ACLU Asks FTC To Force Carriers To 'Patch Or Replace' Android Devices
chicksdaddy writes "The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the federal government to take action to stem an epidemic of unpatched and insecure Android mobile devices – declaring the sea of unpatched and vulnerable phones and tablets 'defective and unreasonably dangerous.' The civil liberties group's complaint for injunctive relief with the FTC (PDF) notes that 'major wireless carriers have sold millions of Android smartphones to consumers' but that 'the vast majority of these devices rarely receive software security updates.' The ACLU says carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to third parties. 'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners,' the ACLU said. Android devices now account for close to 70 percent of new mobile devices sold. The porous security of many of those devices has become a topic of concern. The latest data from Google highlights the challenge facing the company, with just over 25% of Android users running versions 4.1 or 4.2 – the latest versions of the OS, dubbed 'Jelly Bean' – more than six months after its release. In contrast, 40% of Android users are still running the 'Gingerbread' release – versions 2.3.3 through 2.3.7, a two-year-old version of the operating system that has known security vulnerabilities."
I think this shows one of the greatest flaws in the not-owning-your-hardware debate. What happens when the company that owns it simply gives up on support??? You're left holding the bag but can't change its contents.
Dude, you really need to get your Lithium prescription refilled!
I think you missed the point. Google has published the patches but the carriers have not distributed them.
"Many of these devices have upgrades available." Actually, part of the problem is that many of them do, but the carriers are specifically blocking them from being released.
'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers'
Highlighted the important part from TFS. Google's released patches. Carriers are refusing to give them to their customers. There's nothing Google can do about that. Hence why the ACLU is lobbying the FTC to force the carriers into action.
For the exact same reason Microsoft doesn't make new patches for Windows 95, Windows 3.1 or DOS 6.22.
You already knew that answer, however, so go troll elsewhere.
Much of the trouble is that the carriers load the phones with worthless bloatware, and block the user's ability to remove it. There's then not enough free space to install updates.
I own a Motorola Atrix 4G. It is an excellent smartphone platform. It has been abandoned by Motorola even though the phone can easily run ICS and Jellybean. We Atrix 4G users may never see an official update, on a phone they originally PROMISED to update.
Sad thing is Motorola Mobility is now owned by Google. Go Figure.
A couple of months ago my carrier was offering me a new phone.
In the set of phones they were offering me, there were some Samsung models running Android 2.x, and an HTC model running 4.x. The Samsung had better specs, but since it was running such an old version of the OS I decided I'd rather have the HTC.
Of course the big problem is that carriers all put on their own shit to make as much money from you as possible. Selling ringtones, wallpapers, their own app stores, all sorts of crap. They don't want to have to re-certify their apps for new versions, so they're not interested in getting these updates rolled out to customers. In fact, I've heard that many of them actively prevent it.
It took me several days of disabling/uninstalling the crap my carrier had installed to make the phone mostly usable, because they literally try to inject their branding/cash grabs into as much as they can do. I'm not sure I've gotten it all, but there was an awful lot of extra crap that needed to be culled.
Carriers aren't interested in your security, they're interested in maximizing their own revenue. If that leaves you with an old and insecure phone, well, the contract shields them from any liability doesn't it?
About bloody time that someone does this. It is absolutely indefensible that the carriers have refused to release patches for known security holes for extended periods of time if they release them at all. This blatantly leaves their customers vulnerable and their customers have no way of circumventing this short of rooting their phones.
I read the article before it appeared on Slashdot, and many of these phones will literally never receive any patches from the carrier. These phones are effectively being sold as known defective devices, and I hope someone initiates a class action lawsuit on the matter, as I can't think of any other way to fix this issue. Patch management really should not be an afterthought; it affects every device and every operating system, and unfortunately there are still legions of idiots out there who equate patch management with Microsoft Windows Patch Tuesday.
