to protect themselves. The customers themselves need to take responsibility for their device and its security. Carr

    • Re:No law is needed (Score:4, Informative)

      by falcon5768 ( 629591 ) <Falcon5768@comca ... t minus language> on Wednesday April 17, 2013 @02:17PM (#43474921) Journal
      "Many of these devices have upgrades available." Actually part of the problem is many of them do, but the carriers are specifically blocking them from being released.
    • by h4rr4r ( 612664 )

      Actually all they have to provide is security patches, not an upgrade to the next version of the OS.

      So far unless the device is a Nexus, updates will likely be few and far between. Samsung has been doing better recently, but still very poorly. The GS2 just a week or so ago finally got 4.2.

    • Re:No law is needed (Score:5, Interesting)

      by najay ( 733875 ) on Wednesday April 17, 2013 @02:28PM (#43475031) Homepage

      I own a Motorola Atrix 4G. It is an excellent smartphone platform. It has been abandoned
      by Motorola even though the phone can easily run ICS and Jellybean. We Atrix 4G users
      may never see an official update, on a phone they originally PROMISED to update.

      Sad thing is Motorola Mobility is now owned by Google. Go Figure.

      • Sad thing is Motorola Mobility is now owned by Google. Go Figure.

        Yeah, and they won't give the binary blob needed to run the camera to the Cyanogenmod folks for the Droid 3 either. I'm using very few of the stock applications, but still, I'd like to have a functional upgrade. Motorola Mobility/Google could reduce its liability surface by just forking over the code and letting all the people who would run CM10.1 on the device go "unsupported". They'll shut up and the pool of vociferous complainers will be

    • by jopsen ( 885607 )

      Customer education is needed.

      I doubt that will scale... The world is complex, you can't ask customers, or even highly skilled technical experts like you and me to understand everything. For example I'll gladly admit that I don't have a clue how bank transfers etc. work, and what security I have that my money doesn't just disappear. And even if I wanted to understand the protocols and security measures the documentation isn't publicly available...

      I see carriers and makers having to shoehorn updates that don't fit and run terribly onto consumer devices that are years out of date.

      Nobody is talking about major upgrades, just security patches... These usually don't chang

    • by fermion ( 181285 )
      To me the issue is the two year contract. I think the two year contract implies that the device I am buying is functional and secure during those two years. All that the law should say is that the phone should be able to run the latest software well during those two years.

      Here is what I see will happen if such a law is passed. More expensive hardware, maybe one year contracts. The hardware will be more expensive because it will no longer be possible to build a phone that will just be current for the

    • There's a difference between fixing something that was broken to begin with and providing new functionality. I get that my first generation iPad only has 256 MB RAM and the features in iOS 6 require at least 512 MB. That shouldn't absolve Apple from fixing bugs in iOS 5 for some reasonable period of time.

      Perhaps it shouldn't be surprising that so many people don't recognize this, but there is a difference between support and new development. It's not legit to only fix bugs in the newest releases of a produc

  • Bloatware (Score:5, Insightful)

    by yesterdaystomorrow ( 1766850 ) on Wednesday April 17, 2013 @02:25PM (#43475007)
    Much of the trouble is that the carriers load the phones with worthless bloatware, and block the user's ability to remove it. There's then not enough free space to install updates.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Apple's approach to phones is objectively superior in every way. They do not allow the worthless carriers to touch their hardware or OS, other than to verify that it will work on their network.

      Google allowing the carriers to be involved at all in hardware and especially the OS itself was a huge mistake, one they may never recover from.

      • by h4rr4r ( 612664 )

        May never recover from? They sell more units.

        Apple's approach to carriers is the right one, but this end result is because most phones are subsidized. The carriers get the OEM to load crapware and disable features for their advantage. If smartphones were commonly bought right from the OEM they would have no incentives to do these things.

      • "objectively superior"

        yes, from your perspective maybe. the rest of us like to install things if we want to. If you think carriers don't add bloat to apple I'd like to a: sell you this bridge I own and b: remind you of the apple facetime issue where you'd get a message saying you couldn't do that.

