Slashdot Mirror
ACLU Asks FTC To Force Carriers To 'Patch Or Replace' Android Devices
chicksdaddy writes "The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the federal government to take action to stem an epidemic of unpatched and insecure Android mobile devices – declaring the sea of unpatched and vulnerable phones and tablets 'defective and unreasonably dangerous.' The civil liberties group's complaint for injunctive relief with the FTC (PDF), notes that 'major wireless carriers have sold millions of Android smartphones to consumers' but that 'the vast majority of these devices rarely receive software security updates.' The ACLU says carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to' third parties. 'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners,' the ACLU said. Android devices now account for close to 70 percent of new mobile devices sold. The porous security of many of those devices has become a topic of concern. The latest data from Google highlights the challenge facing the company, with just over 25% of Android users running versions 4.1 or 4.2 – the latest versions of the OS, dubbed 'Jelly Bean,' more than six months after its release. In contrast, 40% of Android users are still running the 'Gingerbread' release – versions 2.3.3 through 2.3.7, a two year-old version of the operating system that has known security vulnerabilities."
I think this shows one of the greatest flaws in the not owning your hardware debate. What happens when you the company that owns it simply gives up on support??? You're left holding the bag but can't change it's content.
I think you missed the point. Google has published the patches but the carriers have not distributed them.
"Many of theses devices have upgrades available." Actually part of the problem is many of them do, but the carriers are specifically blocking them from being released.
"Slashdot, where telling the truth is overrated but lying is insightful."
'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers'
Highlighted the important part from TFS. Google's released patches. Carriers are refusing to give them to their customers. There's nothing Google can do about that. Hence why the ACLU is lobbying the FTC to force the carriers into action.
"Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
Much of the trouble is that the carriers load the phones with worthless bloatware, and block the user's ability to remove it. There's then not enough free space to install updates.
I own a Motorola Atrix 4G. It is an excellent smartphone platform. It has been abandoned
by Motorola even though the phone can easily run ICS and Jellybean. We Atrix 4G users
may never see an official update, on a phone they originally PROMISED to update.
Sad thing is Motorola Mobility is now owned by Google. Go Figure.
About bloody time that someone does this. It is absolutely indefensible that the carriers have refused to release patches for known security holes for extended periods of time if they release them at all. This blatantly leaves their customers vulnerable and their customers have no way of circumventing this short of rooting their phones.
I read the article before it appeared on Slashdot and many of these phone will literally never receive any patches from the carrier. These phones are effectively being sold as known defective devices and I hope someone initiates a class action lawsuit on the matter as I can't think of any other way to fix this issue. Patch Management really should not be an afterthought and it affects every device, every operating system and unfortunately there are still legions of idiots out there equate Patch Management with Microsoft Windows patch Tuesday.
That it would require a lawsuit in order to patch your phone and secure it against a known vulnerability say much about about the state of American cell phone industry. This country desperately needs to adopt the standards used by the rest of the world and it's a point of shame that we have the industry we do. Most Americans don't know how bad things are here because they never go abroad, and once they do it's like walking into a candy store for the first time with "you can do that?", again and again.
Why did you buy a carrier phone?
Why not get a device that might actually get updates?
You voted for this system with your purchase, you are part of why it exists.
I run (unofficial) Cyanogenmod and mostly like it, but I wouldn't wish it on anyone. Every release has a little something important broken. Don't get me wrong, I'm very grateful to the people doing this stuff for free, but when your battery life suddenly gets cut in half and you have to choose between a working camera in the newest release or short battery life, it gets to be a PITA. Plus, it's a time sink...
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
No, the difference is that no one is blocking anyone from getting the XP updates that Microsoft releases. This isn't about Google no longer supplying updates to old Android versions, it's about carriers blocking users from getting updates.
I agree that security on peoples' private phones is important, but I have no idea why the ACLU is getting involved. It's one thing to fight against government intrusion into privacy, and quite another to fight to have the government compel private companies to force updates on users' phones.
Taking guns away from the 99% gives the 1% 100% of the power.
Very true. My old communications device was the most secure and I've yet to find something that rivals it. It was impossible to spoof, clone, or manipulate and all my data was secure. Sure it was hard to make long-distance calls, because finding large spools of string is difficult, but the fidelity of those tin cans was soooo pure. Plus, they never got any malware, not even once.
There are things Google, and customers, could do to help this problem.