That it would require a lawsuit in order to patch your phone and secure it against a known vulnerability says much about the state of the American cell phone industry. This country desperately needs to adopt the standards used by the rest of the world, and it's a point of shame that we have the industry we do. Most Americans don't know how bad things are here because they never go abroad, and once they do it's like walking into a candy store for the first time with "you can do that?", again and again.
I run (unofficial) Cyanogenmod and mostly like it, but I wouldn't wish it on anyone. Every release has a little something important broken. Don't get me wrong, I'm very grateful to the people doing this stuff for free, but when your battery life suddenly gets cut in half and you have to choose between a working camera in the newest release or short battery life, it gets to be a PITA. Plus, it's a time sink...
Verizon took months to roll out the last Galaxy Nexus android update to end users. This is despite the fact that other users got their update within a couple days of it going live. Verizon is horrible when it comes to updates.
Here in Norway, the carriers are not involved in the phone software. They merely provide a SIM card. Software updates are received from Google and sometimes the handset manufacturer. And to save on phone bills, the updates are usually done over wifi. You don't even need the carrier for that - only an ISP. The 'computer' part of the smartphone doesn't need the carrier (or their SIM card) to operate.
The carriers are only for phoning someone up and talking to them, SMS and conference calls. Oh, and they provide 2/3/4G internet, but wifi is always cheaper when available.
The carrier doesn't provide software at all, except for setting up the SIM card. The "smart" side of the phone is entirely between the user and Google.
No, the difference is that no one is blocking anyone from getting the XP updates that Microsoft releases. This isn't about Google no longer supplying updates to old Android versions, it's about carriers blocking users from getting updates.
Because someone still has to port the update to the phone. This is because many devices are not running stock android. If the kernel changes or the issue is with a driver then you are looking at a whole ball of wax.
The issue here is that ARM has nothing like PCI, and has traditionally not had to worry about this sort of thing. This means bootloaders and everything else can and are different across devices.
Carriers don't want to pay for updates because they want you to buy another device.
Oh really? Because I have a Nexus One here which would disagree (if it were able to go long enough without crashing to do so). Running 2.3.6, and it will forevermore report itself as "up to date," because Google decided the phone was too old to receive updates after less than 2 years.
Nexus-branded phones aren't much better. The Galaxy S2 got an update to ICS (4.0), then an update to Jellybean (4.1), before updates were discontinued. That's two major updates for the S2. The Nexus S got an update to ICS (4.0), then an update to Jellybean (4.1), and Google announced no 4.2 would be coming for the Nexus S... That's just two major updates for the Nexus S, no better than the S2. The Nexus One was the same: update to Froyo (2.2) and Gingerbread (2.3), then announced no more updates. The sad thing is the Nexus series of phones really don't get more updates than anyone else; they just get to release the software update for their own devices first.
I agree that security on peoples' private phones is important, but I have no idea why the ACLU is getting involved. It's one thing to fight against government intrusion into privacy, and quite another to fight to have the government compel private companies to force updates on users' phones.
Very true. My old communications device was the most secure and I've yet to find something that rivals it. It was impossible to spoof, clone, or manipulate and all my data was secure. Sure it was hard to make long-distance calls, because finding large spools of string is difficult, but the fidelity of those tin cans was soooo pure. Plus, they never got any malware, not even once.
In other words, just like the GP said, Google said go fuck yourself after 1.5 years.
Yeah, that's SO much better than the carriers.
There are things Google, and customers, could do to help this problem.
A bit of background as to some of the causes:
Phone manufacturers are hesitant to release updates because they really should test them first. Testing is a pain for a few reasons. One is that they also have customizations to their phone UI. Another is that they have many different hardware configurations. They have all these hardware configurations because their marketing people thought that coming out with an entirely new phone handset every 6 months was a good idea. This problem is amplified by the lawyers who refuse to let them release their drivers as open source. So those drivers may not even compile against the latest Android kernel. If they released the drivers, then those drivers would be maintained by Google. (Similar problems exist with some PC hardware manufacturers.)