        Apple one upped google: instead of google letting the carriers do whatever they want, apple instead made the carriers doing what they want into something embedded into the phone!

  • by gstoddart ( 321705 ) on Wednesday April 17, 2013 @02:28PM (#43475035) Homepage

    A couple of months ago my carrier was offering me a new phone.

    In the set of phones they were offering me, there were some Samsung models running Android 2.x, and an HTC model running 4.x. The Samsung had better specs, but since it was running such an old version of the OS I decided I'd rather have the HTC.

    Of course the big problem is that carriers all put on their own shit to make as much money from you as possible. Selling ringtones, wallpapers, their own app stores, all sorts of crap. They don't want to have to re-certify their apps for new versions, so they're not interested in getting these updates rolled out to customers. In fact, I've heard that many of them actively prevent it.

    It took me several days of disabling/uninstalling the crap my carrier had installed to make the phone mostly usable, because they literally try to inject their branding/cash grabs into as much as they can do. I'm not sure I've gotten it all, but there was an awful lot of extra crap that needed to be culled.

    Carriers aren't interested in your security, they're interested in maximizing their own revenue. If that leaves you with an old and insecure phone, well, the contract shields them from any liability doesn't it?

    • by h4rr4r ( 612664 ) on Wednesday April 17, 2013 @02:37PM (#43475147)

      Why did you buy a carrier phone?
      Why not get a device that might actually get updates?

      You voted for this system with your purchase, you are part of why it exists.

      • Re: (Score:3, Insightful)

        by CanHasDIY ( 1672858 )

        Why did you buy a carrier phone?
        Why not get a device that might actually get updates?

        A guess would be, because the unsubsidized price is gouged, and hard.

        To wit: The other day, I was perusing the Sunday paper circulars when I came across one for Best Buy; on the front page, there was an ad for the Galaxy Tab II 10.1" tablet, and the Galaxy SIII phone; though the specs were almost identical (the SIII has a better processor, the Tab II has a 10 inch screen), the price difference was astronomical; the Tab II was listed for ~$350 and the SIII? Unsubsidized, the cost was $700! Heck, an unlocked

      • Why did you buy a carrier phone?

        One reason might be that CDMA2000 carriers (Verizon and Sprint) have noticeably more reliable coverage where the subscriber lives and works than GSM carriers (AT&T and T-Mobile). There are parts of the United States where Verizon has the most reliable coverage by far. The problem here is that CDMA2000 carriers in the United States happen not to use a removable CSIM. Instead, the carrier programs the subscriber identity directly into the device, and the major U.S. CDMA2000 carriers are willing t

  • About time! (Score:5, Insightful)

    by onyxruby ( 118189 ) <onyxruby@comc[ ].net ['ast' in gap]> on Wednesday April 17, 2013 @02:32PM (#43475099)

    About bloody time that someone does this. It is absolutely indefensible that the carriers have refused to release patches for known security holes for extended periods of time if they release them at all. This blatantly leaves their customers vulnerable and their customers have no way of circumventing this short of rooting their phones.

    I read the article before it appeared on Slashdot and many of these phones will literally never receive any patches from the carrier. These phones are effectively being sold as known defective devices and I hope someone initiates a class action lawsuit on the matter as I can't think of any other way to fix this issue. Patch Management really should not be an afterthought and it affects every device, every operating system and unfortunately there are still legions of idiots out there who equate Patch Management with Microsoft Windows patch Tuesday.

    That it would require a lawsuit in order to patch your phone and secure it against a known vulnerability says much about the state of the American cell phone industry. This country desperately needs to adopt the standards used by the rest of the world and it's a point of shame that we have the industry we do. Most Americans don't know how bad things are here because they never go abroad, and once they do it's like walking into a candy store for the first time with "you can do that?", again and again.

    • by AmiMoJo ( 196126 ) *

      The phone companies were used to selling dumb phones that never had updates. They assumed they could sell smartphones the same way, but actually becoming a smartphone manufacturer means you have to provide constant updates for years and invest significant resources in doing so.