A bit of background as to some of the causes:
Phone manufacturers are hesitant to release updates because they really should test them first. Testing is a pain for a few reasons. One is that they also have customizations to their phone UI. Another is that they have many different hardware configurations. They have all these hardware configurations because their marketing people thought that coming out with an entirely new phone handset every 6 months was a good idea. This problem is amplified by the lawyers who refuse to let them release their drivers open source. So those drivers may not even compile against the latest Android kernel. If they released the drivers, then those drivers would be maintained by Google. (Similar problems existing with some PC hardware manufacturers.)
Sooooo...
Google could require that OEMs provide their drivers back to Google. That way they know the drivers will at least compile against the latest versions of Android. Google has put in some efforts to prevent fragmentation. But I don't think they have addressed the driver issue.
Customers could actually complain to their phone carriers and handset manufacturers about bugs, security problems, and missing features. They could also refuse to buy phones from carriers and manufacturers who don't let you install stock Android on the phone. That right there is the #1 -- just cut out the OEMs entirely.
That's what you think. You never noticed that I was sitting there with two extra cans and a pair of scissors!
Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
From TFS:
'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google
They did release patches, the carriers are blocking them, therefore, ACLU is suing to get the carriers to stop being jerks.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
When 40% of your user base is on a 3 year old platform, you patch that platform. Google should do right by their customers and patch the old system versions because that's where their customers are.
I know, this is slashdot, but you can at least RTFS which states that carriers are not releasing any fixes for older devices (or, usually, newer devices). So your suggestion is that Google should produce patches which exactly zero people can install? Brilliant!
I would say 5 years for any device that costs $500 or less, 7 years for any device that costs between $500-$800, and 10 years for any device that costs $1000 and above.
They should also be forced to put the driver code in escrow which must be provided by the hardware manufacturer so if they refuse to update and patch that code can be handed out so a different OS can support it. That way if a company wants to keep it proprietary? fine then YOU have to provide patches and updates. Don't want to do that? Then you hand out the code so somebody else can. Sounds pretty straightforward to me.
ACs don't waste your time replying, your posts are never seen by me.
Very true. My old communications device was the most secure and I've yet to find something that rivals it. It was impossible to spoof, clone, or manipulate and all my data was secure. Sure it was hard to make long-distance calls, because finding large spools of string is difficult, but the fidelity of those tin cans was soooo pure. Plus, they never got any malware, not even once.
Unfortunately, you're very vulnerable to a can-in-the-middle attack.
"No, no, no. Don't tug on that. You never know what it might be attached to."
I think you missed the point. Google has published the patches but the carriers have not distributed them.
Actually, may be they have. In the sources the ACLU is using for its FTC complaint, the most thorough and well researched article they're using to support their point, is purposefully not counting minor updates:
(Note that we define "update" as a major point release of Android—2.2 Froyo, 2.3 Gingerbread, 4.0 Ice Cream Sandwich. More minor updates or firmware releases are not accounted for here.)
Now I understand Android users getting pissed off for not getting major updates, but if we're really talking about "security updates", minor versions should at least be counted. Gingerbread for instance is not going away anytime soon. All manufacturers for instance are still making the cheaper single processor Gingerbread phones, and they currently have no plans of ever stopping that (at least not for the lower end of the market). Does that mean that Gingerbread is insecure? Not in the least, Google is still making minor security updates for Gingerbread and will probably continue to do so for years to come.
And ACLU's Christopher Soghian, author/first signature of the two on the formal ACLU complaint, is quoting a Washington Post article which is only quoting himself, ACLU's Christopher Soghian, as the sole source. WTF? Why did he even feel the need to reference that article? Is his ego more important than the point he is trying to support?
Also, I can no longer find the reference, but the last time his name came up, someone on slashdot found his linkedin profile in which he immediately described himself as being an iPhone owner. And yes, I realize the irony of quoting a source I can no longer find, when I just complained about someone referencing an article in support of his point quoting himself as the sole source.
But assuming I'm telling the truth, or assuming you remember seeing what I saw, who would do that on their linkedin profile? Does he post that on his resume as well? I can think of more subtle ways to communicate one's membership in the iPhone owners club. And if anyone was coming to the rescue of Android users, I would prefer that person to be an Android user/owner himself (after all, there are so many), instead of a person who proudly wears his iPhone as some kind of badge of honor instead (again, that's assuming you think I'm even telling the truth about what I read from his linkedin profile, you may not even believe me of course).