Sooooo...
Google could require that OEMs provide their drivers back to Google. That way they know the drivers will at least compile against the latest versions of Android. Google has put in some efforts to prevent fragmentation. But I don't think they have addressed the driver issue.
Customers could actually complain to their phone carriers and handset manufacturers about bugs, security problems, and missing features. They could also refuse to buy phones from carriers and manufacturers who don't let you install stock Android on the phone. That right there is the #1 -- just cut out the OEMs entirely.
That's what you think. You never noticed that I was sitting there with two extra cans and a pair of scissors!
Part of the problem is that there isn't anything preventing someone from removing Windows 95, 3.1, or DOS 6.22 from their PC and installing an alternate supported operating system.
The big issue with phones is that many of them prevent the user from having the choice to discontinue use of the unsupported OS and move to a supported OS.
I'd argue that when a vendor takes measures to block consensual installation of a 3rd party OS that the vendor must take on the responsibility for ensuring the safety of user from the perspective of the original OS.
Why did you buy a carrier phone?
One reason might be that CDMA2000 carriers (Verizon and Sprint) have noticeably more reliable coverage where the subscriber lives and works than GSM carriers (AT&T and T-Mobile). There are parts of the United States where Verizon has the most reliable coverage by far. The problem here is that CDMA2000 carriers in the United States happen not to use a removable CSIM. Instead, the carrier programs the subscriber identity directly into the device, and the major U.S. CDMA2000 carriers are willing to program only devices that they sold.
From TFS:
'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google
They did release patches, the carriers are blocking them, therefore, ACLU is suing to get the carriers to stop being jerks.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Here in Norway, the carriers are not involved in the phone software. They merely provide a SIM card.
In the United States, two of the major carriers don't use GSM at all but instead CDMA2000. Devices using CDMA2000 are not required to use CSIM cards, and most CDMA2000 devices in the U.S. do not. Instead, devices' radio interfaces are hardcoded to talk to one carrier.
Oh, and they provide 2/3/4G internet, but wifi is always cheaper when available.
Is Wi-Fi available on city buses?
Greenpeace doesn't have a lot of time either, what with its focus on better guidelines for iOS developers to ensure they can safely know ahead of time whether their apps will make it into the App Store.
You're right: it does create e-waste to switch to a Mac and buy an iPad mini only to find that your application concepts would run up against a blanket category ban in the App Store Review Guidelines.
When 40% of your user base is on a 3 year old platform, you patch that platform. Google should do right by their customers and patch the old system versions because that's where their customers are.
I know, this is slashdot, but you can at least RTFS which states that carriers are not releasing any fixes for older devices (or, usually, newer devices). So your suggestion is that Google should produce patches which exactly zero people can install? Brilliant!
I would say 5 years for any device that costs $500 or less, 7 years for any device that costs between $500-$800, and 10 years for any device that costs $1000 and above.
They should also be forced to put the driver code in escrow which must be provided by the hardware manufacturer so if they refuse to update and patch that code can be handed out so a different OS can support it. That way if a company wants to keep it proprietary? fine then YOU have to provide patches and updates. Don't want to do that? Then you hand out the code so somebody else can. Sounds pretty straightforward to me.
Groups like the ACLU always need money. They have to keep their big contributors happy.
I have discovered that Melissa Chabrán is on the board of the Washington State ACLU. She is also the Senior Program Officer at the Bill & Melinda Gates Foundation.
Ya, your Nexus One is ancient, it's.... what? You say the 4-year-old iPhone 3GS runs the latest iOS 6.1? Oh.... umm, idk then, I guess buy Apple next time.
Very true. My old communications device was the most secure and I've yet to find something that rivals it. It was impossible to spoof, clone, or manipulate and all my data was secure. Sure it was hard to make long-distance calls, because finding large spools of string is difficult, but the fidelity of those tin cans was soooo pure. Plus, they never got any malware, not even once.
Unfortunately, you're very vulnerable to a can-in-the-middle attack.