      To be fair a lot of computer manufacturers fail to understand this as well. Sure, you get Windows updates, but what about drivers and the BIOS? My friend bought a mobo/CPU/RAM/case combo from Novatech and it comes with a custom BIOS t

  • Verizon took months to roll out the last Galaxy Nexus android update to end users. This is despite the fact that other users got their update within a couple days of it going live. Verizon is horrible when it comes to updates.
  • by Anonymous Coward

    Here in Norway, the carriers are not involved in the phone software. They merely provide a SIM card. Software updates are received from Google and sometimes the handset manufacturer. And to save on phone bills, the updates are usually done over wifi. You don't even need the carrier for that - only an ISP. The 'computer' part of the smartphone doesn't need the carrier (or their SIM card) to operate.

    The carriers are only for phoning someone up and talking to them, sms and conference calls. Oh, and they provide 2/3

    • Here in Norway, the carriers are not involved in the phone software. They merely provide a SIM card.

      In the United States, two of the major carriers don't use GSM at all but instead CDMA2000. Devices using CDMA2000 are not required to use CSIM cards, and most CDMA2000 devices in the U.S. do not. Instead, devices' radio interfaces are hardcoded to talk to one carrier.

      Oh, and they provide 2/3/4G internet, but wifi is always cheaper when available.

      Is Wi-Fi available on city buses?

  • by XxtraLarGe ( 551297 ) on Wednesday April 17, 2013 @02:59PM (#43475427) Journal
    I agree that security on peoples' private phones is important, but I have no idea why the ACLU is getting involved. It's one thing to fight against government intrusion into privacy, and quite another to fight to have the government compel private companies to force updates on users' phones.
    • Well someone's got to do it. The NRA was too busy worrying about the Windows 8 user interface and demanding action be taken to re-introduce the "Start" button to bother itself with Android issues, and Greenpeace doesn't have a lot of time either, what with its focus on better guidelines for iOS developers to ensure they can safely know ahead of time whether their apps will make it into the App Store.

      • I don't use Windows, but even CNET videos (very un-geeky) describe how to reenable the Start menu.

      • Greenpeace doesn't have a lot of time either, what with its focus on better guidelines for iOS developers to ensure they can safely know ahead of time whether their apps will make it into the App Store.

        You're right: it does create e-waste to switch to a Mac and buy an iPad mini only to find that your application concepts would run up against a blanket category ban in the App Store Review Guidelines.

  • The American Civil Liberties Union?

    "In Citizens United, the Supreme Court ruled that independent political expenditures by corporations and unions are protected under the First Amendment and not subject to restriction by the government. The Court therefore struck down a ban on campaign expenditures by corporations and unions that applied to non-profit corporations like Planned Parenthood and the National Rifle Association, as well as for-profit corpora

  • by MobyDisk ( 75490 ) on Wednesday April 17, 2013 @03:37PM (#43475857) Homepage

    There are things Google, and customers, could do to help this problem.

    A bit of background as to some of the causes:
    Phone manufacturers are hesitant to release updates because they really should test them first. Testing is a pain for a few reasons. One is that they also have customizations to their phone UI. Another is that they have many different hardware configurations. They have all these hardware configurations because their marketing people thought that coming out with an entirely new phone handset every 6 months was a good idea. This problem is amplified by the lawyers who refuse to let them release their drivers open source. So those drivers may not even compile against the latest Android kernel. If they released the drivers, then those drivers would be maintained by Google. (Similar problems exist with some PC hardware manufacturers.)

    Google could require that OEMs provide their drivers back to Google. That way they know the drivers will at least compile against the latest versions of Android. Google has put in some efforts to prevent fragmentation. But I don't think they have addressed the driver issue.

    Customers could actually complain to their phone carriers and handset manufacturers about bugs, security problems, and missing features. They could also refuse to buy phones from carriers and manufacturers who don't let you install stock Android on the phone. That right there is the #1 -- just cut out the OEMs entirely.

  • by edibobb ( 113989 ) on Wednesday April 17, 2013 @08:23PM (#43478569) Homepage
    It seems that the ACLU is broadening its mission in order to garner headlines and cheap publicity. Cell phone security does not exactly come under the heading of "civil liberties."