"No, no, no. Don't tug on that. You never know what it might be attached to."
The iOS 6.1 for the 3GS with stripped features is about as "updated" as Android 2.3.6.
Except for security updates, presumably.
It seems that the ACLU is broadening its mission in order to garner headlines and cheap publicity. Cell phone security does not exactly come under the heading of "civil liberties."
I think you missed the point. Google has published the patches but the carriers have not distributed them.
Actually, maybe they have. In the sources the ACLU is using for its FTC complaint, the most thorough and well-researched article they're using to support their point is purposefully not counting minor updates:
(Note that we define "update" as a major point release of Android—2.2 Froyo, 2.3 Gingerbread, 4.0 Ice Cream Sandwich. More minor updates or firmware releases are not accounted for here.)
Now I understand Android users getting pissed off for not getting major updates, but if we're really talking about "security updates", minor versions should at least be counted. Gingerbread for instance is not going away anytime soon. All manufacturers for instance are still making the cheaper single processor Gingerbread phones, and they currently have no plans of ever stopping that (at least not for the lower end of the market). Does that mean that Gingerbread is insecure? Not in the least, Google is still making minor security updates for Gingerbread and will probably continue to do so for years to come.
And the ACLU's Christopher Soghoian, author/first signature of the two on the formal ACLU complaint, is quoting a Washington Post article which is only quoting himself, the ACLU's Christopher Soghoian, as the sole source. WTF? Why did he even feel the need to reference that article? Is his ego more important than the point he is trying to support?
Also, I can no longer find the reference, but the last time his name came up, someone on Slashdot found his LinkedIn profile, in which he immediately described himself as being an iPhone owner. And yes, I realize the irony of quoting a source I can no longer find, when I just complained about someone referencing an article in support of his point quoting himself as the sole source.
But assuming I'm telling the truth, or assuming you remember seeing what I saw, who would do that on their LinkedIn profile? Does he post that on his resume as well? I can think of more subtle ways to communicate one's membership in the iPhone owners club. And if anyone was coming to the rescue of Android users, I would prefer that person to be an Android user/owner himself (after all, there are so many), instead of a person who proudly wears his iPhone as some kind of badge of honor (again, that's assuming you think I'm even telling the truth about what I read from his LinkedIn profile; you may not even believe me, of course).
Because the invisible hand is only good for taking your wallet? I mean, have you forgotten how many busts for collusion we have seen the past few years? RAM, LCD panels... I personally think HDD and SSD manufacturers should be investigated, as I have a feeling you'll find price fixing there too.
You see, the flaw in your logic is VERY simple and easy to spot, and is thus: If I am one of the companies with shitty support and the little guy is cutting into my bottom line? Then it's in my best interests NOT to become like the little guy but instead buy out the little guy or rig the market so I can keep my hold on the market without changing my ways. For a perfect example of this, look at how Intel passed off the piece of shit that was NetBurst onto the planet by just bribing the OEMs not to deal with the other guy. They made billions and billions on the deal, let them pretty much kill Via and cripple AMD so badly they really have never recovered.
So you see, your free market just doesn't work because it doesn't exist; what DOES exist is a bunch of companies that would rather just rig the market in their favor and call it a day. After all, do you think the OEMs will make MORE money or less by having the devices become obsolete quicker? If you strictly go by the market, it's in their best interests to give you as little support as possible, and with so few players it really isn't hard to do exactly that, as TFA points out.
your primary carrier is still getting your monthly payment and still recovering the phone subsidy.
No, they subsidize the phone based on the fees they collect for usage.
What you refer to as "the fees they collect for usage" is part of what I referred to as "your monthly payment". Could you explain the difference?
Why would prepaid carriers such as Virgin Mobile USA be selling locked phones and using radio protocols such as CDMA2000 that encourage the sale of locked phones?
Don't like it? Buy one outright instead.
Phones bought outright from CDMA2000 carriers are still locked.